authorsullrich <sullrich@pfsense.org>2009-12-10 16:39:19 -0500
committersullrich <sullrich@pfsense.org>2009-12-10 16:39:28 -0500
commit365b5097b9da9a2f4cd4044a63d7fcc95ae6b40b (patch)
tree07b75d9c28885f3b2b6ceb135df90aeb009c755d /config/portsentry
parent60421ea0ac6418b53414ab275b3c25fa3bd5bdd3 (diff)
Adding portsentry package
Diffstat (limited to 'config/portsentry')
-rw-r--r--config/portsentry/portsentry.inc286
-rw-r--r--config/portsentry/portsentry.xml120
2 files changed, 406 insertions, 0 deletions
diff --git a/config/portsentry/portsentry.inc b/config/portsentry/portsentry.inc
new file mode 100644
index 00000000..05c8b751
--- /dev/null
+++ b/config/portsentry/portsentry.inc
@@ -0,0 +1,286 @@
+<?php
+
+function portsentry_custom_php_deinstall_command() {
+ conf_mount_rw();
+ exec("killall portsentry");
+ exec("rm -rf /usr/local/etc/portsentry*");
+}
+
+function portsentry_custom_php_install_command() {
+ global $config;
+
+ if($config['installedpackages']['portsentry']['config'][0]['blocktcp'])
+ $blocktcp = "1";
+ else
+ $blocktcp = "0";
+
+ if($config['installedpackages']['portsentry']['config'][0]['blockudp'])
+ $blockudp = "1";
+ else
+ $blockudp = "0";
+
+ if($config['installedpackages']['portsentry']['config'][0]['portbanner'])
+ $portbanner = $config['installedpackages']['portsentry']['config'][0]['portbanner'];
+ else
+ $portbanner = "You have connected to an invalid port. Your connection has been logged.";
+
+ if($config['installedpackages']['portsentry']['config'][0]['scantrigger'])
+ $scantrigger = $config['installedpackages']['portsentry']['config'][0]['scantrigger'];
+ else
+ $scantrigger = "0";
+
+ $isfirst = true;
+ $ports = "";
+ foreach($config['installedpackages']['portsentry']['config'][0]['row'] as $ps) {
+ if(!$isfirst)
+ $ports .= ",";
+ if($ps['listenport'])
+ $ports .= $ps['listenport'];
+ $isfirst = false;
+ }
+ $tcp_ports = $ports;
+ $udp_ports = $ports;
+
+ $config = <<<EOF
+# PortSentry Configuration
+
+#######################
+# Port Configurations #
+#######################
+#
+#
+# Some example port configs for classic and basic Stealth modes
+#
+# I like to always keep some ports at the "low" end of the spectrum.
+# This will detect a sequential port sweep really quickly and usually
+# these ports are not in use (i.e. tcpmux port 1)
+#
+# ** X-Windows Users **: If you are running X on your box, you need to be sure
+# you are not binding PortSentry to port 6000 (or port 2000 for OpenWindows users).
+# Doing so will prevent the X-client from starting properly.
+#
+# These port bindings are *ignored* for Advanced Stealth Scan Detection Mode.
+#
+
+# Un-comment these if you are really anal:
+TCP_PORTS="$tcp_ports"
+UDP_PORTS="$udp_ports"
+
+###########################################
+# Advanced Stealth Scan Detection Options #
+###########################################
+#
+# This is the number of ports you want PortSentry to monitor in Advanced mode.
+# Any port *below* this number will be monitored. Right now it watches
+# everything below 1024.
+#
+# On many Linux systems you cannot bind above port 61000. This is because
+# these ports are used as part of IP masquerading. I don't recommend you
+# bind over this number of ports. Realistically: I DON'T RECOMMEND YOU MONITOR
+# OVER 1024 PORTS AS YOUR FALSE ALARM RATE WILL ALMOST CERTAINLY RISE. You've been
+# warned! Don't write me if you have have a problem because I'll only tell
+# you to RTFM and don't run above the first 1024 ports.
+#
+#
+#ADVANCED_PORTS_TCP="1024"
+#ADVANCED_PORTS_UDP="1024"
+#
+# This field tells PortSentry what ports (besides listening daemons) to
+# ignore. This is helpful for services like ident that services such
+# as FTP, SMTP, and wrappers look for but you may not run (and probably
+# *shouldn't* IMHO).
+#
+# By specifying ports here PortSentry will simply not respond to
+# incoming requests, in effect PortSentry treats them as if they are
+# actual bound daemons. The default ports are ones reported as
+# problematic false alarms and should probably be left alone for
+# all but the most isolated systems/networks.
+#
+# Default TCP ident and NetBIOS service
+ADVANCED_EXCLUDE_TCP="113,139"
+# Default UDP route (RIP), NetBIOS, bootp broadcasts.
+ADVANCED_EXCLUDE_UDP="520,138,137,67"
+
+
+######################
+# Configuration Files#
+######################
+#
+# Hosts to ignore
+IGNORE_FILE="/usr/local/etc/portsentry.ignore"
+# Hosts that have been denied (running history)
+HISTORY_FILE="/var/db/portsentry.history"
+# Hosts that have been denied this session only (temporary until next restart)
+BLOCKED_FILE="/var/db/portsentry.blocked"
+
+##############################
+# Misc. Configuration Options#
+##############################
+#
+# DNS Name resolution - Setting this to "1" will turn on DNS lookups
+# for attacking hosts. Setting it to "0" (or any other value) will shut
+# it off.
+RESOLVE_HOST = "1"
+
+###################
+# Response Options#
+###################
+# Options to dispose of attacker. Each is an action that will
+# be run if an attack is detected. If you don't want a particular
+# option then comment it out and it will be skipped.
+#
+# The variable $TARGET$ will be substituted with the target attacking
+# host when an attack is detected. The variable $PORT$ will be substituted
+# with the port that was scanned.
+#
+##################
+# Ignore Options #
+##################
+# These options allow you to enable automatic response
+# options for UDP/TCP. This is useful if you just want
+# warnings for connections, but don't want to react for
+# a particular protocol (i.e. you want to block TCP, but
+# not UDP). To prevent a possible Denial of service attack
+# against UDP and stealth scan detection for TCP, you may
+# want to disable blocking, but leave the warning enabled.
+# I personally would wait for this to become a problem before
+# doing though as most attackers really aren't doing this.
+# The third option allows you to run just the external command
+# in case of a scan to have a pager script or such execute
+# but not drop the route. This may be useful for some admins
+# who want to block TCP, but only want pager/e-mail warnings
+# on UDP, etc.
+#
+#
+# 0 = Do not block UDP/TCP scans.
+# 1 = Block UDP/TCP scans.
+# 2 = Run external command only (KILL_RUN_CMD)
+
+BLOCK_UDP="$block_udp"
+BLOCK_TCP="$block_tcp"
+
+###############
+# TCP Wrappers#
+###############
+# This text will be dropped into the hosts.deny file for wrappers
+# to use. There are two formats for TCP wrappers:
+#
+# Format One: Old Style - The default when extended host processing
+# options are not enabled.
+#
+KILL_HOSTS_DENY="ALL: \$TARGET\$"
+
+# Format Two: New Style - The format used when extended option
+# processing is enabled. You can drop in extended processing
+# options, but be sure you escape all '%' symbols with a backslash
+# to prevent problems writing out (i.e. \%c \%h )
+#
+#KILL_HOSTS_DENY="ALL: \$TARGET\$ : DENY"
+
+###################
+# External Command#
+###################
+# This is a command that is run when a host connects, it can be whatever
+# you want it to be (pager, etc.). This command is executed before the
+# route is dropped or after depending on the KILL_RUN_CMD_FIRST option below
+#
+#
+# I NEVER RECOMMEND YOU PUT IN RETALIATORY ACTIONS AGAINST THE HOST SCANNING
+# YOU!
+#
+# TCP/IP is an *unauthenticated protocol* and people can make scans appear out
+# of thin air. The only time it is reasonably safe (and I *never* think it is
+# reasonable) to run reverse probe scripts is when using the "classic" -tcp mode.
+# This mode requires a full connect and is very hard to spoof.
+#
+# The KILL_RUN_CMD_FIRST value should be set to "1" to force the command
+# to run *before* the blocking occurs and should be set to "0" to make the
+# command run *after* the blocking has occurred.
+#
+#KILL_RUN_CMD_FIRST = "0"
+#
+# \$PORT\$
+KILL_RUN_CMD="pfctl -k \$TARGET\$ ; pfctl -t virusprot -T add \$TARGET\$"
+
+#####################
+# Scan trigger value#
+#####################
+# Enter in the number of port connects you will allow before an
+# alarm is given. The default is 0 which will react immediately.
+# A value of 1 or 2 will reduce false alarms. Anything higher is
+# probably not necessary. This value must always be specified, but
+# generally can be left at 0.
+#
+# NOTE: If you are using the advanced detection option you need to
+# be careful that you don't make a hair trigger situation. Because
+# Advanced mode will react for *any* host connecting to a non-used
+# below your specified range, you have the opportunity to really
+# break things. (i.e someone innocently tries to connect to you via
+# SSL [TCP port 443] and you immediately block them). Some of you
+# may even want this though. Just be careful.
+#
+SCAN_TRIGGER="$scan_trigger"
+
+######################
+# Port Banner Section#
+######################
+#
+# Enter text in here you want displayed to a person tripping the PortSentry.
+# I *don't* recommend taunting the person as this will aggravate them.
+# Leave this commented out to disable the feature
+#
+# Stealth scan detection modes don't use this feature
+#
+PORT_BANNER="$port_banner"
+
+EOF
+
+ conf_mount_rw();
+ // Write out configuration
+ $fd = fopen("/usr/local/etc/portsentry.conf", "w");
+ fwrite($fd, $config);
+ fclose($fd);
+
+ $svscan = <<<EOD
+#!/bin/sh
+
+# PROVIDE: portsentry
+# REQUIRE: LOGIN
+# KEYWORD: FreeBSD
+
+. /etc/rc.subr
+
+name="portsentry"
+rcvar=`set_rcvar`
+command="/usr/local/bin/portsentry"
+portsentry_enable=\${portsentry_enable-"YES"}
+
+start_cmd="portsentry_start"
+stop_postcmd="portsentry_stop_post"
+
+load_rc_config \$name
+
+portsentry_start () {
+ echo "Starting svscan."
+ /usr/bin/env \
+ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
+ portsentry
+}
+
+portsentry_stop_post () {
+ echo "Stopping portsentry."
+ killall portsentry
+}
+
+run_rc_command "\$1"
+
+EOD;
+
+ $fd = fopen("/usr/local/etc/rc.d/portsentry.sh", "w");
+ fwrite($fd, $svscan);
+ fclose($fd);
+ exec("chmod a+rx /usr/local/etc/rc.d/portsentry.sh");
+ conf_mount_ro();
+}
+
+?> \ No newline at end of file
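Review bot: The placeholders in the generated portsentry.conf do not match the variables computed above them: `BLOCK_UDP="$block_udp"`, `BLOCK_TCP="$block_tcp"`, `SCAN_TRIGGER="$scan_trigger"` and `PORT_BANNER="$port_banner"` interpolate names that are never assigned, while the function sets `$blockudp`, `$blocktcp`, `$scantrigger` and `$portbanner`, so each of those settings is written out empty and the blocking behaviour the GUI checkboxes promise is silently lost. The heredoc is also assigned to `$config`, which `global $config` bound to pfSense's configuration array at the top of the function, so the live config array is replaced by a string for the rest of the request; and the closing `EOF` of the first heredoc lacks the `;` that the second one (`EOD;`) has, which I would expect to be a parse error at the following `conf_mount_rw();`. Separately, `$portbanner` and the `listenport` row values are dropped into double-quoted config values with no escaping or validation, so a banner containing `"` or a non-numeric port corrupts the file; restricting ports to integers and stripping `"` from the banner before interpolation would be enough, and the deinstall hook calls `conf_mount_rw()` without a matching `conf_mount_ro()` and leaves /usr/local/etc/rc.d/portsentry.sh behind. Renaming the heredoc variable and the four placeholders and terminating the heredoc is sketched below.
```php
	// Keep the generated file in a local; $config is the global pfSense config array
	$portsentry_conf = <<<EOF
# … unchanged: PortSentry configuration up to the "Ignore Options" section …
BLOCK_UDP="$blockudp"
BLOCK_TCP="$blocktcp"
# … unchanged: TCP Wrappers and External Command sections …
SCAN_TRIGGER="$scantrigger"
# … unchanged: Port Banner comments …
PORT_BANNER="$portbanner"

EOF;

	conf_mount_rw();
	// Write out configuration
	$fd = fopen("/usr/local/etc/portsentry.conf", "w");
	fwrite($fd, $portsentry_conf);
	fclose($fd);
```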
diff --git a/config/portsentry/portsentry.xml b/config/portsentry/portsentry.xml
new file mode 100644
index 00000000..9ff6a167
--- /dev/null
+++ b/config/portsentry/portsentry.xml
@@ -0,0 +1,120 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
+<packagegui>
+ <copyright>
+ <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ portsentry.xml
+ Copyright (C) 2009 Scott Ullrich
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+ ]]>
+ </copyright>
+ <name>portsentry</name>
+ <version>1.0</version>
+ <title>Portsentry</title>
+ <aftersaveredirect><![CDATA[/pkg_edit.php?xml=portsentry.xml&id=1]]></aftersaveredirect>
+ <include_file>/usr/local/pkg/portsentry.inc</include_file>
+ <menu>
+ <name>Portsentry</name>
+ <tooltiptext></tooltiptext>
+ <section>Services</section>
+ <url></url>
+ </menu>
+ <service>
+ <name>Portsentry</name>
+ <rcfile>portsentry.sh</rcfile>
+ <executable>portsentry</executable>
+ <description>The Sentry tools provide host-level security services for the Unix platform. PortSentry protect against portscans, and detect suspicious login activity on a continuous basis.</description>
+ </service>
+ <configpath>installedpackages->portsentry->config</configpath>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/portsentry/portsentry.inc</item>
+ </additional_files_needed>
+ <fields>
+ <field>
+ <type>rowhelper</type>
+ <rowhelper>
+ <rowhelperfield>
+ <fielddescr>Listen on port</fielddescr>
+ <fieldname>listenport</fieldname>
+ <description>Instructs portsentry to look for bogus activity on port</description>
+ <type>input</type>
+ <size>25</size>
+ </rowhelperfield>
+ </rowhelper>
+ </field>
+ <field>
+ <fielddescr>Scan trigger value</fielddescr>
+ <fieldname>scantrigger</fieldname>
+ <description>Enter in the number of port connects you will allow before an alarm is given. The default is 0 which will react immediately.A value of 1 or 2 will reduce false alarms. Anything higher is probably not necessary. This value must always be specified, but generally can be left at 0.</description>
+ <type>input</type>
+ <size>80</size>
+ <required/>
+ </field>
+ <field>
+ <fielddescr>Block TCP</fielddescr>
+ <fieldname>blocktcp</fieldname>
+ <description>Determines if portsentry will listen on defined ports using the TCP protocol.</description>
+ <type>checkbox</type>
+ <required/>
+ </field>
+ <field>
+ <fielddescr>Block UDP</fielddescr>
+ <fieldname>blockudp</fieldname>
+ <description>Determines if portsentry will listen on defined ports using the UDP protocol.</description>
+ <type>checkbox</type>
+ <required/>
+ </field>
+ <field>
+ <fielddescr>Port Banner</fielddescr>
+ <fieldname>portbanner</fieldname>
+ <description>Text to ouput when client connects to a portsentry port.</description>
+ <type>checkbox</type>
+ <required/>
+ </field>
+ </fields>
+ <custom_delete_php_command>
+ </custom_delete_php_command>
+ <custom_add_php_command>
+ </custom_add_php_command>
+ <custom_php_resync_config_command>
+ </custom_php_resync_config_command>
+ <custom_php_install_command>
+ portsentry_custom_php_install_command();
+ </custom_php_install_command>
+ <custom_php_deinstall_command>
+ portsentry_custom_php_deinstall_command();
+ </custom_php_deinstall_command>
+ <custom_php_command_before_form>
+ </custom_php_command_before_form>
+</packagegui> \ No newline at end of file
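Review bot: The `portbanner` field is declared as `<type>checkbox</type>`, but portsentry.inc copies its value straight into `PORT_BANNER="…"`, so the banner can only ever be the checkbox's submitted value rather than the text the description ("Text to ouput when client connects…") promises; it should be `<type>input</type>` (and "ouput" → "output"). `<chmod>077</chmod>` on the fetched portsentry.inc gives the owner no permissions and group/other read-write-execute, which for a file later included by the web GUI is the wrong direction — presumably `0644` or `0755` was intended. `custom_php_resync_config_command` is left empty, so settings saved through the form are never written to /usr/local/etc/portsentry.conf nor does the daemon restart until the package is reinstalled; calling `portsentry_custom_php_install_command();` there would close that gap. The Block TCP/UDP descriptions say the checkbox decides whether portsentry "will listen" on the ports, while the value drives `BLOCK_TCP`/`BLOCK_UDP`, i.e. whether detected scanners are blocked; the help text should say so.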