# $Id$
# Authority: matthias

Summary: Port scan detection and active defense
Name: portsentry
Version: 1.2
Release: 1.te
License: Common Public License
Group: Applications/System
URL: http://sf.net/project/sentrytools
Source0: http://dl.sf.net/sentrytools/%{name}-%{version}.tar.gz
Source1: portsentry.init
Source2: portsentry.modes
Source3: portsentry.cron
Patch: portsentry-1.2.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
Obsoletes: sentry

%description
PortSentry is part of the Abacus Project suite of tools. The Abacus Project is
an initiative to release low-maintenance, generic, and reliable host based
intrusion detection software to the Internet community. More information can
be obtained from http://sf.net/projects/sentrytools.

PortSentry has a number of options to detect port scans; the purpose is to
give an admin a heads-up that their host is being probed. There are similar
programs that do this already (klaxon, etc.). We have added a little twist to
the whole idea (auto-blocking), plus extensive support for stealth scan
detection.

PortSentry has four "stealth" scan detection modes. Method one uses a
pre-defined list of ports to watch over. If someone pokes at them it
activates. The second method is what is called "inverse" port binding, where
every port under a range is watched *except* for those that the system has
bound for network daemons when PortSentry starts or ones that you've manually
excluded. This is a very sensitive way of looking for port probes, but also
the most prone to false alarms. Because a block is keyed on the source
address, hosts that legitimately send packets to watched ports (the default
gateway, nameservers, an NTP server replying on UDP 123) must be listed in
portsentry.ignore or excluded by port, and the cron entry shipped in this
package periodically flushes the firewall entries that auto-blocking adds.
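The two watch-set modes and the auto-block behaviour described above, modelled in Python. This is an added example, not PortSentry's own code: the Probe record, the Sentry class, the trigger semantics (loosely modelled on PortSentry's SCAN_TRIGGER / KILL_ROUTE settings) and the emitted iptables command are assumptions for illustration, and the traffic samples are constructed. It reproduces the NTP false alarm noted in the changelog and shows how a port exclude and the ignore file prevent it.

```python
"""
Model of PortSentry's two stealth-mode watch sets with auto-blocking.
Added example: not PortSentry's own code. Event format, class names, the
trigger semantics and the block command are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    """One inbound packet as seen by the sentry (constructed, not a real log format)."""
    src: str
    dport: int
    proto: str  # "tcp" or "udp"


def explicit_watch_set(ports):
    """Method one: watch only a pre-defined list of ports."""
    return frozenset(ports)


def inverse_watch_set(port_range, bound_at_start, excluded):
    """Method two ("inverse" binding): watch every port in the range except those
    a daemon had bound when the sentry started and those excluded by hand."""
    lo, hi = port_range
    return frozenset(range(lo, hi + 1)) - frozenset(bound_at_start) - frozenset(excluded)


class Sentry:
    """Per-source hit counting with auto-blocking, loosely modelled on the
    SCAN_TRIGGER / KILL_ROUTE idea (assumed semantics, not PortSentry's code)."""

    def __init__(self, watched, ignore=(), trigger=1):
        self.watched = watched
        self.ignore = frozenset(ignore)   # what portsentry.ignore would hold
        self.trigger = trigger            # distinct watched ports hit before blocking
        self.hits = {}                    # src -> set of watched ports touched
        self.blocked = []                 # sources in the order they were blocked

    def feed(self, probe):
        """Return the block command to run for this probe, or None."""
        if probe.src in self.ignore or probe.dport not in self.watched:
            return None
        touched = self.hits.setdefault(probe.src, set())
        touched.add(probe.dport)
        if probe.src in self.blocked or len(touched) < self.trigger:
            return None
        self.blocked.append(probe.src)
        # Assumed shape of a KILL_ROUTE command; the real one is set in portsentry.conf.
        return f"iptables -I INPUT -s {probe.src} -j DROP"


def run_scenarios():
    """Three constructed traffic samples showing why excludes and the ignore file matter."""
    bound = {22, 25, 80}  # daemons listening when the sentry started
    gateway, ntp_server, scanner = "192.0.2.1", "192.0.2.10", "203.0.113.7"

    # Plain inverse mode: the reply from our NTP server lands on UDP/123, which is
    # unbound and therefore watched, so the NTP server itself gets blocked.
    plain = Sentry(inverse_watch_set((1, 1024), bound, excluded=()))
    plain.feed(Probe(ntp_server, 123, "udp"))

    # Same traffic with 123 excluded (as the packaged "a" modes do): no block.
    tuned = Sentry(inverse_watch_set((1, 1024), bound, excluded={123, 135}))
    tuned.feed(Probe(ntp_server, 123, "udp"))

    # Hosts in the ignore file are never blocked even when they touch watched
    # ports; a real scanner touching two watched ports still trips the trigger.
    guarded = Sentry(inverse_watch_set((1, 1024), bound, excluded={123, 135}),
                     ignore={gateway}, trigger=2)
    guarded.feed(Probe(gateway, 21, "tcp"))
    guarded.feed(Probe(gateway, 23, "tcp"))
    cmds = [guarded.feed(Probe(scanner, p, "tcp")) for p in (21, 23, 110)]

    return {
        "plain_inverse": plain.blocked,          # ['192.0.2.10']  (false alarm)
        "with_exclude": tuned.blocked,           # []
        "guarded_blocked": guarded.blocked,      # ['203.0.113.7'] (gateway absent)
        "scanner_commands": [c for c in cmds if c],
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

Note that the block fires once per source: after the first command is returned, further probes from the same host produce nothing, which is why the periodic flush plus restart in this package matters if a blocked address is later reused by a legitimate host behind NAT.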
%prep
%setup -n portsentry_beta
%patch -p1 -b .te

%build
%{__make} %{?_smp_mflags} linux

%install
%{__rm} -rf %{buildroot}
mkdir -p %{buildroot}/var/portsentry
%{__make} install
%{__install} -Dp -m 700 %{SOURCE1} %{buildroot}/etc/init.d/portsentry
%{__install} -Dp -m 600 %{SOURCE2} %{buildroot}/etc/portsentry/portsentry.modes
%{__install} -Dp -m 600 %{SOURCE3} %{buildroot}/etc/cron.d/portsentry

%clean
%{__rm} -rf %{buildroot}

%post
/sbin/chkconfig --add portsentry

%preun
if [ $1 -eq 0 ]; then
    /sbin/service portsentry stop > /dev/null 2>&1
    /sbin/chkconfig --del portsentry
fi

%postun
if [ $1 -ge 1 ]; then
    /sbin/service portsentry condrestart > /dev/null 2>&1
fi

%files
%defattr(-, root, root, 0755)
%doc CHANGES CREDITS LICENSE README*
%config /etc/init.d/portsentry
%config /etc/cron.d/portsentry
%dir /etc/portsentry
%config(noreplace) /etc/portsentry/portsentry.conf
%config(noreplace) /etc/portsentry/portsentry.ignore
%config(noreplace) /etc/portsentry/portsentry.modes
%attr(700, root, root) %dir /var/portsentry
/usr/sbin/portsentry

%changelog
* Thu Aug 25 2005 Troy Engel 1.2-1.te
- Update to final 1.2 release
- Update patch to apply cleanly
- Update SPEC to reflect new license, webspace and tarball dirname

* Fri Nov 7 2003 Matthias Saou 1.1-11.fr
- Rebuild for Fedora Core 1.
- Updated the init script for automatic i18n support.

* Wed Sep 17 2003 Matthias Saou
- Changed automatic restart to be every 20min instead of 6h.
- Exclude 135 TCP because of Blaster (too many blocked NATed addresses).

* Fri May 9 2003 Matthias Saou
- One year without changes :-)
- Rebuilt for Red Hat Linux 9.

* Fri May 3 2002 Matthias Saou
- Rebuilt against Red Hat Linux 7.3.
- Added the %{?_smp_mflags} expansion.

* Thu Dec 6 2001 Matthias Saou
- Restart portsentry upon iptables/ipchains flush to not let the previously
  blocked hosts do what they want!
- Now default to iptables and not ipchains.

* Wed Oct 31 2001 Matthias Saou
- Removed the mail sent every 6 hours about the flush on success.
* Wed Oct 17 2001 Matthias Saou
- Fixed the emailing example KILL_RUN_CMD I had added.

* Fri Sep 18 2001 Matthias Saou
- Fixed the init script to update correctly the ignore file on non English
  systems.

* Sat Aug 18 2001 Matthias Saou
- Added UDP port 123 to the advanced exclude, since ntp queries were getting
  the ntp server blocked!

* Fri Aug 3 2001 Matthias Saou
- Update to 1.1.
- Spec file cleanup, merged both patches to the new version.
- New updated initscript, now excludes default gateways and nameservers.
- Added a cron entry to flush added iptables/ipchains entries.

* Thu Nov 9 2000 Matthias Saou
- added some exclude tcp & udp ports in "a" modes
- changed the default mode to "atcp" & "audp" with a portsentry.modes file

* Tue Sep 5 2000 Tim Powers
- fixed initscript so that it doesn't overwrite the portsentry.ignore file,
  just appends to it (in a roundabout way)
- patched default behavior of config file *not* to automagically start
  blocking tcp and udp
- the above were tested by Henri J. Schlereth, and don't forget he reported
  the problem to me too :)

* Thu Aug 10 2000 Tim Powers
- fixed the initscript so that it actually starts both or all modes of
  scanning
- noreplace for config files

* Thu Aug 10 2000 Tim Powers
- fixed perms on /var/portsentry
- added initscript with many suggestions from Henri J. Schlereth, it's real
  nice :)
- added post, preun and postun sections since we now have an initscript

* Wed Aug 9 2000 Tim Powers
- FHSified the package. Was putting stuff in the horrible location of
  /usr/psionic, which is not FHS compliant. Fixed.
* Mon Jul 24 2000 Prospector
- rebuilt

* Mon Jul 10 2000 Tim Powers
- rebuilt

* Mon Jul 03 2000 Prospector
- automatic rebuild

* Thu May 18 2000 Tim Powers
- update to 1.0

* Tue Nov 23 1999 Tim Powers
- updated to 0.99.1

* Tue Jul 20 1999 Tim Powers
- yet another name change and version update to 0.98
- made necessary changes to everything so it would build

* Wed May 05 1999 Bill Nottingham
- build for powertools-6.0, rename to portsentry

* Fri Oct 2 1998 Michael Maher
- built package