Re: security/portsentry removal
On 4/8/23 04:56, Mel Pilgrim wrote:
>> Can anyone suggest something equivalent in the port tree?
>
> Have a look at fail2ban. Its design intent is monitoring running
> services, but really it's just a set of log file regex filters. Anything
> that logs network activity can feed it.

Hello and thanks for answering.
In fact I'm already using fail2ban for "running" services.

Portsentry is a bit different, in that it's conceived to listen on ports used
by non-running services.
I.e.
Got a SMTP server? Let fail2ban check its logs.
No? Let portsentry listen on port 25.

I thought about writing regexes for fail2ban to check if ipfw denied access
to ports where portsentry used to listen.
So far it's the best idea I've come up with, but I hoped for something
simpler (i.e. more close to how portsentry worked).

bye & Thanks
av.
Re: security/portsentry removal
On 4/8/23 12:47 AM, Andrea Venturoli wrote:
> On 4/8/23 04:56, Mel Pilgrim wrote:
>>> Can anyone suggest something equivalent in the port tree?
>>
>> Have a look at fail2ban. Its design intent is monitoring running
>> services, but really it's just a set of log file regex filters. Anything
>> that logs network activity can feed it.
>
> Hello and thanks for answering.
> In fact I'm already using fail2ban for "running" services.
>
> Portsentry is a bit different, in that it's conceived to listen on ports used
> by non-running services.
> I.e.
> Got a SMTP server? Let fail2ban check its logs.
> No? Let portsentry listen on port 25.
>
> I thought about writing regexes for fail2ban to check if ipfw denied access
> to ports where portsentry used to listen.
> So far it's the best idea I've come up with, but I hoped for something
> simpler (i.e. more close to how portsentry worked).

would blacklistd(8) meet your requirements? i use it to block ssh login
spammers with decent success. it's part of the base system as well, but does
require pf.

-p
Re: security/portsentry removal
> On Apr 8, 2023, at 3:55 PM, Pete Wright wrote:
>
> On 4/8/23 12:47 AM, Andrea Venturoli wrote:
>> On 4/8/23 04:56, Mel Pilgrim wrote:
>> Can anyone suggest something equivalent in the port tree?
>>>
>>> Have a look at fail2ban. Its design intent is monitoring running
>>> services, but really it's just a set of log file regex filters. Anything
>>> that logs network activity can feed it.
>>
>> Hello and thanks for answering.
>> In fact I'm already using fail2ban for "running" services.
>>
>> Portsentry is a bit different, in that it's conceived to listen on ports used
>> by non-running services.
>> I.e.
>> Got a SMTP server? Let fail2ban check its logs.
>> No? Let portsentry listen on port 25.
>>
>> I thought about writing regexes for fail2ban to check if ipfw denied access
>> to ports where portsentry used to listen.
>> So far it's the best idea I've come up with, but I hoped for something
>> simpler (i.e. more close to how portsentry worked).
>>
>
> would blacklistd(8) meet your requirements? i use it to block ssh login
> spammers with decent success. it's part of the base system as well, but does
> require pf.
>
> -p
>

blacklistd is a good product as it's available out of the box however from my
experience fail2ban does a better job. So far I recall blacklistd is supported
only by ssh and postfix. One more thing is blacklistd does not detect brute
force attack of invalid users in ssh.

Kind regards,
Moin(with all hats off)
Re: security/portsentry removal
On 4/8/23 15:55, Pete Wright wrote:
> would blacklistd(8) meet your requirements?

I guess not.
From the man:

    blacklistd is a daemon similar to syslogd(8) that listens to sockets at
    paths specified in the sockpathsfile for notifications from other daemons

The purpose of portsentry is to listen on ports when there is no daemon there.

> i use it to block ssh login spammers with decent success.

I use fail2ban for that.

> it's part of the base system as well, but does require pf.

Which I don't use :) (I use ipfw).

bye & Thanks anyway
av.
Re: security/portsentry removal
On 4/8/23 16:40, Helge Oldach wrote:
> I wonder why that would provide anything useful though.

Main reason is to react to port scans or swiping attempts at well-known
services.
I.e. Someone (or some bot) connects to port 22, 25, 110, etc... when there's no
such service available and he/she/it gets banned.

I too am wondering whether this still makes sense today (after more than 20
years since portsentry was conceived).
Yet I'm currently tasked to replace it, with possible questions being asked
later :)

bye & Thanks
av.
Re: Fetching distfile from OSDN?
Christian Weisgerber:
> I just upgraded shells/yash, whose distfile is hosted on OSDN.
> I had to put the full URL into MASTER_SITES, because I can't figure
> out how to use the OSDN shortcut to fetch this:

Actually, the download page also offers a "simplified release file URL",
whose format matches MASTER_SITE_OSDN.

The MASTER_SITE_OSDN URL works for regular fetching, but fails for the
"makesum" target, which was what confused me. This is a peculiarity of the
MASTER_SITE_OSDN handling and the way "makesum" is implemented. I opened
PR #270708 about that.

--
Christian "naddy" Weisgerber na...@mips.inka.de
Re: security/portsentry removal
On 2023-04-08 0:47, Andrea Venturoli wrote:
> On 4/8/23 04:56, Mel Pilgrim wrote:
>>> Can anyone suggest something equivalent in the port tree?
>>
>> Have a look at fail2ban. Its design intent is monitoring running
>> services, but really it's just a set of log file regex filters. Anything
>> that logs network activity can feed it.
>
> Hello and thanks for answering.
> In fact I'm already using fail2ban for "running" services.
>
> Portsentry is a bit different, in that it's conceived to listen on ports used
> by non-running services.
> I.e.
> Got a SMTP server? Let fail2ban check its logs.
> No? Let portsentry listen on port 25.
>
> I thought about writing regexes for fail2ban to check if ipfw denied access
> to ports where portsentry used to listen.
> So far it's the best idea I've come up with, but I hoped for something
> simpler (i.e. more close to how portsentry worked).

That's exactly what I suggest. IME dropping/ignoring packets to closed ports
slows scanners down enough as it is, and the result is the same: they just see
a non-responsive host. But completeness, peace of mind, etc.

FWIW, you can still build and use portsentry either extratree or copy the port
to your local category.
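
The log-watching idea discussed in this thread (flag sources that ipfw denied on ports where no service runs), sketched as an added example that is not part of any message above. The log line shape, the allowlisted network and the sample lines are assumptions constructed for illustration; the decoy ports are the ones named in the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the ipfw deny rules carry the "log" keyword and lines look like
#   "<date> <host> kernel: ipfw: <rule> Deny TCP <src>:<sport> <dst>:<dport> in via <if>"
# IPv4 only; adjust the pattern to what your own log file really contains.
DENY_RE = re.compile(
    r"ipfw: \d+ Deny (?:TCP|UDP) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ "
    r"\S+:(?P<dport>\d+) in via \S+"
)

DECOY_PORTS = {22, 25, 110}  # ports named in the thread; no service listens there
# Constructed allowlist: own hosts must never be banned, since source
# addresses can be spoofed to trigger a ban against them.
ALLOW = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample lines (documentation addresses), not real log data.
SAMPLE = [
    "Apr  8 10:12:01 gw kernel: ipfw: 65000 Deny TCP 203.0.113.5:51234 192.0.2.10:25 in via em0",
    "Apr  8 10:12:02 gw kernel: ipfw: 65000 Deny TCP 203.0.113.5:51240 192.0.2.10:110 in via em0",
    "Apr  8 10:12:09 gw kernel: ipfw: 65000 Deny TCP 198.51.100.7:40000 192.0.2.10:8080 in via em0",
    "Apr  8 10:13:00 gw kernel: ipfw: 65000 Deny TCP 192.0.2.20:40100 192.0.2.10:22 in via em0",
    "Apr  8 10:13:05 gw kernel: ipfw: 100 Accept TCP 203.0.113.9:40100 192.0.2.10:443 in via em0",
]


def decoy_hits(lines, decoy_ports=DECOY_PORTS, allow=ALLOW):
    """Map each non-allowlisted source IP to the decoy ports it was denied on."""
    hits = defaultdict(set)
    for line in lines:
        m = DENY_RE.search(line)
        if not m:
            continue  # accepted traffic or an unrelated log line
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed address: ignore rather than ban
        port = int(m["dport"])
        if port in decoy_ports and not any(src in net for net in allow):
            hits[str(src)].add(port)
    return {ip: sorted(ports) for ip, ports in hits.items()}


if __name__ == "__main__":
    for ip, ports in decoy_hits(SAMPLE).items():
        print(f"ban candidate {ip}: denied on decoy ports {ports}")
```

The same pattern, with the source-address group replaced by fail2ban's `<HOST>` tag, is the kind of expression a fail2ban filter for the firewall log would need.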