Subject: Re: security/portsentry removal
From: Mel Pilgrim
To: Andrea Venturoli, freebsd-ports@freebsd.org
Date: Sat, 8 Apr 2023 17:33:01 -0700
List-Id: Porting software to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-ports

On 2023-04-08 0:47, Andrea Venturoli wrote:
> On 4/8/23 04:56, Mel Pilgrim wrote:
>>> Can anyone suggest something equivalent in the port tree?
>>
>> Have a look at fail2ban.  Its design intent is monitoring running
>> services, but really it's just a set of log file regex filters. Anything
>> that logs network activity can feed it.
>
> Hello and thanks for answering.
> In fact I'm already using fail2ban for "running" services.
>
> Portsentry is a bit different, in that it's conceived to listen on ports
> used by non-running services.
> I.e.
> Got a SMTP server? Let fail2ban check its logs.
> No? Let portsentry listen on port 25.
>
> I thought about writing regexes for fail2ban to check if ipfw denied
> access to ports where portsentry used to listen.
> So far it's the best idea I've come up with, but I hoped for something
> simpler (i.e. more close to how portsentry worked).

That's exactly what I suggest.

IME dropping/ignoring packets to closed ports slows scanners down enough
as it is, and the result is the same: they just see a non-responsive
host.  But completeness, peace of mind, etc.

FWIW, you can still build and use portsentry either extratree or copy
the port to your local category.
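
The idea discussed in this thread (matching ipfw deny log lines for ports where nothing listens), sketched as an added example that is not part of the original message and is not fail2ban's or portsentry's own code. It assumes an ipfw `deny log` rule covers the decoy ports and that lines have the usual IPv4 `kernel: ipfw: <rule> Deny <proto> <src>:<sport> <dst>:<dport> in via <if>` shape; the port set, the ignored host, the function names and the sample log lines are all constructed for illustration.

```python
import re
from collections import Counter

# Assumed decoy ports: no service listens here; ipfw denies and logs them.
DECOY_PORTS = {23, 25, 110}
IGNORE = {"192.0.2.50"}  # hypothetical admin host that must never be banned

# ipfw log line (IPv4, TCP/UDP only):
#   ... kernel: ipfw: <rule> Deny <proto> <src>:<sport> <dst>:<dport> in via <if>
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
DENY_RE = re.compile(
    rf"kernel: ipfw: \d+ Deny (?:TCP|UDP) (?P<src>{IPV4}):\d+ "
    rf"{IPV4}:(?P<dport>\d+) in via \S+"
)

# Constructed sample log lines (documentation address ranges only).
SAMPLE_LOG = [
    "Apr  8 17:12:01 gw kernel: ipfw: 65000 Deny TCP 203.0.113.5:51234 192.0.2.10:25 in via em0",
    "Apr  8 17:12:02 gw kernel: ipfw: 65000 Deny TCP 203.0.113.5:51240 192.0.2.10:23 in via em0",
    # Denied, but 8080 is not a decoy port.
    "Apr  8 17:12:09 gw kernel: ipfw: 65000 Deny TCP 198.51.100.7:40022 192.0.2.10:8080 in via em0",
    "Apr  8 17:12:15 gw kernel: ipfw: 65000 Deny UDP 198.51.100.9:5353 192.0.2.10:110 in via em0",
    # ICMP lines carry no ports and must not match.
    "Apr  8 17:12:20 gw kernel: ipfw: 65000 Deny ICMP:8.0 198.51.100.9 192.0.2.10 in via em0",
    # Accepted traffic is not a hit.
    "Apr  8 17:12:30 gw kernel: ipfw: 500 Accept TCP 203.0.113.77:50000 192.0.2.10:22 in via em0",
    # Decoy port, but the source is on the ignore list.
    "Apr  8 17:12:31 gw kernel: ipfw: 65000 Deny TCP 192.0.2.50:50000 192.0.2.10:25 in via em0",
]

def decoy_hits(lines, ports=DECOY_PORTS, ignore=IGNORE):
    """Count denied inbound packets to decoy ports, per source address."""
    hits = Counter()
    for line in lines:
        m = DENY_RE.search(line)
        if m and int(m["dport"]) in ports and m["src"] not in ignore:
            hits[m["src"]] += 1
    return hits

def ban_candidates(lines, maxretry=2):
    """Sources with at least maxretry decoy hits (no time window is modelled)."""
    return sorted(src for src, n in decoy_hits(lines).items() if n >= maxretry)

if __name__ == "__main__":
    for src in ban_candidates(SAMPLE_LOG):
        print("would ban", src)
```
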