From: Stuart Henderson
Subject: Re: New Portsentry version, how to proceed?
To: marcus@protohuf.net, tech@openbsd.org
Cc: ports
Date: Tue, 24 Jun 2025 10:53:11 +0100
Reply-To: ports

* reply-to set to ports@

On 2025/06/23 23:21, Kirill A. Korinsky wrote:
> On Mon, 23 Jun 2025 21:05:05 +0200,
> Marcus Hufvudsson wrote:
> >
> > Hi! The Portsentry project ran between 1997-2003. As a long time user, I
> > recently picked up and revived the project. After much work, I have now
> > released version 2.0. It includes bugfixes and new features. One of my
> > goals with Portsentry 2.0 was to make sure I kept support for all the
> > *BSD's. I plan to keep maintaining it and develop new features in the
> > future.
> >
> > I'm now reaching out because I'm not sure of how to proceed regarding
> > getting the new version into OpenBSD. Currently, Portsentry 1.2 lives in
> > your repository, but maybe it's better suited in your ports collections

It _is_ in ports, not the main repository.

> > now that I'm maintaining it again? For your reference, the project is
> > hosted here: https://github.com/portsentry/portsentry
> >
> > Please advise if or how you want to proceed.
>
> The best way is to send a diff which updates security/portsentry to
> ports@openbsd.org

Here's a first cut at that, which might save time if somebody else is
interested in picking this up. It could do with some extra bits like an
rc script, perhaps a pkg-readme, and needs testing (I haven't done that).
And preferably with a port maintainer listed in the Makefile who runs it
on OpenBSD and can take care of updates etc.

PIE-related flags patched out as our compilers do that by default where
it works (iirc there may be some arch where it doesn't and we don't want
PIE in those cases).

I think most OpenBSD users would be happier if it forked and restricted
privileges to only the parts needed, dropping to an unprivileged user for
other operations, rather than running entirely as root.
That would be an upstream thing rather than a ports thing though.

Index: Makefile =================================================================== RCS file: /cvs/ports/security/portsentry/Makefile,v diff -u -p -r1.14 Makefile --- Makefile 27 Sep 2023 16:34:35 -0000 1.14 +++ Makefile 24 Jun 2025 09:51:20 -0000 
@@ -1,41 +1,31 @@ COMMENT= port scan detection and active defense -DISTNAME= portsentry-1.2 -CATEGORIES= security -REVISION = 0 +V= 2.0.1 +DISTNAME= portsentry-$V-src +PKGNAME= portsentry-$V +EXTRACT_SUFX= .tar.xz -# Common Public License -PERMIT_PACKAGE= Yes -WANTLIB= c +HOMEPAGE= https://portsentry.xyz/ +SITES= https://github.com/portsentry/portsentry/releases/download/v$V/ -SITES= ${SITE_SOURCEFORGE:=sentrytools/} +CATEGORIES= security -WRKDIST= ${WRKDIR}/portsentry_beta +# "Common Public License", see LICENSE, has patent "no litigation" terms +PERMIT_PACKAGE= Yes -ALL_TARGET= openbsd -MAKE_FLAGS= CFLAGS="${CFLAGS}" +WANTLIB= c pcap -DOCS= README.install README.methods README.stealth +MODULES= devel/cmake +CONFIGURE_ARGS= -DBUILD_TESTS=On -pre-build: - @perl -pi -e "s,/usr/local/psionic,${SYSCONFDIR}," \ - ${WRKSRC}/portsentry.conf - @perl -pi -e "s,/usr/local/psionic,${SYSCONFDIR}," \ - ${WRKSRC}/portsentry_config.h +BUILD_DEPENDS= textproc/lowdown -do-install: - ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/portsentry +post-install: ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/portsentry - ${INSTALL_PROGRAM} ${WRKSRC}/portsentry ${PREFIX}/bin - ${INSTALL_DATA} ${WRKSRC}/portsentry.conf \ - ${PREFIX}/share/examples/portsentry/ - ${INSTALL_DATA} ${WRKSRC}/portsentry.ignore \ - ${PREFIX}/share/examples/portsentry/ - -.for i in ${DOCS} - ${INSTALL_DATA} ${WRKSRC}/${i} ${PREFIX}/share/doc/portsentry/ -.endfor + ${INSTALL_DATA} ${WRKSRC}/docs/*.md ${PREFIX}/share/doc/portsentry/ + lowdown -s -t man -m section=8 -m title=portsentry -m volume='' ${WRKSRC}/docs/Manual.md > ${PREFIX}/man/man8/portsentry.8 + lowdown -s -t man -m section=5 -m title=portsentry.conf -m volume='' ${WRKSRC}/docs/portsentry.conf.md > ${PREFIX}/man/man5/portsentry.conf.5 -NO_TEST= Yes +#lowdown -s -tman -m section=${sec} -mtitle=${name} -mvolume='' ${WRKSRC}/man/${name}.${sec}.md > ${PREFIX}/man/man${sec}/${name}.${sec -.include +.include Index: distinfo 
=================================================================== RCS file: /cvs/ports/security/portsentry/distinfo,v diff -u -p -r1.5 distinfo --- distinfo 18 Jan 2015 03:15:06 -0000 1.5 +++ distinfo 24 Jun 2025 09:51:20 -0000 @@ -1,2 +1,2 @@ -SHA256 (portsentry-1.2.tar.gz) = 3R7c/PLZ23tXIt5PHaNq5FcDvwWRevZXq290kb5/pS4= -SIZE (portsentry-1.2.tar.gz) = 48054 +SHA256 (portsentry-2.0.1-src.tar.xz) = 6TLDX/gqsnFvgSGXXd5VLW+hK38LTXKudaQr3QgNZXk= +SIZE (portsentry-2.0.1-src.tar.xz) = 138376 Index: patches/patch-CMakeLists_txt =================================================================== RCS file: patches/patch-CMakeLists_txt diff -N patches/patch-CMakeLists_txt --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-CMakeLists_txt 24 Jun 2025 09:51:20 -0000 
@@ -0,0 +1,37 @@ +Index: CMakeLists.txt +--- CMakeLists.txt.orig ++++ CMakeLists.txt +@@ -9,18 +9,11 @@ option(USE_PCAP "Build with pcap code and link with li + set(CONFIG_FILE "\"/etc/portsentry/portsentry.conf\"" CACHE STRING "Path to portsentry config file") + set(WRAPPER_HOSTS_DENY "\"/etc/hosts.deny\"" CACHE STRING "Path to hosts.deny file") + +-set(STANDARD_COMPILE_OPTS -Wall -Wextra -pedantic -Werror -Wformat -Wformat-security -Wstack-protector -Wshadow -Wredundant-decls -Wdisabled-optimization -Wnested-externs -Wstrict-overflow=2 -fPIE -fstack-protector-strong -fstrict-aliasing -fno-common -fno-strict-overflow -D_FORTIFY_SOURCE=2) ++set(STANDARD_COMPILE_OPTS -Wall -Wextra -pedantic -Werror -Wformat -Wformat-security -Wstack-protector -Wshadow -Wredundant-decls -Wdisabled-optimization -Wnested-externs -Wstrict-overflow=2 -fstack-protector-strong -fstrict-aliasing -fno-common -fno-strict-overflow -D_FORTIFY_SOURCE=2) + +-check_c_compiler_flag("-fcf-protection=full" COMPILER_SUPPORTS_CFI_PROTECTION) +- +-if (COMPILER_SUPPORTS_CFI_PROTECTION) +- set(STANDARD_COMPILE_OPTS ${STANDARD_COMPILE_OPTS} -fcf-protection=full) +-endif() +- +-set(STANDARD_LINK_OPTS -pie -Wl,-z,noexecstack -Wl,-z,now -Wl,-z,relro -Wl,-z,defs -Wl,--no-undefined) ++set(STANDARD_LINK_OPTS -Wl,-z,noexecstack -Wl,-z,now -Wl,-z,relro -Wl,-z,defs -Wl,--no-undefined) + set(CORE_SOURCE_FILES src/config_data.c src/configfile.c src/io.c src/util.c src/state_machine.c src/cmdline.c src/sentry_connect.c src/sighandler.c src/port.c src/packet_info.c src/ignore.c src/sentry.c src/block.c) + +-execute_process(COMMAND git log -1 --format=%h WORKING_DIRECTORY ${CMAKE_SOURCE_DIR} OUTPUT_VARIABLE GIT_COMMIT_HASH OUTPUT_STRIP_TRAILING_WHITESPACE) + add_definitions("-DGIT_COMMIT_HASH=\"${GIT_COMMIT_HASH}\"") + + if (USE_PCAP) +@@ -63,9 +56,9 @@ if (USE_PCAP) + endif() + + # INSTALL TARGETS for portsentry program +-install(TARGETS portsentry DESTINATION usr/sbin) +-install(FILES examples/portsentry.conf 
DESTINATION etc/portsentry) +-install(FILES examples/portsentry.ignore DESTINATION etc/portsentry) ++install(TARGETS portsentry DESTINATION sbin) ++install(FILES examples/portsentry.conf DESTINATION share/examples/portsentry) ++install(FILES examples/portsentry.ignore DESTINATION share/examples/portsentry) + + + # PORTCON - helper test program used in system tests Index: patches/patch-docs_portsentry_conf_md =================================================================== RCS file: patches/patch-docs_portsentry_conf_md diff -N patches/patch-docs_portsentry_conf_md --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-docs_portsentry_conf_md 24 Jun 2025 09:51:20 -0000 @@ -0,0 +1,9 @@ +Index: docs/portsentry.conf.md +--- docs/portsentry.conf.md.orig ++++ docs/portsentry.conf.md +@@ -1,4 +1,4 @@ +-% portsentry.conf(8) | System Manager's Manual ++% portsentry.conf(5) | System Manager's Manual + + # NAME + Index: patches/patch-examples_portsentry_conf =================================================================== RCS file: patches/patch-examples_portsentry_conf diff -N patches/patch-examples_portsentry_conf --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-examples_portsentry_conf 24 Jun 2025 09:51:20 -0000 
@@ -0,0 +1,29 @@ +Index: examples/portsentry.conf +--- examples/portsentry.conf.orig ++++ examples/portsentry.conf +@@ -166,12 +166,15 @@ BLOCKED_FILE="/tmp/portsentry.blocked" + # is cleaner than the above option. + #KILL_ROUTE="/sbin/route add -host $TARGET$ reject" + +-# Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD) ++# Generic BSD + #KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666" + + # FreeBSD + #KILL_ROUTE="route add -net $TARGET$ -netmask 255.255.255.255 127.0.0.1 -blackhole" + ++# OpenBSD ++#KILL_ROUTE="route add $TARGET$ 127.0.0.1 -reject" ++ + # iptables support for Linux + #KILL_ROUTE="/usr/local/bin/iptables -I INPUT -s $TARGET$ -j DROP" + +@@ -183,7 +186,7 @@ BLOCKED_FILE="/tmp/portsentry.blocked" + + # For those running pf (OpenBSD, etc.) + # NOTE THAT YOU NEED TO CHANGE external_interface to a valid interface +-#KILL_ROUTE="/bin/echo 'block in log on external_interface from $TARGET$/32 to any' | /sbin/pfctl -f -" ++#KILL_ROUTE="/bin/echo 'block in log on external_interface from $TARGET$/32 to any' | /sbin/pfctl -a portsentry -f -" + + + ################ Index: patches/patch-portsentry_c =================================================================== RCS file: patches/patch-portsentry_c diff -N patches/patch-portsentry_c --- patches/patch-portsentry_c 11 Mar 2022 19:53:52 -0000 1.2 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,12 +0,0 @@ ---- portsentry.c.orig Wed Oct 25 07:17:38 2006 -+++ portsentry.c Wed Oct 25 07:18:02 2006 -@@ -1581,8 +1581,7 @@ void - Usage (void) - { - printf ("PortSentry - Port Scan Detector.\n"); -- printf ("Copyright 1997-2003 Craig H. Rowland \n"); -+ printf ("Copyright 1997-2003 Craig H. Rowland \n"); - printf ("Licensing restrictions apply. Please see documentation\n"); - printf ("Version: %s\n\n", VERSION); - #ifdef SUPPORT_STEALTH Index: patches/patch-portsentry_conf =================================================================== RCS file: patches/patch-portsentry_conf diff -N patches/patch-portsentry_conf --- patches/patch-portsentry_conf 11 Mar 2022 19:53:52 -0000 1.2 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,15 +0,0 @@ ---- portsentry.conf.orig Fri May 23 20:10:13 2003 -+++ portsentry.conf Wed Oct 25 22:02:13 2006 -@@ -211,10 +211,10 @@ BLOCK_TCP="1" - #KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any" - # - # --# For those running ipfilt (OpenBSD, etc.) -+# For those running pf (OpenBSD, etc.) - # NOTE THAT YOU NEED TO CHANGE external_interface TO A VALID INTERFACE!! - # --#KILL_ROUTE="/bin/echo 'block in log on external_interface from $TARGET$/32 to any' | /sbin/ipf -f -" -+#KILL_ROUTE="/bin/echo 'block in log on external_interface from $TARGET$/32 to any' | /sbin/pfctl -f -" - - - ############### Index: pkg/DESCR =================================================================== RCS file: /cvs/ports/security/portsentry/pkg/DESCR,v diff -u -p -r1.2 DESCR --- pkg/DESCR 14 Aug 2003 02:52:04 -0000 1.2 +++ pkg/DESCR 24 Jun 2025 09:51:20 -0000 
@@ -1,5 +1,17 @@ -PortSentry is part of the Abacus Project suite of security tools. -It is a program designed to detect and respond to port scans against -a target host in real-time. There are other port scan detectors that -perform similar detection of scans, but PortSentry has some unique -features that may make it worth looking into +Portsentry monitors network traffic to detect port scans in real-time. +It can identify several types of scan, including TCP, UDP, SYN, FIN, +XMAS, and NULL scans. + +Upon detecting a port scan, Portsentry can respond in several ways to +mitigate the threat: + +- Blocking the attacker: It can automatically add the attacker's IP +address to the system's firewall or access control list, effectively +blocking any further connections from that IP. + +- Logging: Portsentry logs the details of the scan attempt, including +the source IP address, timestamp, and type of scan detected. This +information can be useful for forensic analysis and monitoring. + +- Notification: It can send alerts to system administrators via email +or other messaging systems to notify them of the detected scan. Index: pkg/PLIST =================================================================== RCS file: /cvs/ports/security/portsentry/pkg/PLIST,v diff -u -p -r1.7 PLIST --- pkg/PLIST 11 Mar 2022 19:53:52 -0000 1.7 +++ pkg/PLIST 24 Jun 2025 09:51:20 -0000 
@@ -1,8 +1,18 @@ -bin/portsentry +@man man/man5/portsentry.conf.5 +@man man/man8/portsentry.8 +@bin sbin/portsentry share/doc/portsentry/ -share/doc/portsentry/README.install -share/doc/portsentry/README.methods -share/doc/portsentry/README.stealth +share/doc/portsentry/Acknowledgement.md +@comment share/doc/portsentry/Contributing.md +@comment share/doc/portsentry/HOWTO-Compile.md +@comment share/doc/portsentry/HOWTO-Docker.md +@comment share/doc/portsentry/HOWTO-Fail2Ban.md +share/doc/portsentry/HOWTO-Logfile.md +share/doc/portsentry/HOWTO-Use-Cases.md +share/doc/portsentry/HOWTO-Use.md +@comment share/doc/portsentry/Manual.md +@comment share/doc/portsentry/README.md +@comment share/doc/portsentry/portsentry.conf.md share/examples/portsentry/ @sample ${SYSCONFDIR}/portsentry/ share/examples/portsentry/portsentry.conf
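Review bot: the commented-out line at the end of the Makefile hunk, `#lowdown -s -tman -m section=${sec} -mtitle=${name} -mvolume='' ${WRKSRC}/man/${name}.${sec}.md > ...`, looks like a drafting leftover (it is also truncated, the final `${sec` never closes) and refers to a `${WRKSRC}/man/` directory the port does not use; drop it before commit. Since `NO_TEST= Yes` goes away and `-DBUILD_TESTS=On` is passed, please confirm `make test` actually completes on OpenBSD: the CMakeLists context mentions "PORTCON - helper test program used in system tests", and system tests that need to bind or connect on the network may need a `do-test` override rather than the cmake module's default.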
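Review bot: in patch-CMakeLists_txt the `execute_process(COMMAND git log -1 --format=%h ...)` line is removed but `add_definitions("-DGIT_COMMIT_HASH=\"${GIT_COMMIT_HASH}\"")` is kept, so the binary is built with an empty commit hash; either drop the `add_definitions` line too or pass a value from the port, e.g. `-DGIT_COMMIT_HASH=$V` in CONFIGURE_ARGS, so that the version banner says something useful for a release tarball. Two smaller points on the same hunk: `-Werror` stays in STANDARD_COMPILE_OPTS, which means the next compiler update that adds a warning breaks the build, so consider patching it out as is usual in ports; and the removal of the `check_c_compiler_flag("-fcf-protection=full" ...)` block is not covered by the PIE rationale in the mail (it was already guarded by a compiler check), so a one-line comment at the top of the patch explaining it would help the next updater.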
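Review bot: the section fix in patch-docs_portsentry_conf_md (`portsentry.conf(8)` to `portsentry.conf(5)`) is a pure upstream bug and is worth sending to the GitHub project together with the OpenBSD install-path changes, so the local patches can disappear on the next update.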
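Review bot: the pf example in patch-examples_portsentry_conf, `... | /sbin/pfctl -a portsentry -f -`, replaces the whole rule set of the `portsentry` anchor every time it runs, so each newly blocked host overwrites the previously blocked one and only the most recent scanner stays blocked. A table accumulates addresses instead: something like `KILL_ROUTE="/sbin/pfctl -t portsentry -T add $TARGET$"` with `table <portsentry> persist` and `block in quick from <portsentry>` in /etc/pf.conf. Either way the anchor or table has to be referenced from the main pf.conf before the rule has any effect, which is exactly the kind of thing the pkg-readme mentioned in the mail should spell out.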
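Review bot: the PLIST hunk @comments six of the installed docs (Contributing.md, HOWTO-Compile.md, HOWTO-Docker.md, HOWTO-Fail2Ban.md, Manual.md, README.md, portsentry.conf.md) while post-install copies `${WRKSRC}/docs/*.md` wholesale; installing only the wanted files by name in post-install keeps the Makefile and PLIST in step and avoids silently picking up new upstream docs on the next update (Manual.md and portsentry.conf.md are already turned into man pages, so they need not be installed at all). Also, the visible PLIST ends at `share/examples/portsentry/portsentry.conf`, while patch-CMakeLists_txt installs `examples/portsentry.ignore` into the same directory: make sure that file and its `@sample ${SYSCONFDIR}/portsentry/portsentry.ignore` line are listed as well.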
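The fork-and-drop design Stuart suggests above (privileged parent for the response action, unprivileged child for everything that touches network input), shown as an added illustration that is neither part of the ports diff nor of Portsentry's own code. The account name `_portsentry`, the IPv4-only request format between child and parent, and the sample address are assumptions made for this example; the `pledge(2)` call is OpenBSD-specific and compiled in only there.

```c
/*
 * Added example, not Portsentry code: fork, keep root in the parent for the
 * response action only, drop privileges in the child before it processes
 * untrusted input. "_portsentry" is a hypothetical account name.
 */
#define _GNU_SOURCE          /* setresuid/setresgid prototypes on glibc */
#include <sys/types.h>
#include <sys/wait.h>
#include <ctype.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Look up the unprivileged account the detector should run as. */
int resolve_user(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

/*
 * Irreversibly drop to uid/gid. Order matters: supplementary groups and the
 * gid are changed while still root, the uid last. Each step is checked and
 * the result verified, since a silent failure would leave the process root.
 */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) == -1)
        return -1;
    if (setresgid(gid, gid, gid) == -1)
        return -1;
    if (setresuid(uid, uid, uid) == -1)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) != -1)   /* regaining root must now fail */
        return -1;
    return 0;
}

/*
 * The privileged parent acts only on well-formed requests from the child,
 * never on arbitrary strings. A request here is one dotted-quad IPv4 address
 * (assumption for the example); anything else is refused.
 */
int valid_request(const char *req)
{
    unsigned a, b, c, d;
    char tail;
    if (!isdigit((unsigned char)req[0]))
        return 0;
    if (sscanf(req, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return 0;
    return a < 256 && b < 256 && c < 256 && d < 256;
}

int main(void)
{
    uid_t uid;
    gid_t gid;
    int pipefd[2];
    pid_t pid;
    char line[64];
    FILE *in;

    if (resolve_user("_portsentry", &uid, &gid) == -1) {   /* hypothetical account */
        fprintf(stderr, "no such user\n");
        return 1;
    }
    if (pipe(pipefd) == -1 || (pid = fork()) == -1)
        return 1;
    if (pid == 0) {
        /* Child: privileged resources (bpf handle, config) would be opened
         * before this point; from here on it runs unprivileged. */
        const char *hit = "192.0.2.10\n";   /* constructed sample, TEST-NET-1 */
        close(pipefd[0]);
        if (drop_privileges(uid, gid) == -1)
            _exit(1);
#ifdef __OpenBSD__
        if (pledge("stdio inet", NULL) == -1)   /* no exec, no file access */
            _exit(1);
#endif
        /* ... detection loop; on a hit, ask the parent to block the source */
        if (write(pipefd[1], hit, strlen(hit)) < 0)
            _exit(1);
        _exit(0);
    }
    /* Parent: stays root, validates each request, then runs the response. */
    close(pipefd[1]);
    in = fdopen(pipefd[0], "r");
    while (in != NULL && fgets(line, sizeof line, in) != NULL) {
        line[strcspn(line, "\n")] = '\0';
        if (valid_request(line))
            printf("would run KILL_ROUTE for %s\n", line);   /* route/pfctl */
        else
            fprintf(stderr, "refused malformed request\n");
    }
    waitpid(pid, NULL, 0);
    return 0;
}
```

The split keeps the part that parses hostile packets away from root, and the narrow request format means the only thing the privileged side ever does with child-supplied data is pass a validated address to the configured blocking command.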