New Portsentry version, how to proceed?
On 6/24/25 11:53, Stuart Henderson wrote:
> * reply-to set to ports@
>
> On 2025/06/23 23:21, Kirill A. Korinsky wrote:
>> On Mon, 23 Jun 2025 21:05:05 +0200,
>> Marcus Hufvudsson <marcus@protohuf.net> wrote:
>>> Hi! The Portsentry project ran between 1997-2003. As a long time user, I
>>> recently picked up and revived the project. After much work, I have now
>>> released version 2.0. It includes bugfixes and new features. One of my
>>> goals with Portsentry 2.0 was to make sure I kept support for all the
>>> *BSD's. I plan to keep maintaining it and develop new features in the
>>> future.
>>>
>>>
>>> I'm now reaching out because I'm not sure of how to proceed regarding
>>> getting the new version into OpenBSD. Currently, Portsentry 1.2 lives in
>>> your repository, but maybe it's better suited in your ports collections
> It _is_ in ports, not the main repository.
Oh, right, my mistake.
>
>>> now that I'm maintaining it again? For your reference, the project is
>>> hosted here: https://github.com/portsentry/portsentry
>>>
>>>
>>> Please advise if or how you want to proceed.
>>>
>> The best way is to send a diff which updates security/portsentry to
>> ports@openbsd.org
> Here's a first cut at that, which might save time if somebody else is
> interested in picking this up. It could do with some extra bits like
> an rc script, perhaps a pkg-readme, and needs testing (I haven't done
> that). And preferably with a port maintainer listed in the Makefile
> who runs it on OpenBSD and can take care of updates etc.
>
> PIE-related flags patched out as our compilers do that by default where
> it works (iirc there may be some arch where it doesn't and we don't want
> PIE in those cases).
Would you like me to add an rc script and
perhaps make the makefile configurable to exclude PIE?
If I were to make an rc script, I could do with a good example to follow,
though.
>
> I think most OpenBSD users would be happier if it forked and restricted
> privileges to only the parts needed, dropping to an unprivileged user
> for other operations, rather than running entirely as root. That would
> be an upstream thing rather than a ports thing though.
I actually have privilege drop on my internal todo-list. I'll bump the
prio on it and see it done asap.
>
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/security/portsentry/Makefile,v
> diff -u -p -r1.14 Makefile
> --- Makefile 27 Sep 2023 16:34:35 -0000 1.14
> +++ Makefile 24 Jun 2025 09:51:20 -0000
> @@ -1,41 +1,31 @@
> COMMENT= port scan detection and active defense
>
> -DISTNAME= portsentry-1.2
> -CATEGORIES= security
> -REVISION = 0
> +V= 2.0.1
> +DISTNAME= portsentry-$V-src
> +PKGNAME= portsentry-$V
> +EXTRACT_SUFX= .tar.xz
>
> -# Common Public License
> -PERMIT_PACKAGE= Yes
> -WANTLIB= c
> +HOMEPAGE= https://portsentry.xyz/
> +SITES= https://github.com/portsentry/portsentry/releases/download/v$V/
>
> -SITES= ${SITE_SOURCEFORGE:=sentrytools/}
> +CATEGORIES= security
>
> -WRKDIST= ${WRKDIR}/portsentry_beta
> +# "Common Public License", see LICENSE, has patent "no litigation" terms
> +PERMIT_PACKAGE= Yes
>
> -ALL_TARGET= openbsd
> -MAKE_FLAGS= CFLAGS="${CFLAGS}"
> +WANTLIB= c pcap
>
> -DOCS= README.install README.methods README.stealth
> +MODULES= devel/cmake
> +CONFIGURE_ARGS= -DBUILD_TESTS=On
>
> -pre-build:
> - @perl -pi -e "s,/usr/local/psionic,${SYSCONFDIR}," \
> - ${WRKSRC}/portsentry.conf
> - @perl -pi -e "s,/usr/local/psionic,${SYSCONFDIR}," \
> - ${WRKSRC}/portsentry_config.h
> +BUILD_DEPENDS= textproc/lowdown
>
> -do-install:
> - ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/portsentry
> +post-install:
> ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/portsentry
> - ${INSTALL_PROGRAM} ${WRKSRC}/portsentry ${PREFIX}/bin
> - ${INSTALL_DATA} ${WRKSRC}/portsentry.conf \
> - ${PREFIX}/share/examples/portsentry/
> - ${INSTALL_DATA} ${WRKSRC}/portsentry.ignore \
> - ${PREFIX}/share/examples/portsentry/
> -
> -.for i in ${DOCS}
> - ${INSTALL_DATA} ${WRKSRC}/${i} ${PREFIX}/share/doc/portsentry/
> -.endfor
> + ${INSTALL_DATA} ${WRKSRC}/docs/*.md ${PREFIX}/share/doc/portsentry/
> + lowdown -s -t man -m section=8 -m title=portsentry -m volume='' ${WRKSRC}/docs/Manual.md > ${PREFIX}/man/man8/portsentry.8
> + lowdown -s -t man -m section=5 -m title=portsentry.conf -m volume='' ${WRKSRC}/docs/portsentry.conf.md > ${PREFIX}/man/man5/portsentry.conf.5
>
> -NO_TEST= Yes
> +#lowdown -s -tman -m section=${sec} -mtitle=${name} -mvolume='' ${WRKSRC}/man/${name}.${sec}.md > ${PREFIX}/man/man${sec}/${name}.${sec
>
> -.include <bsd.port.mk>
> +.include <bsd.port.mk>
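Review bot: the commented-out line `+#lowdown -s -tman -m section=${sec} ...` near the end of the hunk looks like a drafting leftover from the two lowdown invocations above it and is cut short (`${sec` never closes); drop it before commit. The `-.include <bsd.port.mk>` / `+.include <bsd.port.mk>` pair shows no visible difference, so it is presumably a whitespace-only change and just adds noise. Also, with NO_TEST removed and `-DBUILD_TESTS=On` passed, the port now expects `make test` to work, which the cover note says has not been tried yet.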
> Index: distinfo
> ===================================================================
> RCS file: /cvs/ports/security/portsentry/distinfo,v
> diff -u -p -r1.5 distinfo
> --- distinfo 18 Jan 2015 03:15:06 -0000 1.5
> +++ distinfo 24 Jun 2025 09:51:20 -0000
> @@ -1,2 +1,2 @@
> -SHA256 (portsentry-1.2.tar.gz) = 3R7c/PLZ23tXIt5PHaNq5FcDvwWRevZXq290kb5/pS4=
> -SIZE (portsentry-1.2.tar.gz) = 48054
> +SHA256 (portsentry-2.0.1-src.tar.xz) = 6TLDX/gqsnFvgSGXXd5VLW+hK38LTXKudaQr3QgNZXk=
> +SIZE (portsentry-2.0.1-src.tar.xz) = 138376
> Index: patches/patch-CMakeLists_txt
> ===================================================================
> RCS file: patches/patch-CMakeLists_txt
> diff -N patches/patch-CMakeLists_txt
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-CMakeLists_txt 24 Jun 2025 09:51:20 -0000
> @@ -0,0 +1,37 @@
> +Index: CMakeLists.txt
> +--- CMakeLists.txt.orig
> ++++ CMakeLists.txt
> +@@ -9,18 +9,11 @@ option(USE_PCAP "Build with pcap code and link with li
> + set(CONFIG_FILE "\"/etc/portsentry/portsentry.conf\"" CACHE STRING "Path to portsentry config file")
> + set(WRAPPER_HOSTS_DENY "\"/etc/hosts.deny\"" CACHE STRING "Path to hosts.deny file")
> +
> +-set(STANDARD_COMPILE_OPTS -Wall -Wextra -pedantic -Werror -Wformat -Wformat-security -Wstack-protector -Wshadow -Wredundant-decls -Wdisabled-optimization -Wnested-externs -Wstrict-overflow=2 -fPIE -fstack-protector-strong -fstrict-aliasing -fno-common -fno-strict-overflow -D_FORTIFY_SOURCE=2)
> ++set(STANDARD_COMPILE_OPTS -Wall -Wextra -pedantic -Werror -Wformat -Wformat-security -Wstack-protector -Wshadow -Wredundant-decls -Wdisabled-optimization -Wnested-externs -Wstrict-overflow=2 -fstack-protector-strong -fstrict-aliasing -fno-common -fno-strict-overflow -D_FORTIFY_SOURCE=2)
> +
> +-check_c_compiler_flag("-fcf-protection=full" COMPILER_SUPPORTS_CFI_PROTECTION)
> +-
> +-if (COMPILER_SUPPORTS_CFI_PROTECTION)
> +- set(STANDARD_COMPILE_OPTS ${STANDARD_COMPILE_OPTS} -fcf-protection=full)
> +-endif()
> +-
> +-set(STANDARD_LINK_OPTS -pie -Wl,-z,noexecstack -Wl,-z,now -Wl,-z,relro -Wl,-z,defs -Wl,--no-undefined)
> ++set(STANDARD_LINK_OPTS -Wl,-z,noexecstack -Wl,-z,now -Wl,-z,relro -Wl,-z,defs -Wl,--no-undefined)
> + set(CORE_SOURCE_FILES src/config_data.c src/configfile.c src/io.c src/util.c src/state_machine.c src/cmdline.c src/sentry_connect.c src/sighandler.c src/port.c src/packet_info.c src/ignore.c src/sentry.c src/block.c)
> +
> +-execute_process(COMMAND git log -1 --format=%h WORKING_DIRECTORY ${CMAKE_SOURCE_DIR} OUTPUT_VARIABLE GIT_COMMIT_HASH OUTPUT_STRIP_TRAILING_WHITESPACE)
> + add_definitions("-DGIT_COMMIT_HASH=\"${GIT_COMMIT_HASH}\"")
> +
> + if (USE_PCAP)
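Review bot: removing the `execute_process(COMMAND git log -1 --format=%h ...)` line while keeping `add_definitions("-DGIT_COMMIT_HASH=\"${GIT_COMMIT_HASH}\"")` leaves GIT_COMMIT_HASH unset at configure time, so the binary is built with an empty hash string wherever it reports its version. Either supply a value from the port (e.g. `-DGIT_COMMIT_HASH=${V}` or a release tag in CONFIGURE_ARGS, which ${GIT_COMMIT_HASH} will pick up as a cache variable) or patch the define out as well. Dropping `-fPIE`/`-pie` matches the cover note about the base compilers doing that by default.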
> +@@ -63,9 +56,9 @@ if (USE_PCAP)
> + endif()
> +
> + # INSTALL TARGETS for portsentry program
> +-install(TARGETS portsentry DESTINATION usr/sbin)
> +-install(FILES examples/portsentry.conf DESTINATION etc/portsentry)
> +-install(FILES examples/portsentry.ignore DESTINATION etc/portsentry)
> ++install(TARGETS portsentry DESTINATION sbin)
> ++install(FILES examples/portsentry.conf DESTINATION share/examples/portsentry)
> ++install(FILES examples/portsentry.ignore DESTINATION share/examples/portsentry)
> +
> +
> + # PORTCON - helper test program used in system tests
> Index: patches/patch-docs_portsentry_conf_md
> ===================================================================
> RCS file: patches/patch-docs_portsentry_conf_md
> diff -N patches/patch-docs_portsentry_conf_md
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-docs_portsentry_conf_md 24 Jun 2025 09:51:20 -0000
> @@ -0,0 +1,9 @@
> +Index: docs/portsentry.conf.md
> +--- docs/portsentry.conf.md.orig
> ++++ docs/portsentry.conf.md
> +@@ -1,4 +1,4 @@
> +-% portsentry.conf(8) | System Manager's Manual
> ++% portsentry.conf(5) | System Manager's Manual
> +
> + # NAME
> +
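Review bot: the section-number fix (8 to 5 for a configuration-file page) is an upstream documentation correction rather than something OpenBSD-specific; since the upstream maintainer is on this thread, it could go into the next release and this patch file be dropped then.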
> Index: patches/patch-examples_portsentry_conf
> ===================================================================
> RCS file: patches/patch-examples_portsentry_conf
> diff -N patches/patch-examples_portsentry_conf
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-examples_portsentry_conf 24 Jun 2025 09:51:20 -0000
> @@ -0,0 +1,29 @@
> +Index: examples/portsentry.conf
> +--- examples/portsentry.conf.orig
> ++++ examples/portsentry.conf
> +@@ -166,12 +166,15 @@ BLOCKED_FILE="/tmp/portsentry.blocked"
> + # is cleaner than the above option.
> + #KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
> +
> +-# Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)
> ++# Generic BSD
> + #KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
> +
> + # FreeBSD
> + #KILL_ROUTE="route add -net $TARGET$ -netmask 255.255.255.255 127.0.0.1 -blackhole"
> +
> ++# OpenBSD
> ++#KILL_ROUTE="route add $TARGET$ 127.0.0.1 -reject"
> ++
> + # iptables support for Linux
> + #KILL_ROUTE="/usr/local/bin/iptables -I INPUT -s $TARGET$ -j DROP"
> +
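Review bot: the new OpenBSD line `#KILL_ROUTE="route add $TARGET$ 127.0.0.1 -reject"` omits `-host`. route(8) infers host versus network from the address when neither modifier is given (a destination whose host part is zero is taken as a network), so for such a target a wider reject route than intended would be installed. `route add -host $TARGET$ 127.0.0.1 -reject`, mirroring the explicit netmask in the FreeBSD line just above, is the safer form.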
> +@@ -183,7 +186,7 @@ BLOCKED_FILE="/tmp/portsentry.blocked"
> +
> + # For those running pf (OpenBSD, etc.)
> + # NOTE THAT YOU NEED TO CHANGE external_interface to a valid interface
> +-#KILL_ROUTE="/bin/echo 'block in log on external_interface from $TARGET$/32 to any' | /sbin/pfctl -f -"
> ++#KILL_ROUTE="/bin/echo 'block in log on external_interface from $TARGET$/32 to any' | /sbin/pfctl -a portsentry -f -"
> +
> +
> + ################
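Review bot: `pfctl -a portsentry -f -` replaces the entire ruleset of the anchor on every load, so each newly detected scanner overwrites the previous block rule instead of adding to it, and rules in the anchor are only evaluated if pf.conf carries a matching `anchor "portsentry"` line. Per-host blocking fits a table better: a persistent table referenced by `block in from <portsentry>` in pf.conf and `KILL_ROUTE="/sbin/pfctl -t portsentry -T add $TARGET$"` here. Either way the pf.conf requirement is something for the pkg-readme the cover note mentions.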
> Index: patches/patch-portsentry_c
> ===================================================================
> RCS file: patches/patch-portsentry_c
> diff -N patches/patch-portsentry_c
> --- patches/patch-portsentry_c 11 Mar 2022 19:53:52 -0000 1.2
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,12 +0,0 @@
> ---- portsentry.c.orig Wed Oct 25 07:17:38 2006
> -+++ portsentry.c Wed Oct 25 07:18:02 2006
> -@@ -1581,8 +1581,7 @@ void
> - Usage (void)
> - {
> - printf ("PortSentry - Port Scan Detector.\n");
> -- printf ("Copyright 1997-2003 Craig H. Rowland <craigrowland at users dot
> --sourceforget dot net>\n");
> -+ printf ("Copyright 1997-2003 Craig H. Rowland <craigrowland at users dot sourceforget dot net>\n");
> - printf ("Licensing restrictions apply. Please see documentation\n");
> - printf ("Version: %s\n\n", VERSION);
> - #ifdef SUPPORT_STEALTH
> Index: patches/patch-portsentry_conf
> ===================================================================
> RCS file: patches/patch-portsentry_conf
> diff -N patches/patch-portsentry_conf
> --- patches/patch-portsentry_conf 11 Mar 2022 19:53:52 -0000 1.2
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,15 +0,0 @@
> ---- portsentry.conf.orig Fri May 23 20:10:13 2003
> -+++ portsentry.conf Wed Oct 25 22:02:13 2006
> -@@ -211,10 +211,10 @@ BLOCK_TCP="1"
> - #KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any"
> - #
> - #
> --# For those running ipfilt (OpenBSD, etc.)
> -+# For those running pf (OpenBSD, etc.)
> - # NOTE THAT YOU NEED TO CHANGE external_interface TO A VALID INTERFACE!!
> - #
> --#KILL_ROUTE="/bin/echo 'block in log on external_interface from $TARGET$/32 to any' | /sbin/ipf -f -"
> -+#KILL_ROUTE="/bin/echo 'block in log on external_interface from $TARGET$/32 to any' | /sbin/pfctl -f -"
> -
> -
> - ###############
> Index: pkg/DESCR
> ===================================================================
> RCS file: /cvs/ports/security/portsentry/pkg/DESCR,v
> diff -u -p -r1.2 DESCR
> --- pkg/DESCR 14 Aug 2003 02:52:04 -0000 1.2
> +++ pkg/DESCR 24 Jun 2025 09:51:20 -0000
> @@ -1,5 +1,17 @@
> -PortSentry is part of the Abacus Project suite of security tools.
> -It is a program designed to detect and respond to port scans against
> -a target host in real-time. There are other port scan detectors that
> -perform similar detection of scans, but PortSentry has some unique
> -features that may make it worth looking into
> +Portsentry monitors network traffic to detect port scans in real-time.
> +It can identify several types of scan, including TCP, UDP, SYN, FIN,
> +XMAS, and NULL scans.
> +
> +Upon detecting a port scan, Portsentry can respond in several ways to
> +mitigate the threat:
> +
> +- Blocking the attacker: It can automatically add the attacker's IP
> +address to the system's firewall or access control list, effectively
> +blocking any further connections from that IP.
> +
> +- Logging: Portsentry logs the details of the scan attempt, including
> +the source IP address, timestamp, and type of scan detected. This
> +information can be useful for forensic analysis and monitoring.
> +
> +- Notification: It can send alerts to system administrators via email
> +or other messaging systems to notify them of the detected scan.
> Index: pkg/PLIST
> ===================================================================
> RCS file: /cvs/ports/security/portsentry/pkg/PLIST,v
> diff -u -p -r1.7 PLIST
> --- pkg/PLIST 11 Mar 2022 19:53:52 -0000 1.7
> +++ pkg/PLIST 24 Jun 2025 09:51:20 -0000
> @@ -1,8 +1,18 @@
> -bin/portsentry
> +@man man/man5/portsentry.conf.5
> +@man man/man8/portsentry.8
> +@bin sbin/portsentry
> share/doc/portsentry/
> -share/doc/portsentry/README.install
> -share/doc/portsentry/README.methods
> -share/doc/portsentry/README.stealth
> +share/doc/portsentry/Acknowledgement.md
> +@comment share/doc/portsentry/Contributing.md
> +@comment share/doc/portsentry/HOWTO-Compile.md
> +@comment share/doc/portsentry/HOWTO-Docker.md
> +@comment share/doc/portsentry/HOWTO-Fail2Ban.md
> +share/doc/portsentry/HOWTO-Logfile.md
> +share/doc/portsentry/HOWTO-Use-Cases.md
> +share/doc/portsentry/HOWTO-Use.md
> +@comment share/doc/portsentry/Manual.md
> +@comment share/doc/portsentry/README.md
> +@comment share/doc/portsentry/portsentry.conf.md
> share/examples/portsentry/
> @sample ${SYSCONFDIR}/portsentry/
> share/examples/portsentry/portsentry.conf
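Stuart's privilege-separation suggestion above, sketched in C as an added illustration (this is not Portsentry's code and does not describe how the project implements it): the sniffer runs in a child that has dropped to an unprivileged account and can only hand addresses back over a socketpair, while the root parent checks that each one is a literal IP before substituting it into a KILL_ROUTE-style template. The `_portsentry` account, the socketpair protocol and the template (the patch's OpenBSD route line with `-host` added) are assumptions.

```c
#define _GNU_SOURCE                 /* setresuid/setresgid on glibc; harmless on OpenBSD */
#include <arpa/inet.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#define SENTRY_USER "_portsentry"   /* hypothetical unprivileged account */
#define KILL_ROUTE  "route add -host $TARGET$ 127.0.0.1 -reject"

/* Expand $TARGET$ in a KILL_ROUTE template; only a literal IPv4/IPv6 target is accepted. */
int build_block_cmd(const char *tmpl, const char *target, char *out, size_t outlen) {
    unsigned char a[16]; size_t used = 0, tlen = strlen(target);
    if (inet_pton(AF_INET, target, a) != 1 && inet_pton(AF_INET6, target, a) != 1) return -1;
    while (*tmpl) {
        int hit = strncmp(tmpl, "$TARGET$", 8) == 0;
        const char *src = hit ? target : tmpl; size_t n = hit ? tlen : 1;
        if (used + n >= outlen) return -1;         /* keep room for the NUL */
        memcpy(out + used, src, n); used += n; tmpl += hit ? 8 : 1;
    }
    out[used] = '\0';
    return 0;
}

/* Permanently drop to an unprivileged user: supplementary groups, gid, then uid. */
int drop_privileges(const char *user) {
    struct passwd *pw = getpwnam(user);
    if (!pw || setgroups(1, &pw->pw_gid) != 0) return -1;
    if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) return -1;
    return setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid);   /* 0 or -1 */
}

int main(void) {
    int sv[2]; char req[64], cmd[256]; ssize_t n; pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1 || (pid = fork()) == -1) return 1;
    if (pid == 0) {                        /* child: the sniffer, runs unprivileged */
        close(sv[0]);
        if (drop_privileges(SENTRY_USER) == -1) _exit(1);
        /* constructed sample: the address a scan was seen from */
        _exit(write(sv[1], "203.0.113.7", 11) != 11);
    }
    close(sv[1]);                          /* parent: keeps root only to run KILL_ROUTE */
    if ((n = read(sv[0], req, sizeof req - 1)) > 0) {
        req[n] = '\0';                     /* a real daemon would exec the command here */
        if (build_block_cmd(KILL_ROUTE, req, cmd, sizeof cmd) == 0) printf("root: %s\n", cmd);
    }
    return wait(NULL) == -1;
}
```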