From: Marcus Hufvudsson
Subject: Re: New Portsentry version, how to proceed?
To: ports
Date: Tue, 24 Jun 2025 17:27:04 +0200

On 6/24/25 11:53, Stuart Henderson wrote:
> * reply-to set to ports@
>
> On 2025/06/23 23:21, Kirill A. Korinsky wrote:
>> On Mon, 23 Jun 2025 21:05:05 +0200,
>> Marcus Hufvudsson wrote:
>>> Hi! The Portsentry project ran between 1997-2003. As a long-time user, I
>>> recently picked up and revived the project. After much work, I have now
>>> released version 2.0. It includes bugfixes and new features. One of my
>>> goals with Portsentry 2.0 was to make sure I kept support for all the
>>> *BSDs. I plan to keep maintaining it and develop new features in the
>>> future.
>>>
>>> I'm now reaching out because I'm not sure of how to proceed regarding
>>> getting the new version into OpenBSD. Currently, Portsentry 1.2 lives in
>>> your repository, but maybe it's better suited in your ports collection
> It _is_ in ports, not the main repository.

Oh, right, my mistake.

>>> now that I'm maintaining it again? For your reference, the project is
>>> hosted here: https://github.com/portsentry/portsentry
>>>
>>> Please advise if or how you want to proceed.
>>>
>> The best way is to send a diff which updates security/portsentry to
>> ports@openbsd.org
> Here's a first cut at that, which might save time if somebody else is
> interested in picking this up. It could do with some extra bits like
> an rc script, perhaps a pkg-readme, and needs testing (I haven't done
> that). And preferably with a port maintainer listed in the Makefile
> who runs it on OpenBSD and can take care of updates etc.
>
> PIE-related flags patched out as our compilers do that by default where
> it works (iirc there may be some arch where it doesn't and we don't want
> PIE in those cases).

Would you like me to add an rc script and perhaps make the makefile
configurable to exclude PIE? If I were to make an rc script I could do
with a good example to follow, though.
>
> I think most OpenBSD users would be happier if it forked and restricted
> privileges to only the parts needed, dropping to an unprivileged user
> for other operations, rather than running entirely as root. That would
> be an upstream thing rather than a ports thing though.

I actually have privilege drop on my internal todo-list. I'll bump the
prio on it and see it done asap.

> > Index: Makefile > =================================================================== > RCS file: /cvs/ports/security/portsentry/Makefile,v > diff -u -p -r1.14 Makefile > --- Makefile 27 Sep 2023 16:34:35 -0000 1.14 > +++ Makefile 24 Jun 2025 09:51:20 -0000 
> @@ -1,41 +1,31 @@ > COMMENT= port scan detection and active defense > > -DISTNAME= portsentry-1.2 > -CATEGORIES= security > -REVISION = 0 > +V= 2.0.1 > +DISTNAME= portsentry-$V-src > +PKGNAME= portsentry-$V > +EXTRACT_SUFX= .tar.xz > > -# Common Public License > -PERMIT_PACKAGE= Yes > -WANTLIB= c > +HOMEPAGE= https://portsentry.xyz/ > +SITES= https://github.com/portsentry/portsentry/releases/download/v$V/ > > -SITES= ${SITE_SOURCEFORGE:=sentrytools/} > +CATEGORIES= security > > -WRKDIST= ${WRKDIR}/portsentry_beta > +# "Common Public License", see LICENSE, has patent "no litigation" terms > +PERMIT_PACKAGE= Yes > > -ALL_TARGET= openbsd > -MAKE_FLAGS= CFLAGS="${CFLAGS}" > +WANTLIB= c pcap > > -DOCS= README.install README.methods README.stealth > +MODULES= devel/cmake > +CONFIGURE_ARGS= -DBUILD_TESTS=On > > -pre-build: > - @perl -pi -e "s,/usr/local/psionic,${SYSCONFDIR}," \ > - ${WRKSRC}/portsentry.conf > - @perl -pi -e "s,/usr/local/psionic,${SYSCONFDIR}," \ > - ${WRKSRC}/portsentry_config.h > +BUILD_DEPENDS= textproc/lowdown > > -do-install: > - ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/portsentry > +post-install: > ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/portsentry > - ${INSTALL_PROGRAM} ${WRKSRC}/portsentry ${PREFIX}/bin > - ${INSTALL_DATA} ${WRKSRC}/portsentry.conf \ > - ${PREFIX}/share/examples/portsentry/ > - ${INSTALL_DATA} ${WRKSRC}/portsentry.ignore \ > - ${PREFIX}/share/examples/portsentry/ > - > -.for i in ${DOCS} > - ${INSTALL_DATA} ${WRKSRC}/${i} ${PREFIX}/share/doc/portsentry/ > -.endfor > + ${INSTALL_DATA} ${WRKSRC}/docs/*.md ${PREFIX}/share/doc/portsentry/ > + lowdown -s -t man -m section=8 -m title=portsentry -m volume='' ${WRKSRC}/docs/Manual.md > ${PREFIX}/man/man8/portsentry.8 > + lowdown -s -t man -m section=5 -m title=portsentry.conf -m volume='' ${WRKSRC}/docs/portsentry.conf.md > ${PREFIX}/man/man5/portsentry.conf.5 > > -NO_TEST= Yes > +#lowdown -s -tman -m section=${sec} -mtitle=${name} -mvolume='' ${WRKSRC}/man/${name}.${sec}.md > 
${PREFIX}/man/man${sec}/${name}.${sec > > -.include > +.include > Index: distinfo > =================================================================== > RCS file: /cvs/ports/security/portsentry/distinfo,v > diff -u -p -r1.5 distinfo > --- distinfo 18 Jan 2015 03:15:06 -0000 1.5 > +++ distinfo 24 Jun 2025 09:51:20 -0000 > @@ -1,2 +1,2 @@ > -SHA256 (portsentry-1.2.tar.gz) = 3R7c/PLZ23tXIt5PHaNq5FcDvwWRevZXq290kb5/pS4= > -SIZE (portsentry-1.2.tar.gz) = 48054 > +SHA256 (portsentry-2.0.1-src.tar.xz) = 6TLDX/gqsnFvgSGXXd5VLW+hK38LTXKudaQr3QgNZXk= > +SIZE (portsentry-2.0.1-src.tar.xz) = 138376 > Index: patches/patch-CMakeLists_txt > =================================================================== > RCS file: patches/patch-CMakeLists_txt > diff -N patches/patch-CMakeLists_txt > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ patches/patch-CMakeLists_txt 24 Jun 2025 09:51:20 -0000 
> @@ -0,0 +1,37 @@ > +Index: CMakeLists.txt > +--- CMakeLists.txt.orig > ++++ CMakeLists.txt > +@@ -9,18 +9,11 @@ option(USE_PCAP "Build with pcap code and link with li > + set(CONFIG_FILE "\"/etc/portsentry/portsentry.conf\"" CACHE STRING "Path to portsentry config file") > + set(WRAPPER_HOSTS_DENY "\"/etc/hosts.deny\"" CACHE STRING "Path to hosts.deny file") > + > +-set(STANDARD_COMPILE_OPTS -Wall -Wextra -pedantic -Werror -Wformat -Wformat-security -Wstack-protector -Wshadow -Wredundant-decls -Wdisabled-optimization -Wnested-externs -Wstrict-overflow=2 -fPIE -fstack-protector-strong -fstrict-aliasing -fno-common -fno-strict-overflow -D_FORTIFY_SOURCE=2) > ++set(STANDARD_COMPILE_OPTS -Wall -Wextra -pedantic -Werror -Wformat -Wformat-security -Wstack-protector -Wshadow -Wredundant-decls -Wdisabled-optimization -Wnested-externs -Wstrict-overflow=2 -fstack-protector-strong -fstrict-aliasing -fno-common -fno-strict-overflow -D_FORTIFY_SOURCE=2) > + > +-check_c_compiler_flag("-fcf-protection=full" COMPILER_SUPPORTS_CFI_PROTECTION) > +- > +-if (COMPILER_SUPPORTS_CFI_PROTECTION) > +- set(STANDARD_COMPILE_OPTS ${STANDARD_COMPILE_OPTS} -fcf-protection=full) > +-endif() > +- > +-set(STANDARD_LINK_OPTS -pie -Wl,-z,noexecstack -Wl,-z,now -Wl,-z,relro -Wl,-z,defs -Wl,--no-undefined) > ++set(STANDARD_LINK_OPTS -Wl,-z,noexecstack -Wl,-z,now -Wl,-z,relro -Wl,-z,defs -Wl,--no-undefined) > + set(CORE_SOURCE_FILES src/config_data.c src/configfile.c src/io.c src/util.c src/state_machine.c src/cmdline.c src/sentry_connect.c src/sighandler.c src/port.c src/packet_info.c src/ignore.c src/sentry.c src/block.c) > + > +-execute_process(COMMAND git log -1 --format=%h WORKING_DIRECTORY ${CMAKE_SOURCE_DIR} OUTPUT_VARIABLE GIT_COMMIT_HASH OUTPUT_STRIP_TRAILING_WHITESPACE) > + add_definitions("-DGIT_COMMIT_HASH=\"${GIT_COMMIT_HASH}\"") > + > + if (USE_PCAP) > +@@ -63,9 +56,9 @@ if (USE_PCAP) > + endif() > + > + # INSTALL TARGETS for portsentry program > +-install(TARGETS portsentry DESTINATION 
usr/sbin) > +-install(FILES examples/portsentry.conf DESTINATION etc/portsentry) > +-install(FILES examples/portsentry.ignore DESTINATION etc/portsentry) > ++install(TARGETS portsentry DESTINATION sbin) > ++install(FILES examples/portsentry.conf DESTINATION share/examples/portsentry) > ++install(FILES examples/portsentry.ignore DESTINATION share/examples/portsentry) > + > + > + # PORTCON - helper test program used in system tests > Index: patches/patch-docs_portsentry_conf_md > =================================================================== > RCS file: patches/patch-docs_portsentry_conf_md > diff -N patches/patch-docs_portsentry_conf_md > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ patches/patch-docs_portsentry_conf_md 24 Jun 2025 09:51:20 -0000 > @@ -0,0 +1,9 @@ > +Index: docs/portsentry.conf.md > +--- docs/portsentry.conf.md.orig > ++++ docs/portsentry.conf.md > +@@ -1,4 +1,4 @@ > +-% portsentry.conf(8) | System Manager's Manual > ++% portsentry.conf(5) | System Manager's Manual > + > + # NAME > + > Index: patches/patch-examples_portsentry_conf > =================================================================== > RCS file: patches/patch-examples_portsentry_conf > diff -N patches/patch-examples_portsentry_conf > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ patches/patch-examples_portsentry_conf 24 Jun 2025 09:51:20 -0000 
> @@ -0,0 +1,29 @@ > +Index: examples/portsentry.conf > +--- examples/portsentry.conf.orig > ++++ examples/portsentry.conf > +@@ -166,12 +166,15 @@ BLOCKED_FILE="/tmp/portsentry.blocked" > + # is cleaner than the above option. > + #KILL_ROUTE="/sbin/route add -host $TARGET$ reject" > + > +-# Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD) > ++# Generic BSD > + #KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666" > + > + # FreeBSD > + #KILL_ROUTE="route add -net $TARGET$ -netmask 255.255.255.255 127.0.0.1 -blackhole" > + > ++# OpenBSD > ++#KILL_ROUTE="route add $TARGET$ 127.0.0.1 -reject" > ++ > + # iptables support for Linux > + #KILL_ROUTE="/usr/local/bin/iptables -I INPUT -s $TARGET$ -j DROP" > + > +@@ -183,7 +186,7 @@ BLOCKED_FILE="/tmp/portsentry.blocked" > + > + # For those running pf (OpenBSD, etc.) > + # NOTE THAT YOU NEED TO CHANGE external_interface to a valid interface > +-#KILL_ROUTE="/bin/echo 'block in log on external_interface from $TARGET$/32 to any' | /sbin/pfctl -f -" > ++#KILL_ROUTE="/bin/echo 'block in log on external_interface from $TARGET$/32 to any' | /sbin/pfctl -a portsentry -f -" > + > + > + ################ > Index: patches/patch-portsentry_c > =================================================================== > RCS file: patches/patch-portsentry_c > diff -N patches/patch-portsentry_c > --- patches/patch-portsentry_c 11 Mar 2022 19:53:52 -0000 1.2 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 
> @@ -1,12 +0,0 @@ > ---- portsentry.c.orig Wed Oct 25 07:17:38 2006 > -+++ portsentry.c Wed Oct 25 07:18:02 2006 > -@@ -1581,8 +1581,7 @@ void > - Usage (void) > - { > - printf ("PortSentry - Port Scan Detector.\n"); > -- printf ("Copyright 1997-2003 Craig H. Rowland --sourceforget dot net>\n"); > -+ printf ("Copyright 1997-2003 Craig H. Rowland \n"); > - printf ("Licensing restrictions apply. Please see documentation\n"); > - printf ("Version: %s\n\n", VERSION); > - #ifdef SUPPORT_STEALTH > Index: patches/patch-portsentry_conf > =================================================================== > RCS file: patches/patch-portsentry_conf > diff -N patches/patch-portsentry_conf > --- patches/patch-portsentry_conf 11 Mar 2022 19:53:52 -0000 1.2 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 > @@ -1,15 +0,0 @@ > ---- portsentry.conf.orig Fri May 23 20:10:13 2003 > -+++ portsentry.conf Wed Oct 25 22:02:13 2006 > -@@ -211,10 +211,10 @@ BLOCK_TCP="1" > - #KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any" > - # > - # > --# For those running ipfilt (OpenBSD, etc.) > -+# For those running pf (OpenBSD, etc.) > - # NOTE THAT YOU NEED TO CHANGE external_interface TO A VALID INTERFACE!! > - # > --#KILL_ROUTE="/bin/echo 'block in log on external_interface from $TARGET$/32 to any' | /sbin/ipf -f -" > -+#KILL_ROUTE="/bin/echo 'block in log on external_interface from $TARGET$/32 to any' | /sbin/pfctl -f -" > - > - > - ############### > Index: pkg/DESCR > =================================================================== > RCS file: /cvs/ports/security/portsentry/pkg/DESCR,v > diff -u -p -r1.2 DESCR > --- pkg/DESCR 14 Aug 2003 02:52:04 -0000 1.2 > +++ pkg/DESCR 24 Jun 2025 09:51:20 -0000 
> @@ -1,5 +1,17 @@ > -PortSentry is part of the Abacus Project suite of security tools. > -It is a program designed to detect and respond to port scans against > -a target host in real-time. There are other port scan detectors that > -perform similar detection of scans, but PortSentry has some unique > -features that may make it worth looking into > +Portsentry monitors network traffic to detect port scans in real-time. > +It can identify several types of scan, including TCP, UDP, SYN, FIN, > +XMAS, and NULL scans. > + > +Upon detecting a port scan, Portsentry can respond in several ways to > +mitigate the threat: > + > +- Blocking the attacker: It can automatically add the attacker's IP > +address to the system's firewall or access control list, effectively > +blocking any further connections from that IP. > + > +- Logging: Portsentry logs the details of the scan attempt, including > +the source IP address, timestamp, and type of scan detected. This > +information can be useful for forensic analysis and monitoring. > + > +- Notification: It can send alerts to system administrators via email > +or other messaging systems to notify them of the detected scan. > Index: pkg/PLIST > =================================================================== > RCS file: /cvs/ports/security/portsentry/pkg/PLIST,v > diff -u -p -r1.7 PLIST > --- pkg/PLIST 11 Mar 2022 19:53:52 -0000 1.7 > +++ pkg/PLIST 24 Jun 2025 09:51:20 -0000 
> @@ -1,8 +1,18 @@ > -bin/portsentry > +@man man/man5/portsentry.conf.5 > +@man man/man8/portsentry.8 > +@bin sbin/portsentry > share/doc/portsentry/ > -share/doc/portsentry/README.install > -share/doc/portsentry/README.methods > -share/doc/portsentry/README.stealth > +share/doc/portsentry/Acknowledgement.md > +@comment share/doc/portsentry/Contributing.md > +@comment share/doc/portsentry/HOWTO-Compile.md > +@comment share/doc/portsentry/HOWTO-Docker.md > +@comment share/doc/portsentry/HOWTO-Fail2Ban.md > +share/doc/portsentry/HOWTO-Logfile.md > +share/doc/portsentry/HOWTO-Use-Cases.md > +share/doc/portsentry/HOWTO-Use.md > +@comment share/doc/portsentry/Manual.md > +@comment share/doc/portsentry/README.md > +@comment share/doc/portsentry/portsentry.conf.md > share/examples/portsentry/ > @sample ${SYSCONFDIR}/portsentry/ > share/examples/portsentry/portsentry.conf
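Review bot: the commented-out `#lowdown -s -tman -m section=${sec} -mtitle=${name} ...` line at the end of the Makefile hunk is a leftover template and should be dropped before commit; if the aim was to avoid the two near-identical lowdown invocations, a `.for` loop over the two document/section pairs would do it, otherwise the two explicit lines in `post-install` are fine as they are. In the same hunk `${INSTALL_DATA} ${WRKSRC}/docs/*.md` installs every document under `docs/`, including the ones the PLIST then has to `@comment` out (Contributing.md, HOWTO-Docker.md, README.md and so on); installing only the files that are meant to ship keeps the fake tree and the PLIST in step without the `@comment` lines.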
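Review bot: `-Werror` stays in STANDARD_COMPILE_OPTS in the first hunk of patch-CMakeLists_txt, and a build that turns every warning into an error is fragile across the compilers and architectures the ports tree builds on, so it is worth patching out alongside the PIE flags. In the same hunk the `execute_process(COMMAND git log -1 --format=%h ...)` line is removed but `add_definitions("-DGIT_COMMIT_HASH=\"${GIT_COMMIT_HASH}\"")` is kept, so the binary is compiled with an empty hash; that is harmless for a release tarball that has no `.git`, but a short comment at the top of the patch saying so (or setting the value to the release version) would save the next updater a look.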
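Review bot: the section-number change in patch-docs_portsentry_conf_md (`portsentry.conf(8)` to `portsentry.conf(5)`) is a fix to upstream's own documentation rather than an OpenBSD adaptation; since upstream is on this thread it belongs in the next Portsentry release, after which the port patch can go away.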
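Review bot: the second hunk of patch-examples_portsentry_conf changes the pf example to `... | /sbin/pfctl -a portsentry -f -`, but loading a ruleset into an anchor with `-f` replaces whatever that anchor held before, so after the second detected host only the most recent one stays blocked. Accumulating hosts is what a table is for (`pfctl -t portsentry -T add $TARGET$` with `table <portsentry> persist` and a `block in quick from <portsentry>` rule in pf.conf), and either way the pf.conf side (`anchor portsentry` or the table definition) has to exist for the block to take effect, which is the kind of thing the pkg-readme mentioned above could spell out. The added `# OpenBSD` example `route add $TARGET$ 127.0.0.1 -reject` in the first hunk reads correctly.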
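The fork-and-drop layout suggested earlier in the thread, as an added illustration that is not part of this exchange and not Portsentry's code: the parent keeps root solely to act on a strictly validated block request, while the child drops to an unprivileged account before it touches anything network-facing. The `_portsentry` account name, the one-line `BLOCK <ipv4>` request format and the pipe between the two processes are assumptions of this example; the privileged action itself is left as a log line where a daemon would run its route or pfctl command.

```c
/* Privilege-separation skeleton (example code, not Portsentry's).
 * Parent: stays root, only executes validated block requests.
 * Child:  drops to an unprivileged user, is the only side that parses input. */
#define _GNU_SOURCE            /* setresuid/getresuid on glibc; harmless on BSD */
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define UNPRIV_USER "_portsentry"   /* hypothetical account name (assumption) */

/* Permanently drop to uid/gid: clear supplementary groups, set the real,
 * effective and saved ids, then verify the result and that root cannot be
 * regained. Returns 0 on success, -1 on failure (errno set by the failing call). */
int drop_privileges(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    if (getuid() == 0 && setgroups(1, &gid) != 0)      /* only root may do this */
        return -1;
    if (setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0)
        return -1;
    if (getresuid(&ru, &eu, &su) != 0 || ru != uid || eu != uid || su != uid)
        return -1;
    if (getresgid(&rg, &eg, &sg) != 0 || rg != gid || eg != gid || sg != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0)   /* re-escalation must be impossible now */
        return -1;
    return 0;
}

/* The only message the child may send: "BLOCK <dotted-quad>\n".
 * Strict parsing here is what keeps a hostile address string away from any
 * shell command the privileged side later runs. Returns 1 if valid, else 0. */
int parse_block_request(const char *msg, struct in_addr *addr)
{
    struct in_addr tmp;
    char ip[INET_ADDRSTRLEN];
    size_t n;

    if (addr == NULL)
        addr = &tmp;
    if (strncmp(msg, "BLOCK ", 6) != 0)
        return 0;
    n = strcspn(msg + 6, "\n");
    if (n == 0 || n >= sizeof ip || msg[6 + n] != '\n')   /* exactly one line */
        return 0;
    memcpy(ip, msg + 6, n);
    ip[n] = '\0';
    return inet_pton(AF_INET, ip, addr) == 1;
}

/* Privileged side: read requests, act only on the ones that validate. */
static void privileged_parent(int fd)
{
    FILE *in = fdopen(fd, "r");
    char line[128], buf[INET_ADDRSTRLEN];
    struct in_addr a;

    if (in == NULL)
        return;
    while (fgets(line, sizeof line, in) != NULL) {
        if (parse_block_request(line, &a))
            printf("parent: would block %s here\n", inet_ntop(AF_INET, &a, buf, sizeof buf));
        else
            fprintf(stderr, "parent: rejected malformed request\n");
    }
    fclose(in);
}

/* Unprivileged side: drops privileges first, then does the detection work.
 * Two constructed sample requests stand in for real detections. */
static void unprivileged_child(int fd, uid_t uid, gid_t gid)
{
    const char *good = "BLOCK 192.0.2.10\n";   /* constructed, documentation range */
    const char *bad  = "BLOCK 999.1.1.1\n";    /* constructed, not a valid address */

    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "child: privilege drop failed: %s\n", strerror(errno));
        _exit(1);
    }
    if (write(fd, good, strlen(good)) < 0 || write(fd, bad, strlen(bad)) < 0)
        _exit(1);
    _exit(0);
}

int main(void)
{
    struct passwd *pw = getpwnam(UNPRIV_USER);
    uid_t uid = pw ? pw->pw_uid : getuid();  /* fall back so a non-root demo still runs */
    gid_t gid = pw ? pw->pw_gid : getgid();
    int p[2];
    pid_t pid;

    if (pipe(p) != 0)
        return 1;
    /* Anything that genuinely needs root (a pcap handle, a raw socket) is
     * opened here, before fork(), and the descriptor is handed to the child. */
    if ((pid = fork()) < 0)
        return 1;
    if (pid == 0) {
        close(p[0]);
        unprivileged_child(p[1], uid, gid);
    }
    close(p[1]);
    privileged_parent(p[0]);
    return waitpid(pid, NULL, 0) < 0;
}
```

Run as root with the account present, the child ends up with all three uids set to that account and the parent is the only process that can ever reach a route or pfctl command; run as an ordinary user the drop is a no-op and the structure still exercises the request validation.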