
It's possible to run Brutus on a number of machines (it scales very well), but you can't get a single, consolidated report if each machine performs its own blocks.

This is how you can run Brutus as a client to the main server so that all blocks across all servers show up in reports.

First, Portsentry is installed on the client server (referencing our diagram above, that would be the email server). The only change to portsentry.conf is the KILL_ROUTE line, which now runs the client shell script, brutusclient.sh, instead of the instructrouter.sh script.

portsentry.conf:

```bash
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"

ADVANCED_PORTS_TCP="65535"
ADVANCED_PORTS_UDP="65535"
ADVANCED_EXCLUDE_TCP="22"
ADVANCED_EXCLUDE_UDP=""

IGNORE_FILE="/etc/portsentry/portsentry.ignore"
HISTORY_FILE="/etc/portsentry/portsentry.history"
BLOCKED_FILE="/etc/portsentry/portsentry.blocked"

RESOLVE_HOST = "0"
SCAN_TRIGGER = "0"
KILL_RUN_CMD_FIRST = "0"

BLOCK_UDP="1"
BLOCK_TCP="1"

# target=source IP, port=touch detected on this port, mode=atcp,tcp,audp,udp
# only target's used for blocking, the rest is for logging
KILL_ROUTE="/etc/portsentry/brutusclient.sh $TARGET$ $PORT$ $MODE$"
```

The brutusclient.sh script is copied to /etc/portsentry. Its only job is to SSH into the Brutus server and run instructrouter.sh there, passing it the IP address to be blocked.

This means the client's root account needs an SSH public/private keypair as well, and its public key, /root/.ssh/id_rsa.pub, needs to be added to the Brutus server's /root/.ssh/authorized_keys file.

If, from the client server and logged in as root, you can SSH into the Brutus server as root without being asked for a password, you're good to go.

brutusclient.sh:

```bash
#!/bin/bash
# note, this host's public key for root needs to be in authorized_keys on the target host

remotehostname="192.168.1.5"

# $1 is the address Portsentry passes in as $TARGET$ via KILL_ROUTE
ssh root@"$remotehostname" "/etc/portsentry/instructrouter.sh $1"
```
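A hardened variant of brutusclient.sh, added here as an example rather than taken from the original post: it checks that what Portsentry handed it is a plain IPv4 address, a known mode and a sane port before anything is interpolated into the remote command, logs the decision locally via syslog, and uses a dedicated key in BatchMode so a missing key fails instead of prompting. The key path /root/.ssh/brutus_ed25519 is a hypothetical name; the server address 192.168.1.5 is the one from the script above.

```shell
#!/bin/bash
# Hardened brutusclient.sh (added example, not the original script).
# Portsentry invokes it as: brutusclient.sh $TARGET$ $PORT$ $MODE$
# Assumes the Brutus server 192.168.1.5 (as on the page) and a dedicated
# key /root/.ssh/brutus_ed25519 (hypothetical path) authorised for root there.
BRUTUS_SERVER="192.168.1.5"
BRUTUS_KEY="/root/.ssh/brutus_ed25519"

# Return 0 only for a dotted-quad IPv4 address with four octets in 0-255, so
# nothing but a clean address is ever interpolated into the remote command.
validate_ipv4() {
    ip="$1"
    case "$ip" in ""|*[!0-9.]*) return 1 ;; esac
    IFS=. read -r a b c d rest <<EOF
$ip
EOF
    [ "$a.$b.$c.$d" = "$ip" ] || return 1     # exactly four fields
    for oct in "$a" "$b" "$c" "$d"; do
        [ -n "$oct" ] && [ "${#oct}" -le 3 ] && [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# MODE values from the comment in portsentry.conf; PORT must be 1-65535.
validate_mode() { case "$1" in atcp|tcp|audp|udp) return 0 ;; *) return 1 ;; esac; }
validate_port() {
    case "$1" in ""|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Validate Portsentry's arguments, log locally, then hand the address to
# instructrouter.sh on the Brutus server. BatchMode=yes makes ssh fail rather
# than prompt if the key is missing, so Portsentry can never hang on a prompt.
brutus_block() {
    target="$1" port="$2" mode="$3"
    if ! validate_ipv4 "$target" || ! validate_port "$port" || ! validate_mode "$mode"; then
        logger -t brutusclient "rejected arguments: '$target' '$port' '$mode'"
        return 2
    fi
    logger -t brutusclient "blocking $target (port $port, mode $mode) via $BRUTUS_SERVER"
    ssh -i "$BRUTUS_KEY" -o BatchMode=yes -o ConnectTimeout=10 \
        "root@$BRUTUS_SERVER" "/etc/portsentry/instructrouter.sh $target"
}

# Only act when Portsentry actually passes arguments.
if [ "$#" -ge 1 ]; then brutus_block "$@"; fi
```

On the Brutus server, the same key's line in /root/.ssh/authorized_keys can be prefixed with `restrict,command="/etc/portsentry/instructrouter.sh"` so that key can run nothing else; instructrouter.sh then has to read the address from $SSH_ORIGINAL_COMMAND instead of $1.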