Goodness speaks in a whisper, evil shouts.”
Tibetan Proverb
BASH

Brutus – Brutus Client

By Updated:No Comments1 Min Read

It’s possible to have Brutus running on a number of machines – it scales very well – but you can’t have singular reporting if multiple machines are performing their own blocks.  

This is how you can run Brutus as a client to the main server so that all blocks across all servers show up in reports.

First, Portsentry is installed on the client server, referencing our diagram above it would be the email server.  There’s a minor change to the portsentry.conf, which is that it runs the client shellscript instead of the instructrouter.sh script.

portsentry.conf 
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"

ADVANCED_PORTS_TCP="65535"
ADVANCED_PORTS_UDP="65535"
ADVANCED_EXCLUDE_TCP="22"
ADVANCED_EXCLUDE_UDP=""

IGNORE_FILE="/etc/portsentry/portsentry.ignore"
HISTORY_FILE="/etc/portsentry/portsentry.history"
BLOCKED_FILE="/etc/portsentry/portsentry.blocked"

RESOLVE_HOST = "0"
SCAN_TRIGGER = "0"
KILL_RUN_CMD_FIRST = "0"

BLOCK_UDP="1"
BLOCK_TCP="1"

# target=source IP, port=touch detected on this port, mode=atcp,tcp,audp,udp
# only target's used for blocking, the rest is for logging
KILL_ROUTE="/etc/portsentry/brutusclient.sh $TARGET$ $PORT$ $MODE$"

This brutusclient.sh script is copied to /etc/portsentry , its only job is to SSH into the Brutus server and run instructrouter.sh from there, providing the IP address to be blocked.

This means the root account needs a public/private keypair as well, and the /root/.ssh/id-pub.rsa key needs to be copied to the server’s /root/.ssh/authorized_keys file.

If, from the client server and logged in as root, you’re able to SSH into the Brutus server as root without entering a password, you’re good to go.

brutusclient.sh 
#!/bin/bash
# note, this hosts's public key for root needs to be in authorized_keys on the target host

remotehostname = "192.168.1.5"

ssh [email protected]$remotehostname "/etc/portsentry/instructrouter.sh $1"

Post Views: 189

Related Posts

Leave A Reply

Secured By miniOrange