First, Portsentry is installed on the client server, which in the diagram above is the email server. The only change to portsentry.conf is that KILL_ROUTE runs the client shell script instead of calling instructrouter.sh directly:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
ADVANCED_PORTS_TCP="65535"
ADVANCED_PORTS_UDP="65535"
ADVANCED_EXCLUDE_TCP="22"
ADVANCED_EXCLUDE_UDP=""
IGNORE_FILE="/etc/portsentry/portsentry.ignore"
HISTORY_FILE="/etc/portsentry/portsentry.history"
BLOCKED_FILE="/etc/portsentry/portsentry.blocked"
RESOLVE_HOST = "0"
SCAN_TRIGGER = "0"
KILL_RUN_CMD_FIRST = "0"
BLOCK_UDP="1"
BLOCK_TCP="1"
# $TARGET$ = source IP of the probe, $PORT$ = the port it hit, $MODE$ = atcp, tcp, audp or udp
# only $TARGET$ is used for blocking; the other two are passed along for logging
KILL_ROUTE="/etc/portsentry/brutusclient.sh $TARGET$ $PORT$ $MODE$"
This brutusclient.sh script is copied to /etc/portsentry; its only job is to SSH into the Brutus server and run instructrouter.sh there, passing the IP address to be blocked.
This means root on the client server needs an SSH keypair as well, and its public key (/root/.ssh/id_rsa.pub) has to be appended to /root/.ssh/authorized_keys on the Brutus server.
If, logged in as root on the client server, you can SSH into the Brutus server as root without being prompted for a password, you're good to go. Keep in mind what that key grants, though: anyone who compromises the email server gets a passwordless root shell on Brutus. Once the plain login works, pin the key in authorized_keys with a command="..." forced command and the no-pty,no-port-forwarding options, so the client can request a block and nothing else.
#!/bin/bash
# Note: this host's root public key needs to be in root's authorized_keys on the Brutus server.
# Portsentry calls us as: brutusclient.sh $TARGET$ $PORT$ $MODE$; only the target IP ($1) is forwarded.
remotehostname="192.168.1.5"
# BatchMode=yes: fail instead of hanging on a password prompt when run from portsentry
ssh -o BatchMode=yes root@"$remotehostname" "/etc/portsentry/instructrouter.sh $1"
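The script above trusts whatever it is handed and the key behind it trusts the email server completely. Below is an added example, not code from the original post, showing both halves hardened: a brutusclient.sh that validates the target before it SSHes out, and the forced-command gate that root's authorized_keys on Brutus would point at, which only ever runs instructrouter.sh with a single IPv4 argument. The host 192.168.1.5 and the path /etc/portsentry/instructrouter.sh are from the post; the gate script name brutus-gate.sh, the BRUTUS_HOST variable and the log helper are assumptions made for the example. Both roles live in one file here so they can be read and tested together; in practice you would install the client half on the email server and the gate half on Brutus.

```bash
#!/bin/bash
# Added example, not the original post's code. Client (email server) and
# forced-command gate (Brutus) in one file for illustration. 192.168.1.5 and
# /etc/portsentry/instructrouter.sh come from the post; brutus-gate.sh and
# BRUTUS_HOST are assumed names.

BRUTUS_HOST=${BRUTUS_HOST:-192.168.1.5}
REMOTE_SCRIPT=/etc/portsentry/instructrouter.sh

log() {
    # syslog when available, stderr otherwise
    if command -v logger >/dev/null 2>&1; then logger -t brutus "$*"; else echo "brutus: $*" >&2; fi
}

# Accept only a plain dotted-quad IPv4 address. Portsentry fills $TARGET$ with
# the probing host's IP, but the value still ends up inside a command line that
# is executed as root on another machine, so both ends check it.
is_ipv4() {
    local ip=$1 octet
    case $ip in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-digit chars, or stray dots
    esac
    local IFS=.
    set -- $ip
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Client side: what KILL_ROUTE invokes as brutusclient.sh $TARGET$ $PORT$ $MODE$.
block_remote() {
    local target=$1 port=$2 mode=$3
    if ! is_ipv4 "$target"; then
        log "refusing to forward non-IPv4 target '$target' (port=$port mode=$mode)"
        return 1
    fi
    # BatchMode: never wait on a password prompt from inside portsentry.
    # ConnectTimeout: an unreachable Brutus box should fail, not hang.
    ssh -o BatchMode=yes -o ConnectTimeout=10 "root@$BRUTUS_HOST" "$REMOTE_SCRIPT $target"
}

# Server side: sshd runs this instead of whatever the client asked for when the
# client's key is pinned in /root/.ssh/authorized_keys like so:
#   command="/etc/portsentry/brutus-gate.sh",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA... root@mailserver
# The client's original request arrives in $SSH_ORIGINAL_COMMAND. Anything other
# than "instructrouter.sh <ipv4>" is rejected, so a compromised email server can
# ask for a block and nothing else.
gate_command() {
    local script ip extra
    read -r script ip extra <<EOF
$1
EOF
    [ -z "$extra" ] || return 1                  # exactly two words allowed
    [ "$script" = "$REMOTE_SCRIPT" ] || return 1
    is_ipv4 "$ip" || return 1
    printf '%s %s\n' "$script" "$ip"             # the only command that will run
}

# Dispatch: act as the forced command when invoked by sshd, as the client otherwise.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    cmd=$(gate_command "$SSH_ORIGINAL_COMMAND") || { log "rejected: $SSH_ORIGINAL_COMMAND"; exit 1; }
    exec $cmd
elif [ $# -eq 3 ]; then
    block_remote "$1" "$2" "$3"
fi
```

With the key pinned this way, the "SSH in as root without a password" check from above no longer drops you into a shell; instead the gate runs and rejects the empty command, which is exactly the behaviour you want. Test it from the email server with something like `ssh root@192.168.1.5 /etc/portsentry/instructrouter.sh 10.0.0.7` and confirm that `ssh root@192.168.1.5 id` is refused.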