It’s possible to run Brutus on a number of machines – it scales very well – but you can’t have unified reporting if each machine performs its own blocks.

This is how you can run Brutus as a client to the main server so that all blocks across all servers show up in reports.

First, PortSentry is installed on the client server (in the diagram above, that is the email server). The only change to portsentry.conf is that KILL_ROUTE runs the client shell script instead of instructrouter.sh.

portsentry.conf:

```bash
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"

ADVANCED_PORTS_TCP="65535"
ADVANCED_PORTS_UDP="65535"
ADVANCED_EXCLUDE_TCP="22"
ADVANCED_EXCLUDE_UDP=""

IGNORE_FILE="/etc/portsentry/portsentry.ignore"
HISTORY_FILE="/etc/portsentry/portsentry.history"
BLOCKED_FILE="/etc/portsentry/portsentry.blocked"

RESOLVE_HOST = "0"
SCAN_TRIGGER = "0"
KILL_RUN_CMD_FIRST = "0"

BLOCK_UDP="1"
BLOCK_TCP="1"

# target=source IP, port=touch detected on this port, mode=atcp,tcp,audp,udp
# only target's used for blocking, the rest is for logging
KILL_ROUTE="/etc/portsentry/brutusclient.sh $TARGET$ $PORT$ $MODE$"
```

This brutusclient.sh script is copied to /etc/portsentry; its only job is to SSH into the Brutus server and run instructrouter.sh there, passing the IP address to be blocked.

This means the client's root account needs an SSH public/private keypair as well, and its public key (/root/.ssh/id_rsa.pub) needs to be appended to the /root/.ssh/authorized_keys file on the Brutus server.

If, from the client server and logged in as root, you’re able to SSH into the Brutus server as root without entering a password, you’re good to go.

brutusclient.sh:

```bash
#!/bin/bash
# note: this host's public key for root needs to be in authorized_keys on the target host

# address of the Brutus server (no spaces around '=' or bash treats this as a command)
remotehostname="192.168.1.5"

# $1 is $TARGET$ from portsentry.conf; $PORT$ and $MODE$ ($2, $3) are only used for logging
ssh "root@$remotehostname" "/etc/portsentry/instructrouter.sh $1"
```
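The client script hands the address straight to a root session on the Brutus server, so two things are worth tightening on a production setup: the address is checked before it is forwarded, and the root key on the server is restricted to a forced command so it can only trigger instructrouter.sh, never open a shell, should the client host ever be compromised. Below is an added example in POSIX shell, not the Brutus project's own brutusclient.sh: the server address 192.168.1.5 and the instructrouter.sh path follow the page, while the function names and the wrapper path /etc/portsentry/brutus-forced.sh are assumptions. The same file serves both roles and picks one by the name it is installed under.

```shell
#!/bin/sh
# Added example, not the Brutus project's brutusclient.sh. Same layout as the page
# (PortSentry on the client, instructrouter.sh on the Brutus server at 192.168.1.5)
# plus two checks: the client validates the address before forwarding it, and the
# server side runs as an authorized_keys forced command so the root key can only
# trigger instructrouter.sh, never a shell. Function names and the wrapper path
# /etc/portsentry/brutus-forced.sh are assumptions, not names from the page.

BRUTUS_SERVER="192.168.1.5"
INSTRUCT_ROUTER="/etc/portsentry/instructrouter.sh"

# Return 0 if $1 is a plain dotted-quad IPv4 literal (four octets, each 0-255), else 1.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # digits and dots only, no empty octet
    esac
    n=0
    rest="$1."                                  # trailing dot terminates the last octet
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        n=$((n + 1))
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}

# Client: the exact command string sent to the server for one address; fails if the
# address is not a clean IPv4 literal. A function, so it can be checked without SSH.
remote_command() {
    valid_ipv4 "$1" || return 1
    printf '%s %s\n' "$INSTRUCT_ROUTER" "$1"
}

# Client: what KILL_ROUTE invokes. $1 = $TARGET$, $2 = $PORT$, $3 = $MODE$; only the
# target is forwarded, port and mode go to the local syslog as in the page's config.
brutus_client() {
    cmd=$(remote_command "$1") || { logger -t brutusclient "rejected target '$1'"; return 1; }
    logger -t brutusclient "forwarding block for $1 (port $2, mode $3) to $BRUTUS_SERVER"
    # BatchMode: never prompt for a password; a missing key fails fast instead of hanging
    ssh -o BatchMode=yes "root@$BRUTUS_SERVER" "$cmd"
}

# Server: extract the address from a request of the form "<instructrouter path> <ip>";
# anything else (another program, extra words, a malformed address) is refused.
forced_target() {
    set -f                  # no glob expansion while the request is word-split
    set -- $1
    set +f
    [ "$#" -eq 2 ] && [ "$1" = "$INSTRUCT_ROUTER" ] && valid_ipv4 "$2" || return 1
    printf '%s\n' "$2"
}

# Server: the forced command. sshd ignores whatever the client asked to run and hands
# it over in SSH_ORIGINAL_COMMAND instead, once the client's key line in
# /root/.ssh/authorized_keys starts with:
#   command="/etc/portsentry/brutus-forced.sh",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...
brutus_forced() {
    target=$(forced_target "$SSH_ORIGINAL_COMMAND") || {
        logger -t brutus-forced "rejected request: '$SSH_ORIGINAL_COMMAND'"
        return 1
    }
    "$INSTRUCT_ROUTER" "$target"
}

# One file, two roles: pick the role from the name the script is installed under.
case "${0##*/}" in
    brutusclient.sh)  brutus_client "$@" ;;
    brutus-forced.sh) brutus_forced ;;
esac
```

On the client, install the file as /etc/portsentry/brutusclient.sh and keep the KILL_ROUTE line as configured above. On the server, install it as /etc/portsentry/brutus-forced.sh and put the command= option from the comment in front of the client's key in /root/.ssh/authorized_keys. The manual check from the previous step then changes shape: `ssh -o BatchMode=yes root@192.168.1.5 true` should connect without a password prompt and be refused by the wrapper (with a "rejected request" line in the server's syslog) rather than drop you into a shell, which is the result you want.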