First, Portsentry is installed on the client server (in the diagram above, that is the email server). The only change to portsentry.conf is that KILL_ROUTE runs the client shell script, brutusclient.sh, instead of running instructrouter.sh directly:

portsentry.conf:

```bash
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"

ADVANCED_PORTS_TCP="65535"
ADVANCED_PORTS_UDP="65535"
ADVANCED_EXCLUDE_TCP="22"
ADVANCED_EXCLUDE_UDP=""

IGNORE_FILE="/etc/portsentry/portsentry.ignore"
HISTORY_FILE="/etc/portsentry/portsentry.history"
BLOCKED_FILE="/etc/portsentry/portsentry.blocked"

RESOLVE_HOST = "0"
SCAN_TRIGGER = "0"
KILL_RUN_CMD_FIRST = "0"

BLOCK_UDP="1"
BLOCK_TCP="1"

# $TARGET$ = source IP, $PORT$ = port the touch was detected on,
# $MODE$ = atcp, tcp, audp or udp.
# Only $TARGET$ is used for blocking; the rest is passed along for logging.
KILL_ROUTE="/etc/portsentry/brutusclient.sh $TARGET$ $PORT$ $MODE$"
```
The brutusclient.sh script is copied to /etc/portsentry. Its only job is to SSH into the Brutus server and run instructrouter.sh there, passing along the IP address to be blocked.
That means root on the client server needs its own public/private keypair as well (generated with ssh-keygen as root), and the public half, /root/.ssh/id_rsa.pub, has to be appended to /root/.ssh/authorized_keys on the Brutus server.
If, from the client server and logged in as root, you can SSH into the Brutus server as root without being prompted for a password, you're good to go. Bear in mind what that key grants: whoever gets root on the email server gets root on the Brutus server too, so restrict the key in authorized_keys (from= with the client's address, no-pty, no-port-forwarding, and a command= forced command that only allows instructrouter.sh) rather than leaving it as a general-purpose root login.
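Below is an added example of what brutusclient.sh can look like; it is not the script from the original post. It assumes a hypothetical Brutus hostname (BRUTUS_HOST), the key path from the step above, and that instructrouter.sh on the Brutus server takes the IP to block as its single argument. The point it adds to the description above is that the hook runs as root and forwards its first argument into a remote shell, so it validates that argument as an IPv4 address first, and it runs ssh in BatchMode so a broken key or unknown host key fails loudly into syslog instead of hanging Portsentry on a prompt.

```shell
#!/bin/sh
# brutusclient.sh - client-side KILL_ROUTE hook for Portsentry.
# Added example, not the script from the original post. Assumptions (hypothetical):
#   - the Brutus server is reachable as $BRUTUS_HOST and accepts root logins
#     with the key in $BRUTUS_KEY;
#   - /etc/portsentry/instructrouter.sh on the Brutus server takes the IP to
#     block as its single argument.
# Portsentry calls this as:  brutusclient.sh $TARGET$ $PORT$ $MODE$

BRUTUS_HOST="${BRUTUS_HOST:-brutus.example.internal}"   # hypothetical hostname
BRUTUS_KEY="${BRUTUS_KEY:-/root/.ssh/id_rsa}"
REMOTE_SCRIPT="/etc/portsentry/instructrouter.sh"
LOGTAG="brutusclient"

# Return 0 only if $1 is a dotted-quad IPv4 address (octets 0-255, no leading
# zeros). Portsentry fills $TARGET$ from the packet's source address, but a
# root-run hook that hands its argument to a remote shell should still refuse
# anything that is not plainly an address.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    _oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$_oldifs
    [ "$#" -eq 4 ] || return 1
    for _octet in "$@"; do
        case "$_octet" in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) [ "$_octet" -le 255 ] || return 1 ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# The exact command line that will be run on the Brutus server.
block_cmd() {
    printf '%s %s' "$REMOTE_SCRIPT" "$1"
}

# Ask the Brutus server to block $1. BatchMode makes ssh fail instead of
# prompting when the key is missing or the host key is unknown, so a broken
# trust setup surfaces in syslog rather than leaving Portsentry hanging.
block_remote() {
    ssh -i "$BRUTUS_KEY" -o BatchMode=yes -o ConnectTimeout=10 \
        "root@$BRUTUS_HOST" "$(block_cmd "$1")"
}

main() {
    target=$1; port=$2; mode=$3
    if ! valid_ipv4 "$target"; then
        logger -t "$LOGTAG" "refusing malformed target '$target' (port $port, mode $mode)"
        exit 1
    fi
    logger -t "$LOGTAG" "$target touched port $port/$mode; asking $BRUTUS_HOST to block it"
    block_remote "$target"
    rc=$?
    if [ "$rc" -ne 0 ]; then
        logger -t "$LOGTAG" "block request for $target to $BRUTUS_HOST failed (ssh exit $rc)"
        exit "$rc"
    fi
    logger -t "$LOGTAG" "$BRUTUS_HOST accepted block for $target"
}

# Only act when Portsentry hands us arguments; sourcing the file for its
# functions runs nothing.
[ "$#" -eq 0 ] || main "$@"
```

Install it as /etc/portsentry/brutusclient.sh, make it executable, and try it by hand as root (`/etc/portsentry/brutusclient.sh 203.0.113.7 31337 tcp`) before letting Portsentry drive it; the logger lines show up in syslog next to Portsentry's own entries. On the Brutus side, the matching authorized_keys entry can be pinned to this one use: with `command="..."` OpenSSH runs the forced command instead of whatever the client asked for and exposes the client's request in `SSH_ORIGINAL_COMMAND`, so a small wrapper that checks `$SSH_ORIGINAL_COMMAND` is exactly `/etc/portsentry/instructrouter.sh <valid IPv4>` before running it, combined with `from=`, `no-pty` and `no-port-forwarding`, turns the key from a root shell into a single-purpose block request.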