15. Checking for open ports

To compile with support for this option, use the configure option

./configure --enable-port-check

This module enables samhain to check for open ports (services) on the local machine and to report ports that are open but not listed in the configuration. Reports have the form:

interface:portnumber/protocol (maybe_servicename)

This is a non-RPC service, e.g. 192.168.1.2:22/tcp (maybe_ssh). The service name is taken from /etc/services, and prepended by maybe_, because samhain cannot determine whether it really is the SSH daemon that is listening on this port.

interface:portnumber/protocol (servicename)

This is an RPC service, e.g. 192.168.1.2:2049/tcp (nfs). The service name is obtained by querying the portmapper daemon. The portmapper daemon may return a service name as listed in /etc/rpc, or just a number (if there is no name for the service). If the portmapper daemon only returns the number of the RPC service, samhain will list RPC_number as servicename.

15.1. Options

By default, (only) the interface corresponding to the 'official name' of the host will be scanned. Additional interfaces can be added via the option PortCheckInterface= (list of) IP address(es) , where 'IP address' is the address of the interface that should be scanned. You can use this option multiple times to specify up to 15 additional interfaces, or supply a list of interfaces.

[Note]Don't specify external interfaces

While it is possible to misuse this option to specify an external IP address, the check will only work for interfaces on the local machine.

If addresses are dynamically assigned, you can use instead PortCheckDevice= (list of) device(s) to specify device(s) to scan, regardless of address(es) assigned to them (each address counts towards the maximum of 63 interfaces for PortCheckInterface). Devices will be re-checked before scan to account for address changes.

Services (open ports) that are required or optional (allowed, but not required) can be specified with the options PortCheckRequired= interface:service list , and/or PortCheckOptional= interface:service list .

Services (open ports) that should be completely ignored can be specified with the option PortCheckIgnore= interface:service list .

Here, 'interface' should be the IP address of an interface, and 'service list' the comma-separated list of required/optional services. Each service must be listed as 'port/protocol' (e.g. 22/tcp) for a non-RPC service, and 'name/protocol' for an RPC service (e.g. portmapper/tcp). If an RPC service has no name, but just an RPC program number, then the name must be given as 'RPC_number' (e.g. RPC_100075).

[Note]Interface specification

The PortCheckRequired, PortCheckOptional, PortCheckIgnore options are considered whenever the port is checked on some specific interface, and thus the interface needs to match and is not optional.

By default, both TCP and UDP ports are scanned. To disable UDP scanning, the option PortCheckUDP= boolean can be used.

Ports that should be skipped during the check can be specified with the option PortCheckSkip= interface:port list .

Here, 'interface' should be the IP address of an interface, and 'port list' the comma-separated list of 'port/protocol' pairs (e.g.: 22/tcp,514/udp,...) to skip.

This option differs from PortCheckIgnore=... in three ways: (i) since it only allows skipping ports, it does not work for RPC services, which have no fixed port; (ii) since the port is never probed, you avoid error messages (or lockouts) from daemons that log or count failed connection attempts; and (iii) it works without specifying an interface (equivalent to ALL).
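The following Python script is an added illustration of the matching rules described in this section; it is not samhain code and probes nothing. It parses the interface:service-list syntax of PortCheckRequired, PortCheckOptional, PortCheckIgnore and PortCheckSkip, classifies report lines written in the interface:port/protocol (service) format shown above, and lists required services that were not seen open. The configuration, the report lines, the port numbers and the interface addresses are constructed for the example, and it assumes that a non-RPC report always carries the maybe_ prefix while an RPC report carries the bare name or RPC_number.

```python
"""Model of the PortCheck policy semantics (constructed example, not samhain code)."""
import re
from collections import defaultdict

# A policy entry: "port/proto" (non-RPC), "name/proto" or "RPC_number/proto" (RPC).
ENTRY_RE = re.compile(r"^(?P<svc>[A-Za-z0-9_.-]+)/(?P<proto>tcp|udp)$")
# A report line: interface:port/proto (maybe_name | rpcname | RPC_number).
REPORT_RE = re.compile(
    r"^(?P<iface>[0-9a-f.:]+):(?P<port>\d+)/(?P<proto>tcp|udp) \((?P<svc>[^)]+)\)$", re.I)


def parse_service_list(value, interface_required=True):
    """Return (interface, {(svc, proto), ...}) for one option value.

    Only PortCheckSkip may omit the interface (it then applies to ALL);
    rpartition keeps the colons of an IPv6 address together.
    """
    iface, sep, lst = value.rpartition(":")
    if not sep:
        if interface_required:
            raise ValueError(f"interface required in {value!r}")
        iface, lst = "ALL", value
    entries = set()
    for item in lst.split(","):
        m = ENTRY_RE.match(item.strip())
        if not m:
            raise ValueError(f"bad entry {item!r}: want port/proto, name/proto or RPC_number/proto")
        if not interface_required and not m["svc"].isdigit():
            raise ValueError(f"PortCheckSkip takes port numbers only, not {item!r}")
        entries.add((m["svc"], m["proto"]))
    return iface, entries


def parse_report(line):
    """Split a report line into (interface, port, proto, match_key)."""
    m = REPORT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable report line {line!r}")
    iface, port, proto, svc = m["iface"], m["port"], m["proto"], m["svc"]
    # Assumption: "maybe_" marks a guess from /etc/services (match by port);
    # anything else came from the portmapper (match by RPC name / RPC_number).
    key = (port, proto) if svc.startswith("maybe_") else (svc, proto)
    return iface, port, proto, key


class PortPolicy:
    OPTIONS = ("PortCheckRequired", "PortCheckOptional", "PortCheckIgnore", "PortCheckSkip")

    def __init__(self, config):
        # option -> interface -> set of (svc, proto)
        self.lists = {opt: defaultdict(set) for opt in self.OPTIONS}
        for option, value in config:
            if option not in self.lists:
                raise ValueError(f"unknown option {option}")
            iface, entries = parse_service_list(value, option != "PortCheckSkip")
            self.lists[option][iface] |= entries

    def classify(self, line):
        iface, port, proto, key = parse_report(line)
        # Skip is decided by port alone and may be unqualified (ALL): never probed.
        skip = self.lists["PortCheckSkip"]
        if (port, proto) in skip["ALL"] or (port, proto) in skip[iface]:
            return "skipped"
        for option, verdict in (("PortCheckRequired", "required"),
                                ("PortCheckOptional", "optional"),
                                ("PortCheckIgnore", "ignored")):
            if key in self.lists[option][iface]:  # the interface must match exactly
                return verdict
        return "unexpected"

    def audit(self, lines):
        """Bucket open ports by verdict and list required services not seen open."""
        result, seen = defaultdict(list), defaultdict(set)
        for line in lines:
            verdict = self.classify(line)
            result[verdict].append(line)
            if verdict != "skipped":  # a skipped port is never observed
                iface, _, _, key = parse_report(line)
                seen[iface].add(key)
        for iface, entries in self.lists["PortCheckRequired"].items():
            for svc, proto in sorted(entries - seen[iface]):
                result["missing"].append(f"{iface}:{svc}/{proto}")
        return dict(result)


# Constructed configuration, modelled on the example in this section.
CONFIG = [
    ("PortCheckRequired", "192.168.1.128:22/tcp,25/tcp,80/tcp,portmapper/tcp,portmapper/udp"),
    ("PortCheckOptional", "192.168.1.128:nfs/tcp"),
    ("PortCheckIgnore", "192.168.1.128:RPC_100075/udp"),
    ("PortCheckSkip", "3306/tcp"),  # no interface: applies to ALL
]

# Constructed report lines in the format described above (not real samhain output).
OBSERVED = [
    "192.168.1.128:22/tcp (maybe_ssh)",
    "192.168.1.128:25/tcp (maybe_smtp)",
    "192.168.1.128:111/tcp (portmapper)",
    "192.168.1.128:111/udp (portmapper)",
    "192.168.1.128:2049/tcp (nfs)",
    "192.168.1.128:3306/tcp (maybe_mysql)",
    "192.168.1.128:4045/udp (RPC_100075)",
    "192.168.1.129:22/tcp (maybe_ssh)",  # same port, other interface: still unexpected
]


def run_example():
    return PortPolicy(CONFIG).audit(OBSERVED)


if __name__ == "__main__":
    for verdict, items in run_example().items():
        print(verdict, items)
```

The two results worth noticing are the ssh port on 192.168.1.129, which stays "unexpected" although 22/tcp is required on 192.168.1.128 (the interface is part of the match), and 80/tcp, which is reported as missing because it is required but not open.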

[Tip]MySQL (port 3306)

MySQL counts unsuccessful connection attempts per source host (the max_connect_errors limit) and refuses further connections from that host once the limit is exceeded. Since a port probe opens and closes the connection without completing the MySQL handshake, every scan adds to that count. You may want to use the PortCheckSkip option to avoid probing the MySQL port.

By default, all ports from 0 to 65535 are scanned. To change these limits, the options PortCheckMinPort= integer and PortCheckMaxPort= integer can be used.

15.2. Example configuration

	  [PortCheck]
	  #
	  # Activate (default is on)
	  #
	  PortCheckActive = yes
	  
	  # The severity of reports: debug/info/notice/warn/err/crit/alert
	  # (default is crit)
	  #
	  SeverityPortCheck = crit
	  
	  # These are the defaults
	  #
	  PortCheckMinPort = 0
	  PortCheckMaxPort = 65535
	  
	  # Services that are required. This example specifies ssh (22/tcp), 
	  # smtp (25/tcp), http (80/tcp), and portmapper.
	  #
	  PortCheckRequired = 192.168.1.128:22/tcp,25/tcp,80/tcp,portmapper/tcp,portmapper/udp
	  
	  # Services that are optional. This example specifies 
	  # mysql (3306/tcp).
	  #
	  PortCheckOptional = 192.168.1.128:3306/tcp
	  
	  # Additional interfaces to scan. This example presumes that
	  # the 'official hostname' corresponds to 192.168.1.128, and
	  # that the machine has three more interfaces.
	  # 127.0.0.1 (localhost) is not listed, hence not scanned.
	  #
	  PortCheckInterface = 192.168.1.129
	  PortCheckInterface = 192.168.1.130
	  PortCheckInterface = 192.168.1.131
	  
	  # The interval (in seconds) for port checks (default is 300 sec)
	  #
	  PortCheckInterval = 300
	  
	  # By default, UDP ports are checked as well as TCP ports.
	  #
	  PortCheckUDP = yes
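The fragment below is an added variant of the configuration above; it is not taken from the samhain manual. It shows the difference between listing the MySQL port as optional (it is still probed on every scan, which can trip the MySQL connection-error limit described in the tip above) and skipping it, and it uses PortCheckDevice instead of fixed addresses for interfaces whose addresses change. The device names eth1 and eth2, the addresses and the RPC program number are assumptions, and the comma-separated device list is assumed to follow the same list syntax as PortCheckInterface.

```ini
[PortCheck]
PortCheckActive = yes
SeverityPortCheck = crit

PortCheckRequired = 192.168.1.128:22/tcp,25/tcp,80/tcp,portmapper/tcp,portmapper/udp

# Weak: the port is still probed every interval, so each scan counts
# as a failed connection on the MySQL side.
#PortCheckOptional = 192.168.1.128:3306/tcp

# Better: never probe 3306/tcp. No interface is given, so the skip
# applies to all scanned interfaces.
PortCheckSkip = 3306/tcp

# An RPC service with no name in /etc/rpc: use its program number,
# and give the interface, which is mandatory for Ignore/Required/Optional.
PortCheckIgnore = 192.168.1.128:RPC_100075/udp

# Interfaces with dynamically assigned addresses: name the devices;
# their current addresses are looked up again before each scan.
PortCheckDevice = eth1,eth2

PortCheckInterval = 300
PortCheckUDP = yes
```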