To compile with support for this option, use the configure option
./configure --enable-port-check
This module enables samhain to check for open ports (services) on the local machine, and report ports that are open, but not listed in the configuration. Reports are like:
- interface:portnumber/protocol (maybe_servicename)
  This is a non-RPC service, e.g. 192.168.1.2:22/tcp (maybe_ssh). The service name is taken from /etc/services, and prepended by maybe_, because samhain cannot determine whether it really is the SSH daemon that is listening on this port.
- interface:portnumber/protocol (servicename)
  This is an RPC service, e.g. 192.168.1.2:2049/tcp (nfs). The service name is obtained by querying the portmapper daemon. The portmapper daemon may return a service name as listed in /etc/rpc, or just a number (if there is no name for the service). If the portmapper daemon only returns the number of the RPC service, samhain will list RPC_number as servicename.
By default, (only) the interface corresponding to the 'official name' of the host will be scanned. Additional interfaces can be added via the option PortCheckInterface=(list of) IP address(es), where 'IP address' is the address of the interface that should be scanned. You can use this option multiple times to specify up to 15 additional interfaces, or supply a list of interfaces.
Note: Don't specify external interfaces. While it is possible to misuse this option to specify an external IP address, the check will only work for interfaces on the local machine.
If addresses are dynamically assigned, you can instead use PortCheckDevice=(list of) device(s) to specify the device(s) to scan, regardless of the address(es) assigned to them (each address counts towards the maximum of 63 interfaces for PortCheckInterface). Devices will be re-checked before each scan to account for address changes.
Services (open ports) that are required or optional (allowed, but not required) can be specified with the options PortCheckRequired=interface:service list, and/or PortCheckOptional=interface:service list.
Services (open ports) that should be completely ignored can be specified with the option PortCheckIgnore=interface:service list.
Here, 'interface' should be the IP address of an interface, and 'service list' the comma-separated list of required/optional services. Each service must be listed as 'port/protocol' (e.g. 22/tcp) for a non-RPC service, and 'name/protocol' for an RPC service (e.g. portmapper/tcp). If an RPC service has no name, but just an RPC program number, then the name must be given as 'RPC_number' (e.g. RPC_100075).
Note: Interface specification. The PortCheckRequired, PortCheckOptional and PortCheckIgnore options are considered whenever the port is checked on some specific interface, and thus the interface needs to match and is not optional.
By default, both TCP and UDP ports are scanned. To disable UDP scanning, the option PortCheckUDP=boolean can be used.
Ports that should be skipped during the check can be specified with the option PortCheckSkip=interface:port list.
Here, 'interface' should be the IP address of an interface, and 'port list' the comma-separated list of 'port/protocol' pairs (e.g.: 22/tcp,514/udp,...) to skip.
This option is different from PortCheckIgnore=... in three ways: (i) since it only allows ports to be skipped, it does not work for RPC services, which have no fixed port, (ii) since the port is not probed, you can avoid error messages from obnoxious daemons, and (iii) it works without specifying the interface (which is then equivalent to ALL).
Note: MySQL (port 3306). MySQL counts unsuccessful connection attempts and may refuse further connections if some limit is exceeded. You may want to use the PortCheckSkip option to avoid probing the MySQL port.
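To make the interplay of PortCheckRequired, PortCheckOptional, PortCheckIgnore and PortCheckSkip concrete, here is an added model (not samhain's own code) that applies those option lists to a scan result using the semantics described above; the open-port list, the /etc/services subset and the RPC_100075 ignore entry are constructed for the example, and the 'maybe_unknown' label for ports missing from /etc/services is an assumption.

```python
# Added example (not samhain's own code): applies the PortCheck option lists
# to a scan result with the semantics the manual describes. All data is constructed.

def parse_policy(values):
    """Parse 'interface:svc,svc,...' values; no interface (Skip only) means ALL."""
    policy = {}
    for value in values:
        iface, sep, services = value.partition(":")
        if not sep:
            iface, services = "ALL", value
        policy.setdefault(iface, set()).update(s.strip() for s in services.split(","))
    return policy

def service_key(port, proto, rpc_name):
    """List key: 'port/proto' for non-RPC, 'name/proto' or 'RPC_number/proto' for RPC."""
    if rpc_name is None:
        return f"{port}/{proto}"
    return f"{'RPC_' + rpc_name if rpc_name.isdigit() else rpc_name}/{proto}"

def check_ports(open_ports, required, optional, ignore, skip, services_db):
    """Return (report lines for unlisted open ports, required services not found)."""
    found, unexpected = set(), []
    for iface, port, proto, rpc_name in open_ports:
        pp = f"{port}/{proto}"
        if pp in skip.get("ALL", ()) or pp in skip.get(iface, ()):
            continue                                  # not probed, so never reported
        key = service_key(port, proto, rpc_name)
        if key in required.get(iface, ()):
            found.add((iface, key))
        elif key not in optional.get(iface, ()) and key not in ignore.get(iface, ()):
            # RPC name comes from the portmapper; otherwise 'maybe_' + /etc/services name
            # ('maybe_unknown' for ports absent from the file is an assumption here)
            label = key.split("/")[0] if rpc_name else f"maybe_{services_db.get((port, proto), 'unknown')}"
            unexpected.append(f"{iface}:{pp} ({label})")
    missing = [f"{i}:{k}" for i, keys in required.items() for k in sorted(keys) if (i, k) not in found]
    return unexpected, missing

# Constructed sample: the manual's example policy plus invented open ports as
# (interface, port, protocol, RPC name from the portmapper or None).
SERVICES_DB = {(22, "tcp"): "ssh", (25, "tcp"): "smtp", (80, "tcp"): "http", (8080, "tcp"): "http-alt"}
POLICY = {
    "required": parse_policy(["192.168.1.128:22/tcp,25/tcp,80/tcp,portmapper/tcp,portmapper/udp"]),
    "optional": parse_policy(["192.168.1.128:3306/tcp"]),
    "ignore": parse_policy(["192.168.1.128:RPC_100075/tcp"]),
    "skip": parse_policy(["3306/tcp"]),            # no interface: applies to ALL
}
SCAN = [("192.168.1.128", 22, "tcp", None), ("192.168.1.128", 25, "tcp", None),
        ("192.168.1.128", 111, "tcp", "portmapper"), ("192.168.1.128", 111, "udp", "portmapper"),
        ("192.168.1.128", 2049, "tcp", "nfs"), ("192.168.1.128", 3306, "tcp", None),
        ("192.168.1.128", 8080, "tcp", None), ("192.168.1.128", 32771, "tcp", "100075")]
```

Running check_ports(SCAN, services_db=SERVICES_DB, **POLICY) reports nfs and the unlisted 8080/tcp, stays silent on the skipped MySQL port and the ignored RPC program, and flags 80/tcp as a missing required service.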
By default, all ports from 0 to 65535 are scanned. To change these limits, the options PortCheckMinPort=integer and PortCheckMaxPort=integer can be used.
[PortCheck]
#
# Activate (default is on)
#
PortCheckActive = yes
#
# The severity of reports: debug/info/notice/warn/err/crit/alert
# (default is crit)
#
SeverityPortCheck = crit
#
# These are the defaults
#
PortCheckMinPort = 0
PortCheckMaxPort = 65535
#
# Services that are required. This example specifies ssh (22/tcp),
# smtp (25/tcp), http (80/tcp), and portmapper.
#
PortCheckRequired = 192.168.1.128:22/tcp,25/tcp,80/tcp,portmapper/tcp,portmapper/udp
#
# Services that are optional. This example specifies
# mysql (3306/tcp).
#
PortCheckOptional = 192.168.1.128:3306/tcp
#
# Additional interfaces to scan. This example presumes that
# the 'official hostname' corresponds to 192.168.1.128, and
# that the machine has three more interfaces.
# 127.0.0.1 (localhost) is not listed, hence not scanned.
#
PortCheckInterface = 192.168.1.129
PortCheckInterface = 192.168.1.130
PortCheckInterface = 192.168.1.131
#
# The interval (in seconds) for port checks (default is 300 sec)
#
PortCheckInterval = 300
#
# By default, UDP ports are checked as well as TCP ports.
#
PortCheckUDP = yes