5.15. Checking for open ports

To compile with support for this option, use the configure option

./configure --enable-port-check

This module enables samhain to check for open ports (services) on the local machine, and to report ports that are open but not listed in the configuration. Reports look like:

interface:portnumber/protocol (maybe_servicename)

This is a non-RPC service, e.g. 192.168.1.2:22/tcp (maybe_ssh). The service name is taken from /etc/services and prefixed with maybe_, because samhain cannot determine whether it really is the SSH daemon that is listening on this port.

interface:portnumber/protocol (servicename)

This is an RPC service, e.g. 192.168.1.2:2049/tcp (nfs). The service name is obtained by querying the portmapper daemon. The portmapper daemon may return a service name as listed in /etc/rpc, or just a number (if there is no name for the service). If the portmapper daemon only returns the number of the RPC service, samhain will list RPC_number as servicename.

5.15.1. Options

By default, (only) the interface corresponding to the 'official name' of the host will be scanned. Additional interfaces can be added via the option PortCheckInterface=(list of) IP address(es), where 'IP address' is the address of the interface that should be scanned. You can use this option multiple times to specify up to 15 additional interfaces, or supply a list of interfaces.

Note: Don't specify external interfaces

While it is possible to misuse this option to specify an external IP address, the check will only work for interfaces on the local machine.

Services (open ports) that are required or optional (allowed, but not required) can be specified with the options PortCheckRequired=interface:service list, and/or PortCheckOptional=interface:service list.

Services (open ports) that should be completely ignored can be specified with the option PortCheckIgnore=interface:service list.

Here, 'interface' should be the IP address of an interface, and 'service list' the comma-separated list of required/optional services. Each service must be listed as 'port/protocol' (e.g. 22/tcp) for a non-RPC service, and 'name/protocol' for an RPC service (e.g. portmapper/tcp). If an RPC service has no name, but just an RPC program number, then the name must be given as 'RPC_number' (e.g. RPC_100075).

By default, both TCP and UDP ports are scanned. To disable UDP scanning, the option PortCheckUDP=boolean can be used.

Ports that should be skipped during the check can be specified with the option PortCheckSkip=interface:port list.

Here, 'interface' should be the IP address of an interface, and 'port list' the comma-separated list of 'port/protocol' pairs (e.g.: 22/tcp,514/udp,...) to skip.

This option differs from PortCheckIgnore=... in two ways: (i) since it only allows skipping ports, it does not work for RPC services, which have no fixed port, and (ii) since the port is not probed, you can avoid error messages from obnoxious daemons.

Tip: MySQL (port 3306)

MySQL counts unsuccessful connection attempts and may refuse further connections if some limit is exceeded. You may want to use the PortCheckSkip option to avoid probing the MySQL port.

By default, all ports from 0 to 65535 are scanned. To change these limits, the options PortCheckMinPort=integer and PortCheckMaxPort=integer can be used.

5.15.2. Example configuration

  [PortCheck]
  #
  # Activate (default is on)
  #
  PortCheckActive = yes

  # The severity of reports: debug/info/notice/warn/err/crit/alert
  # (default is crit)
  #
  SeverityPortCheck = crit

  # These are the defaults
  #
  PortCheckMinPort = 0
  PortCheckMaxPort = 65535
 
  # Services that are required. This example specifies ssh (22/tcp),
  # smtp (25/tcp), http (80/tcp), and portmapper.
  #
  PortCheckRequired = 192.168.1.128:22/tcp,25/tcp,80/tcp,portmapper/tcp,portmapper/udp

  # Services that are optional. This example specifies 
  # mysql (3306/tcp).
  #
  PortCheckOptional = 192.168.1.128:3306/tcp

  # Additional interfaces to scan. This example presumes that
  # the 'official hostname' corresponds to 192.168.1.128, and
  # that the machine has three more interfaces.
  # 127.0.0.1 (localhost) is not listed, hence not scanned.
  #
  PortCheckInterface = 192.168.1.129
  PortCheckInterface = 192.168.1.130
  PortCheckInterface = 192.168.1.131

  # The interval (in seconds) for port checks (default is 300 sec)
  #
  PortCheckInterval = 300

  # By default, UDP ports are checked as well as TCP ports.
  #
  PortCheckUDP = yes
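The service-list syntax from 5.15.1 ('port/protocol' for non-RPC services, 'name/protocol' or 'RPC_number/protocol' for RPC services, and PortCheckSkip limited to fixed ports) and the report format interface:port/protocol (servicename) can both be exercised offline. The following Python script is an added example, not samhain's own code: it parses the service-list options of a [PortCheck] section, rejects malformed entries, classifies report lines against the resulting policy, and lists required services that no report line shows as listening. The sample configuration (a subset of the example above) and the report lines are constructed for this example; the matching rules are assumptions modelled on the manual's description, in particular that an RPC service is matched by name only when the reported name lacks the maybe_ prefix.

```python
"""Lint a samhain [PortCheck] policy and triage port-check report lines.
Added example, not samhain's own code: it models the option syntax and the
report format described in the manual section above (assumptions noted)."""
import re
from dataclasses import dataclass, field

# Report line as samhain prints it: interface:port/protocol (servicename)
REPORT_RE = re.compile(r"^(?P<iface>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)/"
                       r"(?P<proto>tcp|udp)\s+\((?P<name>[^)]*)\)$")
# Service spec: 'port/protocol' (non-RPC), 'name/protocol' (RPC), or
# 'RPC_number/protocol' (RPC program with no name in /etc/rpc).
SERVICE_RE = re.compile(r"^(?P<svc>\d+|RPC_\d+|[A-Za-z][\w.-]*)/(?P<proto>tcp|udp)$")


@dataclass
class PortPolicy:
    required: dict = field(default_factory=dict)  # iface -> {"svc/proto", ...}
    optional: dict = field(default_factory=dict)
    ignore: dict = field(default_factory=dict)
    skip: dict = field(default_factory=dict)      # iface -> {"port/proto", ...}


def parse_service_list(value, ports_only=False):
    """Split 'interface:svc,svc,...' and validate every entry."""
    iface, _, svcs = value.partition(":")
    if not iface or not svcs:
        raise ValueError(f"expected interface:service list, got {value!r}")
    entries = set()
    for item in (s.strip() for s in svcs.split(",")):
        m = SERVICE_RE.match(item)
        if not m:
            raise ValueError(f"bad service spec {item!r}")
        if ports_only and not m.group("svc").isdigit():
            # PortCheckSkip works on fixed ports only; RPC names have none.
            raise ValueError(f"PortCheckSkip takes port/protocol only: {item!r}")
        entries.add(item)
    return iface, entries


def parse_portcheck_config(text):
    """Parse the service-list options of a [PortCheck] section."""
    policy, in_section = PortPolicy(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[portcheck]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        key = key.lower()
        if key in ("portcheckrequired", "portcheckoptional", "portcheckignore", "portcheckskip"):
            iface, entries = parse_service_list(value, ports_only=(key == "portcheckskip"))
            getattr(policy, key[len("portcheck"):]).setdefault(iface, set()).update(entries)
    return policy


def classify_report(policy, line):
    """Return which policy list covers one report line: 'skip', 'ignore',
    'required', 'optional', or 'unexpected' when none does."""
    m = REPORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable report line {line!r}")
    iface, port, proto, name = m.group("iface", "port", "proto", "name")
    candidates = {f"{port}/{proto}"}
    if not name.startswith("maybe_"):  # assumption: RPC services match by name
        candidates.add(f"{name}/{proto}")
    for category in ("skip", "ignore", "required", "optional"):
        if candidates & getattr(policy, category).get(iface, set()):
            return category
    return "unexpected"


def missing_required(policy, lines):
    """Required services that no report line shows as listening."""
    seen = {}
    for m in filter(None, (REPORT_RE.match(ln.strip()) for ln in lines)):
        iface, port, proto, name = m.group("iface", "port", "proto", "name")
        seen.setdefault(iface, set()).update({f"{port}/{proto}", f"{name}/{proto}"})
    return {iface: sorted(req - seen.get(iface, set()))
            for iface, req in policy.required.items() if req - seen.get(iface, set())}


# Constructed sample input: part of the manual's example policy plus report lines.
SAMPLE_CONFIG = """[PortCheck]
PortCheckRequired = 192.168.1.128:22/tcp,25/tcp,80/tcp,portmapper/tcp,portmapper/udp
PortCheckOptional = 192.168.1.128:3306/tcp
PortCheckSkip = 192.168.1.128:3306/tcp
"""
SAMPLE_REPORTS = ["192.168.1.128:22/tcp (maybe_ssh)",
                  "192.168.1.128:111/tcp (portmapper)",
                  "192.168.1.128:3306/tcp (maybe_mysql)",
                  "192.168.1.128:8080/tcp (maybe_http-alt)"]

if __name__ == "__main__":
    pol = parse_portcheck_config(SAMPLE_CONFIG)
    print([classify_report(pol, r) for r in SAMPLE_REPORTS], missing_required(pol, SAMPLE_REPORTS))
```

With the constructed input, the four report lines classify as required, required, skip and unexpected, and the missing-required check returns 25/tcp, 80/tcp and portmapper/udp for 192.168.1.128. The skip check runs before the others because a port listed in PortCheckSkip is never probed by samhain, so a report for it can only come from a stale policy.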