Netgate Discussion Forum

    Portsentry for pfsense

      sloan

      I was wondering if there is any interest in a portsentry port for pfSense.
      Does it make sense to have the ability to add hosts to a hosts.deny file when a port scan is detected?
      I noted that there does not appear to be a hosts.deny file, just a hosts.allow.
      Would portsentry even work if there was interest in a package?

      For those who do not know portsentry, here is a link to info about it.

      http://www.linuxjournal.com/article/4751

      "Once a host is targeted by an attacker, a port scan is almost always performed. The port scan is done to expose all services available on the target host and to provide a starting point for break-in attempts. PortSentry detects such scans by monitoring the unused ports on the host. Upon a connection attempt to one of the unused ports, PortSentry is alerted and has the ability to issue a number of commands in response to the scan. The commands issued are configured by the administrator within a configuration file. Although any command may be used, the most helpful is one in which the IP address of the attacker's host is essentially "black holed" by issuing a routing command that denies all traffic from that address. The violation and corresponding action taken by PortSentry are recorded in the system log. Using another Psionic utility, Logcheck, these security alerts are e-mailed to an administrator at designated intervals. Thus, the host is now capable not only of retaliating against a potential break-in attempt automatically, but also of notifying the administrator of the occurrence."

      PFS 2.0 ALPHA-ALPHA on x86 :FreeSWITCH

        cmb

        The snort package can be configured to do that, and a lot more.

          sloan

          Snort is a great package, but it is large and complex. Portsentry is simple and lightweight, easy to use and learn.
          Is it just an issue of building this package on FreeBSD, or is there a specific platform required to build a package for pfSense?

            sullrich

            pkg_add -r portsentry from a shell

            Then edit /usr/local/etc/rc.d/portsentry.sh and add the portsentry start command

            Don't forget to make the newly created .sh file executable: chmod a+rx /usr/local/etc/rc.d/portsentry.sh
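
The rc.d step from the post above as a script, added here as an example and not part of the original thread: it writes an old-style start/stop wrapper, makes it executable and syntax-checks it. The binary path /usr/local/bin/portsentry, the helper name write_rc_script and the choice of the -tcp and -udp modes are assumptions.

```shell
#!/bin/sh
# Added example: generate an rc.d wrapper for portsentry.
# Assumed (not stated in the thread): where the package puts the binary.
PORTSENTRY_BIN="${PORTSENTRY_BIN:-/usr/local/bin/portsentry}"

# write_rc_script DIR
# Creates DIR/portsentry.sh, marks it executable, prints its path.
write_rc_script() {
    rc_dir="$1"
    rc_file="$rc_dir/portsentry.sh"
    [ -d "$rc_dir" ] || { echo "no such directory: $rc_dir" >&2; return 1; }

    # \$ is kept literal in the generated file; $PORTSENTRY_BIN is expanded now.
    cat > "$rc_file" <<EOF
#!/bin/sh
# Start/stop wrapper for portsentry (generated, example only).
BIN="$PORTSENTRY_BIN"

case "\$1" in
start)
    # Fail loudly at boot if the package is missing instead of silently skipping.
    [ -x "\$BIN" ] || { echo "portsentry not installed at \$BIN" >&2; exit 1; }
    # One process per protocol; each one detaches on its own.
    "\$BIN" -tcp && "\$BIN" -udp
    ;;
stop)
    pkill -x portsentry || true
    ;;
restart)
    "\$0" stop; sleep 1; "\$0" start
    ;;
*)
    echo "usage: \$0 {start|stop|restart}" >&2
    exit 64
    ;;
esac
EOF
    chmod a+rx "$rc_file" || return 1
    sh -n "$rc_file" || return 1      # refuse to leave a script that cannot parse
    echo "$rc_file"
}

# Usage on the firewall: write_rc_script /usr/local/etc/rc.d
```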

              sloan

              Way cool!!!
              I really had no idea that I could add packages from the FreeBSD repositories. I was under the impression that any packages had to be customized to pfSense.
              Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6-stable/Latest/portsentry.tbz… Done

              So now I suppose I can add just about anything? With the downside being that any added packages and dependencies add more ways to cause potential conflict with the firewall?

              Do you recommend not adding many packages?

                sullrich

                These things are not supported. Have fun :)
