To compile with support for this option, use the configure option
./configure --enable-port-check
This module enables samhain to check for open ports (services) on the local machine, and report ports that are open but not listed in the configuration. Reports are like:

- 192.168.1.2:22/tcp (maybe_ssh): this is a non-RPC service. The service name is taken from /etc/services and prepended by maybe_, because samhain cannot determine whether it really is the SSH daemon that is listening on this port.
- 192.168.1.2:2049/tcp (nfs): this is an RPC service. The service name is obtained by querying the portmapper daemon. The portmapper daemon may return a service name as listed in /etc/rpc, or just a number (if there is no name for the service). If the portmapper daemon only returns the number of the RPC service, samhain will list RPC_number as the service name.
By default, only the interface corresponding to the 'official name' of the host will be scanned. Additional interfaces can be added via the option PortCheckInterface=(list of) IP address(es), where 'IP address' is the address of the interface that should be scanned. You can use this option multiple times to specify up to 15 additional interfaces, or supply a list of interfaces.
| ![[Note]](stylesheet-images/note.png) | Don't specify external interfaces | 
|---|---|
| While it is possible to misuse this option to specify an external IP address, the check will only work for interfaces on the local machine. | 
Services (open ports) that are required or optional (allowed, but not required) can be specified with the options PortCheckRequired=interface:service list and/or PortCheckOptional=interface:service list.

Services (open ports) that should be completely ignored can be specified with the option PortCheckIgnore=interface:service list.
Here, 'interface' should be the IP address of an interface, and 'service list' the comma-separated list of required/optional services. Each service must be listed as 'port/protocol' (e.g. 22/tcp) for a non-RPC service, and 'name/protocol' for an RPC service (e.g. portmapper/tcp). If an RPC service has no name, but just an RPC program number, then the name must be given as 'RPC_number' (e.g. RPC_100075).
By default, both TCP and UDP ports are scanned. To disable UDP scanning, the option PortCheckUDP=boolean can be used.
Ports that should be skipped during the check can be specified with the option PortCheckSkip=interface:port list.

Here, 'interface' should be the IP address of an interface, and 'port list' the comma-separated list of 'port/protocol' pairs (e.g.: 22/tcp,514/udp,...) to skip.

This option differs from PortCheckIgnore=... in two ways: (i) since it can only skip ports, it does not work for RPC services, which have no fixed port, and (ii) since the port is not probed at all, you avoid error messages from obnoxious daemons. A port listed in PortCheckIgnore is still probed, but the result is not reported.
| ![[Tip]](stylesheet-images/tip.png) | MySQL (port 3306) | 
|---|---|
| MySQL counts unsuccessful connection attempts and may refuse further connections from a host once the limit (max_connect_errors) is exceeded. You may want to use the PortCheckSkip option to avoid probing the MySQL port. | 
By default, all ports from 0 to 65535 are scanned. To change these limits, the options PortCheckMinPort=integer and PortCheckMaxPort=integer can be used.
```
[PortCheck]
#
# Activate (default is on)
#
PortCheckActive = yes
#
# The severity of reports: debug/info/notice/warn/err/crit/alert
# (default is crit)
#
SeverityPortCheck = crit
#
# These are the defaults
#
PortCheckMinPort = 0
PortCheckMaxPort = 65535
#
# Services that are required. This example specifies ssh (22/tcp),
# smtp (25/tcp), http (80/tcp), and portmapper.
#
PortCheckRequired = 192.168.1.128:22/tcp,25/tcp,80/tcp,portmapper/tcp,portmapper/udp
#
# Services that are optional. This example specifies
# mysql (3306/tcp).
#
PortCheckOptional = 192.168.1.128:3306/tcp
#
# Additional interfaces to scan. This example presumes that
# the 'official hostname' corresponds to 192.168.1.128, and
# that the machine has three more interfaces.
# 127.0.0.1 (localhost) is not listed, hence not scanned.
#
PortCheckInterface = 192.168.1.129
PortCheckInterface = 192.168.1.130
PortCheckInterface = 192.168.1.131
#
# The interval (in seconds) for port checks (default is 300 sec)
#
PortCheckInterval = 300
#
# By default, UDP ports are checked as well as TCP ports.
#
PortCheckUDP = yes
```
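To see how the report naming (maybe_ versus RPC_number), the Required/Optional/Ignore lists, the Skip list, the UDP switch and the MinPort/MaxPort range interact, the following added example emulates the documented PortCheck rules in Python. It is not samhain's code: the [PortCheck] section, the snapshot of open ports, the subset of /etc/services and the portmapper answers are all constructed here, and the report wording is this example's own, modelled on the reports shown above.

```python
"""Emulation of samhain's documented PortCheck classification rules.

Added example, not samhain's own code: it reproduces the behaviour the
manual describes on a constructed snapshot of open ports so the effect of
each PortCheck* option can be seen without running a scanner.
"""

# Constructed subset of /etc/services (samhain consults the real file).
SERVICES = {(22, "tcp"): "ssh", (25, "tcp"): "smtp", (80, "tcp"): "http",
            (111, "tcp"): "sunrpc", (111, "udp"): "sunrpc",
            (514, "udp"): "syslog", (3306, "tcp"): "mysql",
            (8080, "tcp"): "http-alt"}

# Constructed portmapper answers: (port, proto) -> name from /etc/rpc, or a
# bare program number when the portmapper has no name for it.
RPC_NAMES = {(111, "tcp"): "portmapper", (111, "udp"): "portmapper",
             (2049, "tcp"): "nfs", (32771, "udp"): 100075}

# Constructed [PortCheck] section exercising every option discussed above.
CONFIG = """
[PortCheck]
PortCheckActive = yes
PortCheckMinPort = 0
PortCheckMaxPort = 65535
# ssh, smtp, http and the portmapper must be up on the primary interface
PortCheckRequired = 192.168.1.128:22/tcp,25/tcp,80/tcp,portmapper/tcp,portmapper/udp
PortCheckOptional = 192.168.1.128:3306/tcp
PortCheckIgnore = 192.168.1.128:nfs/tcp
PortCheckSkip = 192.168.1.128:514/udp
PortCheckInterface = 192.168.1.129
PortCheckUDP = yes
"""

# Constructed scan result: {interface: {(port, proto), ...}}.
OPEN_PORTS = {
    "192.168.1.128": {(22, "tcp"), (80, "tcp"), (111, "tcp"), (111, "udp"),
                      (514, "udp"), (2049, "tcp"), (8080, "tcp"), (32771, "udp")},
    "192.168.1.129": {(22, "tcp")},
}


def parse_portcheck(text):
    """Map each option name to the list of values it was given (options may repeat)."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments and blank lines
        if "=" not in line:
            continue
        key, val = (s.strip() for s in line.split("=", 1))
        opts.setdefault(key, []).append(val)
    return opts


def collect(opts, key):
    """Merge 'iface:a/proto,b/proto,...' values into {iface: {'a/proto', ...}} (IPv4 only)."""
    table = {}
    for value in opts.get(key, []):
        iface, _, services = value.partition(":")
        table.setdefault(iface.strip(), set()).update(
            s.strip() for s in services.split(",") if s.strip())
    return table


def classify(port, proto):
    """Return (report label, config key) for one open socket, samhain-style."""
    if (port, proto) in RPC_NAMES:                  # registered with the portmapper
        name = RPC_NAMES[(port, proto)]
        if not isinstance(name, str):
            name = "RPC_%d" % name                  # no name in /etc/rpc, only a number
        return name, "%s/%s" % (name, proto)        # config lists RPC services by name
    # "unknown" fallback is this example's choice for ports absent from the table
    name = "maybe_" + SERVICES.get((port, proto), "unknown")
    return name, "%d/%s" % (port, proto)            # config lists plain services by port


def check_ports(config_text, open_ports):
    """Produce the reports the documented rules yield for this config and snapshot."""
    opts = parse_portcheck(config_text)
    lo = int(opts.get("PortCheckMinPort", ["0"])[0])
    hi = int(opts.get("PortCheckMaxPort", ["65535"])[0])
    scan_udp = opts.get("PortCheckUDP", ["yes"])[0].lower() in ("yes", "true", "1")
    required, optional = collect(opts, "PortCheckRequired"), collect(opts, "PortCheckOptional")
    ignore, skip = collect(opts, "PortCheckIgnore"), collect(opts, "PortCheckSkip")
    reports = []
    for iface in sorted(set(open_ports) | set(required)):
        seen = set()
        for port, proto in sorted(open_ports.get(iface, ())):
            if not lo <= port <= hi or (proto == "udp" and not scan_udp):
                continue                            # outside the scanned range
            if "%d/%s" % (port, proto) in skip.get(iface, set()):
                continue                            # never probed, so never seen
            label, key = classify(port, proto)
            seen.add(key)
            listed = (ignore.get(iface, set()) | required.get(iface, set())
                      | optional.get(iface, set()))
            if key in listed:
                continue                            # listed: nothing to report
            reports.append("%s:%d/%s (%s) open but not listed" % (iface, port, proto, label))
        for key in sorted(required.get(iface, set()) - seen):
            reports.append("%s:%s required but not open" % (iface, key))
    return reports


if __name__ == "__main__":
    for line in check_ports(CONFIG, OPEN_PORTS):
        print(line)
```

Running it reports 8080/tcp (maybe_http-alt) and the nameless RPC program on 32771/udp (RPC_100075) as open but unlisted, smtp as required but closed, and ssh on the second interface as unlisted there; nfs is silent because it is ignored, 514/udp because it is skipped, and mysql because an optional service may be closed. Lowering PortCheckMaxPort to 1024 or setting PortCheckUDP to no makes the high or UDP ports drop out of the scan, so they are neither reported nor counted towards a required service.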