Package: portsentry

Version: 1.2-14

Hi team,

I'm Michel Gabriel Ramirez Fournier, a cybersecurity engineer and Debian user
since many moons ago. I'm a passionate Linux preacher who loves to
recommend the good things of Debian as a server in search of security and
stability for PYMES. For that reason, a few days ago I was showing a
company the benefits of integrating the application PORTSENTRY with
FAIL2BAN to block attackers' efforts to scan the server's target ports and,
at the same time, block possible (future) brute force attacks coming from
the same aggressor or source.

The configuration is indeed very easy, but I detected a malfunction in
PORTSENTRY's behavior when it is installed, caused because it doesn't
automatically create (after being installed) the registry file which
stores the list of detected aggressor IPs:

/var/lib/portsentry/portsentry.history

This file is only created when a security event (like a port scan) triggers
the file creation by the active PORTSENTRY process. The absent file doesn't
interfere with the normal functioning of PORTSENTRY, but if FAIL2BAN is
enabled with the jail to integrate with PORTSENTRY, this missing-file
scenario will cause a FAIL2BAN crash:

[portsentry]
logpath = /var/lib/portsentry/portsentry.history

As part of an exercise, I successfully started to use this flaw of
PORTSENTRY as part of an attack in a capture-the-flag simulation: just by
erasing the file /var/lib/portsentry/portsentry.history and waiting a few
seconds for the daemon to reload, the result is the subsequent crash of
FAIL2BAN.

I also recently sent an email to the PORTSENTRY maintainer
mid...@debian.org (but still without an answer) informing them about the
flaw detected, because maybe this malfunction of PORTSENTRY can be fixed
just by creating the missing file /var/lib/portsentry/portsentry.history
after the installation and checking if the file is present in the root
folder after every daemon reload. By doing these steps, the dependency on
FAIL2BAN won't cause the FAIL2BAN crash.
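The pre-start check proposed above, written out as an added shell example (not code from this bug report, from portsentry or from fail2ban): it creates the portsentry history file when it is absent and then verifies that every logpath named in a fail2ban jail file exists before fail2ban is started. The variable name PORTSENTRY_HISTORY and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report or from either package: a
# pre-start check for the scenario the report describes. Every "logpath" in a
# fail2ban jail file must exist, so the portsentry history file is created
# when absent (the fix the report proposes) and the remaining paths verified.

# Path from the report; overridable for testing (variable name is assumed).
PORTSENTRY_HISTORY="${PORTSENTRY_HISTORY:-/var/lib/portsentry/portsentry.history}"

# Print the value of each "logpath = ..." line in jail file $1, one per line,
# whitespace trimmed. Simplification: several files on one logpath line and
# indented continuation lines are not split into separate values.
list_logpaths() {
    sed -n '/^[[:space:]]*logpath[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*$//;p;}' "$1"
}

# Print the logpaths in $1 that do not exist on disk (nothing if all exist).
missing_logpaths() {
    list_logpaths "$1" | while IFS= read -r path; do
        [ -e "$path" ] || printf '%s\n' "$path"
    done
}

# Succeed only when every logpath in $1 exists.
check_logpaths() {
    [ -z "$(missing_logpaths "$1")" ]
}

# Create $1 empty if absent; succeed when it exists afterwards. Mode is left
# to the umask (assumption: portsentry and fail2ban both run as root here).
ensure_history_file() {
    [ -e "$1" ] || { mkdir -p "$(dirname "$1")" && : > "$1"; }
    [ -e "$1" ]
}

# Usage: sh check_jail_logpaths.sh /etc/fail2ban/jail.local
main() {
    ensure_history_file "$PORTSENTRY_HISTORY" || echo "cannot create $PORTSENTRY_HISTORY" >&2
    if check_logpaths "$1"; then
        echo "all logpaths in $1 exist; fail2ban can be started"
    else
        echo "missing logpath(s) in $1; create them before starting fail2ban:" >&2
        missing_logpaths "$1" >&2
        return 1
    fi
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Logpath values that use fail2ban's %(name)s interpolation are not expanded here and will be reported as missing. Run it from a systemd ExecStartPre= or a cron job before fail2ban starts, so the check also covers the "after every daemon reload" case.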

I am using Linux debian 5.10.0-14-amd64.

I appreciate all the help received from t...@security.debian.org
<t...@security.org> to report this bug.

Respectfully
Michel
