README ¶
PortSpec
PortSpec is a tool to ensure all hosts in your network or under your control have open ports that are up to the specification you set.
By setting a list of hosts and the ports you expect to be open, PortSpec will run every predefined amount of time and scan these hosts for open TCP ports. After all open ports are found, PortSpec will compare this list with the one you defined, and it will alert you if something is not in spec.
Currently it is being under active development, and has very minimal functionality, fit for a small particular purpose that it was developed for, but hopefully some day it can work and have more features that will address more needs.
Configuration
PortSpec is configured solely by the conf.yml
file. The path of this file
can be specified by the -c
command line flag. So if you launch it with
portspec -c /etc/portspec/portspec.yml
, it will read the configuration from
there. You can have multiple instances of PortSpec running with different
configuration files, in the same server, without issues.
The included conf.yml
contains an example configuration file. Some of the
included options can be found here:
interval
The interval
setting controls how often (in seconds) should PortSpec scan
the hosts and report on the results. This clearly depends on your needs, but the
recommended values are 3600 (one hour) to 86400 (one day). Keep in mind that if
this value is too low, the previous scan may not finish before the new one
starts, but this usually happens if you have a large number of hosts, and this
is set to too low.
ipv6
The ipv6
setting is currently not implemented. However, when it is, if this
flag is true
, it will also scan the IPv6 address of all hosts that are given
as a hostname (example.com
vs 192.0.2.50
). This flag will default to true
very soon after the feature is implemented.
parallelscans
The parallelscans
setting is also not currently implemented. It will define
how many host scans should run in parallel. This is host scans and not port
scans, so adjust this value accordingly.
hosts
The hosts
setting is a list of hosts that will be scanned by PortSpec. It can
currently be either a domain name (example.com
), an IPv4 Address
(192.0.2.10
), or an IPv6 Address (2001:db8::1337
). Each host needs to have
an array of ports that SHOULD be open. This list is the expected ports that
you want open, not the list of ports that will be scanned on this host. This
list can be empty, in case you expect no open TCP ports on this host.
An example of this configuration is:
hosts:
"www.example.org":
- 22
- 80
- 443
"www.example.com":
- 25
- 587
"example.net":
scanports
The scanports
setting is a list of ports that PortSpec will scan for in all
hosts. By default a pretty large list is included, but you can add and remove
ports as needed. Port ranges are currently not supported, but it is a feature
that is coming very soon.
Alert Modules
Currently PortSpec supports mutliple modes of alerting the users. In this section you can find configuration options for each implemented module.
E-Mail is the most basic alert method and will cause PortSpec to send an e-mail
to a set of specified e-mail addresses. To configure e-mail, you will need to
add to the conf.yml
the following:
sendemail
If you set sendemail
to true
, the e-mail alerts will be activated. Do not
include this or set this to false
, and PortSpec will not send e-mail
notifications.
smtpserver
The smtpserver
setting contains the address of the SMTP server to use for
outgoing e-mail. This can be a hostname (smtp.example.com
), an IPv4 Address
(192.0.2.10
), or an IPv6 Address (2001:db8::1337
). Currently PortSpec
requires the server to support TLS in order to be able to login successfully.
smtpport
The smtpport
setting is the port that PortSpec should contact the SMTP Server
at. The most common setting is 587
, but other options such as 2525
are also
possible.
smtpusername
The smtpusername
setting is the username that PortSpec should connect to the
SMTP server as. Note that PortSpec uses TLS for the connection and Auth/Plain
as the login method.
smtppassword
The smtppassword
setting is the password for the mail server. This password is
sent only if the server supports TLS, therefore it is encrypted during the
connection.
alertemail
The alertemail
setting contains a list of e-mail addresses that will receive
an e-mail alert by PortSpec. One e-mail will be sent for each address in the
list, and not a single e-mail with multiple recipients.
fromemail
The fromemail
setting contains the e-mail address all alerts will be sent as.
This value will be sent to the mail server as well as be included in the From
header of the e-mail. You can currently only control the e-mail address, and
not the name. This is currently hardcoded as PortSpec
.
Logs
Currently PortSpec tries to produce a large amount of logs. This is done so you can go back and check for information that may be useful at some point in the future. Great care has been given to ensure no private information is being logged, other than user provided values such as hosts and IP Addresses.
The framework utilized for logging supports two modes, one that will output data as human readable format, which is common for other services, such as web servers, mail servers, etc. and an other that will output all logs in JSON, to be used directly with a log processing tool of your choice. A third format is available that is used when PortSpec runs in a terminal, and also supports colors for greater visibility.
By default the first option is used, but you can switch between them using
command line flags. The -j
flag will cause PortSpec to output JSON. This
option is not configurable using the config file to ensure that all logs, such
as configuration file parsing errors, are in the same format. This hopefully
minimizes parsing errors.
PortSpec logs to the Standard Output (stdout
), so redirection or a proper
daemon handling system is needed to save the logs to files. For example,
systemd
will save stdout
to /var/log/syslog
.
Installation
To download and install PortSpec, either clone this repository and use Go to build the executable, or download one of the prebuilt binaries.
PortSpec runs as a daemon, and must be running continuously. This can be done
in any way you want, such as a supervisor like supervisord
, but for
distributions with systemd
, this method is the one recommended. In this
repository you can find the portspec.service
file. This is a systemd
unit
file you can place to /etc/systemd/system/
in order for Linux to recognize as
a service.
After you install this unit file, you need to run:
sudo systemctl enable portspec
This will enable the portspec
service and will have it execute at system
boot. In order to start the service, you can use sudo service portspec start
,
and to stop it, use sudo service portspec stop
.
Now you need to save the configuration file somewhere. The recommended path is
/etc/portspec/portspec.yml
. Since this directory does not exist in your
system, you need to create it:
sudo mkdir /etc/portspec
Now either copy conf.yml
from this repository, or start a new one from
scratch.
By default, systemd
units are running as root
. This is something you do not
want in your server, since this code may not be trusted, and in general you
should avoid running things as a privileged account. For this reason, you need
to create a portspec
user for your system:
sudo adduser -s /usr/sbin/nologin -r -M portspec
Now that you have the portspec
user, go and change the /etc/portspec
folder
owner to this user:
sudo chown -R portspec:portspec /etc/portspec
Finally, make sure this file is only readable by the portspec
user:
sudo chmod 600 /etc/portspec/portspec.yml
This is recommended since the configuration file may contain sensitive information such as e-mail passwords, or API keys.
Documentation ¶
There is no documentation for this package.