$Id: CHANGES,v 1.50 2003/05/23 17:44:15 crowland Exp crowland $ PortSentry Changes 10-12-1997 0.01 - Project Begins. 10-13-1997 0.02 - Multiple port binding. Config file added. TCP wrapper support added. 10-14-1997 0.03 - Added state engine. 11-2-1997 0.04 - Bug fixes in state engine. Speed enhancements. 11-4-1997 0.05 - Added PORT_BANNER option 11-30-1997 0.06 - Re-vamped config file options. Consolidated variables and added $TARGET$ macro expansion. Added option to run external command. 12-04-1997 0.08 - Code cleanup and public alpha release. 12-06-1997 0.09 - Added option to skip blocking on UDP scans to prevent DOS attacks. 12-10-1997 0.10 - Added alert for possible stealth scan detection. 3-10-1998 0.50 - FINALLY got back to work on this thing. 3-11-1998 0.50 - Added/changed configuration option to not react to TCP/UDP probes (report only). Added history file to store permanent list of all blocked hosts. Changed blocked file to be truncated to 0 bytes on startup so users don't have to manually clean it out on re-start. Removed reporting of already blocked hosts for UDP to prevent possible denial of service attack. Put in limit of 64 open sockets per instance (some systems did not have FD_SETSIZE defined correctly and this caused errors). Removed logging of connections from ignored hosts (why ignore them if I still report their connection??) Began renaming from "Abacus Sentry" to just plain "sentry" to eliminate confusion. Updated docs. Minor code cleanups. 5-11-1998 0.60 Put in reverse DNS reporting on connections. Should have done this long ago.. Changed history file and blocked file to write out resolved hostname on connects 5-25-1998 0.60 Added TCP SYN stealth scan detection Added TCP FIN stealth scan detection Added "Advanced" stealth scan detection mode. 5-26-1998 0.60 Added "Smart-Verify" port profiling in all stealth modes to avoid blocking legitimate connections. 5-28-1998 0.61 Added tcp/ip headers with distribution because some versions of Linux still use the "old" style and not the BSD variant. 4-12-1999 0.80 Cleaned up lots of code. Reduced major redundant sections. Eliminated redundant config file reads and moved code to inititialize variables at startup instead of during program loops. Added ports 635TCP, 12345TCP, 12346TCP, 31337UDP to port list. Lines of code reduced by 20%. Removed hacked-in tcpip.h/ip.h header files and used proper Linux defines. Renamed package from "Abacus Sentry" to "PortSentry" 4-13-1999 0.80 Cleaned up more code. Moved packet classification to separate function. Began regression testing. 4-14-1999 0.80 Added port 1524TCP (ingreslock) after several reports of ttdbserver overflows using this as the backdoor insertion point. 4-30-1999 0.80 Fixed buggy string substitute function. It is now faster and more reliable. Removed config file reading from all sub-functions and put it into InitConfig() in main executable. This cuts down on file IO during heavy activation of the probe scanner. Lots of small code cleanups. 5-01-1999 0.89 All docs updated and code base given distribution version 0.89-BETA for release. 05-03-1999 0.89 Added $PORT$ option parsing to all kill options Added KILL_TCP/KILL_UDP option of "2" to allow for running a command, but not running other kill route/hosts.deny options Fixed another bug in the subst function that would return an empty string if nothing found instead of a string copy of the original. This was causing a string that didn't have the optional $PORT$ command to return empty. Moved check for BLOCKED_FILE into init function from the checkconfig function. Printed out corrupted config file warnings to screen and syslog instead of just syslog before aborting. Made QA checklist part of package in case people are interested. Added some more logging to kill* functions. Also added print out to log files of exact string run for route, hostsdeny, runcmd options. Changed BANNER to something a little shorter. Fixed NeXTSTEP route command entry. 05-04-1999 0.89a Added new trojan horse ports for TCP_PORTS: 20034 - NetBus Pro 5742 - Win Crash Trojan 30303 - Socket De Troye 40421 - Unknown Trojan Horse (Master's Paradise [CHR]) The above were taken from a post on comp.security.unix by: jeromexxx@club-internet.fr on 05-03-99 05-10-1999 - 0.90 QA checklist completed. Incremented version to 0.90 Updated docs/spellcheck 05-11-1999 - 0.90 Changed install dir to /usr/local/psionic/portsentry Updated docs again. Removed NeXTSTEP make rule because OS lacks vsnprintf() and I don't have a working version to put in. Re-Ordered #include<> files to prevent warnings/errors under BSD (OpenBSD) 05-12-1999 - 0.90 Found very subtle bug in SafeStrncpy that would overwrite last part of dest data with extra null outside of bounds and would intermittently corrupt data. This was a real pain and took almost six hours of testing on various platforms to track down as no debugger turned it up. I hope you people appreciate all the aggravation I go through to write this thing. ;) 5-26-1999 - 0.90a Applied patch from to get new version to compile under older Linux distributions. Added AIX build option. 6-02-1999 - 0.90b Added OSF build option. Added OSF KILL_ROUTE command in .conf file Fixed ipchains entry in .conf file. Updated conf file to warn about bogus route. Switched to native linux tcphdr/udphdr structs instead of BSD style. 6-03-1999 - 0.90c Added ignore.csh script contributed by Christopher Lindsey. 7-09-1999 - 0.91 Fixed corrupted readme.qa file 7-12-1999 - 0.98 Fixed IP parsing problems in .ignore and .blocked functions. Now correctly ignores blocked hosts and ignored hosts. Bug reported by 7-27-1999 - 0.98.1 Fixed a nasty bug where an attacker could cause Sentry to ignore a scan if you have a specific configuration setup on your host. Bug reported by Reuven Gevaryahu . 7-28-1999 - 0.99 Finally put back in the parts that correctly read IP options and added extra code to check for illegal sizes, etc. This has been a long time coming...sorry for the delay. 08-02-1999 - 0.99 WriteBlocked() now writes out packet type being blocked "TCP" or "UDP" in the log files. 10-15-1999 - 1.0 NeverBlock() function fixed so now it actually does ignore hosts correctly. I was stripping off the EOL prematurely during a strlen check and this caused the problem. Thanks to all reporters for finding this. 10-24-1999 - 1.0 Updated docs to tell users how to add LOCAL0 facility for syslog reporting. 11-14-1999 - 1.0 Y2K fix in WriteBlocked functions. Now uses four digit year in .blocked and .history files. Old format: 942286729 - 11/10/99 20:18:49 Host: 192.168.2.12/192.168.2.12 Port: 111 TCP Blocked New format: 942286729 - 11/10/1999 20:18:49 Host: 192.168.2.12/192.168.2.12 Port: 111 TCP Blocked PortSentry doesn't use dates as part of its operations, however third party scripts may use the .blocked and .history files and the two digit format would roll over to 1/1/100 on Jan 1 instead of 1/1/00 causing a potential problem. Sorry about that. :( 12-21-1999 - 1.1 Fixed typo in bare-bones TCP list where 524 was supposed to be for 1524. 03-31-2000 - 1.1 Updated .conf to add ipf blocking rule. Thanks Graham Dunn 06-08-2000 - 1.1 Fixed an error in the state engine portion that could cause an increment error under certain conditions. Thanks Peter M. Allan for finding this. 6-21-2000 - 1.1 New Features added - Added in feature to disable DNS host resolution by checking RESOLVE_HOST in conf file. - Added in feature to have external command run before or after blocking has occurred as defined in KILL_RUN_CMD_FIRST option in conf file. - Removed DoBlockTCP/UDP functions. Converted over to generic flag checker. 7-5-2000 - 1.1 - Added iptables support (thanks Scott Catterton ) - Added Makefile support for Irix - Put in ports for common DDOS ports 9-8-2000 - 1.1 - Added in netmask support 9-9-2000 - 1.1 - Finally moved resolver functions to own area. - Made CleanAndResolve to ensure DNS records returned are sanitized correctly before being passed back. 3-23-2001 - 1.1 - Fixed a bug that showed up under Linux 2.4 Kernel that would cause accept to loop. There was an error with how I used a count variable after trying to bind to ports. If the port didn't bind the count for the openSockfd would still increment and this caused the error to show up. 6-26-2001 - 1.1 - Added Mac OS X build support (Same as FreeBSD). Fixed bug for Advanced mode to properly monitor 1024 ports (it only did first 1023 before). Thanks Guido. 05-23-2003 - 1.2 - Removed references to old psionic e-mail and changed license to Common Public License.