To compile with support for this option, use the configure option

```
./configure --enable-port-check
```
This module enables samhain to check for open ports (services) on the local machine, and report ports that are open, but not listed in the configuration.
By default, (only) the interface corresponding to the 'official name' of the host will be scanned. Additional interfaces can be added via the option PortCheckInterface=IP address, where 'IP address' is the address of the interface that should be scanned. You can use this option multiple times to specify up to 15 additional interfaces.
> **Note:** While it is possible to misuse this option to specify an external IP address, the check will only work for interfaces on the local machine.
Services (open ports) that are required or optional (allowed, but not required) can be specified with the options PortCheckRequired=interface:service list and/or PortCheckOptional=interface:service list.
Here, 'interface' should be the IP address of an interface, and 'service list' the comma-separated list of required/optional services. Each service must be listed as 'port/protocol' (e.g. 22/tcp) for a non-RPC service, and 'name/protocol' for an RPC service (e.g. portmapper/tcp).
By default, both TCP and UDP ports are scanned. To disable UDP scanning, the option PortCheckUDP=boolean can be used.
```
[PortCheck]
#
# Activate (default is on)
#
PortCheckActive = yes

# The severity of reports: debug/info/notice/warn/err/crit/alert
# (default is crit)
#
SeverityPortCheck = crit

# Services that are required. This example specifies ssh (22/tcp),
# smtp (25/tcp), http (80/tcp), and portmapper.
#
PortCheckRequired = 192.168.1.128:22/tcp,25/tcp,80/tcp,portmapper/tcp,portmapper/udp

# Services that are optional. This example specifies
# mysql (3306/tcp).
#
PortCheckOptional = 192.168.1.128:3306/tcp

# Additional interfaces to scan. This example presumes that
# the 'official hostname' corresponds to 192.168.1.128, and
# that the machine has three more interfaces.
# 127.0.0.1 (localhost) is not listed, hence not scanned.
#
PortCheckInterface = 192.168.1.129
PortCheckInterface = 192.168.1.130
PortCheckInterface = 192.168.1.131

# The interval (in seconds) for port checks (default is 300 sec)
#
PortCheckInterval = 300

# By default, UDP ports are checked as well as TCP ports.
#
PortCheckUDP = yes
```
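The following is an added example, not samhain's own code: it parses the `interface:service list` syntax of PortCheckRequired / PortCheckOptional as described above and classifies a (constructed) set of observed open ports the way the module's report does, flagging open ports that are not listed and required services that are not open. The `load_lists`, `classify_ports` and `demo` names, and the merging of repeated lines for one interface, are assumptions of this example.

```python
import re
from typing import Dict, Set, Tuple
Service = Tuple[str, str]  # (port number or RPC program name, protocol)
_ENTRY = re.compile(r"^(?P<svc>[A-Za-z0-9_.-]+)/(?P<proto>tcp|udp)$")

def parse_service_list(value: str) -> Tuple[str, Set[Service]]:
    """Parse 'interface:service list', e.g. '192.168.1.128:22/tcp,portmapper/udp',
    into (interface, {(service, protocol), ...})."""
    iface, sep, services = value.partition(":")
    if not sep or not iface.strip():
        raise ValueError(f"expected 'interface:service list', got {value!r}")
    entries: Set[Service] = set()
    for item in services.split(","):
        m = _ENTRY.match(item.strip())
        if not m:  # must be port/protocol (non-RPC) or name/protocol (RPC)
            raise ValueError(f"bad service entry {item!r}")
        entries.add((m.group("svc"), m.group("proto")))
    return iface.strip(), entries

def load_lists(values) -> Dict[str, Set[Service]]:
    # Assumption (not stated on the page): repeated lines for one interface merge.
    lists: Dict[str, Set[Service]] = {}
    for v in values:
        iface, entries = parse_service_list(v)
        lists.setdefault(iface, set()).update(entries)
    return lists

def classify_ports(required, optional, observed, check_udp=True):
    """Per interface: open ports neither required nor optional are 'unexpected';
    required ports not open are 'missing'. check_udp=False mirrors PortCheckUDP=no."""
    report = {}
    for iface, open_ports in observed.items():
        req, opt = required.get(iface, set()), optional.get(iface, set())
        if not check_udp:
            open_ports = {p for p in open_ports if p[1] != "udp"}
            req = {p for p in req if p[1] != "udp"}
        report[iface] = {"unexpected": sorted(open_ports - req - opt),
                         "missing": sorted(req - open_ports)}
    return report

# Constructed sample: the lists from the configuration above, and a made-up scan
# result in which 80/tcp is down while 3306/tcp and 8080/tcp are up.
CONFIG_REQUIRED = ["192.168.1.128:22/tcp,25/tcp,80/tcp,portmapper/tcp,portmapper/udp"]
CONFIG_OPTIONAL = ["192.168.1.128:3306/tcp"]
OBSERVED = {"192.168.1.128": {("22", "tcp"), ("25", "tcp"), ("3306", "tcp"), ("8080", "tcp"),
                              ("portmapper", "tcp"), ("portmapper", "udp")},
            "192.168.1.129": {("22", "tcp")}}  # extra interface, no lists: every open port is reported

def demo(check_udp: bool = True):
    return classify_ports(load_lists(CONFIG_REQUIRED), load_lists(CONFIG_OPTIONAL), OBSERVED, check_udp)
```

Running `demo()` reports 8080/tcp as unexpected and 80/tcp as missing on 192.168.1.128, and 22/tcp as unexpected on the additional interface, which has no required or optional list.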