$Id: CHANGES,v 1.50 2003/05/23 17:44:15 crowland Exp crowland $

PortSentry Changes

10-12-1997 0.01 - Project Begins. 

10-13-1997 0.02 - Multiple port binding.
    	   	Config file added.
	   	TCP wrapper support added.

10-14-1997 0.03 - Added state engine.

11-2-1997  0.04 - Bug fixes in state engine. 
		Speed enhancements.

11-4-1997  0.05 - Added PORT_BANNER option

11-30-1997 0.06 - Re-vamped config file options. Consolidated variables
and added $TARGET$ macro expansion. Added option to run external
command.

12-04-1997 0.08 - Code cleanup and public alpha release.

12-06-1997 0.09 - Added option to skip blocking on UDP scans to
prevent DOS  attacks. 

12-10-1997 0.10 - Added alert for possible stealth scan detection.

3-10-1998 0.50 - FINALLY got back to work on this thing.

3-11-1998 0.50 - Added/changed configuration option to not react to 
TCP/UDP probes (report only).

Added history file to store permanent list of all blocked hosts.

Changed blocked file to be truncated to 0 bytes on startup so
users don't have to manually clean it out on re-start.

Removed reporting of already blocked hosts for UDP to
prevent possible denial of service attack. 

Put in limit of 64 open sockets per instance (some systems
did not have FD_SETSIZE defined correctly and this caused
errors).

Removed logging of connections from ignored hosts (why
ignore them if I still report their connection??)

Began renaming from "Abacus Sentry" to just plain "sentry"
to eliminate confusion.

Updated docs.

Minor code cleanups.

5-11-1998	0.60 Put in reverse DNS reporting on connections. Should
have done this long ago..
	 
Changed history file and blocked file to write out resolved
hostname on connects

5-25-1998 0.60 Added TCP SYN stealth scan detection

	     Added TCP FIN stealth scan detection

	     Added "Advanced" stealth scan detection mode.

5-26-1998 0.60 Added "Smart-Verify" port profiling in all stealth
modes to avoid blocking legitimate connections.

5-28-1998 0.61 Added tcp/ip headers with distribution because
some versions of Linux still use the "old" style and not the BSD
variant.

4-12-1999 0.80 Cleaned up lots of code. Reduced major redundant
sections. 

Eliminated redundant config file reads and moved code
to inititialize variables at startup instead of during program
loops. 

Added ports 635TCP, 12345TCP, 12346TCP, 31337UDP to port list. 

Lines of code reduced by 20%.

Removed hacked-in tcpip.h/ip.h header files and used proper Linux
defines.

Renamed package from "Abacus Sentry" to "PortSentry"


4-13-1999 0.80 Cleaned up more code. Moved packet classification
to separate function. 

Began regression testing.

4-14-1999 0.80 Added port 1524TCP (ingreslock) after several
reports of ttdbserver overflows using this as the backdoor
insertion point. 

4-30-1999 0.80 Fixed buggy string substitute function. It is now
faster and more reliable. 

Removed config file reading from all sub-functions and put it
into InitConfig() in main executable. This cuts down on file IO
during heavy activation of the probe scanner. 

Lots of small code cleanups.

5-01-1999 0.89 All docs updated and code base given distribution
version 0.89-BETA for release.

05-03-1999 0.89 Added $PORT$ option parsing to all kill options

Added KILL_TCP/KILL_UDP option of "2" to allow for running a command,
but not running other kill route/hosts.deny options

Fixed another bug in the subst function that would return an empty
string if nothing found instead of a string copy of the original. This
was causing a string that didn't have the optional $PORT$ command to
return empty.

Moved check for BLOCKED_FILE into init function from the checkconfig
function.

Printed out corrupted config file warnings to screen and syslog
instead of just syslog before aborting.

Made QA checklist part of package in case people are interested.

Added some more logging to kill* functions. Also added print out to
log files of exact string run for route, hostsdeny, runcmd options.

Changed BANNER to something a little shorter.

Fixed NeXTSTEP route command entry.
 
05-04-1999 0.89a Added new trojan horse ports for TCP_PORTS:

20034 - NetBus Pro
5742 - Win Crash Trojan 
30303 - Socket De Troye
40421 - Unknown Trojan Horse (Master's Paradise [CHR])

The above were taken from a post on comp.security.unix by:
jeromexxx@club-internet.fr on 05-03-99


05-10-1999 - 0.90 QA checklist completed.

Incremented version to 0.90
Updated docs/spellcheck

05-11-1999 - 0.90 Changed install dir to /usr/local/psionic/portsentry

Updated docs again.

Removed NeXTSTEP make rule because OS lacks vsnprintf() and I don't 
have a working version to put in.

Re-Ordered #include<> files to prevent warnings/errors under BSD (OpenBSD)

05-12-1999 - 0.90 Found very subtle bug in SafeStrncpy that would overwrite last
part of dest data with extra null outside of bounds and would intermittently
corrupt data. This was a real pain and took almost six hours of testing on various
platforms to track down as no debugger turned it up. I hope you people appreciate
all the aggravation I go through to write this thing. ;)

5-26-1999 - 0.90a Applied patch from <lindsey@mallorn.com> to get new version
to compile under older Linux distributions.

Added AIX build option.

6-02-1999 - 0.90b Added OSF build option.

Added OSF KILL_ROUTE command in .conf file

Fixed ipchains entry in .conf file.

Updated conf file to warn about bogus route.

Switched to native linux tcphdr/udphdr structs instead of BSD style.

6-03-1999 - 0.90c Added ignore.csh script contributed by Christopher
Lindsey.

7-09-1999 - 0.91 Fixed corrupted readme.qa file

7-12-1999 - 0.98 Fixed IP parsing problems in .ignore and .blocked functions.
Now correctly ignores blocked hosts and ignored hosts. Bug reported by
<lindsey@mallorn.com>

7-27-1999 - 0.98.1 Fixed a nasty bug where an attacker could cause
Sentry to ignore a scan if you have a specific configuration setup
on your host. Bug reported by Reuven Gevaryahu
<gevaryah@netaxs.com>.

7-28-1999 - 0.99 Finally put back in the parts that correctly read IP 
options and added extra code to check for illegal sizes, etc. This
has been a long time coming...sorry for the delay.

08-02-1999 - 0.99 WriteBlocked() now writes out packet type being blocked
"TCP" or "UDP" in the log files.

10-15-1999 - 1.0 NeverBlock() function fixed so now it actually does ignore hosts
correctly. I was stripping off the EOL prematurely during a strlen check and
this caused the problem. Thanks to all reporters for finding this.

10-24-1999 - 1.0 Updated docs to tell users how to add LOCAL0 facility for syslog
reporting.

11-14-1999 - 1.0 Y2K fix in WriteBlocked functions. Now uses four digit year in .blocked
and .history files. 

	Old format:

	942286729 - 11/10/99 20:18:49 Host: 192.168.2.12/192.168.2.12 Port: 111 TCP Blocked 

	New format:

	942286729 - 11/10/1999 20:18:49 Host: 192.168.2.12/192.168.2.12 Port: 111 TCP Blocked 

PortSentry doesn't use dates as part of its operations, however third party scripts may use the
.blocked and .history files and the two digit format would roll over to 1/1/100 on Jan 1 instead 
of 1/1/00 causing a potential problem. Sorry about that. :(

12-21-1999 - 1.1 Fixed typo in bare-bones TCP list where 524 was supposed to be for 1524.

03-31-2000 - 1.1 Updated .conf to add ipf blocking rule. Thanks Graham Dunn
<gdunn@inscriber.com>

06-08-2000 - 1.1 Fixed an error in the state engine portion that could cause an increment error
under certain conditions. Thanks Peter M. Allan <peter.m.allan@hsbcgroup.com> for finding this.

6-21-2000 - 1.1 New Features added

		- Added in feature to disable DNS host resolution by checking RESOLVE_HOST in
		conf file. 

		- Added in feature to have external command run before or after blocking has 
		occurred as defined in KILL_RUN_CMD_FIRST option in conf file.

		- Removed DoBlockTCP/UDP functions. Converted over to generic flag checker.


7-5-2000 - 1.1 

		- Added iptables support (thanks Scott Catterton <scatterton@valinux.com>)

		- Added Makefile support for Irix
		
		- Put in ports for common DDOS ports

9-8-2000 - 1.1  - Added in netmask support

9-9-2000 - 1.1  - Finally moved resolver functions to own area.
		- Made CleanAndResolve to ensure DNS records returned are sanitized
		  correctly before being passed back.

3-23-2001 - 1.1 - Fixed a bug that showed up under Linux 2.4 Kernel that would cause accept 
to loop. There was an error with how I used a count variable after trying to bind to ports. 
If the port didn't bind the count for the openSockfd would still increment and this caused 
the error to show up. 

6-26-2001 - 1.1 - Added Mac OS X build support (Same as FreeBSD). Fixed bug for Advanced mode
to properly monitor 1024 ports (it only did first 1023 before). Thanks Guido. 


05-23-2003 - 1.2 - Removed references to old psionic e-mail and changed license to 
Common Public License.

