2603.6 - removed port 22 from exlusion

2026-03-12 03:32:14 -04:00
parent bfb0c3fe6f
commit 1c35d604e3
5 changed files with 11 additions and 6 deletions
--- a/portspoof.service
+++ b/portspoof.service
@@ -8,6 +8,7 @@ ExecStart=/usr/bin/python3 -m portspoof_py \
    -s /etc/portspoof/portspoof_signatures \
    -c /etc/portspoof/portspoof.conf \
    -l /var/log/portspoof/portspoof.jsonl \
+    --exclude 22 \
    --admin-port 8080
 User=root
 TimeoutStopSec=30
--- a/portspoof_py/init.py
+++ b/portspoof_py/init.py
@@ -1,2 +1,2 @@
 """portspoof_py — asyncio Python rewrite of the portspoof TCP honeypot."""
-__version__ = '2603.5'
+__version__ = '2603.6'
--- a/portspoof_py/cli.py
+++ b/portspoof_py/cli.py
@@ -36,6 +36,9 @@ def _parse_args(argv=None):
                   help='JSON log output file')
    p.add_argument('--iface',           metavar='IFACE',
                   help='Network interface for iptables rules (e.g. eth0)')
+    p.add_argument('--exclude',         metavar='PORTS', default='',
+                   help='Comma-separated ports to exclude from iptables REDIRECT '
+                        '(e.g. --exclude 22,2222). Port 22 is no longer exempt by default.')
    p.add_argument('--no-iptables',     action='store_true',
                   help='Skip iptables rule setup/teardown')
    p.add_argument('-v', '--verbose',   action='store_true',
@@ -110,9 +113,10 @@ def main(argv=None) -> int:
    print(f"[portspoof] port map ready ({len(cfg.port_map)} entries)", flush=True)

    # iptables setup
-    exempt = [args.admin_port] if args.admin_port else []
+    exclude_ports = [int(p.strip()) for p in args.exclude.split(',') if p.strip().isdigit()]
+    exempt = exclude_ports + ([args.admin_port] if args.admin_port else [])
    if not args.no_iptables:
-        exempt_desc = ', '.join(str(p) for p in [22] + exempt + [args.port])
+        exempt_desc = ', '.join(str(p) for p in exempt + [args.port])
        iface_desc = args.iface or 'all'
        print(f"[portspoof] adding iptables rules (listener={args.port}, exempt={exempt_desc}, iface={iface_desc})")
        try:
--- a/portspoof_py/iptables.py
+++ b/portspoof_py/iptables.py
@@ -29,10 +29,10 @@ def check_root() -> bool:


 def _exempt_list(listen_port: int, exempt_ports: Optional[list]) -> list:
-    """Return deduped ordered list: [22, *extras, listen_port]."""
+    """Return deduped ordered list: [*extras, listen_port]."""
    seen: set = set()
    result = []
-    for p in [22] + (exempt_ports or []) + [listen_port]:
+    for p in (exempt_ports or []) + [listen_port]:
        if p not in seen:
            seen.add(p)
            result.append(p)
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "flit_core.buildapi"

 [project]
 name = "portspoof-py"
-version = "2603.5"
+version = "2603.6"
 description = "Python asyncio rewrite of the portspoof TCP honeypot"
 readme = "README.md"
 requires-python = ">=3.11"