create rss feed php | mysql prepared statement | java script browser detector
 


 

Install and Config Psad in Debian 7 Wheezy



Psad (Port Scan Attack Detector) is an intrusion prevention software, written in Perl by Michael Rash. Psad makes use of iptables and ip6tables log messages to detect, alert, and (optionally) block port scans and other suspect traffic. So, logging must be enabled to iptables firewall in order Psad to work.

Additionally, Psad can use many signatures from Snort intrusion detection system.

Michael Rash is the author of Linux Firewalls: Attack Detection and Response. Ι strongly recommend to read this book.

Port scan itself will not damage your system. But, Port Scan is usually the first step of an attack. Cracker can use nmap or similar tools to scan your network before starting an attack in order to discover ways to break the system.

Generally speaking, you do not need psad (not even iptables) if your hosting provider offers a dedicated hardware firewall (for example Cisco ASA 550 series). Of course, you must have the budget to pay for it and the knowledge to setup and manage it.

Enable logging to iptables

To force iptables loggins from dropped traffic:

iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG

You may want to save your basic rules:

iptables-save > /etc/iptables.up.rules

Setup

Using apt-get, psad (2.2-3.1) will be installed:

apt-get install psad

Configuration

Do not use /etc/fail2ban/jail.conf, create /etc/fail2ban/jail.local instead:

nano /etc/psad/psad.conf

Default /etc/psad/psad.conf is provided here. Below are mentioned ONLY THE CHANGES made in psad.conf with the default value commented and the documentation provided by psad author.

So, my settings are:

REMARK: EMAIL_ADDRESSES pontikis@gmail.com; is not needed if you have forwarded root mail.

### Supports multiple email addresses (as a comma separated
### list).
#EMAIL_ADDRESSES             root@localhost;
EMAIL_ADDRESSES             pontikis@gmail.com;

### Machine hostname
#HOSTNAME                    _CHANGEME_;
HOSTNAME                    cosmos.medisign.com;

### Specify the home and external networks.  Note that by default the
### ENABLE_INTF_LOCAL_NETS is enabled, so psad automatically detects
### all of the directly connected subnets and uses this information as
### the HOME_NET variable.
#HOME_NET                    any;
HOME_NET                    NOT_USED;

### By default, psad acquires iptables log data from the /var/log/messages
### file which the local syslog daemon (usually) writes iptables log messages
### to.  If the ENABLE_SYSLOG_FILE variable below is set to "N", then psad
### reconfigures syslog to write iptables log data to the
### /var/lib/psad/psadfifo fifo file where the messages are picked up by kmsgsd
### written to the file /var/log/psad/fwdata for analysis by psad.  On some
### systems, having syslog communicate log data to kmsgsd can be problematic
### (syslog configs and external factors such as Apparmor and SELinux can play
### a role here), so leaving the ENABLE_SYSLOG_FILE variable set to "Y" is
### usually recommended.
#IPT_SYSLOG_FILE             /var/log/messages;
IPT_SYSLOG_FILE             /var/log/kern.log;

### If "Y", send a status email message when an IP has reached the
### EMAIL_LIMIT threshold.
#EMAIL_LIMIT_STATUS_MSG      Y;
EMAIL_LIMIT_STATUS_MSG      N;

### If "Y", enable automated IDS response (auto manages
### firewall rulesets).
#ENABLE_AUTO_IDS             N;
ENABLE_AUTO_IDS             Y;

### Block all traffic from offending IP if danger
### level >= to this value
#AUTO_IDS_DANGER_LEVEL       5;
AUTO_IDS_DANGER_LEVEL       3;

### Set the auto-blocked timeout in seconds (the default
### is one hour).
#AUTO_BLOCK_TIMEOUT          3600;
AUTO_BLOCK_TIMEOUT          86400;

### By setting this variable to N, all auto-blocking emails can be
### suppressed.
#ENABLE_AUTO_IDS_EMAILS      Y;
ENABLE_AUTO_IDS_EMAILS      N;

### system binaries
#mailCmd          /bin/mail;
mailCmd          /usr/bin/mail;

Whitelist - blacklist

You can blacklist an IP (value = 5) or whitelist an IP (value = 0)

nano /etc/psad/auto_dl
127.0.0.1       0;          # Server IP.
144.76.70.100       0;          # Server IP.
95.211.47.207       0;          # Management IP.
82.192.71.9       0;          # Management IP.

Restart psad

You can blacklist an IP (value = 5) or whitelist an IP (value = 0)

systemctl restart psad.service

Useful commands

To check psad activity:

  • psad output: psad -S
  • remove automatically blocked ip: psad --fw-rm-block-ip <ip>
  • remove automatically blocked ips: psad -F
  • update signatures: psad --sig-update && psad -H

More details at PSAD man page

Update signatures periodically

Using cron

crontab -e
...
@weekly /usr/sbin/psad --sig-update && /usr/sbin/psad -H | mail -s "psad signatures updated on COSMOS" pontikis@gmail.com  # Weekly update of psad signatures
...

Examples

PSAD sample report:

Test psad

Using various available web based port scanners or nmap from a "test machine":

nmap -sX <your-ip-here>

the test machine IP will be blocked. Almost immediately, you will receive an email:

[psad-status] added iptables auto-block against <test machine IP> for 86400 seconds

Related Posts

You may also be interested in

Your comments are welcomed!

Εγγραφή!
Sign-up for our free email newsletter. Get updates when new tutorials and tips are published. You can unsubscribe anytime with a click.

Your comments are welcomed!

This site actively encourages commenting on any post. Comments are not pre-moderated, but this community does not tolerate direct or indirect attacks, name-calling or insults. Please, read terms of use and Comment Policy at privacy policy.

comments powered by Disqus
Install and Config Fail2Ban in Debian 7 Wheezy Upgrade Debian 6 Squeeze to 7 Wheezy