Install and Config Psad in Debian 7 Wheezy

Psad (Port Scan Attack Detector) is intrusion prevention software written in Perl by Michael Rash. Psad uses iptables and ip6tables log messages to detect, alert on, and (optionally) block port scans and other suspect traffic. So, logging must be enabled in the iptables firewall in order for Psad to work.

Additionally, Psad can use many signatures from the Snort intrusion detection system.

Michael Rash is the author of Linux Firewalls: Attack Detection and Response. I strongly recommend reading this book.

A port scan by itself will not damage your system, but a port scan is usually the first step of an attack: a cracker can use nmap or similar tools to scan your network before starting an attack, in order to discover ways to break into the system.

Generally speaking, you do not need psad (or even iptables) if your hosting provider offers a dedicated hardware firewall (for example the Cisco ASA 550 series). Of course, you must have the budget to pay for it and the knowledge to set it up and manage it.

Enable logging to iptables

To force iptables to log dropped traffic:

iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG

You may want to save your basic rules:

iptables-save > /etc/iptables.up.rules

Setup

Using apt-get, psad (version 2.2-3.1) will be installed:

apt-get install psad

Configuration

Edit the main configuration file, /etc/psad/psad.conf:

nano /etc/psad/psad.conf

The default /etc/psad/psad.conf is provided here:

Below are listed ONLY THE CHANGES made to psad.conf, each with the default value commented out and the documentation provided by the psad author.

So, my settings are:

REMARK: the EMAIL_ADDRESSES setting (pontikis@gmail.com) is not needed if you have forwarded root mail.

### Supports multiple email addresses (as a comma separated
### list).
#EMAIL_ADDRESSES             root@localhost;
EMAIL_ADDRESSES             pontikis@gmail.com;

### Machine hostname
#HOSTNAME                    _CHANGEME_;
HOSTNAME                    cosmos.medisign.com;

### Specify the home and external networks.  Note that by default the
### ENABLE_INTF_LOCAL_NETS is enabled, so psad automatically detects
### all of the directly connected subnets and uses this information as
### the HOME_NET variable.
#HOME_NET                    any;
HOME_NET                    NOT_USED;

### By default, psad acquires iptables log data from the /var/log/messages
### file which the local syslog daemon (usually) writes iptables log messages
### to.  If the ENABLE_SYSLOG_FILE variable below is set to "N", then psad
### reconfigures syslog to write iptables log data to the
### /var/lib/psad/psadfifo fifo file where the messages are picked up by kmsgsd
### written to the file /var/log/psad/fwdata for analysis by psad.  On some
### systems, having syslog communicate log data to kmsgsd can be problematic
### (syslog configs and external factors such as Apparmor and SELinux can play
### a role here), so leaving the ENABLE_SYSLOG_FILE variable set to "Y" is
### usually recommended.
#IPT_SYSLOG_FILE             /var/log/messages;
IPT_SYSLOG_FILE             /var/log/kern.log;

### If "Y", send a status email message when an IP has reached the
### EMAIL_LIMIT threshold.
#EMAIL_LIMIT_STATUS_MSG      Y;
EMAIL_LIMIT_STATUS_MSG      N;

### If "Y", enable automated IDS response (auto manages
### firewall rulesets).
#ENABLE_AUTO_IDS             N;
ENABLE_AUTO_IDS             Y;

### Block all traffic from offending IP if danger
### level >= to this value
#AUTO_IDS_DANGER_LEVEL       5;
AUTO_IDS_DANGER_LEVEL       3;

### Set the auto-blocked timeout in seconds (the default
### is one hour).
#AUTO_BLOCK_TIMEOUT          3600;
AUTO_BLOCK_TIMEOUT          86400;

### By setting this variable to N, all auto-blocking emails can be
### suppressed.
#ENABLE_AUTO_IDS_EMAILS      Y;
ENABLE_AUTO_IDS_EMAILS      N;

### system binaries
#mailCmd          /bin/mail;
mailCmd          /usr/bin/mail;

Whitelist – blacklist

You can blacklist an IP (value = 5) or whitelist an IP (value = 0).

nano /etc/psad/auto_dl

127.0.0.1         0;    # Server IP.
144.76.70.100     0;    # Server IP.
95.211.47.207     0;    # Management IP.
82.192.71.9       0;    # Management IP.
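As an added illustration (not part of the original article, and not psad's own code), this Python script mimics the analysis psad performs over the iptables LOG lines in /var/log/kern.log, combined with the auto_dl overrides and the AUTO_IDS_DANGER_LEVEL 3 setting above. The log lines, the packet-count thresholds per danger level and the 203.0.113.x / 198.51.100.x / 192.0.2.x source addresses are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Packets needed to reach danger levels 1-5 (assumed here, not from psad.conf).
DANGER_THRESHOLDS = [(5, 1), (15, 2), (150, 3), (1500, 4), (10000, 5)]
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_iptables_log(text):
    """Yield a {FIELD: value} dict for every iptables LOG line in text."""
    for line in text.splitlines():
        if "IN=" in line and "SRC=" in line:
            yield dict(FIELD_RE.findall(line[line.index("IN="):]))

def parse_auto_dl(text):
    """Map IP -> forced danger level from an auto_dl file (0 = whitelist)."""
    levels = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";")   # drop comments
        if line:
            ip, level = line.split()[:2]
            levels[ip] = int(level)
    return levels
def danger_level(packets):
    return max([dl for t, dl in DANGER_THRESHOLDS if packets >= t], default=0)
def assess(kern_log, auto_dl, auto_ids_danger_level=3):
    """Per source IP: (packets, distinct dst ports, danger level, action)."""
    per_src = defaultdict(lambda: {"packets": 0, "ports": set()})
    for f in parse_iptables_log(kern_log):
        per_src[f["SRC"]]["packets"] += 1
        per_src[f["SRC"]]["ports"].add(f.get("DPT"))
    forced, report = parse_auto_dl(auto_dl), {}
    for src, e in per_src.items():
        # auto_dl overrides the computed level; 0 means never block, and
        # "block" is what ENABLE_AUTO_IDS Y does at AUTO_IDS_DANGER_LEVEL.
        dl = forced[src] if src in forced else danger_level(e["packets"])
        action = ("whitelisted" if src in forced and dl == 0 else
                  "block" if dl >= auto_ids_danger_level else "log-only")
        report[src] = (e["packets"], len(e["ports"]), dl, action)
    return report

def _log_line(src, dpt):   # constructed iptables LOG line, abbreviated fields
    return ("Mar  4 10:15:01 cosmos kernel: [1001.1] IN=eth0 OUT= SRC=%s "
            "DST=144.76.70.100 PROTO=TCP SPT=40000 DPT=%d SYN" % (src, dpt))

# Constructed sample: a scanner and the whitelisted management IP each hit
# 160 ports, a third host sends 3 packets and a blacklisted host sends one.
SAMPLE_KERN_LOG = "\n".join(_log_line(s, p) for s, ports in [
    ("203.0.113.7", range(1, 161)), ("95.211.47.207", range(1, 161)),
    ("198.51.100.9", (22, 80, 443)), ("192.0.2.50", (22,))] for p in ports)
SAMPLE_AUTO_DL = "95.211.47.207  0;  # Management IP\n192.0.2.50  5;  # Blacklisted\n"
```

Running assess(SAMPLE_KERN_LOG, SAMPLE_AUTO_DL) reports the scanner as "block", the management IP as "whitelisted" despite identical traffic, and the blacklisted host as "block" after a single packet.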

Restart psad

Restart psad to apply the changes:

systemctl restart psad.service

Useful commands

To check psad activity:

  • psad output: psad -S
  • remove an automatically blocked IP: psad --fw-rm-block-ip <ip>
  • remove all automatically blocked IPs: psad -F
  • update signatures: psad --sig-update && psad -H

More details in the psad man page.

Update signatures periodically

Using cron:

crontab -e

...
@weekly /usr/sbin/psad --sig-update && /usr/sbin/psad -H | mail -s "psad signatures updated on COSMOS" pontikis@gmail.com  # Weekly update of psad signatures
...

Examples

PSAD sample report:

Test psad

Using one of the various available web-based port scanners, or nmap from a “test machine”:

nmap -sX <your-ip-here>

The test machine IP will be blocked. Almost immediately, you will receive an email:

[psad-status] added iptables auto-block against <test machine IP> for 86400 seconds