securedebina4.pdf

Upload: charbel-avognon

Post on 02-Jun-2018

8/10/2019 securedebina4.pdf

1/7

Install and Config Psad in Debian 7 Wheezy

May 18th, 2013

Psad (Port Scan Attack Detector) is intrusion detection software with optional active response, written in Perl by Michael Rash. Psad makes use of iptables and ip6tables log messages to detect, alert on, and (optionally) block port scans and other suspect traffic. So, logging must be enabled in the iptables firewall for psad to work at all. Additionally, psad can use many signatures from the Snort intrusion detection system.

Michael Rash is the author of Linux Firewalls: Attack Detection and Response. I strongly recommend reading this book.

A port scan by itself will not damage your system, but a port scan is usually the first step of an attack. A cracker can use nmap or similar tools to scan your network before starting an attack, in order to discover ways to break into the system.

Generally speaking, you do not need psad (or even iptables) if your hosting provider offers a dedicated hardware firewall in front of the server (for example a Cisco ASA 5500 series appliance). Of course, you must have the budget to pay for it and the knowledge to set it up and manage it. Even then, a host firewall costs nothing and catches traffic the appliance may never see, such as traffic from neighbouring hosts on the same segment, so keeping iptables is cheap insurance.

Setup

Enable logging to iptables

To force iptables to log dropped traffic, append a LOG rule to the INPUT and FORWARD chains. A LOG rule never accepts or drops anything; the packet just continues to the next rule. Because -A appends, these rules come after every ACCEPT rule in the chain, so the packets that reach them are exactly the ones the chain's default policy (which should be DROP) is about to discard:

iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG

If the chain policy is ACCEPT instead, the same rules log traffic that the firewall then lets through, so in that case add an explicit -j DROP rule after each LOG rule.

You may want to save your basic rules:

iptables-save > /etc/iptables.up.rules

About the author: Christos Pontikis

Install and Config Psad in Debian 7 Wheezy http://www.pontikis.net/blog/psad-install-config

1 of 7 16/10/2014 20
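The rule ordering above is the part that most often goes wrong in practice: a LOG rule inserted at the top of the chain, or an ACCEPT added after it, means psad either reports legitimate traffic or sees nothing. The script below is an added example, not code from the original post: it generates a small Wheezy ruleset in iptables-save format with the LOG rules in the right place, and includes a check that parses any saved ruleset and reports whether the logged traffic is really the dropped traffic. The SSH port, the management network (the post's management IP is used as the default), the open web port and the ICMP limit are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): generate a ruleset whose final
# INPUT/FORWARD rules are the LOG rules psad reads, and check a saved ruleset
# for the ordering mistakes that starve psad of data or feed it accepted traffic.
# SSH_PORT, MGMT_NET, port 80 and the ICMP limit are assumed values.

SSH_PORT="${SSH_PORT:-22}"
MGMT_NET="${MGMT_NET:-95.211.47.207/32}"   # assumed management address

# Policy DROP plus LOG as the last rule: anything reaching LOG is about to be
# dropped, so psad only ever sees refused traffic. --log-ip-options and
# --log-tcp-options add the option bytes psad can use for passive OS fingerprinting.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s ${MGMT_NET} -p tcp --dport ${SSH_PORT} -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -j LOG --log-prefix "iptables denied: " --log-ip-options --log-tcp-options
-A FORWARD -j LOG --log-prefix "iptables denied: " --log-ip-options --log-tcp-options
COMMIT
EOF
}

# Read a ruleset in iptables-save format on stdin and inspect one chain.
# Prints "ok" when the chain has a LOG rule, nothing ACCEPTs after it, and the
# traffic reaching it is actually dropped (policy DROP or a later DROP rule);
# otherwise prints the first problem found.
check_chain() {
    chain="$1"
    awk -v chain="$chain" '
        $1 == (":" chain)          { policy = $2 }
        $1 == "-A" && $2 == chain  {
            if ($0 ~ /-j LOG/) { seen_log = 1; next }
            if (seen_log && $0 ~ /-j ACCEPT/) { accept_after = 1 }
            if (seen_log && $0 ~ /-j DROP/)   { drop_after = 1 }
        }
        END {
            if (!seen_log)                       { print "no LOG rule in " chain; exit }
            if (accept_after)                    { print "ACCEPT after LOG in " chain; exit }
            if (policy != "DROP" && !drop_after) { print "LOG in " chain " but nothing drops afterwards"; exit }
            print "ok"
        }'
}

# Load the ruleset and persist it the way the post does, but only after the
# ordering check passes for both logged chains. Needs root and iptables-restore.
apply_rules() {
    gen_rules | check_chain INPUT   | grep -qx ok || { echo "INPUT chain misconfigured" >&2; return 1; }
    gen_rules | check_chain FORWARD | grep -qx ok || { echo "FORWARD chain misconfigured" >&2; return 1; }
    gen_rules | iptables-restore && iptables-save > /etc/iptables.up.rules
}

case "${1:-print}" in
    apply) apply_rules ;;
    *)     gen_rules ;;      # default: just show the generated ruleset
esac
```

Run it without arguments to review the ruleset, or as root with `apply` to load and save it. To audit an existing box, feed its saved rules to the check instead: `iptables-save | sh -c '. ./this_script.sh; check_chain INPUT'` is the idea, or simply `check_chain INPUT < /etc/iptables.up.rules` after sourcing the file. The log prefix is optional: psad's FW_SEARCH_ALL setting defaults to Y, so it parses every iptables log line regardless of prefix.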

2/7

Configuration

Using apt-get, psad (2.2-3.1) will be installed:

apt-get install psad

The default /etc/psad/psad.conf is provided here. Below are mentioned ONLY THE CHANGES made in psad.conf, with the default value commented out and the documentation provided by the psad author.

nano /etc/psad/psad.conf

So, my settings are:

### Supports multiple email addresses (as a comma separated list).
#EMAIL_ADDRESSES root@localhost;
EMAIL_ADDRESSES [email protected];

### Machine hostname
#HOSTNAME _CHANGEME_;
HOSTNAME cosmos.medisign.com;

### Specify the home and external networks. Note that by default
### ENABLE_INTF_LOCAL_NETS is enabled, so psad automatically detects
### all of the directly connected subnets and uses them as
### the HOME_NET variable.
#HOME_NET any;
HOME_NET NOT_USED;

### By default, psad acquires iptables log data from the file which the
### local syslog daemon (usually) writes to. If the ENABLE_SYSLOG_FILE
### variable is set to N, psad reconfigures syslog to write iptables log
### data to the /var/lib/psad/psadfifo fifo file, from where it is
### written to the file /var/log/psad/fwdata. On some systems, having
### syslog communicate log data through a fifo is problematic (syslog
### configs and external factors play a role here), so leaving
### ENABLE_SYSLOG_FILE set to Y is usually recommended.
#IPT_SYSLOG_FILE /var/log/messages;
IPT_SYSLOG_FILE /var/log/kern.log;

### If "Y", send a status email message when an IP reaches the
### EMAIL_LIMIT threshold.
#EMAIL_LIMIT_STATUS_MSG Y;
EMAIL_LIMIT_STATUS_MSG N;

### If "Y", enable automated IDS response (auto-generated
### firewall rulesets).
#ENABLE_AUTO_IDS N;
ENABLE_AUTO_IDS Y;

### Block all traffic from offending IP if danger
### level >= to this value
#AUTO_IDS_DANGER_LEVEL 5;
AUTO_IDS_DANGER_LEVEL 3;

### Set the auto-blocked timeout in seconds (the default
### is one hour).
#AUTO_BLOCK_TIMEOUT 3600;
AUTO_BLOCK_TIMEOUT 86400;

### By setting this variable to N, all auto-block emails are
### suppressed.
#ENABLE_AUTO_IDS_EMAILS Y;
ENABLE_AUTO_IDS_EMAILS N;

### system binaries
#mailCmd /bin/mail;
mailCmd /usr/bin/mail;

REMARK: EMAIL_ADDRESSES [email protected]; is not needed if you have forwarded root mail.

Install and Config Psad in Debian 7 Wheezy http://www.pontikis.net/blog/psad-install-config

2 of 7 16/10/2014 20

3/7

Whitelist - blacklist

You can blacklist an IP (value = 5) or whitelist an IP (value = 0) in /etc/psad/auto_dl. Whitelist the server's own addresses and every address you manage it from before enabling auto-blocking: with AUTO_IDS_DANGER_LEVEL 3 and AUTO_BLOCK_TIMEOUT 86400 above, a mistyped port or a monitoring probe from an unlisted management host can lock you out for 24 hours.

nano /etc/psad/auto_dl

127.0.0.1     0; # Server IP.
144.76.70.100 0; # Server IP.
95.211.47.207 0; # Management IP.
82.192.71.9   0; # Management IP.

Restart psad

systemctl restart psad.service

Debian 7 Wheezy ships with sysvinit rather than systemd, so on a stock Wheezy system use "service psad restart" (or "/etc/init.d/psad restart") instead.

Useful commands

To check psad activity:

psad output: psad -S
remove an automatically blocked IP: psad --fw-rm-block-ip <ip>
remove all automatically blocked IPs: psad -F
update signatures: psad --sig-update && psad -H

More details at the PSAD man page.

Update signatures periodically

Install and Config Psad in Debian 7 Wheezy http://www.pontikis.net/blog/psad-install-config

3 of 7 16/10/2014 20
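To make the effect of AUTO_IDS_DANGER_LEVEL and of the auto_dl overrides concrete, here is an added example (not psad's own code, which is Perl and far more elaborate): a stripped-down emulation, in sh and awk, of the pass psad makes over the iptables LOG lines in /var/log/kern.log. It groups refused packets by source, assigns a danger level from the packet count, raises it when the packets carry the nmap Xmas flag combination, applies the auto_dl overrides, and decides what psad would block. The kern.log excerpt and the auto_dl file are constructed inline. The packet thresholds (5, 15, 150, 1500, 10000 for danger levels 1 to 5) are psad's defaults as far as the DANGER_LEVEL1..5 settings go, and the danger level given to the Xmas signature match is an assumed value; real psad also uses time windows, per-port weighting and its full Snort-derived signature set.

```shell
#!/bin/sh
# Added example (not psad's code): emulate how psad turns iptables LOG lines
# into a per-source danger level and an auto-block decision, using the post's
# AUTO_IDS_DANGER_LEVEL 3 and auto_dl overrides. Assumed: DANGER_LEVEL1..5
# packet thresholds 5/15/150/1500/10000 and danger level 3 for an nmap XMAS
# signature hit (psad signatures carry their own psad_dl; 3 is illustrative).

AUTO_IDS_DANGER_LEVEL=3
XMAS_SIG_DL=3

# Constructed /etc/psad/auto_dl: 0 = never block, 5 = always block.
AUTO_DL='127.0.0.1 0; # Server IP.
95.211.47.207 0; # Management IP.
198.51.100.66 5; # Always block.'
export AUTO_DL

# One constructed kern.log line in the format the LOG target writes.
log_line() {   # $1 src  $2 dport  $3 TCP flags, e.g. "SYN" or "URG PSH FIN"
    printf 'May 18 13:00:01 cosmos kernel: [100.1] iptables denied: IN=eth0 OUT= SRC=%s DST=144.76.70.100 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=TCP SPT=50001 DPT=%s WINDOW=1024 RES=0x00 %s URGP=0\n' "$1" "$2" "$3"
}

# Constructed log excerpt: an nmap -sX scan of 20 ports (few packets, but the
# Xmas flag combination), a SYN scan of 160 ports (count alone reaches level 3),
# one typo from the management IP, and one probe from the always-block IP.
sample_log() {
    p=1; while [ $p -le 20 ];  do log_line 203.0.113.9 $p "URG PSH FIN"; p=$((p+1)); done
    p=1; while [ $p -le 160 ]; do log_line 192.0.2.77 $((1000+p)) SYN;   p=$((p+1)); done
    log_line 95.211.47.207 2222 SYN
    log_line 198.51.100.66 22 SYN
}

# Emulated psad pass over LOG lines on stdin. One output line per source:
#   SRC PACKETS DISTINCT_PORTS XMAS_PACKETS DANGER_LEVEL ACTION
danger_report() {
    awk -v thr="$AUTO_IDS_DANGER_LEVEL" -v xmas_dl="$XMAS_SIG_DL" '
    BEGIN {
        n = split(ENVIRON["AUTO_DL"], lines, "\n")      # "ip level; # comment"
        for (i = 1; i <= n; i++) {
            split(lines[i], f, " "); sub(/;/, "", f[2])
            override[f[1]] = f[2]
        }
    }
    /PROTO=TCP/ {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        pkts[src]++
        if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
        if ($0 ~ / URG PSH FIN /) xmas[src]++        # Snort "SCAN nmap XMAS" flag set
    }
    END {
        for (src in pkts) {
            dl = 0
            if (pkts[src] >= 5)     dl = 1
            if (pkts[src] >= 15)    dl = 2
            if (pkts[src] >= 150)   dl = 3
            if (pkts[src] >= 1500)  dl = 4
            if (pkts[src] >= 10000) dl = 5
            if (xmas[src] > 0 && dl < xmas_dl) dl = xmas_dl
            if (src in override) dl = override[src] + 0   # auto_dl wins over everything
            action = (dl == 0) ? "ignore" : (dl + 0 >= thr ? "block" : "report")
            printf "%s %d %d %d %d %s\n", src, pkts[src], ports[src], xmas[src], dl, action
        }
    }' | sort
}

# The firewall change implied by each "block" line. Real psad inserts its rules
# into its own PSAD_BLOCK_* chains; a plain INPUT rule is shown for clarity.
block_commands() {
    danger_report | awk '$NF == "block" { print "iptables -I INPUT -s " $1 " -j DROP" }'
}

sample_log | danger_report
sample_log | block_commands
```

Two things the output makes visible that the configuration alone does not: a short Xmas scan is blocked on the strength of its signature although its packet count only reaches level 2, and the management IP is never blocked no matter what it sends, which is exactly why the whitelist entries in auto_dl must be in place before ENABLE_AUTO_IDS is switched to Y.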

4/7

Using cron

crontab -e

...@weekly /usr/sbin/psad --sig-update && /usr/sbin/...

Examples

Test psad

Using one of the various available web based port scanners, or nmap from a "test machine" (for example an Xmas scan, which sets the FIN, PSH and URG flags and is recognized by psad's signature set):

nmap -sX

the test machine's IP will be blocked. Make sure the test machine is not one of the addresses whitelisted in /etc/psad/auto_dl and that you can still reach the server another way: with the settings above the block lasts 24 hours (AUTO_BLOCK_TIMEOUT 86400) unless you remove it with psad --fw-rm-block-ip or psad -F. Almost immediately, you will receive an email:

[psad-status] added iptables auto-block against

PSAD sample report:

psad sample report (image)

Your comments are welcomed!