securedebina4.pdf (printed 8/10/2019)
Install and Config Psad in Debian 7 Wheezy
May 18th, 2013
Psad (Port Scan Attack Detector) is intrusion prevention software, written in Perl by Michael Rash. Psad makes use of iptables and ip6tables log messages to detect, alert, and (optionally) block port scans and other suspect traffic. So, logging must be enabled in the iptables firewall for Psad to work. Additionally, Psad can use many signatures from the Snort intrusion detection system.
Michael Rash is the author of Linux Firewalls: Attack Detection and Response. I strongly recommend reading this book.
A port scan by itself will not damage your system, but a port scan is usually the first step of an attack: a cracker can use nmap or similar tools to scan your network before starting an attack, in order to discover ways to break into the system.
Generally speaking, you do not need psad (or even iptables) if your hosting provider offers a dedicated hardware firewall (for example, the Cisco ASA 550 series). Of course, you must have the budget to pay for it and the knowledge to set it up and manage it.
Setup
Enable logging to iptables
To force iptables logging of dropped traffic:
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
You may want to save your basic rules:
iptables-save > /etc/iptables.up.rules
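As an added example (not code from the original post), the following shell functions check a saved iptables-save dump such as /etc/iptables.up.rules for the LOG rules psad depends on; the dump embedded in it is constructed for illustration.

```shell
# Added example, not from the original post: check an iptables-save dump
# (such as /etc/iptables.up.rules saved above) for the LOG rules psad relies on.
# psad only sees what iptables logs, so the rule must exist in INPUT and
# FORWARD, and it should be the last rule in the chain: appended there, as
# above, it logs only traffic that falls through to the DROP policy instead
# of every accepted packet. The dump below is constructed.

# Succeed if the last rule appended to CHAIN in the filter table is a LOG rule.
ends_with_log_rule() {   # ends_with_log_rule CHAIN FILE
    awk -v chain="$1" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == "-A" && $2 == chain { last = ($0 ~ /-j LOG( |$)/) }
        END { exit last ? 0 : 1 }' "$2"
}

# Report each chain psad reads that lacks a trailing LOG rule; fail if any.
check_psad_logging() {   # check_psad_logging FILE
    rc=0
    for chain in INPUT FORWARD; do
        ends_with_log_rule "$chain" "$1" || { echo "$chain: no trailing LOG rule"; rc=1; }
    done
    return $rc
}

# Constructed dump: INPUT logs before its DROP policy, FORWARD never logs.
make_dump() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG
COMMIT
EOF
    echo "$f"
}

# Usage: on a live host run check_psad_logging /etc/iptables.up.rules.
f=$(make_dump)
check_psad_logging "$f" && echo "psad logging rules present"
```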
Install and Config Psad in Debian 7 Wheezy http://www.pontikis.net/blog/psad-install-config (page 1 of 7, 16/10/2014)
Configuration
Using apt-get, psad (2.2-3.1) will be installed:
apt-get install psad
Do not use /etc/fail2ban/jail.conf; create /etc/fail2ban/jail.local instead:
The default /etc/psad/psad.conf is provided here. Below are listed ONLY THE CHANGES made in psad.conf, with the default value commented out and the documentation provided by the psad author. So, my settings are:
REMARK: EMAIL_ADDRESSES [email protected]; is not needed if you have forwarded root mail.
nano /etc/psad/psad.conf
### Supports multiple email addresses (as a comma-separated list).
#EMAIL_ADDRESSES root@localhost;
EMAIL_ADDRESSES [email protected];
### Machine hostname
#HOSTNAME _CHANGEME_;
HOSTNAME cosmos.medisign.com;
### Specify the home and external networks. Note that by default
### ENABLE_INTF_LOCAL_NETS is enabled, so psad automatically detects
### all of the directly connected subnets and uses this information as
### the HOME_NET variable.
#HOME_NET any;
HOME_NET NOT_USED;
### By default, psad acquires iptables log data from the file which the
### local syslog daemon (usually) writes iptables log messages to. If the
### ENABLE_SYSLOG_FILE variable below is set to "N", psad reconfigures
### syslog to write iptables log data to the /var/lib/psad/psadfifo fifo
### file, where the messages are written to the file /var/log/psad/fwdata
### for analysis. On some systems, having syslog communicate log data to
### psad via a fifo may not work well (syslog configs and external factors
### such as SELinux can play a role here), so leaving the
### ENABLE_SYSLOG_FILE variable set to "Y" is usually recommended.
#IPT_SYSLOG_FILE /var/log/messages;
IPT_SYSLOG_FILE /var/log/kern.log;
### If "Y", send a status email message when an IP has reached the
### EMAIL_LIMIT threshold.
#EMAIL_LIMIT_STATUS_MSG Y;
EMAIL_LIMIT_STATUS_MSG N;
### If "Y", enable automated IDS response (auto blocking with
### firewall rulesets).
#ENABLE_AUTO_IDS N;
ENABLE_AUTO_IDS Y;
### Block all traffic from offending IP if danger
### level >= to this value
#AUTO_IDS_DANGER_LEVEL 5;
AUTO_IDS_DANGER_LEVEL 3;
### Set the auto-blocked timeout in seconds (the default
### is one hour).
#AUTO_BLOCK_TIMEOUT 3600;
AUTO_BLOCK_TIMEOUT 86400;
### By setting this variable to N, all auto-blocking emails can be
### suppressed.
#ENABLE_AUTO_IDS_EMAILS Y;
ENABLE_AUTO_IDS_EMAILS N;
### system binaries
#mailCmd /bin/mail;
mailCmd /usr/bin/mail;

Whitelist - blacklist
You can blacklist an IP (value = 5) or whitelist an IP (value = 0):
nano /etc/psad/auto_dl
127.0.0.1 0; # Server IP.
144.76.70.100 0; # Server IP.
95.211.47.207 0; # Management IP.
82.192.71.9 0; # Management IP.

Restart psad
systemctl restart psad.service

Useful commands
To check psad activity:
psad output: psad -S
remove automatically blocked ip: psad --fw-rm-block-ip
remove automatically blocked ips: psad -F
update signatures: psad --sig-update && psad -H
More details in the PSAD man page.
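With ENABLE_AUTO_IDS Y and AUTO_IDS_DANGER_LEVEL 3, a management host that is missing from auto_dl can be auto-blocked for AUTO_BLOCK_TIMEOUT seconds by its own noisy traffic. As an added example (not code from the original post), these shell functions read the psad.conf and auto_dl formats shown above and refuse a restart until every management IP carries danger level 0; the sample files and the 192.0.2.10 / 203.0.113.9 addresses are constructed.

```shell
# Added example, not from the original post: before restarting psad, check
# that auto-blocking (ENABLE_AUTO_IDS Y, AUTO_IDS_DANGER_LEVEL 3) cannot lock
# out the management hosts, i.e. each one is listed with level 0 in auto_dl.
# Paths are arguments so the checks can run on copies; samples are constructed.

# Print the active (uncommented) value of a psad.conf variable, e.g. "Y".
conf_get() {   # conf_get VAR FILE
    sed -n "s/^[[:space:]]*$1[[:space:]][[:space:]]*\([^;]*\);.*/\1/p" "$2" | tail -n 1
}

# Succeed if IP appears in auto_dl with danger level 0 (whitelisted).
is_whitelisted() {   # is_whitelisted IP FILE
    ip_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -E "^[[:space:]]*${ip_re}[[:space:]]+0;" "$2" >/dev/null
}

# When auto-blocking is enabled, require every management IP to be
# whitelisted; print each offender and fail if any is missing.
check_auto_ids() {   # check_auto_ids PSAD_CONF AUTO_DL IP...
    conf=$1; dl=$2; shift 2; rc=0
    if [ "$(conf_get ENABLE_AUTO_IDS "$conf")" = "Y" ]; then
        echo "auto-blocking at danger level $(conf_get AUTO_IDS_DANGER_LEVEL "$conf")"
        for ip in "$@"; do
            is_whitelisted "$ip" "$dl" || { echo "NOT whitelisted: $ip"; rc=1; }
        done
    fi
    return $rc
}

# Constructed sample files mirroring the settings in the post.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/psad.conf" <<'EOF'
#ENABLE_AUTO_IDS N;
ENABLE_AUTO_IDS Y;
#AUTO_IDS_DANGER_LEVEL 5;
AUTO_IDS_DANGER_LEVEL 3;
EOF
    cat > "$d/auto_dl" <<'EOF'
127.0.0.1 0; # Server IP.
192.0.2.10 0; # Management IP (constructed).
EOF
    echo "$d"
}
# Usage: real paths would be /etc/psad/psad.conf and /etc/psad/auto_dl.
d=$(make_samples)
check_auto_ids "$d/psad.conf" "$d/auto_dl" 127.0.0.1 192.0.2.10 203.0.113.9 \
    || echo "fix /etc/psad/auto_dl before restarting psad"
```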
Update signatures periodically
Using cron
crontab -e
...@weekly /usr/sbin/psad --sig-update && /usr/sbin/...

Examples
Test psad
Using various available web-based port scanners or nmap from a "test machine":
nmap -sX
the test machine IP will be blocked. Almost immediately, you will receive an email:
[psad-status] added iptables auto-block against

PSAD sample report:
(image: psad sample report)

Your comments are welcomed!