Progmar Marcin Załęczny


PSAD - Port Scan Attack Detector - in Ubuntu 15.10

PSAD is a tool for detecting port scans and for passively fingerprinting the operating system of the host that sends them.

Installation: sudo apt-get install psad

Starting the service: sudo service psad start, or: sudo systemctl start psad

Next we configure iptables and ip6tables. In both, the default policy should be set to DROP and the last rule in the INPUT and FORWARD chains should be one that logs the packet, for example:

ip6tables -A INPUT -j LOG --log-prefix "[ipt]: INPUT6 DROP: "
ip6tables -A FORWARD -j LOG --log-prefix "[ipt]: FORWARD6 DROP: "

In the lines above the --log-prefix argument with its text string is optional. I use it so that the syslog daemon can match on the prefix and write the logged packets to a separate log file (/var/log/iptables.log instead of /var/log/messages.log). If you decide to send the logged packets to a file other than the default one, you should tell psad where to find them. You do this in its config file /etc/psad/psad.conf by setting the variable IPT_SYSLOG_FILE, for example:

IPT_SYSLOG_FILE /var/log/iptables.log;

After editing the file, restart psad.
If you do not want to deal with IPv6 traffic at all, log and drop it in all three chains:

#!/bin/bash

# Flush all rules and delete user-defined chains
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -F FORWARD
ip6tables -X

# Default policy: drop everything
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP

# INPUT: log every packet before the DROP policy discards it
ip6tables -A INPUT -j LOG --log-prefix "[ipt]: INPUT6 DROP: "

# OUTPUT
ip6tables -A OUTPUT -j LOG --log-prefix "[ipt]: OUTPUT6 DROP: "

# FORWARD
ip6tables -A FORWARD -j LOG --log-prefix "[ipt]: FORWARD6 DROP: "
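As an added example (not code from the original post), the following script shows two things the firewall setup above leaves implicit: how the "[ipt]:" prefix is used to route the logged packets into a separate file (an rsyslog fragment; the names /etc/rsyslog.d/10-iptables.conf and /var/log/iptables.log are assumptions), and what psad has to work from once packets are logged. The scan report is a simplified per-source port-count model run over constructed sample log lines, not psad's own algorithm or thresholds; it also illustrates why the LOG rule must be the last one in the chain, since anything matched by an earlier rule never reaches psad.

```shell
#!/bin/sh
# Added example (not part of the original post): what psad sees in the
# iptables LOG lines, and why the LOG rule must be the last one.
# Assumes the "[ipt]: " prefix from the rules above and the standard
# kernel LOG line format (SRC=, DST=, PROTO=, DPT= fields).

# write_ipt_syslog_filter CONF LOGFILE
# Writes an rsyslog fragment that routes lines carrying the "[ipt]:" prefix
# into LOGFILE and stops further processing, so they do not also land in the
# default log. Install it e.g. as /etc/rsyslog.d/10-iptables.conf (assumed
# path) and restart rsyslog.
write_ipt_syslog_filter() {
  printf ':msg, contains, "[ipt]:" %s\n& stop\n' "$2" > "$1"
}

# scan_report LOGFILE THRESHOLD
# Simplified model of what psad does with the logged packets (not psad's
# real algorithm or thresholds): count, per source address, how many
# distinct proto/port pairs were logged and report sources that reached
# THRESHOLD. Only packets that hit the LOG rule are visible here.
scan_report() {
  awk -v thr="$2" '
    /\[ipt\]: / {
      src = ""; dpt = ""; proto = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)        src   = substr($i, 5)
        else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        else if ($i ~ /^PROTO=/) proto = substr($i, 7)
      }
      if (src == "" || dpt == "") next     # e.g. ICMP lines carry no DPT
      key = src SUBSEP proto "/" dpt
      if (!(key in seen)) { seen[key] = 1; ports[src]++ }
      pkts[src]++
    }
    END {
      for (s in ports)
        if (ports[s] >= thr)
          printf "%s distinct_ports=%d packets=%d\n", s, ports[s], pkts[s]
    }' "$1" | sort
}

# make_sample_log LOGFILE
# Constructed sample (not real traffic): one host probing ten TCP ports,
# one host with a single dropped packet, and an unrelated kernel line that
# must be ignored.
make_sample_log() {
  : > "$1"
  for p in 21 22 23 25 80 110 143 443 445 3306; do
    echo "Mar  3 10:00:01 gw kernel: [ipt]: INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54321 DPT=$p WINDOW=1024 RES=0x00 SYN URGP=0" >> "$1"
  done
  echo "Mar  3 10:00:02 gw kernel: [ipt]: INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:cc:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0" >> "$1"
  echo "Mar  3 10:00:03 gw kernel: eth0: link is up" >> "$1"
}

# Demo run on the constructed sample
tmp=$(mktemp)
make_sample_log "$tmp"
echo "Sources that hit at least 5 distinct ports:"
scan_report "$tmp" 5
rm -f "$tmp"
```

Run as a normal user; nothing here touches the firewall. With the sample, only 203.0.113.5 is reported at threshold 5, while at threshold 1 the single dropped packet from 198.51.100.7 also shows up, which is the kind of noise that psad's danger levels exist to separate from real scans.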

Next apply the IPv4 and IPv6 firewall scripts and check whether together they give psad a properly functioning configuration:

psad --fw-analyze

If all is OK, you should get the following output:

[+] Parsing /sbin/iptables INPUT chain rules.
[+] Parsing /sbin/ip6tables INPUT chain rules.
[+] Firewall config looks good.
[+] Completed check of firewall ruleset.
[+] Results in /var/log/psad/fw_check
[+] Exiting.
If something is wrong, you get a short error message and a mail to the root account containing a detailed description of the error.
You can read that mail for example with the alpine mail client:

sudo apt-get install alpine
sudo alpine

You can check whether psad is running in the following way:

sudo bash
kill -0 `cat /var/run/psad/psad.pid`
echo $?

If the output is 0, psad is running. Otherwise psad is not running or some error occurred.

If we are not interested in alerts about IPv6 scans, we can set the following variable in /etc/psad/psad.conf to 'N':

ENABLE_IPV6_DETECTION N;

You can update psad's signature database by running: sudo psad --sig-update

Load the updated signature database into the running psad: sudo psad -H

Display detailed information about psad's status and its statistics: sudo psad --Status

Make psad process an arbitrary log file and print the status and statistical data for it. The output is similar to that of the --Status option: sudo psad -A -m /path/to/iptables.logs

Configuration variables in /etc/psad/psad.conf that affect how psad reacts to an attack:
ENABLE_AUTO_IDS - specifies whether psad works in automatic defense mode
AUTO_IDS_DANGER_LEVEL - number in the range [1..5]; the minimal danger level at which psad takes a preventive action
AUTO_BLOCK_TIMEOUT - how long (in seconds) automatically added blocking rules stay valid; if set to 0 the rules stay in effect for as long as psad is running (restarting psad or the whole computer clears the rules)
IPTABLES_BLOCK_METHOD - if set to 'Y' together with ENABLE_AUTO_IDS, psad adds DROP iptables rules
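The four variables only make sense together, and a typo in one of them silently changes what psad will do. As an added example (not from the original post or the psad project), the script below reads them from a psad.conf-style file ("KEY value;" lines, as in the examples on this page) and reports the effective auto-response mode; the sample configuration it writes is constructed for the demonstration, and the checks (danger level must be 1..5; IPTABLES_BLOCK_METHOD without ENABLE_AUTO_IDS does nothing) follow the descriptions above.

```shell
#!/bin/sh
# Added example (not part of the original post): read psad's auto-response
# settings from a psad.conf-style file and report whether they are consistent.
# Assumes the "KEY   value;" line format that psad.conf uses.

# psad_conf_get FILE KEY -> prints the value of KEY without the trailing ';'
psad_conf_get() {
  awk -v key="$2" '
    /^[[:space:]]*#/ { next }                       # skip comment lines
    $1 == key { v = $2; sub(/;$/, "", v); print v; exit }
  ' "$1"
}

# check_auto_ids FILE
# Prints one line describing the effective auto-response mode.
# Returns 0 when the settings are consistent, 1 when something needs a look.
check_auto_ids() {
  conf="$1"
  auto=$(psad_conf_get "$conf" ENABLE_AUTO_IDS)
  level=$(psad_conf_get "$conf" AUTO_IDS_DANGER_LEVEL)
  timeout=$(psad_conf_get "$conf" AUTO_BLOCK_TIMEOUT)
  method=$(psad_conf_get "$conf" IPTABLES_BLOCK_METHOD)

  if [ "$auto" != "Y" ]; then
    # Nothing is blocked automatically, whatever IPTABLES_BLOCK_METHOD says
    echo "auto-response disabled (ENABLE_AUTO_IDS=$auto); IPTABLES_BLOCK_METHOD=$method has no effect"
    return 0
  fi
  case "$level" in
    [1-5]) ;;
    *) echo "invalid AUTO_IDS_DANGER_LEVEL=$level (must be 1..5)"; return 1 ;;
  esac
  if [ "$method" != "Y" ]; then
    echo "auto-response enabled but IPTABLES_BLOCK_METHOD=$method: no iptables DROP rules will be added"
    return 1
  fi
  if [ "$timeout" = "0" ]; then
    echo "auto-blocking at danger level >= $level; rules stay until psad restarts"
  else
    echo "auto-blocking at danger level >= $level; rules expire after ${timeout}s"
  fi
  return 0
}

# write_sample_conf FILE
# Constructed sample of the relevant psad.conf lines (not a real system file).
write_sample_conf() {
  cat > "$1" <<'EOF'
### auto-response section (constructed sample)
ENABLE_AUTO_IDS             Y;
AUTO_IDS_DANGER_LEVEL       5;
AUTO_BLOCK_TIMEOUT          3600;
IPTABLES_BLOCK_METHOD       Y;
EOF
}

# Demo: run the check against the constructed sample
tmp=$(mktemp)
write_sample_conf "$tmp"
check_auto_ids "$tmp"
rm -f "$tmp"
```

To audit the live configuration, call check_auto_ids /etc/psad/psad.conf; it only reads the file and changes nothing.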

List all DROP rules added by psad in response to attacks: psad --fw-list

You can manually add a specified IP address to psad's blocking chain like this: sudo psad --fw-block-ip 10.0.0.10

You can manually remove a specified IP address from psad's blocking chain like this: sudo psad --fw-rm-block-ip 10.0.0.10

The file /etc/psad/auto_dl contains the set of danger levels assigned to specified IP addresses and networks.

Flush the entire psad blocking chain: sudo psad --Flush