Psad (Port Scan Attack Detector) is intrusion prevention software written in Perl by Michael Rash. Psad uses iptables and ip6tables log messages to detect, alert on, and (optionally) block port scans and other suspect traffic, so logging must be enabled in the iptables firewall for psad to work.
Additionally, psad can use many of the signatures from the Snort intrusion detection system.
Michael Rash is the author of Linux Firewalls: Attack Detection and Response. I strongly recommend reading this book.
A port scan by itself will not damage your system, but a port scan is usually the first step of an attack: a cracker can use nmap or similar tools to scan your network before starting an attack, in order to discover ways to break into the system.
Generally speaking, you do not need psad (or even iptables) if your hosting provider offers a dedicated hardware firewall (for example the Cisco ASA 550 series). Of course, you must have the budget to pay for it and the knowledge to set it up and manage it.
Enable logging to iptables
To make iptables log dropped traffic:
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
You may want to save your basic rules:
iptables-save > /etc/iptables.up.rules
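Because psad sees only what iptables logs, it is worth checking that the LOG rule is actually reachable: an unconditional DROP or REJECT placed earlier in the chain would silence it. The following script is an added example, not part of the original post; it reads iptables-save style output (here two constructed rulesets, not captured from a real host) and reports whether a chain has a LOG rule and whether an earlier unconditional terminating rule shadows it.

```shell
#!/bin/sh
# Added example (not from the original post): check, from iptables-save output,
# that the LOG rule psad depends on exists in a chain and is not shadowed by an
# earlier unconditional DROP/REJECT. The rulesets below are constructed.

# Usage: iptables-save | check_log_rule INPUT   (exit 0 = OK, 1 = problem)
check_log_rule() {
    chain="$1"
    awk -v chain="$chain" '
    # only "-A <chain> ..." lines are rules of the chain we care about
    $1 == "-A" && $2 == chain {
        n++
        if (!logpos && $0 ~ / -j LOG( |$)/) logpos = n
        # exactly "-A CHAIN -j DROP" or "-A CHAIN -j REJECT": no match criteria,
        # so nothing after it in the chain can ever be reached
        if (!droppos && NF == 4 && $3 == "-j" && ($4 == "DROP" || $4 == "REJECT")) {
            droppos = n; dropname = $4
        }
    }
    END {
        if (!logpos) {
            print chain ": no LOG rule, psad has nothing to read"; exit 1
        }
        if (droppos && droppos < logpos) {
            print chain ": LOG rule at position " logpos " is shadowed by unconditional " dropname " at position " droppos
            exit 1
        }
        print chain ": LOG rule present at position " logpos
        exit 0
    }'
}

# Constructed ruleset 1: LOG is the last rule, so every packet that no ACCEPT
# rule matched is logged before the chain policy (DROP) discards it.
GOOD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "IPT: "
COMMIT'

# Constructed ruleset 2: an explicit DROP precedes the LOG rule, so the LOG
# rule never fires and psad would stay blind.
BAD_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A INPUT -j LOG
COMMIT'

for name in GOOD_RULES BAD_RULES; do
    eval "rules=\$$name"
    echo "== $name =="
    if printf '%s\n' "$rules" | check_log_rule INPUT; then
        echo "status: ok"
    else
        echo "status: problem"
    fi
done
```

On a live host, run `iptables-save | check_log_rule INPUT` (and the same for FORWARD) after loading the rules from the previous step; a LOG rule that sits after an unconditional DROP is the most common reason for psad to report nothing while scans are clearly happening.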
Setup
Install psad (2.2-3.1) using apt-get:
apt-get install psad
Configuration
Edit the psad configuration file:
nano /etc/psad/psad.conf
The default /etc/psad/psad.conf is provided here:
Only the changes made to psad.conf are listed below, each with the default value commented out and the documentation provided by the psad author.
So, my settings are:
REMARK: setting EMAIL_ADDRESSES pontikis@gmail.com; is not needed if root's mail is already forwarded.
### Supports multiple email addresses (as a comma separated
### list).
#EMAIL_ADDRESSES root@localhost;
EMAIL_ADDRESSES pontikis@gmail.com;
### Machine hostname
#HOSTNAME _CHANGEME_;
HOSTNAME cosmos.medisign.com;
### Specify the home and external networks. Note that by default the
### ENABLE_INTF_LOCAL_NETS is enabled, so psad automatically detects
### all of the directly connected subnets and uses this information as
### the HOME_NET variable.
#HOME_NET any;
HOME_NET NOT_USED;
### By default, psad acquires iptables log data from the /var/log/messages
### file which the local syslog daemon (usually) writes iptables log messages
### to. If the ENABLE_SYSLOG_FILE variable below is set to "N", then psad
### reconfigures syslog to write iptables log data to the
### /var/lib/psad/psadfifo fifo file where the messages are picked up by kmsgsd
### and written to the file /var/log/psad/fwdata for analysis by psad. On some
### systems, having syslog communicate log data to kmsgsd can be problematic
### (syslog configs and external factors such as Apparmor and SELinux can play
### a role here), so leaving the ENABLE_SYSLOG_FILE variable set to "Y" is
### usually recommended.
#IPT_SYSLOG_FILE /var/log/messages;
IPT_SYSLOG_FILE /var/log/kern.log;
### If "Y", send a status email message when an IP has reached the
### EMAIL_LIMIT threshold.
#EMAIL_LIMIT_STATUS_MSG Y;
EMAIL_LIMIT_STATUS_MSG N;
### If "Y", enable automated IDS response (auto manages
### firewall rulesets).
#ENABLE_AUTO_IDS N;
ENABLE_AUTO_IDS Y;
### Block all traffic from offending IP if danger
### level >= to this value
#AUTO_IDS_DANGER_LEVEL 5;
AUTO_IDS_DANGER_LEVEL 3;
### Set the auto-blocked timeout in seconds (the default
### is one hour).
#AUTO_BLOCK_TIMEOUT 3600;
AUTO_BLOCK_TIMEOUT 86400;
### By setting this variable to N, all auto-blocking emails can be
### suppressed.
#ENABLE_AUTO_IDS_EMAILS Y;
ENABLE_AUTO_IDS_EMAILS N;
### system binaries
#mailCmd /bin/mail;
mailCmd /usr/bin/mail;
Whitelist – blacklist
You can blacklist an IP (value = 5) or whitelist an IP (value = 0):
nano /etc/psad/auto_dl
127.0.0.1 0; # Server IP.
144.76.70.100 0; # Server IP.
95.211.47.207 0; # Management IP.
82.192.71.9 0; # Management IP.
Restart psad
systemctl restart psad.service
Useful commands
To check psad activity:
- psad output:
psad -S
- remove an automatically blocked IP:
psad --fw-rm-block-ip <ip>
- remove all automatically blocked IPs:
psad -F
- update signatures:
psad --sig-update && psad -H
More details in the psad man page.
Update signatures periodically
Using cron
crontab -e
...
@weekly /usr/sbin/psad --sig-update && /usr/sbin/psad -H | mail -s "psad signatures updated on COSMOS" pontikis@gmail.com # Weekly update of psad signatures
...
Examples
PSAD sample report:
Test psad
Using any of the various available web-based port scanners, or nmap from a "test machine":
nmap -sX <your-ip-here>
the test machine's IP will be blocked, and almost immediately you will receive an email:
[psad-status] added iptables auto-block against <test machine IP> for 86400 seconds
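To see why the test machine ends up blocked, it helps to look at what psad actually reads from /var/log/kern.log and how a scan stands out from normal traffic. The script below is an added example and not psad's own code: it generates constructed iptables LOG lines (one host sweeping 200 ports with the FIN/PSH/URG flags an Xmas scan sets, one host making two ordinary SSH connection attempts), counts distinct destination ports per source, and maps that count onto a danger level. The thresholds (5, 15, 150 ports) are assumptions for illustration, not values read from psad.conf, and the function and address names are invented.

```shell
#!/bin/sh
# Added example (not from the original post or from psad): rank source
# addresses in iptables LOG output by how many distinct TCP ports they touched,
# in the spirit of psad's danger levels. All log lines are constructed.

# Constructed sample log: 203.0.113.10 sweeps ports 1-200 with Xmas flags;
# 198.51.100.7 only tries port 22 twice.
make_sample_log() {
    i=1
    while [ "$i" -le 200 ]; do
        printf 'Mar  1 10:00:%02d cosmos kernel: [100.%06d] IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 LEN=40 PROTO=TCP SPT=40000 DPT=%d WINDOW=1024 URG PSH FIN URGP=0\n' \
            $((i % 60)) "$i" "$i"
        i=$((i + 1))
    done
    printf 'Mar  1 10:01:00 cosmos kernel: [200.000000] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 LEN=60 PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 SYN URGP=0\n'
    printf 'Mar  1 10:01:01 cosmos kernel: [201.000000] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 LEN=60 PROTO=TCP SPT=51001 DPT=22 WINDOW=29200 SYN URGP=0\n'
}

# Read LOG lines on stdin; print "SRC <distinct-ports> <danger-level>" per source.
rank_sources() {
    awk '
    /PROTO=TCP/ && /DPT=/ {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        # count each (source, port) pair once, however many packets hit it
        if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
    }
    END {
        for (s in ports) {
            n = ports[s]
            # assumed thresholds for illustration, mirroring psad danger levels
            lvl = 0
            if (n >= 5)   lvl = 1
            if (n >= 15)  lvl = 2
            if (n >= 150) lvl = 3
            print s, n, lvl
        }
    }' | sort
}

# Sources at or above the given level (AUTO_IDS_DANGER_LEVEL is 3 in this post)
# are the ones psad would auto-block.
auto_block_candidates() {
    threshold="${1:-3}"
    rank_sources | awk -v t="$threshold" '$3 >= t { print $1 }'
}

echo "== per-source ranking =="
make_sample_log | rank_sources
echo "== auto-block candidates at danger level 3 =="
make_sample_log | auto_block_candidates 3
```

Run it against the real file with `rank_sources < /var/log/kern.log`; the scanning host climbs to level 3 because it touched many distinct ports, while the legitimate host stays at level 0 no matter how often it retries the same port, which is the distinction psad relies on before it adds an auto-block rule.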
Entrepreneur | Full-stack developer | Founder of MediSign Ltd. I have over 15 years of professional experience designing and developing web applications. I am also very experienced in managing (web) projects.