Increase security with Iptables and PSAD

According to CipherDyne, psad is a lightweight daemon that analyses iptables log messages in real time, trying to detect suspicious traffic.

On Ubuntu Karmic Koala, installing psad is as easy as:

apt-get install psad

The configuration file is located at /etc/psad/psad.conf and it's very explicit. You do have to modify a few things, though: look for the following fields and set them accordingly:

EMAIL_ADDRESSES yourname@yoursite.com;
HOME_NET NOT_USED;
EXTERNAL_NET any;
EMAIL_ALERT_DANGER_LEVEL 5;
ALERT_ALL N;
ENABLE_AUTO_IDS Y;
AUTO_IDS_DANGER_LEVEL 3;
IPTABLES_BLOCK_METHOD Y;

For psad to work, iptables needs to log everything. To accomplish this, make sure you have the following lines in your firewall rules file (check my post "Secure SSH, Firewall and prepare the system" for an example):

-A INPUT -j LOG
-A FORWARD -j LOG
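
To confirm that the settings above are actually in place, the following added example (not part of the original post) checks a psad.conf and a firewall rules file against the values listed here. The script name check-psad.sh and the rules-file path are assumptions; the rules file is expected to use the "-A CHAIN ..." format shown above.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage (hypothetical script name): sh check-psad.sh /etc/psad/psad.conf <rules-file>

# Values this post sets in psad.conf. EMAIL_ADDRESSES is site-specific, so it
# is only checked for being non-empty.
EXPECTED='HOME_NET NOT_USED
EXTERNAL_NET any
EMAIL_ALERT_DANGER_LEVEL 5
ALERT_ALL N
ENABLE_AUTO_IDS Y
AUTO_IDS_DANGER_LEVEL 3
IPTABLES_BLOCK_METHOD Y'

# Print the value of key $2 in file $1 ("KEY   value;" lines). Comment lines
# are skipped; the last uncommented occurrence is reported.
psad_get() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        $1 == k { v = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", v)
                  sub(/[ \t]*;.*$/, "", v); val = v }
        END { print val }' "$1"
}
# Return 0 if every expected setting matches, 1 otherwise.
check_psad_conf() {
    conf=$1; bad=0
    while read -r key want; do
        got=$(psad_get "$conf" "$key")
        [ "$got" = "$want" ] && continue
        echo "psad.conf: $key is '$got', expected '$want'"; bad=1
    done <<EOF
$EXPECTED
EOF
    [ -n "$(psad_get "$conf" EMAIL_ADDRESSES)" ] ||
        { echo "psad.conf: EMAIL_ADDRESSES is not set"; bad=1; }
    return $bad
}
# Return 0 if rules file $1 has a LOG rule in both INPUT and FORWARD.
check_log_rules() {
    rules=$1; bad=0
    for chain in INPUT FORWARD; do
        grep -Eq -- "^-A $chain( .*)? -j LOG( |\$)" "$rules" && continue
        echo "rules: no '-A $chain ... -j LOG' line found"; bad=1
    done
    return $bad
}
if [ "$#" -eq 2 ]; then
    check_psad_conf "$1"; rc=$?
    check_log_rules "$2" && exit "$rc"
    exit 1
fi
```

The check only confirms that the LOG rules exist; it does not evaluate where they sit in each chain.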

