Setup IDS with PSAD on Debian 7

PSAD (Port Scan Attack Detector) is an intrusion detection and log analysis tool that works with iptables. It reads the iptables log messages looking for possible "attacks" and performs an action when it finds something suspicious, for example a port scan of your server done with nmap, an attempt to establish a remote desktop connection, etc.

1 – The first step is to enable logging in iptables, since psad only sees the packets that iptables logs. This is done by adding these rules:

2 – Install PSAD with apt-get:

3 – Configuring PSAD. Once the install is done (it should take only a couple of seconds) you can start configuring PSAD. The config file is located at /etc/psad/psad.conf by default, so just use vi, nano or your favorite editor to make the changes to it.

The psad.conf file is way too long to put it all here, so I'll just show you the changes I made to it and explain a little bit why I made them, but I highly encourage you to go through it and try to understand all or most of the settings in the config file. The psad man page can help a lot here.

Note: The line numbers you see in these code snippets are the actual line numbers in the config file.

And that's pretty much all I have changed from the default psad.conf file, and it seems to be working fine for now. Two things you want to watch are the danger level and the email alerts: psad rates each source on a danger level from 1 (a handful of packets) to 5, and the settings AUTO_IDS_DANGER_LEVEL and EMAIL_ALERT_DANGER_LEVEL say at which level it blocks and at which level it mails you. If you set those thresholds very low (so a single packet triggers them) and ask for an email for every "problem", you'll get spammed pretty hard, so play around with these two settings until you reach a healthy balance.

4 – Whitelisting. Here we whitelist the server's own IP address, and in case you have another management server or PC you can whitelist that too. It is always a good idea to conduct regular scans of your server to find possible vulnerabilities, and you don't want an IPS messing with your legitimate scans. The file is located at /etc/psad/auto_dl; each line is an address followed by the danger level to assign it, and danger level 0 means psad ignores that source entirely. It contains the following (just change it to your IPs):

5 – Updating the signatures. Since an IPS is only as good as its signatures, you don't want to run on old, out-of-date signatures. We can add a new cron job to automatically update and load the PSAD signatures with these commands (I do it weekly):

6 – Restart the service. We now have the iptables rules to log traffic, the psad.conf ready with all our settings and the cron job to update signatures weekly; all that's left is to restart the service with the following command:


Now you have a fully functional IDS/IPS to detect and block port scanners and the like. You can test it with nmap: scan your server from your PC and you'll get an email straight away telling you that your IP has been blocked. But be careful! The block lasts for the whole AUTO_BLOCK_TIMEOUT, so you'll be locked out of your server for a month 😥. Since you don't want that, schedule a command to run, let's say, 15 minutes after you're planning to do your port scan, with the following (replace your public IP there):

What this does is unblock your IP address after you have scanned the server. So you do the scan, get blocked by psad, receive an email with the info, and then 15 minutes later that scheduled command removes the ban against your public IP.
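The following script is an added example and not the snippets from the original post: it collects the six steps above (iptables logging, install, psad.conf changes, the auto_dl whitelist, the weekly signature cron job, the restart) and the delayed self-unblock into shell functions. The admin address, the management PC's address (203.0.113.10, a TEST-NET-3 documentation address) and the 30-day AUTO_BLOCK_TIMEOUT (matching "out of your server for a month") are assumptions; change them for your host. It runs as root; with DRY_RUN=1 the iptables and at commands are printed instead of executed, and nothing is applied unless PSAD_SETUP_RUN=1 is set.

```shell
#!/bin/sh
# Added example (not the original post's snippets): PSAD setup on Debian 7 as
# functions. Assumed values: ADMIN_EMAIL, MGMT_IP (your management PC) and a
# 30-day block timeout. Run as root; DRY_RUN=1 prints instead of executing.
set -e

ADMIN_EMAIL=${ADMIN_EMAIL:-admin@example.com}   # assumed alert recipient
MGMT_IP=${MGMT_IP:-203.0.113.10}                # assumed management host (TEST-NET-3)
PSAD_CONF=${PSAD_CONF:-/etc/psad/psad.conf}
AUTO_DL=${AUTO_DL:-/etc/psad/auto_dl}

# Execute a command, or just echo it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Accept an IPv4 dotted quad (optionally with /prefix) and nothing else, so a
# typo or a stray shell string never lands in a firewall rule or the whitelist.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# 1 - iptables logging. psad only sees packets that iptables logs, so append a
# LOG rule at the END of INPUT and FORWARD: traffic your ACCEPT rules let
# through has already left the chain, so only unwanted packets get logged.
iptables_log_rules() {
    run iptables -A INPUT -j LOG
    run iptables -A FORWARD -j LOG
}

# 2 - install the package.
install_psad() { run apt-get install -y psad; }

# 3 - psad.conf edits. Each setting is one "KEY value;" line: replace the line
# when the key exists, append it otherwise ('|' is the sed delimiter so paths work).
set_conf() {
    key=$1; val=$2; file=${3:-$PSAD_CONF}
    if grep -q "^$key[[:space:]]" "$file"; then
        sed -i "s|^$key[[:space:]].*|$key $val;|" "$file"
    else
        printf '%s %s;\n' "$key" "$val" >> "$file"
    fi
}

configure_psad() {
    f=${1:-$PSAD_CONF}
    set_conf EMAIL_ADDRESSES "$ADMIN_EMAIL" "$f"
    set_conf HOSTNAME "$(hostname 2>/dev/null || echo localhost)" "$f"
    set_conf IPT_SYSLOG_FILE /var/log/syslog "$f"  # Debian's rsyslog writes LOG output here
    set_conf ENABLE_AUTO_IDS Y "$f"                # block, not just alert (IPS mode)
    set_conf AUTO_IDS_DANGER_LEVEL 4 "$f"          # 1 would block on a single packet
    set_conf AUTO_BLOCK_TIMEOUT 2592000 "$f"       # seconds: 30 days (assumed)
    set_conf ENABLE_AUTO_IDS_EMAILS Y "$f"         # mail when a source gets blocked
    set_conf EMAIL_ALERT_DANGER_LEVEL 3 "$f"       # raise it if alert mail is too noisy
}

# 4 - whitelist: danger level 0 in auto_dl tells psad to ignore that source,
# so scans from your own machines are neither alerted on nor blocked.
whitelist_ip() {
    ip=$1; file=${2:-$AUTO_DL}
    is_ipv4 "$ip" || { echo "whitelist_ip: bad address '$ip'" >&2; return 1; }
    awk -v ip="$ip" '$1 == ip { f = 1 } END { exit !f }' "$file" 2>/dev/null \
        || printf '%s    0;\n' "$ip" >> "$file"
}

# 5 - weekly signature update; psad -H makes the running daemon reload them.
install_sig_cron() {
    cat > /etc/cron.weekly/psad-sig-update <<'EOF'
#!/bin/sh
psad --sig-update && psad -H
EOF
    chmod 755 /etc/cron.weekly/psad-sig-update
}

# 6 - restart so the new config takes effect (sysvinit on Debian 7).
restart_psad() { run /etc/init.d/psad restart; }

# Self-unblock: queue "psad --fw-rm-block-ip <ip>" with at(1) BEFORE scanning,
# so a test scan from your own address cannot lock you out for the full timeout.
schedule_unblock() {
    ip=$1; mins=${2:-15}
    is_ipv4 "$ip" || { echo "schedule_unblock: bad address '$ip'" >&2; return 1; }
    cmd="psad --fw-rm-block-ip $ip"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "echo '$cmd' | at now + $mins minutes"
    else
        echo "$cmd" | at now + "$mins" minutes
    fi
}

# Apply the whole procedure only when explicitly asked for.
if [ "${PSAD_SETUP_RUN:-0}" = 1 ]; then
    iptables_log_rules
    install_psad
    configure_psad
    for ip in 127.0.0.1 "$MGMT_IP"; do whitelist_ip "$ip"; done  # add your server's own public IP too
    install_sig_cron
    restart_psad
fi
```

Run it as `PSAD_SETUP_RUN=1 sh psad-setup.sh` once the iptables ACCEPT rules for your legitimate services are already in place, and `schedule_unblock 203.0.113.5 15` (your own public address) before a test scan. The address check in is_ipv4 is the part worth keeping even if you type the commands by hand: both --fw-block-ip and the whitelist file take whatever string they are given.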


Some other useful commands are:

List all the psad iptables rules –> psad -L

Remove an IP from the blocking rule –> psad --fw-rm-block-ip <IP>

Block an IP –> psad --fw-block-ip <IP>

Flush all blocked IPs –> psad -F

Check the firewall configuration (that logging is actually in place) –> psad --fw-analyze

Show the current status and scan data –> psad -S

For more info visit their site http://cipherdyne.org; you can also check the man pages online there.


Got any comments? contactm e (_a t) dr 0u. c o m

Use this at your own risk

#debian#ids#iptables#linux#psad