Sunday, 9 September 2012

Install and configure a working port scan attack daemon (psad) on an Ubuntu 12.04
desktop with one network interface. There are not that many hands-on websites dealing with psad for a specific Linux distro, and the ones that exist miss some essential details needed to get things working.
So I thought, why not write a quick recipe that gives you both a working iptables script and a working psad.

I assume you have Ubuntu 12.04 installed and xtables-addons.

For the installation of psad and its dependencies I also refer to the following website:

http://bodhizazen.net/Tutorials/psad

Although I prefer to install packages from an official repository as much as possible,
your mileage may vary. You can perfectly well use ufw or the iptables example from the website mentioned above, although I used the desktop firewall example from the nixCraft website:

http://www.cyberciti.biz/faq/linux-detect-port-scan-attacks/


Configure psad:


sudo nano -w /etc/psad/psad.conf  ### the rest of the default settings will do fine

HOME_NET                    NOT_USED;
EXTERNAL_NET                any;
ENABLE_SNORT_SIG_STRICT     N;
ENABLE_AUTO_IDS             Y;
ENABLE_AUTO_IDS_REGEX       N;  ### if you say Y here psad will not auto-block
IPTABLES_BLOCK_METHOD       Y;
TCPWRAPPERS_BLOCK_METHOD    N;
AUTO_IDS_DANGER_LEVEL 2;

Make sure your router is whitelisted:
sudo nano -w /etc/psad/auto_dl.conf
and append a line for it, e.g.:
192.192.178.1.1 0; ### substitute your router's address; the format is explained in the file itself, and a danger level of zero means: ignore

Remove rsyslog, install sysklogd, run the iptables script and restart psad:
sudo apt-get install sysklogd
append to /etc/syslog.conf: kern.info       |/var/lib/psad/psadfifo   ### psad reads the kernel's iptables log messages from this fifo
chmod +x desk.fw
./desk.fw
sudo psad --sig-update && sudo psad -H   ### update the signatures, then HUP psad so it re-reads its configuration
sudo /etc/init.d/sysklogd restart

Now it's time to go to a site such as an online nmap scanner in order to test psad.
After a while online, even without provoking a psad reaction yourself, you could see something like this:
sudo psad -S ### --Status lists the psad auto-block chains (-H only sends a HUP to the daemon)

Chain PSAD_BLOCK_INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 DROP       all  --  *      *       62.58.48.30          0.0.0.0/0          
    0     0 DROP       all  --  *      *       111.1.76.214         0.0.0.0/0          
    0     0 DROP       all  --  *      *       174.36.4.18          0.0.0.0/0          

Chain PSAD_BLOCK_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 DROP       all  --  *      *       0.0.0.0/0            62.58.48.30        
    0     0 DROP       all  --  *      *       0.0.0.0/0            111.1.76.214       
    0     0 DROP       all  --  *      *       0.0.0.0/0            174.36.4.18        

Chain PSAD_BLOCK_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 DROP       all  --  *      *       0.0.0.0/0            62.58.48.30        
    0     0 DROP       all  --  *      *       62.58.48.30          0.0.0.0/0          
    0     0 DROP       all  --  *      *       0.0.0.0/0            111.1.76.214       
    0     0 DROP       all  --  *      *       111.1.76.214         0.0.0.0/0          
    0     0 DROP       all  --  *      *       0.0.0.0/0            174.36.4.18        
    0     0 DROP       all  --  *      *       174.36.4.18          0.0.0.0/0 
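As an added check (example code written for this post, not part of psad itself), the script below parses a chain listing like the one above together with an auto_dl.conf whitelist and reports any address psad has blocked despite a danger level of 0, which is the quickest way to notice that the whitelist entry for your router never took effect. The sample listing and whitelist inside it are constructed; in practice feed it the output of `sudo iptables -v -n -L` and the contents of /etc/psad/auto_dl.conf.

```shell
#!/bin/sh
# Added example: cross-check psad's auto-block chains against auto_dl.conf.

# Constructed sample of the chain listing (same format as psad --Status prints).
SAMPLE_CHAINS='Chain PSAD_BLOCK_INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       62.58.48.30          0.0.0.0/0
    0     0 DROP       all  --  *      *       192.168.178.1        0.0.0.0/0

Chain PSAD_BLOCK_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            62.58.48.30
    0     0 DROP       all  --  *      *       0.0.0.0/0            192.168.178.1'

# Constructed auto_dl.conf content: "<ip> <danger level>;", level 0 = ignore.
SAMPLE_AUTO_DL='# router: never auto-block
192.168.178.1    0;
10.0.0.5         3;'

# blocked_ips LISTING: unique addresses with a DROP rule. In the INPUT chain the
# blocked host is the source column, in OUTPUT/FORWARD it may be the
# destination, so take whichever side is not the 0.0.0.0/0 wildcard.
blocked_ips() {
    printf '%s\n' "$1" | awk '
        $3 == "DROP" {
            ip = ($8 == "0.0.0.0/0") ? $9 : $8
            if (!(ip in seen)) { seen[ip] = 1; print ip }
        }'
}

# whitelisted_ips CONF: addresses given danger level 0 (comments skipped).
whitelisted_ips() {
    printf '%s\n' "$1" | awk '
        $1 !~ /^#/ && NF >= 2 { sub(/;$/, "", $2); if ($2 == "0") print $1 }'
}

# blocked_but_whitelisted LISTING CONF: any whitelisted address that is
# nevertheless in a block chain. Non-empty output means the whitelist was not
# honoured (typo in auto_dl.conf, or psad not HUPed after editing it).
blocked_but_whitelisted() {
    blocked=$(blocked_ips "$1")
    whitelisted_ips "$2" | while read -r ip; do
        if printf '%s\n' "$blocked" | grep -qxF "$ip"; then
            printf '%s\n' "$ip"
        fi
    done
}

# Stand-alone run against the constructed samples: prints 192.168.178.1,
# the "router" that should have been ignored but was blocked anyway.
blocked_but_whitelisted "$SAMPLE_CHAINS" "$SAMPLE_AUTO_DL"
```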

A reverse lookup tells you what is behind an address before you worry about it; this one is freenode's open-proxy scanner, which probes clients connecting to its IRC network:

$ host 85.190.0.3
3.0.190.85.in-addr.arpa domain name pointer proxyscan.freenode.net