Synopsys

PSAD also known as Port Scan Attack Detector is a collection of lightweight system daemons that run on Linux system and analyze iptables log messages to detect port scans and other suspicious traffic.PSAD is used to change an Intrusion Detection System into an Intrusion Prevention System. PSAD uses Snort rules for the detection of intrusion events. It is specially designed to work with Linux iptables/firewalld to detect suspicious traffic such as, port scans, backdoors and botnet command.

In this tutorial, we will learn how to install and configure PSAD on Ubuntu Linux.

Features

  • Support both IPv4 and IPv6 logs generated by iptables.
  • Detect TCP SYN, FIN, NULL, XMAS scans and many signature rules from the Snort.
  • Email notifications with TCP/UDP/ICMP scan characteristics, reverse dns and whois information.
  • Icmp type and code header field validation.
  • Auto block suspicious IP addresses via iptables and tcpwrappers based on scan level.
  • Free and distributed under the GNU General Public License.

System Requirements

  • Newly deployed Ubuntu 16.04 server with iptables installed.
  • Static IP address 192.168.15.189 setup on your server.

Prepare the System for Deployment

Before starting, your system should be up to date and all installed software is running the latest version.

First, log in to root user and update your system with the following command:

apt-get update -y
apt-get upgrade -y

After updating your system, restart your system.

Install Psad

By default, Psad is available in Ubuntu repository. You can install it by just running the following command:

apt-get install psad

Psad required many dependencies which are installed automatically from Ubuntu repository.

Configure Iptables for Psad

Before configuring Psad, you will need to configure iptable logs to detect any malicious activity on the system.
You can enable logging of packets on input & forward chains of iptables with the following command:

iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG

After enabling logs, run the following command to list the current configuration of iptables:

iptables -L

You should see the following output:

 Chain INPUT (policy ACCEPT) 
 target prot opt source destination 
 LOG all -- anywhere anywhere LOG level warning
 
 Chain FORWARD (policy ACCEPT) 
 target prot opt source destination 
 LOG all -- anywhere anywhere LOG level warning
 
 Chain OUTPUT (policy ACCEPT) 
 target prot opt source destination

Configure Psad

By default, Psad stores their configuration files under /etc/psad directory.
Lets start by editing the main psad configuration /etc/psad/psad.conf as shown below:

nano /etc/psad/psad.conf

Change file as shown below:

 ##Set the email address which you would like to notify when a report is generated.
 
 EMAIL_ADDRESSES hitjethva@gmail.com;
 
 ##Your system hostname 
 HOSTNAME Node1;
 
 ##Specify the home and external networks. 
 HOME_NET 192.168.15.0/24;; 
 EXTERNAL_NET any;
 
 ##Danger levels. These represent the total number of packets required for a scan to reach each danger level. 
 DANGER_LEVEL1 5; ### Number of packets. 
 DANGER_LEVEL2 15; 
 DANGER_LEVEL3 150; 
 DANGER_LEVEL4 1500; 
 DANGER_LEVEL5 10000;
 
 ##By default, psad search for logs in /var/log/messages so change it to /var/log/syslog. 
 IPT_SYSLOG_FILE /var/log/syslog;
 
 We will use PSAD as IDS/IPS, so enable it. 
 ENABLE_AUTO_IDS Y;
 
 ##Specify port which you should tell psad to ignore attempts on these ports. 
 IGNORE_PORTS NONE;

Save and close the file when you are finished. Then update the signatures so that it can correctly recognize known attack types.

psad --sig-update

You should see the following output:

 Length: 45267 (44K) 
 Saving to: 'signatures'
 
 signatures 100%[======================================================================>] 44.21K 58.4KB/s in 0.8s
 
 2017-06-10 10:06:51 (58.4 KB/s) - 'signatures' saved [45267/45267]
 
 [+] New signature file /etc/psad/signatures has been put in place. You can restart psad (or use 'psad -H') to import the new sigs.

Start Psad

Once everything is configured, restart the psad service to implement your configuration changes.

systemctl restart psad

Now, check the current status of psad detected events with the following command:

psad -S

You should see that nothing has been found yet in the following output:

 [-] psad: pid file /var/run/psad/psadwatchd.pid does not exist for psadwatchd on Node1 
 [+] psad (pid: 14777) %CPU: 0.0 %MEM: 2.1 
 Running since: Sat Jun 10 10:10:21 2017 
 Command line arguments: [none specified] 
 Alert email address(es): root@localhost
 
 [+] Version: psad v2.2.3
 
 [+] Top 50 signature matches: 
         [NONE]
 
 [+] Top 25 attackers: 
         [NONE]
 
 [+] Top 20 scanned ports:
 
     udp 33577 2 packets 
 
 [+] iptables log prefix counters:
         [NONE]
 
     Total protocol packet counters: 
         udp: 2 pkts
 
 [+] IP Status Detail: 
         [NONE] 
     Total scan sources: 0 
     Total scan destinations: 0
 
 [+] These results are available in: /var/log/psad/status.out

Test Psad

Psad is now up and running. It’s time to test Psad.

On the remote machine, scan your server’s port using Nmap tool.

If Nmap is not installed, run the following command to install Nmap:

apt-get install nmap

Next, run the following command to scan server’s port:

nmap -PN -sS 192.168.15.189

You should see the following output:

 Starting Nmap 6.40 ( http://nmap.org ) at 2017-06-10 10:15 IST 
 Nmap scan report for Node1 (192.168.15.189) 
 Host is up (0.0076s latency). 
 Not shown: 997 closed ports 
 PORT STATE SERVICE 
 22/tcp open ssh 
 80/tcp open http 
 443/tcp open https 
 MAC Address: 08:00:27:7C:5B:40 (Cadmus Computer Systems)
 
 Nmap done: 1 IP address (1 host up) scanned in 1.89 seconds

On your server machine, check the status of Psad with the following command:

psad -S

The IP address of the attacker 192.168.15.196 is blocked by the PSAD daemon as shown below:

 [+] Top 25 attackers: 
     192.168.15.196 DL: 3, Packets: 1087, Sig count: 41 
     192.168.15.1 DL: 2, Packets: 24, Sig count: 0 
     0.0.0.0 DL: 1, Packets: 8, Sig count: 0
 
 [+] Top 20 scanned ports: 
     tcp 50000 2 packets 
     tcp 1782 2 packets 
     tcp 17 2 packets 
     tcp 543 2 packets 
     tcp 55600 2 packets 
     tcp 6106 2 packets 
     tcp 19101 2 packets 
     tcp 4567 2 packets 
     tcp 1137 2 packets 
 . 
 . 
 . 
 [+] iptables log prefix counters: 
         [NONE] 
     iptables auto-blocked IPs: 
         192.168.15.1 (3119 seconds remaining) 
         192.168.15.196 (3341 seconds remaining)
 
     Total protocol packet counters: 
         tcp: 1085 pkts 
         udp: 26 pkts
 
 [+] IP Status Detail:
 
 SRC: 192.168.15.196, DL: 3, Dsts: 1, Pkts: 1085, Total protocols: 1, Unique sigs: 33, Email alerts: 1, Local IP
 
     DST: 192.168.15.189, Local IP 
         Scanned ports: TCP 1-65389, Pkts: 1085, Chain: INPUT, Intf: eth0

You can also see the attacker’s IP address blocked by the IPtables rule with the following command:

iptables -L

Output:

 [+] Listing chains from IPT_AUTO_CHAIN keywords...
 
 Chain PSAD_BLOCK_INPUT (1 references) 
     pkts bytes target prot opt in out source destination 
         27 3283 DROP all -- * * 192.168.15.196 0.0.0.0/0 
         0 0 DROP all -- * * 192.168.15.1 0.0.0.0/0
 
 Chain PSAD_BLOCK_OUTPUT (1 references) 
     pkts bytes target prot opt in out source destination 
         9 540 DROP all -- * * 0.0.0.0/0 192.168.15.196 
         46 2426 DROP all -- * * 0.0.0.0/0 192.168.15.1
 
 Chain PSAD_BLOCK_FORWARD (1 references) 
     pkts bytes target prot opt in out source destination 
         0 0 DROP all -- * * 0.0.0.0/0 192.168.15.196 
         0 0 DROP all -- * * 192.168.15.196 0.0.0.0/0 
         0 0 DROP all -- * * 0.0.0.0/0 192.168.15.1 
         0 0 DROP all -- * * 192.168.15.1 0.0.0.0/0

If you want to allow all the IP addreses blocked by Psad run the following command:

psad -F

If you want to allow specific IP address blockd by Psad run the following command:

psad --fw-rm-block-ip 192.168.15.196

You can also know more about psad command examples and options with the following command:

man psad

Conclusion

In the above article, we have learned how to install and use Psad tool for blocking port scan attacks on Linux system. I hope you can now easily install and configure Psad to block malicious IP addresses.

References