PSAD also known as Port Scan Attack Detector is a collection of lightweight system daemons that run on Linux system and analyze iptables log messages to detect port scans and other suspicious traffic.PSAD is used to change an Intrusion Detection System into an Intrusion Prevention System. PSAD uses Snort rules for the detection of intrusion events. It is specially designed to work with Linux iptables/firewalld to detect suspicious traffic such as, port scans, backdoors and botnet command.
In this tutorial, we will learn how to install and configure PSAD on Ubuntu Linux.
- Support both IPv4 and IPv6 logs generated by iptables.
- Detect TCP SYN, FIN, NULL, XMAS scans and many signature rules from the Snort.
- Email notifications with TCP/UDP/ICMP scan characteristics, reverse dns and whois information.
- Icmp type and code header field validation.
- Auto block suspicious IP addresses via iptables and tcpwrappers based on scan level.
- Free and distributed under the GNU General Public License.
- Newly deployed Ubuntu 16.04 server with iptables installed.
- Static IP address 192.168.15.189 setup on your server.
Prepare the System for Deployment
Before starting, your system should be up to date and all installed software is running the latest version.
First, log in to root user and update your system with the following command:
apt-get update -y
apt-get upgrade -y
After updating your system, restart your system.
By default, Psad is available in Ubuntu repository. You can install it by just running the following command:
apt-get install psad
Psad required many dependencies which are installed automatically from Ubuntu repository.
Configure Iptables for Psad
Before configuring Psad, you will need to configure iptable logs to detect any malicious activity on the system.
You can enable logging of packets on input & forward chains of iptables with the following command:
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
After enabling logs, run the following command to list the current configuration of iptables:
You should see the following output:
Chain INPUT (policy ACCEPT) target prot opt source destination LOG all -- anywhere anywhere LOG level warning Chain FORWARD (policy ACCEPT) target prot opt source destination LOG all -- anywhere anywhere LOG level warning Chain OUTPUT (policy ACCEPT) target prot opt source destination
By default, Psad stores their configuration files under
Lets start by editing the main psad configuration
/etc/psad/psad.conf as shown below:
Change file as shown below:
##Set the email address which you would like to notify when a report is generated. EMAIL_ADDRESSES email@example.com; ##Your system hostname HOSTNAME Node1; ##Specify the home and external networks. HOME_NET 192.168.15.0/24;; EXTERNAL_NET any; ##Danger levels. These represent the total number of packets required for a scan to reach each danger level. DANGER_LEVEL1 5; ### Number of packets. DANGER_LEVEL2 15; DANGER_LEVEL3 150; DANGER_LEVEL4 1500; DANGER_LEVEL5 10000; ##By default, psad search for logs in /var/log/messages so change it to /var/log/syslog. IPT_SYSLOG_FILE /var/log/syslog; We will use PSAD as IDS/IPS, so enable it. ENABLE_AUTO_IDS Y; ##Specify port which you should tell psad to ignore attempts on these ports. IGNORE_PORTS NONE;
Save and close the file when you are finished. Then update the signatures so that it can correctly recognize known attack types.
You should see the following output:
Length: 45267 (44K) Saving to: 'signatures' signatures 100%[======================================================================>] 44.21K 58.4KB/s in 0.8s 2017-06-10 10:06:51 (58.4 KB/s) - 'signatures' saved [45267/45267] [+] New signature file /etc/psad/signatures has been put in place. You can restart psad (or use 'psad -H') to import the new sigs.
Once everything is configured, restart the psad service to implement your configuration changes.
systemctl restart psad
Now, check the current status of psad detected events with the following command:
You should see that nothing has been found yet in the following output:
[-] psad: pid file /var/run/psad/psadwatchd.pid does not exist for psadwatchd on Node1 [+] psad (pid: 14777) %CPU: 0.0 %MEM: 2.1 Running since: Sat Jun 10 10:10:21 2017 Command line arguments: [none specified] Alert email address(es): root@localhost [+] Version: psad v2.2.3 [+] Top 50 signature matches: [NONE] [+] Top 25 attackers: [NONE] [+] Top 20 scanned ports: udp 33577 2 packets [+] iptables log prefix counters: [NONE] Total protocol packet counters: udp: 2 pkts [+] IP Status Detail: [NONE] Total scan sources: 0 Total scan destinations: 0 [+] These results are available in: /var/log/psad/status.out
Psad is now up and running. It’s time to test Psad.
On the remote machine, scan your server’s port using Nmap tool.
If Nmap is not installed, run the following command to install Nmap:
apt-get install nmap
Next, run the following command to scan server’s port:
nmap -PN -sS 192.168.15.189
You should see the following output:
Starting Nmap 6.40 ( http://nmap.org ) at 2017-06-10 10:15 IST Nmap scan report for Node1 (192.168.15.189) Host is up (0.0076s latency). Not shown: 997 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https MAC Address: 08:00:27:7C:5B:40 (Cadmus Computer Systems) Nmap done: 1 IP address (1 host up) scanned in 1.89 seconds
On your server machine, check the status of Psad with the following command:
The IP address of the attacker 192.168.15.196 is blocked by the PSAD daemon as shown below:
[+] Top 25 attackers: 192.168.15.196 DL: 3, Packets: 1087, Sig count: 41 192.168.15.1 DL: 2, Packets: 24, Sig count: 0 0.0.0.0 DL: 1, Packets: 8, Sig count: 0 [+] Top 20 scanned ports: tcp 50000 2 packets tcp 1782 2 packets tcp 17 2 packets tcp 543 2 packets tcp 55600 2 packets tcp 6106 2 packets tcp 19101 2 packets tcp 4567 2 packets tcp 1137 2 packets . . . [+] iptables log prefix counters: [NONE] iptables auto-blocked IPs: 192.168.15.1 (3119 seconds remaining) 192.168.15.196 (3341 seconds remaining) Total protocol packet counters: tcp: 1085 pkts udp: 26 pkts [+] IP Status Detail: SRC: 192.168.15.196, DL: 3, Dsts: 1, Pkts: 1085, Total protocols: 1, Unique sigs: 33, Email alerts: 1, Local IP DST: 192.168.15.189, Local IP Scanned ports: TCP 1-65389, Pkts: 1085, Chain: INPUT, Intf: eth0
You can also see the attacker’s IP address blocked by the IPtables rule with the following command:
[+] Listing chains from IPT_AUTO_CHAIN keywords... Chain PSAD_BLOCK_INPUT (1 references) pkts bytes target prot opt in out source destination 27 3283 DROP all -- * * 192.168.15.196 0.0.0.0/0 0 0 DROP all -- * * 192.168.15.1 0.0.0.0/0 Chain PSAD_BLOCK_OUTPUT (1 references) pkts bytes target prot opt in out source destination 9 540 DROP all -- * * 0.0.0.0/0 192.168.15.196 46 2426 DROP all -- * * 0.0.0.0/0 192.168.15.1 Chain PSAD_BLOCK_FORWARD (1 references) pkts bytes target prot opt in out source destination 0 0 DROP all -- * * 0.0.0.0/0 192.168.15.196 0 0 DROP all -- * * 192.168.15.196 0.0.0.0/0 0 0 DROP all -- * * 0.0.0.0/0 192.168.15.1 0 0 DROP all -- * * 192.168.15.1 0.0.0.0/0
If you want to allow all the IP addreses blocked by Psad run the following command:
If you want to allow specific IP address blockd by Psad run the following command:
psad --fw-rm-block-ip 192.168.15.196
You can also know more about psad command examples and options with the following command:
In the above article, we have learned how to install and use Psad tool for blocking port scan attacks on Linux system. I hope you can now easily install and configure Psad to block malicious IP addresses.