Articles taggués ‘psad’

How To Use psad to Detect Network Intrusion Attempts on an Ubuntu VPS

28/10/2015 Comments off

Source: DigitalOcean – Justin Ellingwood


Being able to detect network activity that may indicate an intrusion attempt can help you take appropriate actions before an event occurs. Intrusion detection systems are available for this specific reason.

Intrusion detection systems are used to log suspicious connections and report when it looks like unusual activity is taking place. Some programs are used purely as a notification system, while others can actively attempt to block traffic that appear to be intent on causing harm.

The psad tool, which stands for port scan attack detection, is a piece of software that actively monitors your firewall logs to determine if a scan or attack event is in progress. It can then alert administrators, or take active steps to deter the threat.

In this guide, we will be exploring how to install and configure psad on an Ubuntu 12.04 VPS. The procedures should be fairly similar on other distributions.

Install psad

The psad intrusion detection system is available in Ubuntu’s default repositories, so it can be easily acquired through apt:

sudo apt-get update
sudo apt-get install psad

In order to configure mail delivery to alert the administrator, you will be asked to configure the postfix mail server.

In most cases, you can select « Internet Site », and then enter the domain name associated with your server. This will be the domain portion of the name used in the « From » field in emails generated by psad.

Configure IPTables Rules

The way that psad detects activity on your server’s ports is by monitoring the logs produced by a firewall application. Ubuntu ships with the iptables firewall by default, but it is completely unconfigured and is not monitoring or blocking anything by default.

Lire la suite…

psad: Intrusion Detection and Log Analysis with iptables

28/10/2015 Comments off

Source CipherDyne

psad is a collection of three lightweight system daemons (two main daemons and one helper daemon) that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic. A typical deployment is to run psad on the iptables firewall where it has the fastest access to log data.

Network diagram to illustrate the deployment of psad along with an iptables firewall

psad incorporates many signatures from the Snort intrusion detection system to detect probes for various backdoor programs (e.g. EvilFTP, GirlFriend, SubSeven), DDoS tools (mstream, shaft), and advanced port scans (FIN, NULL, XMAS) which are easily leveraged against a machine via nmap. When combined with fwsnort and the Netfilter string match extension, psad is capable of detecting many attacks described in the Snort rule set that involve application layer data. In addition, psad makes use of various packet header fields associated with TCP SYN packets to passively fingerprint remote operating systems (in a manner similar to p0f) from which scans originate. Further, psad can be integrated with Logstash, and also offers support for UFW firewalls [1]. For more information, see the complete list of features offered by psad.

Lire la suite…