Psad scans your firewall log in real time. It can be configured to automatically drop packets and more. While reading the guides that are available for this I ran into a problem, there was no /etc/syslog.conf. On Ubuntu’s webpage I found this release note. It says that as of Ubuntu 9.10, syslog has been upgraded with rsyslog. This can make setting up psad a little tricky.
This guide has been tested on Ubuntu 10.04 LTS Server and 10.10 Desktop
The first thing to do is install psad:
sudo apt-get install psad
Now edit the config file:
sudo nano /etc/psad/psad.conf
Change “ENABLE_SYSLOG_FILE Y;” to “ENABLE_SYSLOG_FILE N;”. We will not need psad to read our syslog.
Another setting to review right now depending on your environment is “EMAIL_ALERT_DANGER_LEVEL”.
Set the email at the top of the config file or leave the default, root. I have root’s mail set to forward to my real email address. To forward root (or any user’s) mail: place a file named “.forward” in their home folder. Inside the file enter the email address where the mail is to go.
sudo /etc/init.d/psad restart
Next: configure iptables to log the non-legitimate packets. The logging rules need to go after the accept rules but before the drop. Confusing? It was for me.
For example, my default policy for INPUT and FORWARD is to DROP. After this my accept rules for specific ports are appended. Meaning our logging rules must go at the end of the file, before they are dropped because the packets were not accepted by any previous rules.
$IPT -A INPUT -j LOG --log-prefix "firewall1 "
$IPT -A FORWARD -j LOG --log-prefix "firewall1 "
The prefix is going to allow rsyslog to filter the messages. After applying the log rules it is possible to view the end of the syslog to see if logging is working.
sudo tail /var/log/syslog
The last step is for rsyslog to send the messages that contain “firewall1” to psad’s pipe.
sudo nano /etc/rsyslog.d/50-default.conf
We are going to place our rules at the top of the file. That way we can stop “firewall1” messages from making it to any other logs.
:msg, contains, "firewall1" |/var/lib/psad/psadfifo
:msg, contains, "firewall1" ~
Note: the ~ means to discard.
That’s it! Restart rsyslog:
sudo restart rsyslog
To view psad’s status:
sudo psad --Status
Comments and suggestions are welcome!!