How to Install and Use PSAD IDS on Ubuntu Linux

Synopsis

PSAD, also known as Port Scan Attack Detector, is a collection of lightweight system daemons that run on a Linux system and analyze iptables log messages to detect port scans and other suspicious traffic. PSAD can turn an Intrusion Detection System into an Intrusion Prevention System by automatically blocking the sources it flags. PSAD uses Snort rules for the detection of intrusion events. It is specifically designed to work with Linux iptables/firewalld to detect suspicious traffic such as port scans, backdoors and botnet command-and-control traffic.

In this tutorial, we will learn how to install and configure PSAD on Ubuntu Linux.

Features

  • Supports both IPv4 and IPv6 logs generated by iptables.
  • Detects TCP SYN, FIN, NULL and XMAS scans, plus many signature rules from Snort.
  • Email notifications with TCP/UDP/ICMP scan characteristics, reverse DNS and whois information.
  • ICMP type and code header field validation.
  • Automatically blocks suspicious IP addresses via iptables and tcpwrappers, based on the scan's danger level.
  • Free and distributed under the GNU General Public License.

System Requirements

  • Newly deployed Ubuntu 16.04 server with iptables installed.
  • Static IP address 192.168.15.189 setup on your server.

Prepare the System for Deployment

Before starting, make sure your system is up to date and all installed software is running the latest version.

First, log in to root user and update your system with the following command:

apt-get update -y
apt-get upgrade -y

After updating your system, restart your system.

Install Psad

By default, Psad is available in the Ubuntu repository. You can install it by simply running the following command:

apt-get install psad

Psad requires many dependencies, which are installed automatically from the Ubuntu repository.

Configure Iptables for Psad

Before configuring Psad, you will need to enable iptables logging, because Psad detects malicious activity by analyzing those log messages.
You can enable logging of packets on the INPUT and FORWARD chains of iptables with the following commands (note that a LOG rule with no match criteria logs every packet traversing the chain, so on a busy host expect a sizeable volume in syslog):

iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG

After enabling logs, run the following command to list the current configuration of iptables:

iptables -L

You should see the following output:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             LOG level warning

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             LOG level warning

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Configure Psad

By default, Psad stores its configuration files under the /etc/psad directory.
Let's start by editing the main psad configuration file, /etc/psad/psad.conf, as shown below:

nano /etc/psad/psad.conf

Change file as shown below:

##Set the email address which you would like to notify when a report is generated.
EMAIL_ADDRESSES             hitjethva@gmail.com;

##Your system hostname
HOSTNAME                    Node1;

##Specify the home and external networks.
HOME_NET                    192.168.15.0/24;
EXTERNAL_NET                any;

##Danger levels.  These represent the total number of packets required for a scan to reach each danger level.
DANGER_LEVEL1               5;    ### Number of packets.
DANGER_LEVEL2               15;
DANGER_LEVEL3               150;
DANGER_LEVEL4               1500;
DANGER_LEVEL5               10000;

##By default, psad searches for logs in /var/log/messages, so change it to /var/log/syslog.
IPT_SYSLOG_FILE             /var/log/syslog;

##We will use PSAD as an IDS/IPS, so enable automatic blocking.
ENABLE_AUTO_IDS             Y;

##Ports on which psad should ignore connection attempts (NONE means ignore nothing).
IGNORE_PORTS                NONE;

Save and close the file when you are finished. Then update the signatures so that it can correctly recognize known attack types.

psad --sig-update

You should see the following output:

Length: 45267 (44K) 
Saving to: 'signatures'

signatures                            100%[======================================================================>]  44.21K  58.4KB/s    in 0.8s    

2017-06-10 10:06:51 (58.4 KB/s) - 'signatures' saved [45267/45267]

[+] New signature file /etc/psad/signatures has been put in
    place. You can restart psad (or use 'psad -H') to import the
    new sigs.
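As an added illustration (not part of the original tutorial and not psad's own code), the following Python script shows the kind of analysis psad performs on the iptables LOG lines enabled above: it parses the KEY=VALUE fields, counts packets and distinct destination ports per source, and maps the packet count onto the DANGER_LEVEL thresholds from the psad.conf excerpt. The sample log lines are constructed, and the packet-only danger-level model is a simplification (real psad also raises the level on signature matches).

```python
import re
from collections import defaultdict

# Thresholds from the psad.conf excerpt above: total packets from one source
# needed for a scan to reach each danger level (simplified packet-only model).
DANGER_LEVELS = {1: 5, 2: 15, 3: 150, 4: 1500, 5: 10000}
IGNORE_PORTS = set()  # psad.conf above sets IGNORE_PORTS NONE

# KEY=VALUE fields that iptables '-j LOG' writes into syslog.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S*)")

def parse_log_line(line):
    """Return the LOG fields of one syslog line, or None if it is not an
    iptables LOG record (no SRC=/DST= pair)."""
    fields = dict(FIELD_RE.findall(line))
    return fields if "SRC" in fields and "DST" in fields else None

def danger_level(packets):
    """Highest DANGER_LEVEL whose packet threshold has been reached (0 if none)."""
    return max((lvl for lvl, need in DANGER_LEVELS.items() if packets >= need),
               default=0)

def summarize(lines):
    """Per-source packet count, distinct (proto, port) count and danger level,
    mirroring the 'Top attackers' section of 'psad -S'."""
    pkts, ports = defaultdict(int), defaultdict(set)
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        dpt = int(rec["DPT"]) if rec.get("DPT") else None
        if dpt in IGNORE_PORTS:
            continue          # psad skips attempts on ignored ports
        pkts[rec["SRC"]] += 1
        if dpt is not None:
            ports[rec["SRC"]].add((rec.get("PROTO"), dpt))
    return {src: {"packets": n, "ports": len(ports[src]), "dl": danger_level(n)}
            for src, n in pkts.items()}

# Constructed sample log: 20 SYN probes to different ports from one host,
# 2 UDP packets from another, and one non-iptables line that must be skipped.
SAMPLE = [
    "Jun 10 10:15:02 Node1 kernel: IN=eth0 OUT= SRC=192.168.15.196 "
    f"DST=192.168.15.189 LEN=44 PROTO=TCP SPT=54321 DPT={p} SYN"
    for p in range(1, 21)
] + [
    "Jun 10 10:15:03 Node1 kernel: IN=eth0 OUT= SRC=192.168.15.1 "
    "DST=192.168.15.189 LEN=60 PROTO=UDP SPT=5353 DPT=33577",
] * 2 + ["Jun 10 10:15:04 Node1 sshd[1234]: Accepted publickey for root"]
```

Running summarize(SAMPLE) reports 192.168.15.196 at danger level 2 with 20 packets across 20 ports, while the two-packet UDP source stays below DANGER_LEVEL1.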

Start Psad

Once everything is configured, restart the psad service to implement your configuration changes.

systemctl restart psad

Now, check the current status of psad detected events with the following command:

psad -S

You should see that nothing has been found yet in the following output:

[-] psad: pid file /var/run/psad/psadwatchd.pid does not exist for psadwatchd on Node1
[+] psad (pid: 14777)  %CPU: 0.0  %MEM: 2.1
    Running since: Sat Jun 10 10:10:21 2017
    Command line arguments: [none specified]
    Alert email address(es): root@localhost

[+] Version: psad v2.2.3

[+] Top 50 signature matches:
        [NONE]

[+] Top 25 attackers:
        [NONE]

[+] Top 20 scanned ports:

      udp 33577 2 packets

[+] iptables log prefix counters:
        [NONE]

    Total protocol packet counters:
         udp: 2 pkts

[+] IP Status Detail:
        [NONE]

    Total scan sources: 0
    Total scan destinations: 0

[+] These results are available in: /var/log/psad/status.out

Test Psad

Psad is now up and running. It’s time to test Psad.

On a remote machine, scan your server's ports using the Nmap tool.

If Nmap is not installed, run the following command to install Nmap:

apt-get install nmap

Next, run the following command to scan the server's ports:

nmap -PN -sS 192.168.15.189

You should see the following output:

Starting Nmap 6.40 ( http://nmap.org ) at 2017-06-10 10:15 IST
Nmap scan report for Node1 (192.168.15.189)
Host is up (0.0076s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
MAC Address: 08:00:27:7C:5B:40 (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 1.89 seconds

On your server machine, check the status of Psad with the following command:

psad -S

The scanning host's IP address, 192.168.15.196, has been blocked by the PSAD daemon, as shown below:

[+] Top 25 attackers:
      192.168.15.196  DL: 3, Packets: 1087, Sig count: 41
      192.168.15.1    DL: 2, Packets: 24, Sig count: 0
      0.0.0.0         DL: 1, Packets: 8, Sig count: 0

[+] Top 20 scanned ports:
      tcp 50000 2 packets
      tcp 1782  2 packets
      tcp 17    2 packets
      tcp 543   2 packets
      tcp 55600 2 packets
      tcp 6106  2 packets
      tcp 19101 2 packets
      tcp 4567  2 packets
      tcp 1137  2 packets
.
.
.
[+] iptables log prefix counters:
        [NONE]

    iptables auto-blocked IPs:
      192.168.15.1 (3119 seconds remaining)
      192.168.15.196 (3341 seconds remaining)

    Total protocol packet counters:
         tcp: 1085 pkts
         udp: 26 pkts

[+] IP Status Detail:

SRC:  192.168.15.196, DL: 3, Dsts: 1, Pkts: 1085, Total protocols: 1, Unique sigs: 33, Email alerts: 1, Local IP

    DST: 192.168.15.189, Local IP
        Scanned ports: TCP 1-65389, Pkts: 1085, Chain: INPUT, Intf: eth0

You can also see the attacker's IP address blocked by iptables rules with the following command:

iptables -L

Output:

[+] Listing chains from IPT_AUTO_CHAIN keywords...

Chain PSAD_BLOCK_INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   27  3283 DROP       all  --  *      *       192.168.15.196       0.0.0.0/0           
    0     0 DROP       all  --  *      *       192.168.15.1         0.0.0.0/0           

Chain PSAD_BLOCK_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    9   540 DROP       all  --  *      *       0.0.0.0/0            192.168.15.196      
   46  2426 DROP       all  --  *      *       0.0.0.0/0            192.168.15.1        

Chain PSAD_BLOCK_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            192.168.15.196      
    0     0 DROP       all  --  *      *       192.168.15.196       0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            192.168.15.1        
    0     0 DROP       all  --  *      *       192.168.15.1         0.0.0.0/0           

If you want to unblock all the IP addresses blocked by Psad, run the following command:

psad -F

If you want to unblock a specific IP address blocked by Psad, run the following command:

psad --fw-rm-block-ip 192.168.15.196

You can learn more about psad command examples and options with the following command:

man psad

Conclusion

In the above article, we have learned how to install and use the Psad tool for blocking port scan attacks on a Linux system. I hope you can now easily install and configure Psad to block malicious IP addresses.
