How to Block Port Scan Attacks with Psad on Ubuntu/Debian
psad (Port Scan Attack Detector) is a lightweight intrusion detection system written in Perl. It detects port scans and other suspicious traffic by analysing the iptables and ip6tables log messages that the kernel writes through syslog, alerts on what it finds, and, if configured to do so, blocks the offending source addresses automatically with iptables rules.
An attacker will typically use nmap or a similar tool to scan your hosts for open ports before attempting to break in. With psad you can spot such port scans and other suspicious activity early and react before the follow-up attack.
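To make concrete what psad is doing with those log messages, here is an added example (not psad's own code) of the core idea: parse iptables LOG lines, count how many distinct ports each source address has touched, and flag sources above a threshold. The sample log lines are constructed (RFC 5737 documentation addresses, MAC= field omitted), and the function name is ours.

```shell
#!/bin/sh
# Added example: a minimal port-scan detector over iptables LOG lines, in the
# spirit of what psad does with the kernel messages it reads from syslog.
# Not psad's code; the sample lines and the function name are ours.

# Constructed kernel LOG messages in the format "iptables -j LOG" produces
# (MAC= field omitted for brevity). 192.0.2.77 walks several TCP ports,
# 198.51.100.9 only retries SSH, 203.0.113.5 does DNS plus one HTTPS hit.
SAMPLE_LOG='Nov 20 10:15:01 server1 kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=45132 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 20 10:15:01 server1 kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=45133 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 20 10:15:02 server1 kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=45134 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 20 10:15:02 server1 kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=45135 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 20 10:15:02 server1 kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=45136 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 20 10:15:03 server1 kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=45137 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 20 10:15:03 server1 kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=45138 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 20 10:15:03 server1 kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=45139 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 20 10:16:10 server1 kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=7113 DF PROTO=TCP SPT=51200 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 20 10:16:11 server1 kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=7114 DF PROTO=TCP SPT=51200 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 20 10:16:13 server1 kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=7115 DF PROTO=TCP SPT=51200 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 20 10:17:40 server1 kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=64 TOS=0x00 PREC=0x00 TTL=57 ID=2201 PROTO=UDP SPT=40311 DPT=53 LEN=44
Nov 20 10:17:41 server1 kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=64 TOS=0x00 PREC=0x00 TTL=57 ID=2202 PROTO=UDP SPT=40312 DPT=53 LEN=44
Nov 20 10:17:45 server1 kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=2203 DF PROTO=TCP SPT=40313 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 20 10:17:50 server1 kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=2204 PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1'

# flag_scanners THRESHOLD
# Reads LOG lines on stdin and prints "SRC N" for every source address that
# probed at least THRESHOLD distinct proto/port pairs. Repeated hits on the
# same port count once, and lines without a DPT (e.g. ICMP) are ignored, so
# a client retrying one service is not confused with a scanner.
flag_scanners() {
    awk -v thr="$1" '
        /PROTO=(TCP|UDP)/ {
            src = ""; dpt = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
            }
            if (src == "" || dpt == "") next
            key = src SUBSEP proto "/" dpt
            if (!(key in seen)) { seen[key] = 1; ports[src]++ }
        }
        END { for (s in ports) if (ports[s] >= thr) print s, ports[s] }
    ' | sort
}

# Stand-alone run: with a threshold of 5 only 192.0.2.77 is reported.
printf '%s\n' "$SAMPLE_LOG" | flag_scanners 5
```

psad's real logic is richer (danger levels, signatures, time windows, whitelists), but the ingredients are the same: it only ever sees what iptables chose to log, which is why the LOG rules added later in this tutorial matter.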
Install psad on Ubuntu / Debian
sk@server1:~$ sudo apt-get update
sk@server1:~$ sudo apt-get install psad
During installation you will be asked to configure the Postfix mail system; psad uses it to send email alerts when it detects a port scan.
Open up /etc/rsyslog.conf file.
sk@server1:~$ sudo nano /etc/rsyslog.conf
Add the following line.
Save and exit the file, then restart the rsyslog service with the following command.
sk@server1:~$ sudo /etc/init.d/rsyslog restart
Open up /etc/psad/psad.conf file using any editor.
sk@server1:~$ sudo nano /etc/psad/psad.conf
Set a valid email address to receive alerts.
### Supports multiple email addresses (as a comma separated
### list).
EMAIL_ADDRESSES             firstname.lastname@example.org;
Set HOSTNAME to the fully qualified domain name of your machine.
### Machine hostname
HOSTNAME                    server1.unixmen.com;
If the machine has only one network interface, set HOME_NET to NOT_USED as shown below.
HOME_NET                    NOT_USED;
If you want psad to ignore traffic to some ports, such as UDP 53, adjust the IGNORE_PORTS option accordingly.
If you want psad to block attacks automatically, set both of the following values to Y.
ENABLE_AUTO_IDS             Y;
IPTABLES_BLOCK_METHOD       Y;
psad has many more options, and most of them are self-explanatory. Read the comments in the file carefully and set the options to suit your environment; what is shown above is only a basic setup. Save and exit the psad config file, then start the psad service.
sk@server1:~$ sudo /etc/init.d/psad restart
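Before starting psad it is worth checking that the settings above were actually changed rather than left at their placeholders. The following is an added example, not code from psad or from this tutorial's author: a small reader for the KEY VALUE; lines of psad.conf plus a check of the values this tutorial sets. The two sample configs are constructed, and the placeholder defaults it looks for (_CHANGEME_ for HOSTNAME, root@localhost for EMAIL_ADDRESSES) are what we assume the stock file ships with.

```shell
#!/bin/sh
# Added example, not part of psad: read KEY VALUE; lines from a psad.conf and
# refuse to proceed until the settings this tutorial changes are really set.
# The placeholder defaults (_CHANGEME_, root@localhost) are assumptions about
# the stock file; both sample configs below are constructed.

# psad_conf_get FILE KEY: print KEY's value with comments and the trailing ';'
# stripped, or nothing if KEY is absent.
psad_conf_get() {
    sed 's/#.*//' "$1" | awk -v key="$2" '
        $1 == key {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # drop the key and its padding
            sub(/;[ \t]*$/, "")               # drop the terminating semicolon
            print
            exit
        }'
}

# psad_conf_check FILE: return 0 when the basic settings are usable for an
# auto-blocking setup, otherwise print one line per problem and return 1.
psad_conf_check() {
    conf="$1"; rc=0
    case "$(psad_conf_get "$conf" HOSTNAME)" in
        ""|_CHANGEME_) echo "HOSTNAME is unset or still the placeholder"; rc=1 ;;
    esac
    mail="$(psad_conf_get "$conf" EMAIL_ADDRESSES)"
    case "$mail" in
        ""|root@localhost) echo "EMAIL_ADDRESSES is still the default; alerts go nowhere useful"; rc=1 ;;
        *@*) ;;
        *) echo "EMAIL_ADDRESSES does not look like an address: $mail"; rc=1 ;;
    esac
    [ "$(psad_conf_get "$conf" ENABLE_AUTO_IDS)" = "Y" ] ||
        { echo "ENABLE_AUTO_IDS is not Y: psad will alert but never block"; rc=1; }
    [ "$(psad_conf_get "$conf" IPTABLES_BLOCK_METHOD)" = "Y" ] ||
        { echo "IPTABLES_BLOCK_METHOD is not Y: no iptables block rules will be added"; rc=1; }
    return "$rc"
}

# Constructed excerpt mimicking the stock file before editing.
stock_conf() {
cat <<'EOF'
### Supports multiple email addresses (as a comma separated
### list).
EMAIL_ADDRESSES             root@localhost;

### Machine hostname
HOSTNAME                    _CHANGEME_;

### Set to NOT_USED on a single-interface host.
HOME_NET                    NOT_USED;

ENABLE_AUTO_IDS             N;
IPTABLES_BLOCK_METHOD       Y;
EOF
}

# The same keys as this tutorial sets them (addresses are constructed).
tuned_conf() {
cat <<'EOF'
EMAIL_ADDRESSES             firstname.lastname@example.org, security@example.org;
HOSTNAME                    server1.unixmen.com;
HOME_NET                    NOT_USED;
ENABLE_AUTO_IDS             Y;
IPTABLES_BLOCK_METHOD       Y;
EOF
}

# Stand-alone run: the stock excerpt fails the check, the tuned one passes.
for gen in stock_conf tuned_conf; do
    f=$(mktemp)
    "$gen" > "$f"
    if psad_conf_check "$f"; then
        echo "$gen: OK"
    else
        echo "$gen: fix the above before starting psad"
    fi
    rm -f "$f"
done
```

Point the functions at the real /etc/psad/psad.conf to check your own file; the read-only psad_conf_get is also handy for confirming values such as HOME_NET without opening the editor.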
Update Firewall Rules for ipv4 and ipv6
sk@server1:~$ sudo iptables -A INPUT -j LOG
sk@server1:~$ sudo iptables -A FORWARD -j LOG
sk@server1:~$ sudo ip6tables -A INPUT -j LOG
sk@server1:~$ sudo ip6tables -A FORWARD -j LOG
Because -A appends, these LOG rules see only the packets that no earlier rule has already accepted or dropped. Keep them after the rules that accept your legitimate services, so that everything that falls through to them, including probes of closed ports, is logged for psad; with the usual default DROP policy that is exactly the traffic you want to see. Logging unconditionally on a busy host can flood syslog, so consider adding a -m limit match to the LOG rules.
Now restart psad, update its signature file (this fetches the latest signatures over the network), and reload psad using the following commands.
sk@server1:~$ sudo psad -R
sk@server1:~$ sudo psad --sig-update
sk@server1:~$ sudo psad -H
View Port Scan Report
Enter the following command to view the port scan report.
sk@server1:~$ sudo psad -S
psad -S also writes the report to /var/log/psad/status.out, so you can review it later if you want.
sk@server1:~$ sudo cat /var/log/psad/status.out
Allow Blocked IPs
If psad has found and auto-blocked any IP addresses, you can remove those blocks using the command:
sk@server1:~$ sudo psad -F
However, the above command removes every block that psad added. To unblock a single IP address, enter the following command.
sk@server1:~$ sudo psad --fw-rm-block-ip <IP-Address>
psad keeps a directory of detailed logs for each source IP address it has seen scanning, so you can inspect a particular source, for example 192.168.1.200, with the following command.
sk@server1:~$ sudo ls /var/log/psad/192.168.1.200
To know more about psad command examples and options, see the man pages.
sk@server1:~$ man psad
That's it. Happy monitoring!
This work by unixmen.com is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.
Copyright © 2008-2013 Unixmen.com .