How to Block Port Scan Attacks with Psad on Ubuntu/Debian
psad, the Port Scan Attack Detector, detects port scans and other suspicious traffic by analyzing the firewall logs of Linux systems. It is an intrusion detection system written in Perl. It regularly analyzes iptables and ip6tables log messages to detect port scans, raise alerts and, if configured to do so, block the scanning hosts.
A cracker can use nmap or a similar tool to scan your network for open ports before launching an attack, looking for ways to break into your system. With psad we can detect such port scans and other suspicious activity.
Install psad on Ubuntu / Debian
sk@server1:~$ sudo apt-get update
sk@server1:~$ sudo apt-get install psad
During installation, you will be asked to configure the postfix mail system so that psad can notify you by mail when it detects a port scan.
Open up /etc/rsyslog.conf file.
sk@server1:~$ sudo nano /etc/rsyslog.conf
Add the following line.
Save and exit the file. Restart the rsyslog service using the following command.
sk@server1:~$ sudo /etc/init.d/rsyslog restart
Open up /etc/psad/psad.conf file using any editor.
sk@server1:~$ sudo nano /etc/psad/psad.conf
Set a valid email address.
### Supports multiple email addresses (as a comma separated
### list).
EMAIL_ADDRESSES firstname.lastname@example.org;
Enter the FQDN of your machine.
### Machine hostname
HOSTNAME server1.unixmen.com;
If you have only one network interface, set HOME_NET to NOT_USED as shown below.
If you want to ignore some ports, like UDP 53, modify as below.
If you want the IDS to block attacks automatically, set the following values to Y.
ENABLE_AUTO_IDS Y;
IPTABLES_BLOCK_METHOD Y;
There are many more options available in psad. Most of them are self-explanatory; read them carefully and set them according to your requirements. What you have seen above is just a basic setup of psad. Save and exit the psad config file, then start the psad service.
sk@server1:~$ sudo /etc/init.d/psad restart
Update Firewall Rules for ipv4 and ipv6
sk@server1:~$ sudo iptables -A INPUT -j LOG
sk@server1:~$ sudo iptables -A FORWARD -j LOG
sk@server1:~$ sudo ip6tables -A INPUT -j LOG
sk@server1:~$ sudo ip6tables -A FORWARD -j LOG
Because these rules are appended with -A, they sit at the end of each chain and log only packets that no earlier rule has already accepted or dropped; these log entries are what psad reads.
Now restart psad, update the signature file and reload psad using the following commands.
sk@server1:~$ sudo psad -R
sk@server1:~$ sudo psad --sig-update
sk@server1:~$ sudo psad -H
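To show what psad does with those LOG entries, here is an added illustration that is not code from this guide or from psad itself: a small Python script that parses constructed iptables LOG lines, counts the distinct ports each source address probed, and flags sources that hit many of them, with UDP 53 ignored as in the configuration section above. The threshold of 5 ports, the sample log lines and the addresses are assumptions for the example; psad's own thresholds are the DANGER_LEVEL settings in psad.conf.

```python
import re
from collections import defaultdict

# KEY=VALUE fields written by the iptables LOG target into the kernel log.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")

# Constructed sample lines (not captured from a real host) in the shape the
# `iptables -A INPUT -j LOG` rules from this guide produce; 192.0.2.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
Oct 17 10:00:01 server1 kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=21 SYN
Oct 17 10:00:01 server1 kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=22 SYN
Oct 17 10:00:01 server1 kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40003 DPT=23 SYN
Oct 17 10:00:02 server1 kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40004 DPT=25 SYN
Oct 17 10:00:02 server1 kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40005 DPT=80 SYN
Oct 17 10:00:03 server1 kernel: IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=22 SYN
Oct 17 10:00:03 server1 kernel: IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.5 PROTO=UDP SPT=51001 DPT=53 LEN=40
Oct 17 10:00:04 server1 kernel: eth0: link is up
"""


def parse_log_line(line):
    """Return the SRC/DST/PROTO/SPT/DPT fields of an iptables LOG line,
    or None for kernel messages that are not packet logs."""
    fields = dict(FIELD_RE.findall(line))
    if not {"SRC", "PROTO", "DPT"} <= set(fields):
        return None
    fields["DPT"] = int(fields["DPT"])
    return fields


def detect_scans(log_text, port_threshold=5, ignore_ports=frozenset({("UDP", 53)})):
    """Count distinct (protocol, destination port) pairs per source address and
    report the sources that probed at least port_threshold of them, skipping
    pairs listed in ignore_ports (the UDP 53 case mentioned in the guide).
    The threshold is an assumed value for this example."""
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None or (f["PROTO"], f["DPT"]) in ignore_ports:
            continue
        ports_by_src[f["SRC"]].add((f["PROTO"], f["DPT"]))
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= port_threshold}


if __name__ == "__main__":
    for src, ports in detect_scans(SAMPLE_LOG).items():
        print(f"possible scan from {src}: {len(ports)} ports {[p for _, p in ports]}")
```

On the sample log only 192.0.2.10 is reported; 192.0.2.20 touched one TCP port plus UDP 53, which is ignored.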
View Port Scan Report
Enter the following command to view the port scan report.
sk@server1:~$ sudo psad -S
The port scan report will be stored in /var/log/psad/status.out file. You can view it later if you want.
sk@server1:~$ sudo cat /var/log/psad/status.out
Allow Blocked IPs
If psad has found and blocked any IP addresses, you can unblock them using the command:
sk@server1:~$ sudo psad -F
However, the above command will unblock all blocked IPs. If you want to allow a particular IP address, enter the following command.
sk@server1:~$ sudo psad --fw-rm-block-ip <IP-Address>
You can view the detailed log for a particular source IP address, e.g. 192.168.1.200, using the following command.
sk@server1:~$ sudo ls /var/log/psad/192.168.1.200
To know more about psad command examples and options, see the man pages.
sk@server1:~$ man psad
That's it. Happy monitoring!
This work by unixmen.com is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.
Copyright © 2008-2013 Unixmen.com.