How to Block Port Scan Attacks with Psad on Ubuntu/Debian

psad, Port Scan Attacks Detector, is used to detect the port scan attacks and other suspicious traffic by analyzing the iptables of Linux systems.  It is an Intrusion Detection System written in Perl. It analyzes the iptables and ip6tables log messages regularly to detect, alert and block the port scans if necessary.

A Cracker can use nmap or similar tools to scan your network for any open ports before starting attack and find the ways to break your system. Using psad we can find the port scan attacks and other suspicious activity.

Install psad on Ubuntu / Debian

[email protected]:~$ sudo apt-get update 
[email protected]:~$ sudo apt-get install psad

During installation, you will be asked to configure the postfix mail system in order to notify the port scan attacks via mail if any.

sk@server1: ~_001Select the mail type.

sk@server1: ~_002Enter your mail domain name

sk@server1: ~_004Now psad has been installed.

Rsyslog Configuration

Open up /etc/rsyslog.conf file.

[email protected]:~$ sudo nano /etc/rsyslog.conf

Add the following line. |/var/lib/psad/psadfifo

Save and exit the file. Restart the rsyslog service using following command.

[email protected]:~$ sudo /etc/init.d/rsyslog restart

Psad Configuration

Open up /etc/psad/psad.conf file using any editor.

[email protected]:~$ sudo nano /etc/psad/psad.conf

Setup the valid email id.

### Supports multiple email addresses (as a comma separated### list).
EMAIL_ADDRESSES             [email protected];

Enter FQDN of your machine.

### Machine hostname
HOSTNAME          ;

If you have only one network interface, set HOME_NET to NOT_USED as shown below.

HOME_NET                    NOT_USED;

If you want to ignore some ports like like UDP 53, modify as below.

IGNORE_PORTS                udp/53;

If you want IDS to block attacks automatically, set the following values to Y.

ENABLE_AUTO_IDS             Y;

There are so many options are available in psad. Most of them are self-explanatory. Read carefully and set as your requirements. Here what you have seen above is just a basic setup of psad.  Save and exit the psad config file. Start the psad service.

[email protected]:~$ sudo /etc/init.d/psad restart

Update Firewall Rules for ipv4 and ipv6

[email protected]:~$ sudo iptables -A INPUT -j LOG
[email protected]:~$ sudo iptables -A FORWARD -j LOG
[email protected]:~$ sudo ip6tables -A INPUT -j LOG
[email protected]:~$ sudo ip6tables -A FORWARD -j LOG

Now restart, update the signature file and reload psad using the following commands.

[email protected]:~$ sudo psad -R
[email protected]:~$ sudo psad --sig-update
[email protected]:~$ sudo psad -H

View Port Scan Report

Enter the following command to view the port scan report.

[email protected]:~$ sudo psad -S

The port scan report will be stored in /var/log/psad/status.out file. You can view it later if you want.

[email protected]:~$ sudo cat /var/log/psad/status.out

Allow Blocked IP’s

If PSAD found and blocked any ip addresses, you can allow it using the command:

[email protected]:~$ sudo psad -F

However the above command will allow all blocked ip’s. If you want to allow a particular ip address, enter the following command.

[email protected]:~$ sudo psad --fw-rm-block-ip <IP-Address>

You can view the detailed log of a particular interface ex. using the following command.

[email protected]:~$ sudo ls /var/log/psad/

To know more about psad command examples and options, see the man pages.

[email protected]:~$ man psad

Thats it. Happy Monitoring!!!