How to Block Port Scan Attacks with Psad on Ubuntu/Debian

psad, Port Scan Attacks Detector, is used to detect the port scan attacks and other suspicious traffic by analyzing the iptables of Linux systems.  It is an Intrusion Detection System written in Perl. It analyzes the iptables and ip6tables log messages regularly to detect, alert and block the port scans if necessary.

A Cracker can use nmap or similar tools to scan your network for any open ports before starting attack and find the ways to break your system. Using psad we can find the port scan attacks and other suspicious activity.

Install psad on Ubuntu / Debian

sk@server1:~$ sudo apt-get update 
sk@server1:~$ sudo apt-get install psad

During installation, you will be asked to configure the postfix mail system in order to notify the port scan attacks via mail if any.

sk@server1: ~_001Select the mail type.

sk@server1: ~_002Enter your mail domain name ex.unixmen.com.

sk@server1: ~_004Now psad has been installed.

Rsyslog Configuration

Open up /etc/rsyslog.conf file.

sk@server1:~$ sudo nano /etc/rsyslog.conf

Add the following line.

kern.info |/var/lib/psad/psadfifo

Save and exit the file. Restart the rsyslog service using following command.

sk@server1:~$ sudo /etc/init.d/rsyslog restart

Psad Configuration

Open up /etc/psad/psad.conf file using any editor.

sk@server1:~$ sudo nano /etc/psad/psad.conf

Setup the valid email id.

### Supports multiple email addresses (as a comma separated### list).
EMAIL_ADDRESSES             sk@unixmen.com;

Enter FQDN of your machine.

### Machine hostname
HOSTNAME                    server1.unixmen.com;

If you have only one network interface, set HOME_NET to NOT_USED as shown below.

HOME_NET                    NOT_USED;

If you want to ignore some ports like like UDP 53, modify as below.

IGNORE_PORTS                udp/53;

If you want IDS to block attacks automatically, set the following values to Y.

ENABLE_AUTO_IDS             Y;
IPTABLES_BLOCK_METHOD       Y;

There are so many options are available in psad. Most of them are self-explanatory. Read carefully and set as your requirements. Here what you have seen above is just a basic setup of psad.  Save and exit the psad config file. Start the psad service.

sk@server1:~$ sudo /etc/init.d/psad restart

Update Firewall Rules for ipv4 and ipv6

sk@server1:~$ sudo iptables -A INPUT -j LOG
sk@server1:~$ sudo iptables -A FORWARD -j LOG
sk@server1:~$ sudo ip6tables -A INPUT -j LOG
sk@server1:~$ sudo ip6tables -A FORWARD -j LOG

Now restart, update the signature file and reload psad using the following commands.

sk@server1:~$ sudo psad -R
sk@server1:~$ sudo psad --sig-update
sk@server1:~$ sudo psad -H

View Port Scan Report

Enter the following command to view the port scan report.

sk@server1:~$ sudo psad -S

The port scan report will be stored in /var/log/psad/status.out file. You can view it later if you want.

sk@server1:~$ sudo cat /var/log/psad/status.out

Allow Blocked IP’s

If PSAD found and blocked any ip addresses, you can allow it using the command:

sk@server1:~$ sudo psad -F

However the above command will allow all blocked ip’s. If you want to allow a particular ip address, enter the following command.

sk@server1:~$ sudo psad --fw-rm-block-ip <IP-Address>

You can view the detailed log of a particular interface ex.192.168.1.200 using the following command.

sk@server1:~$ sudo ls /var/log/psad/192.168.1.200

To know more about psad command examples and options, see the man pages.

sk@server1:~$ man psad

Thats it. Happy Monitoring!!!