25.7.13

Psad rsyslog ubuntu: "an IPS dedicated to port scans"

Port Scan Attack Detector, PSAD for short, is a tool that detects port-scan behaviour and then blocks it. Its author classifies it as a NIPS, but it can also serve as a HIPS. It works alongside the iptables firewall: by analysing the iptables log it identifies offending IP addresses and blocks them.

gcc and make must be installed first; the test environment is Ubuntu 12.04.
wget http://cipherdyne.org/psad/download/psad-2.2.1.tar.gz    // download
If you install with apt-get instead, you get psad 2.1.7.

tar zxvf psad-2.2.1.tar.gz    // extract
cd psad-2.2.1                 // enter the source directory
./install.pl                  // install

The installer asks a series of questions; answer "y" to all of them,
except the one that shows a URL, which gets "n".
The last question asks whether to add psad to the boot sequence: "y".

Next, add LOG rules to iptables so that psad has log data to analyse:
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG

// the IPv6 part
ip6tables -A INPUT -j LOG
ip6tables -A FORWARD -j LOG

Edit the configuration file (the // annotations below are explanatory notes, not psad.conf syntax):
vi /etc/psad/psad.conf
*********************************************************************
### Supports multiple email addresses (as a comma separated
### list).
EMAIL_ADDRESSES XXX@gmail.com;        // optional: psad can notify you by e-mail, but postfix must be installed

### Machine hostname
HOSTNAME gmail.com;

### Specify the home and external networks. Note that by default the
### ENABLE_INTF_LOCAL_NETS is enabled, so psad automatically detects
### all of the directly connected subnets and uses this information as
### the HOME_NET variable.
HOME_NET 192.168.1.X;               //192.168.1.X or 192.168.1.X/X

### By default, psad acquires iptables log data from the /var/log/messages
### file which the local syslog daemon (usually) writes iptables log messages
### to. If the ENABLE_SYSLOG_FILE variable below is set to "N", then psad
### reconfigures syslog to write iptables log data to the
### /var/lib/psad/psadfifo fifo file where the messages are picked up by kmsgsd
### written to the file /var/log/psad/fwdata for analysis by psad. On some
### systems, having syslog communicate log data to kmsgsd can be problematic
### (syslog configs and external factors such as Apparmor and SELinux can play
### a role here), so leaving the ENABLE_SYSLOG_FILE variable set to "Y" is
### usually recommended.
IPT_SYSLOG_FILE /var/log/kern.log;                 // the setting to use with rsyslog

### If "Y", send a status email message when an IP has reached the
### EMAIL_LIMIT threshold.
EMAIL_LIMIT_STATUS_MSG N;

### If "Y", enable automated IDS response (auto manages
### firewall rulesets).
ENABLE_AUTO_IDS Y;                            // whether to block an IP once a scan is detected

### Block all traffic from offending IP if danger
### level >= to this value
AUTO_IDS_DANGER_LEVEL 3;                           // detection sensitivity: the lower the value, the more sensitive

### Set the auto-blocked timeout in seconds (the default
### is one hour).
AUTO_BLOCK_TIMEOUT 3600;                               // how long an IP stays blocked

### By setting this variable to N, all auto-blocking emails can be
### suppressed.
ENABLE_AUTO_IDS_EMAILS N;

### system binaries
mailCmd /usr/bin/mail;
*****************************************************************

psad -R              // restart
psad --sig-update    // update the signatures
psad -H              // restart after applying the signatures

iptables -L          // this is the initial rule set; probe with nmap X.X.X.X and psad will block the scanner
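As an added example (not code from the original post or from the psad project), the following Python script models what psad does with the kern.log lines that the LOG rules above produce: it groups iptables log entries by SRC, counts packets and distinct destination ports aimed at HOME_NET, maps the packet count to a danger level, and reports which sources AUTO_IDS_DANGER_LEVEL 3 would auto-block. The thresholds are assumed to be psad.conf's default DANGER_LEVEL1..5 packet counts (5/15/150/1500/10000) and the model is simplified (real psad also weighs signature matches); the log lines are constructed.

```python
import re
from collections import defaultdict

# Fields an iptables "-j LOG" rule writes into /var/log/kern.log (SPT/DPT are absent for ICMP).
IPT_LOG = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?")

# Assumed: psad.conf default packet-count thresholds DANGER_LEVEL1..DANGER_LEVEL5.
DANGER_LEVELS = [(10000, 5), (1500, 4), (150, 3), (15, 2), (5, 1)]


def danger_level(packets):
    """Map a per-source packet count to a psad-style danger level (0 = below DL1)."""
    for threshold, level in DANGER_LEVELS:
        if packets >= threshold:
            return level
    return 0


def analyze(lines, home_net_prefix="192.168.1."):
    """Per source IP: packets and distinct destination ports seen toward HOME_NET, plus danger level."""
    stats = defaultdict(lambda: {"packets": 0, "ports": set()})
    for line in lines:
        m = IPT_LOG.search(line)
        if not m or not m.group("dst").startswith(home_net_prefix):
            continue  # not an iptables LOG line, or not aimed at our network
        entry = stats[m.group("src")]
        entry["packets"] += 1
        if m.group("dpt"):
            entry["ports"].add(int(m.group("dpt")))
    for entry in stats.values():
        entry["dl"] = danger_level(entry["packets"])
    return dict(stats)


def to_block(stats, auto_ids_danger_level=3):
    """Sources whose danger level reaches AUTO_IDS_DANGER_LEVEL, i.e. what ENABLE_AUTO_IDS would block."""
    return sorted(src for src, s in stats.items() if s["dl"] >= auto_ids_danger_level)


# Constructed sample: 203.0.113.7 sweeps 160 TCP ports; 198.51.100.9 sends one SSH SYN and one ping.
SAMPLE_LOG = [
    f"Jul 25 10:00:{i % 60:02d} ubuntu kernel: [ 1234.5] IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 "
    f"LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40000 DPT={20 + i} WINDOW=1024 RES=0x00 SYN URGP=0"
    for i in range(160)
] + [
    "Jul 25 10:01:00 ubuntu kernel: [ 1300.1] IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jul 25 10:01:01 ubuntu kernel: [ 1301.1] IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.10 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
]

if __name__ == "__main__":
    print("auto-blocked at AUTO_IDS_DANGER_LEVEL 3:", to_block(analyze(SAMPLE_LOG)))
```

Raising AUTO_IDS_DANGER_LEVEL to 4 leaves the 160-packet sweep unblocked, which is the trade-off the "lower is more sensitive" note in the config refers to.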
