Port Scan Attack Detector (psad) allow us detect and block possible port scan or suspicious traffic in real time. psad is designed for work with iptables, configuring syslog to send log messages from the facility kern.info to /var/lib/psad/psadfifo, to analyze netfilter log messages. psad comes with some snort rules to detect traffic pattern from DDoS tools, backdoors, malicious software and advanced tcp flags used with port scanning (Null, FIN, Xmas) http://nmap.org/book/man-port-scanning-techniques.html


With psad it’s possible configure different types of level alerts, depending of the number of packages received we can personalize and do actions for the different levels.
When psad alert us via email, include the next information from the scanning:

– Scanned port and the number of packets.
– TCP flags.
– Source IP address.
– Reverse DNS from the IP address if is available.
– Date of the scan.
– The scan signature.
– Whois information about source IP address.

One mail alert example:

We can configure psad to execute iptables rules to block the source IP address for a time (by default 3600 seconds), for every iptables action it’ll alert us via email.

– Install psad:


# apt-get install psad

– Edit syslog to send netfilter log messages to psad:


# vi /etc/rsyslog.conf

kern.info |/var/lib/psad/psadfifo

– Restart rsyslog:


# /etc/init.d/rsyslog restart

– Edit psad main config file:


# vi /etc/psad/psad.conf

# Mail to send alerts
 EMAIL_ADDRESSES ivan@opentodo.net;

# Machine hostname
 HOSTNAME www.opentodo.net;

# Specify the internal and external networks
 HOME_NET NOT_USED;
 EXTERNAL_NET any;

# Used to define string to search droped packets
 FW_MSG_SEARCH DROP;

#Syslog daemon used
 SYSLOG_DAEMON syslogd;

# Danger levels. These represent the total number of
 # packets required for a scan to reach each danger level.
 # A scan may also reach a danger level if the scan trips
 # a signature or if the scanning ip is listed in
 # auto_ips so a danger level is automatically assigned.

DANGER_LEVEL1 5; ### Number of packets.
 DANGER_LEVEL2 35;
 DANGER_LEVEL3 150;
 DANGER_LEVEL4 1500;
 DANGER_LEVEL5 10000;

### Set the interval (in seconds) psad will use to sleep before
 ### checking for new iptables log messages
 CHECK_INTERVAL 5;

### Set the minimum range of ports that must be scanned before
 ### psad will send an alert. The default is 1 so that at
 ### least two port must be scanned (p2-p1 >= 1). This can be set
 ### to 0 if you want psad to be extra paranoid, or 30000 if not.
 PORT_RANGE_SCAN_THRESHOLD 1;

# Define a set of ports to ignore, very useful with port knocking
 IGNORE_PORTS udp/53;

# Minimum danger level that the scan will generate an alert
 # or log message
 MIN_DANGER_LEVEL 2;

### If "Y", enable automated IDS response (auto manages
 ### firewall rulesets).
 ENABLE_AUTO_IDS Y;

### Block all traffic from offending IP if danger
 ### level >= to this value
 AUTO_IDS_DANGER_LEVEL 2;

### Set the auto-blocked timeout in seconds (the default
 ### is one hour).
 AUTO_BLOCK_TIMEOUT 3600;

### By setting this variable to N, all auto-blocking emails can be
 ### suppressed.
 ENABLE_AUTO_IDS_EMAILS Y;

### Enable iptables blocking (only gets enabled if
 ### ENABLE_AUTO_IDS is also set)
 IPTABLES_BLOCK_METHOD Y;

### Specify chain names to which iptables blocking rules will be
 ### added with the IPT_AUTO_CHAIN{n} keyword. There is no limit on the
 ### number of IPT_AUTO_CHAIN{n} keywords; just increment the {n} number
 ### to add an additional IPT_AUTO_CHAIN requirement. The format for this
 ### variable is: <Target>,<Direction>,<Table>,<From_chain>,<Jump_rule_position>, \
 ### <To_chain>,<Rule_position>.
 ### "Target": Can be any legitimate Netfilter target, but should usually
 ### just be "DROP".
 ### "Direction": Can be "src", "dst", or "both", which correspond to the
 ### INPUT, OUTPUT, and FORWARD chains.
 ### "Table": Can be any Netfilter table, but the default is "filter".
 ### "From_chain": Is the chain from which packets will be jumped.
 ### "Jump_rule_position": Defines the position within the From_chain where
 ### the jump rule is added.
 ### "To_chain": Is the chain to which packets will be jumped. This is the
 ### main chain where psad rules are added.
 ### "Rule_position": Defines the position where rule are added within the
 ### To_chain.

IPT_AUTO_CHAIN1 DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
 IPT_AUTO_CHAIN2 DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;

– Create new iptables chains:

 iptables -N PSAD_BLOCK_INPUT
 iptables -N PSAD_BLOCK_OUTPUT

– Configuring iptables rules:


iptables -A INPUT -j PSAD_BLOCK_INPUT
 iptables -A OUTPUT -j PSAD_BLOCK_OUTPUT
 iptables -A INPUT -j LOG
 iptables -A OUTPUT -j LOG

– Restart psad:


# /etc/init.d/psad restart

– Optionally if you have to ignore an address range or set manually a danger level, you can edit the configuration file auto_dl:


# vi /etc/psad/auto_dl

#10.111.21.23 5; # Very bad IP.
 127.0.0.1 0; # Ignore this IP.

– You can monitor the ip address banned with the next command:

 # psad --fw-list

– Also you can see a set of information like top of scanned ports, top of ip address attackers or the status of psad executing:


# psad -S

or you can see manually the output in the file /var/log/psad/status.out

Web of the project:

http://www.cipherdyne.org/psad

Tagged on:             

One thought on “Blocking Port Scan Attacks with psad

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

 

Follow

Get every new post delivered to your Inbox

Join other followers: