Install Psad Intrusion Detection

psad is a collection of three lightweight system daemons (two main daemons and one helper daemon) that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic.

Install PSAD

To install psad, run the following command:

sudo apt-get install psad

Edit the config file

You need to update some parameters in the psad.conf file first.

sudo vi /etc/psad/psad.conf

Before changing anything, double check to make sure the HOSTNAME parameter is set properly. Then, update the following parameters:

• EMAIL_ADDRESSES: Put your email address there;
• HOSTNAME: Change this value using your hostname;
• ENABLE_AUTO_IDS: Change this to Y if you like PSAD to take any actions;
• ENABLE_AUTO_IDS_EMAILS: Change this to Y if you want to receive emails if psad detect an intrusion;

Add iptables rules

The main requirement for an iptables policy to be compatible with psad is simply that iptables logs packets. This is commonly accomplished by adding rules to the INPUT and FORWARD chains like so:

sudo iptables -A INPUT -j LOG
sudo iptables -A FORWARD -j LOG

More information available at: http://www.cipherdyne.org/psad/docs/fwconfig.html

Restart psad

To update and make sure everything works properly, restart the service:

sudo psad -R
sudo psad --sig-update
sudo psad -H

Check psad

You can check the status of psad using the following command:

sudo psad --Status