Install Psad Intrusion Detection
psad is a collection of three lightweight system daemons (two main daemons and one helper daemon) that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic.
Install PSAD
To install psad, run the following command:
sudo apt-get install psad
Edit the config file
You need to update some parameters in the psad.conf file first.
sudo vi /etc/psad/psad.conf
Before changing anything, double check to make sure the HOSTNAME
parameter is set properly. Then, update the following parameters:
- EMAIL_ADDRESSES: put your email address there;
- HOSTNAME: change this value to your hostname;
- ENABLE_AUTO_IDS: change this to Y if you want psad to take action on its own;
- ENABLE_AUTO_IDS_EMAILS: change this to Y if you want to receive an email when psad detects an intrusion.
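The following script is an added example, not part of the original page or of the psad project: it applies the four settings above with sed instead of editing by hand, and refuses to leave HOSTNAME at a placeholder value. It assumes the psad.conf layout in which each setting is one line of the form `KEY<whitespace>VALUE;`; the sample file it writes by default is constructed for this example, so the script is safe to run as-is, and you point CONF at /etc/psad/psad.conf (as root) to apply it for real.

```shell
#!/bin/sh
# Added example: set psad.conf parameters with sed.
# Assumption: each setting is one line "KEY<whitespace>VALUE;" (Debian layout).
# CONF defaults to a constructed sample so the script can be run safely;
# CONF=/etc/psad/psad.conf ./this_script.sh (as root) edits the real file.

CONF=${CONF:-./psad.conf.sample}

# Constructed sample resembling the stock file (placeholder values only).
make_sample_conf() {
    cat > "$1" <<'EOF'
### psad.conf (constructed sample for this example)
EMAIL_ADDRESSES             root@localhost;
HOSTNAME                    _CHANGEME_;
ENABLE_AUTO_IDS             N;
ENABLE_AUTO_IDS_EMAILS      N;
EOF
}

# get_param FILE KEY: print the value of KEY without the trailing ';'
get_param() {
    sed -n "s/^$2[[:space:]]\{1,\}\(.*\);[[:space:]]*$/\1/p" "$1"
}

# set_param FILE KEY VALUE: replace the existing line, or append if missing.
# '|' is the sed delimiter so values containing '/' are safe.
set_param() {
    if grep -q "^$2[[:space:]]" "$1"; then
        sed -i "s|^$2[[:space:]].*$|$2    $3;|" "$1"
    else
        printf '%s    %s;\n' "$2" "$3" >> "$1"
    fi
}

# configure_psad FILE EMAIL HOSTNAME: apply the four settings from the page.
# Returns 1 (changing nothing) if HOSTNAME would stay at the placeholder.
configure_psad() {
    file=$1 email=$2 host=$3
    [ -n "$host" ] && [ "$host" != "_CHANGEME_" ] || return 1
    set_param "$file" EMAIL_ADDRESSES "$email"
    set_param "$file" HOSTNAME "$host"
    set_param "$file" ENABLE_AUTO_IDS Y
    set_param "$file" ENABLE_AUTO_IDS_EMAILS Y
}

if [ "$CONF" = ./psad.conf.sample ]; then
    make_sample_conf "$CONF"
fi
# admin@example.com is a placeholder address; the hostname comes from uname.
configure_psad "$CONF" admin@example.com "$(uname -n)"
```

Run `get_param "$CONF" HOSTNAME` afterwards to confirm the value psad will report in its alerts.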
Add iptables rules
The main requirement for an iptables policy to be compatible with psad is simply that iptables logs packets. This is commonly accomplished by adding rules to the INPUT and FORWARD chains like so:
sudo iptables -A INPUT -j LOG
sudo iptables -A FORWARD -j LOG
More information available at: http://www.cipherdyne.org/psad/docs/fwconfig.html
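As an added example (not from the original page or from the psad project), the script below checks whether the INPUT and FORWARD chains already carry a LOG rule and adds only the missing ones, so it can be re-run without stacking duplicate rules. The check parses the text of `iptables -S`, so it can be exercised on the constructed listing embedded in the script without root; applying rules uses `iptables -C` (test for an existing rule) and requires root, and is only done when the script is called with `--apply`.

```shell
#!/bin/sh
# Added example: make sure INPUT and FORWARD each end with a LOG rule.
# Without --apply it only inspects a constructed sample listing.

# missing_log_chains: read an `iptables -S` style listing on stdin and
# print each of INPUT / FORWARD that has no "-j LOG" rule.
missing_log_chains() {
    listing=$(cat)
    for chain in INPUT FORWARD; do
        printf '%s\n' "$listing" | grep -q "^-A $chain .*-j LOG" || echo "$chain"
    done
}

# ensure_log_rule CHAIN: append "-j LOG" to CHAIN unless it is already
# present (iptables -C returns 0 when the rule exists). Needs root.
ensure_log_rule() {
    iptables -C "$1" -j LOG 2>/dev/null || iptables -A "$1" -j LOG
}

# Constructed sample listing: INPUT already logs, FORWARD does not.
SAMPLE='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG'

if [ "$1" = "--apply" ]; then
    for chain in $(iptables -S | missing_log_chains); do
        ensure_log_rule "$chain"
    done
else
    echo "Chains missing a LOG rule in the sample listing:"
    printf '%s\n' "$SAMPLE" | missing_log_chains
fi
```

Because the LOG rule is appended at the end of the chain, only packets that fall through every earlier rule are logged; keeping it after your ACCEPT rules for established connections limits the log volume to the unsolicited traffic psad is interested in.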
Restart psad
To restart the service, pull the latest signatures, and have psad reload its configuration, run:
sudo psad -R
sudo psad --sig-update
sudo psad -H
Check psad
You can check the status of psad using the following command:
sudo psad --Status