wiki:PSAD

Portscan Attack Detection

This Howto will describe a way to setup up portscan detection for Vuurmuur, using the excellent Port Scan Attack Detector by Michael Rash. You can get it from http://www.cipherdyne.com/projects/psad/.

Basic setup

First install PSAD and start it. You will receive an email on the address you selected.

To support Vuurmuur you must know that all logmessages created by vuurmuur include 'vrmr:' and the action, so that is DROP, ACCEPT, REJECT, etc. If you want to use all dropped packets for Portscan detection, add:

FW_MSG_SEARCH vrmr: DROP

to /etc/psad/fw_search.conf. For using both DROP and REJECT:

FW_MSG_SEARCH vrmr: DROP
FW_MSG_SEARCH vrmr: REJECT

Now it should work. You can test using nmap or http://grc.com.

This can however trigger quite a lot of alerts, some of which might not be very interesting. You can also make a more fine grained detection system by creating one or more special rules in Vuurmuur.

drop service any from world.inet to firewall options log,logprefix="PSAD"

Now add to the /etc/psad/fw_search.conf:

FW_MSG_SEARCH vrmr: DROP PSAD

Now only scans from world.inet are detected.

To use the passive OS-detection feature of PSAD 1.4.x you need to enable the logging of tcp-options in 'Vuurmuur config->Logging'.

Blocking offenders

PSAD support blocking hosts that portscan you by adding iptables rules to special chains. Making this work with Vuurmuur takes some attention, and requires PSAD version 1.4.5. This is because PSAD by default will add rules to the INPUT, OUTPUT and FORWARD chains. Since Vuurmuur requires to manage these chains alone, we need to add a little trick. Luckily the author of PSAD helped us so we are not in trouble.

First of all, enable the auto ids mode, which will enable the blocking. These options are all psad.conf:

ENABLE_AUTO_IDS Y;
AUTO_IDS_DANGER_LEVEL 1;
AUTO_BLOCK_TIMEOUT 3600;

Next, setup the iptables specific options. Note that we use a chain named PSAD-AUTO-IDS here, instead of the default INPUT, OUTPUT and FORWARD.

IPTABLES_BLOCK_METHOD Y;
IPTABLES_AUTO_RULENUM 1;
IPT_AUTO_CHAIN1 DROP, src, filter, PSAD-AUTO-IDS, PSAD_BLOCK_INPUT;
IPT_AUTO_CHAIN2 DROP, dst, filter, PSAD-AUTO-IDS, PSAD_BLOCK_OUTPUT;
IPT_AUTO_CHAIN3 DROP, both, filter, PSAD-AUTO-IDS, PSAD_BLOCK_FORWARD;

That completes the configuration on the PSAD side. Next is Vuurmuur. In Vuurmuur we need to make sure the chain PSAD-AUTO-IDS we supplied to PSAD really exists. To do this add the following rule to Vuurmuur:

Chain service any from any to any options chain="PSAD-AUTO-IDS"

Apply changes in Vuurmuur, restart PSAD and it should work!

Further thoughts on auto-blocking

The big risk of automatic blocking hosts based on portscans is IP-spoofing. An attacker can scan you while spoofing the ipaddress so it looks as if you are scanned by the DNS-server of your ISP. So what happens? PSAD will add the ipaddress to it's blocklist, and you cannot reach your DNS-server anymore, effectively causing a DoS.

This risk can easily be prevented by making sure you insert the 'chain' rule in Vuurmuur after important rules like DNS lookups, SSH for administration, etc. Be sure to not compromise the effect of the blocking though. It would be bad if the attacker would still be able to connect to your ssh port. Best practice is to add the 'chain' rule after the most important outgoing rules, but before the rules allowing incoming connections.

Last modified 11 years ago Last modified on 09/03/07 09:57:15