Changes between Initial Version and Version 1 of PSAD

Timestamp: 09/03/07 09:57:15
Author: Victor Julien

= Portscan Attack Detection =

This Howto describes a way to set up portscan detection for Vuurmuur, using the excellent Port Scan Attack Detector (PSAD) by Michael Rash. You can get it from http://www.cipherdyne.com/projects/psad/.

== Basic setup ==

First install PSAD and start it. You will receive an email at the address you selected.

To make PSAD understand Vuurmuur, you need to know that every log message Vuurmuur creates contains 'vrmr:' followed by the action, i.e. DROP, ACCEPT, REJECT, etc. If you want to use all dropped packets for portscan detection, add:
{{{
FW_MSG_SEARCH vrmr: DROP
}}}
to /etc/psad/fw_search.conf. To use both DROP and REJECT:
{{{
FW_MSG_SEARCH vrmr: DROP
FW_MSG_SEARCH vrmr: REJECT
}}}
Now it should work. You can test it by scanning the firewall with nmap or with the online scanner at http://grc.com.

This can however trigger quite a lot of alerts, some of which may not be very interesting. You can build a more fine-grained detection by creating one or more dedicated rules in Vuurmuur that log with their own prefix, for example:
{{{
drop service any from world.inet to firewall options log,logprefix="PSAD"
}}}
Then add to /etc/psad/fw_search.conf:
{{{
FW_MSG_SEARCH vrmr: DROP PSAD
}}}
Now only packets dropped by that rule, i.e. scans from world.inet against the firewall itself, are detected. Because the search string is matched as a substring of the log line, leave the plain 'vrmr: DROP' entry out of fw_search.conf when only the PSAD-prefixed drops should count; otherwise it matches every drop again.
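To see which log lines each FW_MSG_SEARCH setting picks up, here is an added example (it is not from the Vuurmuur wiki or from psad) that runs the same substring matching over a few constructed Vuurmuur log lines. The addresses, timestamps and the exact layout of the fields after 'vrmr: <ACTION>' are assumptions for the demonstration, and psad's own pattern matching is modelled as a plain substring test.

```shell
#!/bin/sh
# Added example, not part of the Vuurmuur wiki or of psad.
# Simulates FW_MSG_SEARCH matching against constructed kernel log
# lines in the shape Vuurmuur writes: "vrmr: <ACTION>" (plus an
# optional logprefix) followed by the iptables fields. All addresses
# and the field layout are made up for this demonstration.

SAMPLE_LOG='Sep  3 09:57:15 fw kernel: vrmr: DROP IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.1 PROTO=TCP SPT=40000 DPT=22
Sep  3 09:57:16 fw kernel: vrmr: DROP PSAD IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=23
Sep  3 09:57:17 fw kernel: vrmr: REJECT IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.1 PROTO=TCP SPT=40002 DPT=25
Sep  3 09:57:18 fw kernel: vrmr: ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=50000 DPT=80
Sep  3 09:57:19 fw kernel: vrmr: DROP IN=eth1 OUT= SRC=10.0.0.5 DST=192.0.2.1 PROTO=UDP SPT=1234 DPT=161'

# count_fw_matches PATTERN...
# Prints how many sample lines contain at least one of the given
# FW_MSG_SEARCH strings. Each line is counted once, even if several
# patterns match it (as "vrmr: DROP" and "vrmr: DROP PSAD" both do).
count_fw_matches() {
    printf '%s\n' "$SAMPLE_LOG" | {
        n=0
        while IFS= read -r line; do
            for pat in "$@"; do
                case "$line" in
                    *"$pat"*) n=$((n + 1)); break ;;
                esac
            done
        done
        echo "$n"
    }
}

# matched_sources PATTERN...
# Prints the SRC= address of every matching line, one per line, so you
# can see which hosts psad would start counting scans for.
matched_sources() {
    printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
        for pat in "$@"; do
            case "$line" in
                *"$pat"*)
                    src=${line##*SRC=}
                    echo "${src%% *}"
                    break ;;
            esac
        done
    done
}

# Stand-alone usage: compare the three fw_search.conf variants above.
echo "vrmr: DROP           -> $(count_fw_matches 'vrmr: DROP') lines"
echo "vrmr: DROP + REJECT  -> $(count_fw_matches 'vrmr: DROP' 'vrmr: REJECT') lines"
echo "vrmr: DROP PSAD      -> $(count_fw_matches 'vrmr: DROP PSAD') lines"
echo "hosts seen with vrmr: DROP PSAD: $(matched_sources 'vrmr: DROP PSAD' | sort -u | tr '\n' ' ')"
```

The generic 'vrmr: DROP' entry also catches the internal UDP drop from 10.0.0.5 and the PSAD-prefixed line, which is exactly the noise the dedicated rule with logprefix="PSAD" is meant to filter out.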

To use the passive OS fingerprinting feature of PSAD 1.4.x, enable the logging of TCP options under 'Vuurmuur config->Logging'; PSAD matches its fingerprints against the TCP options in the log lines, so without them it has nothing to work with.

== Blocking offenders ==

PSAD supports blocking hosts that portscan you by adding iptables rules to special chains. Making this work with Vuurmuur takes some attention and requires at least PSAD version 1.4.5. By default PSAD adds its rules to the INPUT, OUTPUT and FORWARD chains, and Vuurmuur needs exclusive control of those chains, so we need a little trick: point PSAD at a chain of its own and let Vuurmuur create it and jump to it. Luckily the author of PSAD helped us out here.

First of all, enable the auto-IDS mode, which enables the blocking. All of these options live in psad.conf:
{{{
ENABLE_AUTO_IDS Y;
AUTO_IDS_DANGER_LEVEL 1;
AUTO_BLOCK_TIMEOUT 3600;
}}}
AUTO_IDS_DANGER_LEVEL 1 blocks at the lowest danger level, so even a small scan gets an address blocked; raise it if auto-blocking turns out too trigger-happy. AUTO_BLOCK_TIMEOUT is the block duration in seconds, here one hour.

Next, set up the iptables specific options. Note that we use a chain named PSAD-AUTO-IDS as the chain PSAD hooks into, instead of the default INPUT, OUTPUT and FORWARD. PSAD creates the PSAD_BLOCK_* chains itself and inserts jumps to them at rule position 1 (IPTABLES_AUTO_RULENUM) of PSAD-AUTO-IDS:
{{{
IPTABLES_BLOCK_METHOD Y;
IPTABLES_AUTO_RULENUM 1;
IPT_AUTO_CHAIN1 DROP, src, filter, PSAD-AUTO-IDS, PSAD_BLOCK_INPUT;
IPT_AUTO_CHAIN2 DROP, dst, filter, PSAD-AUTO-IDS, PSAD_BLOCK_OUTPUT;
IPT_AUTO_CHAIN3 DROP, both, filter, PSAD-AUTO-IDS, PSAD_BLOCK_FORWARD;
}}}
That completes the configuration on the PSAD side. Next is Vuurmuur. In Vuurmuur we need to make sure the chain PSAD-AUTO-IDS we gave to PSAD really exists and that traffic passes through it. To do this, add the following rule to Vuurmuur:
{{{
Chain service any from any to any options chain="PSAD-AUTO-IDS"
}}}
Apply the changes in Vuurmuur, restart PSAD and it should work. You can verify it with 'iptables -L PSAD-AUTO-IDS -n', which should list the jumps to the PSAD_BLOCK_* chains once PSAD has restarted.

=== Further thoughts on auto-blocking ===

The big risk of automatically blocking hosts based on portscans is IP spoofing. An attacker can scan you with a spoofed source address, so that it looks as if you are being scanned by, say, your ISP's DNS server. Sending such a scan is trivial, since the scanner needs no replies to make PSAD count the packets. PSAD then adds that address to its block list and you cannot reach your DNS server anymore, which is an effective DoS against you.

This risk can be reduced by inserting the 'chain' rule in Vuurmuur after the important rules, such as the DNS lookups the firewall itself makes and SSH for administration. Be careful not to undermine the blocking though: it would be bad if an attacker could still connect to your SSH port after being blocked. Best practice is to add the 'chain' rule after the most important outgoing rules, but before the rules allowing incoming connections. Also keep AUTO_BLOCK_TIMEOUT modest so that a block triggered by spoofing expires on its own, and check PSAD's view of the blocked addresses with 'psad --Status' before assuming a host is unreachable for some other reason.
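The ordering advice above can be checked mechanically against iptables-save output. The script below is an added example, not from the Vuurmuur wiki or from psad. The two rulesets it contains are constructed; they assume that Vuurmuur renders the 'chain' rule as a jump to PSAD-AUTO-IDS from INPUT, OUTPUT and FORWARD (an assumption made for this example), and the resolver address 192.0.2.53 is made up.

```shell
#!/bin/sh
# Added example, not part of the Vuurmuur wiki or of psad.
# Checks the placement of the jump into PSAD-AUTO-IDS in a ruleset in
# iptables-save format:
#   - OUTPUT: the firewall's own DNS rule must come BEFORE the jump,
#     so a spoofed scan "from" the resolver cannot cut off name lookups;
#   - INPUT: the incoming SSH accept must come AFTER the jump,
#     so a blocked attacker really cannot reach sshd.
# Both rulesets are constructed for the demonstration; the shape of the
# rules Vuurmuur emits for a 'chain' rule is an assumption here.

GOOD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:PSAD-AUTO-IDS - [0:0]
-A OUTPUT -p udp -d 192.0.2.53 --dport 53 -j ACCEPT
-A OUTPUT -j PSAD-AUTO-IDS
-A INPUT -j PSAD-AUTO-IDS
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -j PSAD-AUTO-IDS
COMMIT'

# Same rules with the 'chain' rule placed carelessly: first in OUTPUT
# (before DNS) and last in INPUT (after the SSH accept).
BAD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:PSAD-AUTO-IDS - [0:0]
-A OUTPUT -j PSAD-AUTO-IDS
-A OUTPUT -p udp -d 192.0.2.53 --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j PSAD-AUTO-IDS
-A FORWARD -j PSAD-AUTO-IDS
COMMIT'

# rule_index RULESET CHAIN PATTERN
# Prints the 1-based position, within CHAIN, of the first rule whose
# text contains PATTERN, or 0 if there is no such rule.
rule_index() {
    idx=$(printf '%s\n' "$1" | grep -- "^-A $2 " | grep -n -- "$3" | head -n 1 | cut -d: -f1)
    echo "${idx:-0}"
}

# check_psad_chain_order RULESET
# Returns 0 when the jump to PSAD-AUTO-IDS is present in all three
# built-in chains and sits where the Howto recommends, 1 otherwise.
check_psad_chain_order() {
    rules=$1
    if ! printf '%s\n' "$rules" | grep -q '^:PSAD-AUTO-IDS '; then
        echo "chain PSAD-AUTO-IDS does not exist; psad's jump rules would fail"
        return 1
    fi
    out_jump=$(rule_index "$rules" OUTPUT '-j PSAD-AUTO-IDS')
    out_dns=$(rule_index "$rules" OUTPUT '--dport 53 -j ACCEPT')
    in_jump=$(rule_index "$rules" INPUT '-j PSAD-AUTO-IDS')
    in_ssh=$(rule_index "$rules" INPUT '--dport 22 -j ACCEPT')
    fwd_jump=$(rule_index "$rules" FORWARD '-j PSAD-AUTO-IDS')
    if [ "$out_jump" -eq 0 ] || [ "$in_jump" -eq 0 ] || [ "$fwd_jump" -eq 0 ]; then
        echo "jump to PSAD-AUTO-IDS missing from INPUT, OUTPUT or FORWARD"
        return 1
    fi
    if [ "$out_dns" -eq 0 ] || [ "$out_dns" -gt "$out_jump" ]; then
        echo "OUTPUT: DNS rule must precede the PSAD-AUTO-IDS jump (spoofed scan could block the resolver)"
        return 1
    fi
    if [ "$in_ssh" -ne 0 ] && [ "$in_ssh" -lt "$in_jump" ]; then
        echo "INPUT: SSH accept precedes the PSAD-AUTO-IDS jump (blocked hosts could still reach sshd)"
        return 1
    fi
    echo "ordering ok"
    return 0
}

# Stand-alone usage. On a live firewall, feed the real ruleset instead:
#   check_psad_chain_order "$(iptables-save)"
check_psad_chain_order "$GOOD_RULES"
check_psad_chain_order "$BAD_RULES" || true
```

The check only knows about DNS and SSH because those are the two examples the text gives; add a line per service the firewall itself must always be able to reach, and run it again after every Vuurmuur rule change that moves the 'chain' rule.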