Setup PSAD in Ubuntu 9+

psad (the Port Scan Attack Detector) reads your firewall log in real time, and it can be configured to block the offending source addresses automatically. While reading the guides that are available for this I ran into a problem: there was no /etc/syslog.conf. On Ubuntu’s website I found the release note that explains it: as of Ubuntu 9.10, the old syslog daemon has been replaced by rsyslog. That change is what makes setting up psad a little tricky.

This guide has been tested on Ubuntu 10.04 LTS Server and 10.10 Desktop

The first thing to do is install psad:

sudo apt-get install psad

Now edit the config file:

sudo nano /etc/psad/psad.conf

Change “ENABLE_SYSLOG_FILE Y;” to “ENABLE_SYSLOG_FILE N;”. With this set to N, psad does not tail /var/log/syslog itself; it reads from its named pipe, /var/lib/psad/psadfifo, which rsyslog will feed in the last step.

Another setting to review now, depending on your environment, is “EMAIL_ALERT_DANGER_LEVEL”: psad only emails alerts for events at or above that danger level (1 to 5), so raise it if you do not want mail for every low-level scan.

Set the email address at the top of the config file or leave the default, root. I have root’s mail set to forward to my real email address. To forward root’s (or any user’s) mail, place a file named “.forward” in that user’s home folder containing the address the mail should go to.

Restart psad:

sudo /etc/init.d/psad restart

Next: configure iptables to log the packets that are not legitimate. The logging rules need to go after the accept rules but before the packets are dropped. Confusing? It was for me.

For example, my default policy for INPUT and FORWARD is DROP, and my accept rules for specific ports are appended after that. So the logging rules go at the end of the script: a packet that reaches them was not accepted by any earlier rule, it gets logged, and then the default policy drops it. ($IPT is just the path to iptables in my firewall script.)

$IPT -A INPUT -j LOG --log-prefix "firewall1 "
$IPT -A FORWARD -j LOG --log-prefix "firewall1 "

The prefix is what lets rsyslog pick these messages out (the trailing space keeps it separate from the IN=... fields that follow). After applying the log rules, look at the end of the syslog to confirm that logging is working:

sudo tail /var/log/syslog
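As an added example (not code from the original post), the following script emits a DROP-by-default ruleset in iptables-restore format with the LOG rules placed after every ACCEPT, where only unmatched packets reach them, and checks that ordering before anything is loaded. The port list, the loopback/stateful ACCEPTs and the chain policies are assumptions for the example; the prefix is the one the post uses. It does not touch the live firewall; the output is meant to be piped into `sudo iptables-restore` once it checks out.

```shell
#!/bin/sh
# Added example (not from the original post): build a DROP-by-default
# ruleset in iptables-restore format, with the LOG rules after every
# ACCEPT rule and before the policy DROP, and check that ordering.
# Apply it yourself with:  gen_ruleset 22 80 | sudo iptables-restore
# The ports, the lo/stateful ACCEPTs and the policies are assumptions.

LOG_PREFIX="firewall1 "    # trailing space included; must match the rsyslog filter

# gen_ruleset PORT... : print a ruleset that accepts TCP on the given ports.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    # LOG comes last: a packet that matched an ACCEPT above never gets here,
    # and the DROP policy takes anything that was logged. Leave these rules
    # unlimited (no -m limit) unless disk space forces it, so psad sees every
    # probe of a scan rather than a sample of it.
    printf '%s\n' "-A INPUT -j LOG --log-prefix \"$LOG_PREFIX\""
    printf '%s\n' "-A FORWARD -j LOG --log-prefix \"$LOG_PREFIX\""
    echo COMMIT
}

# check_order < RULESET : exit 0 when both LOG rules are present, carry the
# expected prefix, and no INPUT ACCEPT rule comes after the INPUT LOG rule.
check_order() {
    awk -v want="$LOG_PREFIX" '
        /^-A INPUT / && /-j LOG/              { inlog = 1 }
        /^-A FORWARD / && /-j LOG/            { fwlog = 1 }
        /^-A INPUT / && /-j ACCEPT/ && inlog  { bad = 1 }
        /-j LOG/ && index($0, "--log-prefix \"" want "\"") == 0 { bad = 1 }
        END { if (inlog && fwlog && !bad) exit 0; exit 1 }'
}

# Usage: print the ruleset, refuse to go on if the order is wrong.
if gen_ruleset 22 80 | check_order; then
    gen_ruleset 22 80
else
    echo "LOG rules are not after the ACCEPT rules" >&2
fi
```

The check is deliberately strict about the prefix: if it drifts from the string rsyslog filters on, packets are still logged but psad never sees them, and nothing in the tail of /var/log/syslog will tell you why.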

The last step is to have rsyslog send every message containing “firewall1” to psad’s named pipe.

sudo nano /etc/rsyslog.d/50-default.conf

We are going to place our rules at the top of the file so that they are evaluated before the default rules. That way “firewall1” messages do not end up in /var/log/syslog or any other log as well.

:msg, contains, "firewall1" |/var/lib/psad/psadfifo
:msg, contains, "firewall1" ~

Note: the ~ action discards the message, so no rule after it sees it. From now on the firewall lines will be missing from /var/log/syslog; what psad makes of them is written under /var/log/psad/.
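An added example, not from the original post, that reproduces offline what the two rsyslog lines do: classify_line makes the same “contains firewall1” decision, and demo_pipe hands the matching lines to a reader over a named pipe, with a background `cat` standing in for psad. The log lines are constructed for the example, and the temporary pipe replaces /var/lib/psad/psadfifo so the script runs without root.

```shell
#!/bin/sh
# Added example (not from the original post): what the two rsyslog rules do,
# run offline. classify_line is the "contains firewall1" decision; demo_pipe
# writes the matching lines into a FIFO read by a stand-in for psad.
# The log lines are constructed; the FIFO is a temp file, not psad's.

PREFIX="firewall1"

# classify_line LINE : "psad" if rsyslog would write the line to the FIFO and
# then discard it (the ~ rule), "syslog" if it falls through to the rest of
# 50-default.conf.
classify_line() {
    case "$1" in
        *"$PREFIX"*) echo psad ;;
        *)           echo syslog ;;
    esac
}

# demo_pipe : create a FIFO, start a stand-in reader, route the sample lines,
# and print how many lines the reader received.
demo_pipe() {
    dir=$(mktemp -d) || return 1
    fifo="$dir/psadfifo"
    mkfifo "$fifo"
    # The reader must be there before the FIFO is opened for writing. On the
    # real box that reader is psad, which is why it is restarted first.
    cat "$fifo" > "$dir/received" &
    reader=$!
    exec 3>"$fifo"        # one long-lived writer, closed once at the end
    while IFS= read -r line; do
        case $(classify_line "$line") in
            psad) printf '%s\n' "$line" >&3 ;;
        esac
    done <<'EOF'
Mar  3 10:15:02 gw kernel: [12345.678901] firewall1 IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=54321 DPT=23 SYN
Mar  3 10:15:03 gw sshd[1234]: Accepted publickey for admin from 198.51.100.9 port 50022 ssh2
Mar  3 10:15:03 gw kernel: [12346.001234] firewall1 IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=54322 DPT=3389 SYN
EOF
    exec 3>&-             # closing the only writer gives the reader EOF
    wait "$reader"
    echo $(wc -l < "$dir/received")
    rm -rf "$dir"
}

# Usage: two of the three constructed lines carry the prefix.
echo "lines delivered to the stand-in psad: $(demo_pipe)"
```

The second rule matters as much as the first: without the discard, every logged packet would still land in /var/log/syslog (and in the kern log), doubling the disk cost of leaving the LOG rules unlimited.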

That’s it! Make sure psad is running before you restart rsyslog, since psad is the reader on the other end of the pipe. Then restart rsyslog:

sudo restart rsyslog

To view psad’s status:

sudo psad --Status

Comments and suggestions are welcome!!

4 Replies to “Setup PSAD in Ubuntu 9+”

  1. Thanks an awful lot for this. Nice, concise, helpful, very true to your “Things go better with hussein” tag line.
    Rollo

  2. Very helpful, another solution is to make rsyslog create a separate file for iptables logs (e.g. /var/log/iptables.log), then specify this file in psad.conf (ENABLE_SYSLOG_FILE Y; IPT_SYSLOG_FILE /var/log/iptables.log;)
