This guide is intended as a relatively easy step by step guide to:
- Install CipherDyne PSAD (Port Scan Attack Detector) intrusion detection and log analysis with iptables on Ubuntu 12.04 LTS or later.
- psad is a collection of three lightweight system daemons that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic.
- From version 2.2 it also offers full IPv6 support.
- Tested on Ubuntu 12.04 LTS to 16.04 LTS server.
- Should work on most Ubuntu/Debian based distros.
1. Download and install the latest version of PSAD.
- Download and install the latest version from the Cipherdyne website.
- Visit the CipherDyne PSAD download page and select the latest source tar archive; as of writing this the latest version is PSAD 2.4.3.
- To download and install the latest version open a Terminal and enter the following (the tarball is fetched over plain HTTP, so verify its integrity, for example against a signature or checksum Cipherdyne publishes for the release, before running install.pl as root):
sudo su
mkdir /tmp/.psad
cd /tmp/.psad
wget http://cipherdyne.org/psad/download/psad-2.4.3.tar.gz
tar -zxvf psad-2.4.3.tar.gz
cd psad-2.4.3
./install.pl
cd /tmp
rm -R .psad
exit
2. Edit the PSAD configuration file.
- Four settings need to be checked in the PSAD configuration file before we can complete the install; edit the others as required.
- Open a Terminal window, open the PSAD configuration file in an editor, and set:
- EMAIL_ADDRESSES – change this to your email address.
- HOSTNAME – this is set during install, but double check it and change it to a FQDN if needed.
- ENABLE_AUTO_IDS – set this to Y if you would like PSAD to respond automatically by adding iptables rules that block the offending source IP; read the configuration instructions before setting this to Y, because a scan with a spoofed source address can then get a legitimate address blocked.
- ENABLE_AUTO_IDS_EMAILS – set this to Y if you would like to receive an email each time the automatic response blocks an IP.
3. Add iptables LOG rules for both IPv4 and IPv6.
- psad only analyzes what iptables logs, so without LOG rules it has nothing to work with. Note that -A appends to the end of the chain: a packet that an earlier rule accepts or drops never reaches the LOG rule, so if your ruleset ends in a DROP, place the LOG rule before it. No log prefix is needed, because psad's default FW_SEARCH_ALL setting (Y) parses every iptables log message.
- Add the following iptables rules (they are runtime only and are lost on reboot unless you persist them, for example with the iptables-persistent package):
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
ip6tables -A INPUT -j LOG
ip6tables -A FORWARD -j LOG
4. Reload and update PSAD.
- To restart psad, update the signature file and reload the configuration to complete the install, open a Terminal window and enter:
psad -R
psad --sig-update
psad -H
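The four steps above, wrapped into a re-runnable script. This is an added example, not code from the original guide or from the psad project. It assumes psad's configuration file is /etc/psad/psad.conf (where install.pl places it), that its lines have the form "KEY   value;", and that the download URL and version are the ones the guide uses; the PSAD_INSTALL=1 guard, the function names and the admin@example.com address are my own placeholders.

```shell
#!/bin/sh
# Added example, not from the original guide or the psad project.
# Assumptions: psad.conf lives at /etc/psad/psad.conf in "KEY   value;"
# layout; URL/version are the guide's; the PSAD_INSTALL=1 guard is mine so
# that sourcing this file only defines the functions.

PSAD_VERSION="2.4.3"
PSAD_URL="http://cipherdyne.org/psad/download/psad-${PSAD_VERSION}.tar.gz"
PSAD_CONF="/etc/psad/psad.conf"

# Step 1: fetch, unpack and install in a private temporary directory
# (mktemp -d instead of the predictable /tmp/.psad path), then clean up.
install_psad() {
    workdir=$(mktemp -d) || return 1
    ( cd "$workdir" &&
      wget -q "$PSAD_URL" &&
      tar -xzf "psad-${PSAD_VERSION}.tar.gz" &&
      cd "psad-${PSAD_VERSION}" &&
      ./install.pl )
    rc=$?
    rm -rf "$workdir"
    return $rc
}

# Step 2 helpers. A key is only matched when followed by whitespace, so
# ENABLE_AUTO_IDS does not also match the ENABLE_AUTO_IDS_EMAILS line.
get_psad_option() {
    conf=$1; key=$2
    sed -n "s|^${key}[[:space:]][[:space:]]*\(.*\);[[:space:]]*$|\1|p" "$conf"
}

# Rewrites an existing "KEY   value;" line in place. Refuses to touch the
# file when the key is absent, so a misspelled key is an error instead of
# an unused line silently appended. Values must not contain '|' or '&'.
set_psad_option() {
    conf=$1; key=$2; value=$3
    grep -q "^${key}[[:space:]]" "$conf" || { echo "no such key: $key" >&2; return 1; }
    sed "s|^${key}[[:space:]].*|${key}    ${value};|" "$conf" > "${conf}.tmp" &&
        cat "${conf}.tmp" > "$conf" && rm -f "${conf}.tmp"
}

# Step 2: the four settings the guide calls out. The email is a placeholder;
# ENABLE_AUTO_IDS deliberately stays N (auto-blocking is opt-in).
configure_psad() {
    conf=$1
    set_psad_option "$conf" EMAIL_ADDRESSES "admin@example.com" &&
    set_psad_option "$conf" HOSTNAME "$(hostname -f)" &&
    set_psad_option "$conf" ENABLE_AUTO_IDS N &&
    set_psad_option "$conf" ENABLE_AUTO_IDS_EMAILS Y
}

# Step 3: add the LOG rules idempotently. "iptables -C" returns 0 when an
# identical rule already exists, so re-running the script does not stack
# duplicate LOG rules (each duplicate would log every packet once more).
add_log_rules() {
    for tool in iptables ip6tables; do
        for chain in INPUT FORWARD; do
            "$tool" -C "$chain" -j LOG 2>/dev/null || "$tool" -A "$chain" -j LOG || return 1
        done
    done
}

# Step 4: restart psad, refresh signatures, reload the configuration.
reload_psad() {
    psad -R && psad --sig-update && psad -H
}

# Only run the whole procedure when explicitly asked and running as root.
if [ "${PSAD_INSTALL:-0}" = "1" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    install_psad && configure_psad "$PSAD_CONF" && add_log_rules && reload_psad
fi
```

Run it as root with PSAD_INSTALL=1 set in the environment; without that variable the file only defines the functions, so you can source it and call set_psad_option or add_log_rules on their own. The LOG rules it adds are still runtime only, so save them (for example with the iptables-persistent package) if they must survive a reboot.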
- To check the status of PSAD, open a Terminal Window and enter :