
Psad installation and configuration

Reference: http://www.cipherdyne.org/psad/

# Download the latest version of psad from http://www.cipherdyne.org/psad/download/

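# Fetch and install the psad package, then keep a pristine copy of the
# shipped configuration before editing it.
cd /tmp

# Plain-HTTP download: nothing on this path authenticates the package.
wget http://www.cipherdyne.org/psad/download/psad-2.1-1.i386.rpm

# Verify the package's embedded signature and install only if it checks out.
# rpm --checksig reports OK only once the signing key is known to rpm
# (rpm --import <VENDOR_GPG_KEY_FILE> beforehand); a failure here means the
# package must not be installed as root.
rpm --checksig psad-2.1-1.i386.rpm && rpm -Uvh psad-2.1-1.i386.rpm

# The package is a regular file, so -r is unnecessary; -- stops the name
# from being parsed as an option.
rm -f -- psad-2.1-1.i386.rpm

# Keep an untouched copy of the default config for diffing and rollback.
cp -a /etc/psad/psad.conf /etc/psad/psad.conf.orig
vi /etc/psad/psad.conf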

# Adjust the values as shown

######
EMAIL_ADDRESSES you@domain1.com, you@domain2.com;
HOSTNAME vend-x.com;
# If there is only one network interface on the box, then just set this variable
# to "NOT_USED".
HOME_NET NOT_USED;
EMAIL_ALERT_DANGER_LEVEL 1;
ENABLE_AUTO_IDS Y;
AUTO_IDS_DANGER_LEVEL 1;
ENABLE_SCAN_ARCHIVE Y;
DISK_MAX_PERCENTAGE 85;
FLUSH_IPT_AT_INIT N;
#######

Automate Signature Updates

crontab -e

###
0 0 * * * /usr/sbin/psad -sig-update && /sbin/service psad restart
###

# Ensure that /bin/mail exists, or create an appropriate symbolic link /bin/mail
# pointing to your mail executable, e.g.:
# NOTE(review): a sendmail binary and a BSD-style mail(1) do not accept the
# same command-line options, so confirm that psad's alert mail actually
# arrives with this link in place before relying on it.
ln -s /usr/lib/sendmail /bin/mail

# Start the daemon with the configuration edited above.
/etc/rc.d/init.d/psad start

# Pull the current signature set once by hand; the cron entry above repeats
# this nightly.
/usr/sbin/psad -sig-update

# Register the psad init script so the service comes up at boot.
/sbin/chkconfig psad on

# Check psad statistics after 5-10 mins by running this command

/usr/sbin/psad --Status

# Set up a cron job to delete psad scan archives older than 7 days


crontab -e

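# Purge scan-archive directories older than 7 days. -mindepth 1 keeps the
# archive root itself out of the match set (the original pattern would have
# removed /var/log/psad/scan_archive too once its mtime aged past 7 days),
# and NUL-delimited output keeps the pipeline safe for names containing
# whitespace or newlines; xargs -r skips the rm when nothing matched.
0 0 * * * find /var/log/psad/scan_archive -mindepth 1 -type d -mtime +7 -print0 | xargs -0 -r rm -rf --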

# Fwsnort Installation

Reference: http://www.cipherdyne.org/fwsnort
# Download fwsnort from http://www.cipherdyne.org/fwsnort/download/

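# Fetch, unpack and install fwsnort, then preserve the shipped config.
cd /tmp

# Download host changed to cipherdyne.org to match the reference URL above
# (the original line pointed at a cipherdyne.com host). The transfer is
# plain HTTP, so it provides no integrity guarantee on its own.
wget http://www.cipherdyne.org/fwsnort/download/fwsnort-1.0.4.tar.gz

# install.pl below runs as root, so verify the archive against the
# signature or checksum the vendor publishes next to it before unpacking,
# e.g. gpg --verify <DOWNLOADED_SIGNATURE_FILE> fwsnort-1.0.4.tar.gz
# and stop here if that check fails.
tar zxvf fwsnort-1.0.4.tar.gz

# Only run the installer if the unpacked directory is actually there.
cd /tmp/fwsnort-1.0.4 && perl install.pl

# Keep an untouched copy of the default config for diffing and rollback.
cp -a /etc/fwsnort/fwsnort.conf /etc/fwsnort/fwsnort.conf.orig

vi /etc/fwsnort/fwsnort.conf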

######
# Modify the uname location as follows
unameCmd /bin/uname;
######

/usr/sbin/fwsnort --no-ipt-sync --verbose

# Check log file for errors and correct accordingly


tail -f /var/log/fwsnort.log

#If you encounter the following errors


###
#[*] It does not appear that string match support has been compiled into
# Netfilter. Fwsnort will not be of very much use without this.
# ** NOTE: If you want to have fwsnort generate a Netfilter policy
# anyway, specify the --no-ipt-test option. Exiting.
#[root@extranet tmp]# tail -f /var/log/fwsnort.log
#[-] Netfilter ipv4options extension not available, disabling ipopts translation.

# then run this

# Update signatures
/usr/sbin/fwsnort --update-rules

#Then run this


/usr/sbin/fwsnort --no-ipt-test --verbose

# Run the generated Netfilter script

/etc/fwsnort/fwsnort.sh

# Enable auto-update of firewall rules


crontab -e

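# Regenerate the fwsnort Netfilter script nightly and load it only if the
# regeneration succeeded (the && short-circuits on failure). The entry must
# be a single crontab line; the original was split across two lines.
# stdout is discarded but stderr is left attached so cron mails any failure
# to the crontab owner instead of it vanishing silently.
1 1 * * * /usr/sbin/fwsnort --no-ipt-test --verbose > /dev/null && sh /etc/fwsnort/fwsnort.sh > /dev/null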

# Enable auto-update of fwsnort signatures


crontab -e

0 0 * * * /usr/sbin/fwsnort --update-rules

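# Restart psad after the fwsnort setup (presumably so it sees the newly
# generated rules — confirm against the psad/fwsnort docs).
/etc/rc.d/init.d/psad restart

# Clean up the install sources. The archive downloaded above is
# fwsnort-1.0.4; the original lines named a stale 0.8.1 tarball and
# directory that this page never downloads, so they removed nothing.
rm -f -- /tmp/fwsnort-1.0.4.tar.gz
rm -rf -- /tmp/fwsnort-1.0.4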

# Enabling whitelisting and Special danger levels for IPs and Port.

Edit /etc/psad/auto_dl to whitelist addresses or to assign them an elevated danger level.

# E.g. add the IP address of the nmap/nessus server to the /etc/psad/auto_dl file
before starting the nessus scan. Please ensure that you restart psad after adding
the IP address.