Topic: Arno-Iptables-Firewall with PSAD (Port Scan Attack Detector) & FWSNORT

These are slightly updated instructions I've not seen anywhere else, as Arno's excellent firewall no longer works out of the box with PSAD. There are also some notes below for PSAD with the simpler UFW firewall, which also has a GUI.

sudo apt-get install arno-iptables-firewall psad fwsnort exim4

The basic arno firewall configuration is ok but can be made a little more secure by changing the following variables in /etc/arno-iptables-firewall/firewall.conf:

ECHO_IGNORE=1
IP_FORWARDING=0

Rsyslog settings in /etc/rsyslog.d/arno-iptables-firewall.conf now send all firewall logs to /var/log/arno-iptables-firewall & they are not logged anywhere else (in previous Arno versions they also showed up in /var/log/messages). Various other guides I've seen talk of piping output to /var/lib/psad/psadfifo, but the rule PSAD adds in /etc/rsyslog.conf no longer works, as rsyslog includes & applies the rules in /etc/rsyslog.d/ first.

Settings to change in /etc/psad/psad.conf, as active response is disabled by default:

EMAIL_ADDRESSES             myemail@me.com;
IPT_SYSLOG_FILE             /var/log/arno-iptables-firewall;
ENABLE_AUTO_IDS             Y;

If you use the simpler UFW firewall instead, psad's default IPT_SYSLOG_FILE setting of /var/log/messages will work for you. To install UFW & a GUI instead of Arno's firewall:

sudo apt-get install ufw gufw
sudo ufw enable

FWSNORT's standard config is OK; a small script is needed to update the FWSNORT & PSAD signatures once a week. Don't forget to make it executable with chmod +x /path/to/update-fwsnort (the same path the crontab entry below uses).

#!/bin/bash
# update fwsnort & psad signatures (run as root, e.g. from root's crontab)
# stop at the first failure so a failed download never reloads stale rules
set -e
# fetch the latest Snort rule set that fwsnort can translate
/usr/sbin/fwsnort --update-rules
# regenerate /etc/fwsnort/fwsnort.sh from the updated rules
/usr/sbin/fwsnort
# splice the generated iptables rules into the running firewall
/etc/fwsnort/fwsnort.sh
echo "fwsnort signatures updated"
# fetch psad's signature file, then HUP psad so it reloads it
psad --sig-update
psad -H
echo "psad signatures updated"

Not all of the FWSNORT signatures will be spliced into iptables; only the rules which match the services you have running will be added.

Set up a weekly crontab entry:

sudo crontab -e

& add the following line:

# every Friday at 15:00; 2>&1 must come after the >> redirect or stderr is lost from the log
0 15 * * 5 /path/to/update-fwsnort >> /var/log/fwsnort_update.log 2>&1

To have FWSNORT's rules spliced into iptables on each boot, create /etc/init.d/fwsnort:

#!/bin/bash
#
### BEGIN INIT INFO
# Provides:          fwsnort
# Required-Start:    $network $remote_fs
# Required-Stop:     $network $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Load fwsnort's snort signatures into iptables for psad
# Description:       Runs the iptables script generated by fwsnort so the
#                    rules come back after a reboot. It should start after
#                    the firewall has loaded its own rules. Enable with:
#                    update-rc.d -f fwsnort defaults
### END INIT INFO
case "$1" in
  start|restart|reload|force-reload)
    # splice the generated rules into the live firewall
    /etc/fwsnort/fwsnort.sh
    ;;
  stop)
    # the firewall's own stop/flush removes the rules; nothing to do here
    ;;
esac
exit 0

& then run update-rc.d -f fwsnort defaults to enable it.

To test your setup, run nmap against your IP from a 2nd machine on your LAN, or run ShieldsUP, & check PSAD's status:

sudo psad -S

If PSAD's status does not register the scan &/or you see an error message in /var/log/psad/fw_check along the lines of "You may just need to add a default logging rule to the INPUT chain", remove both the firewall & psad & flush iptables:

sudo iptables -F

& reinstall the firewall followed by psad, then run psad's iptables check:

sudo psad --fw-analyze
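The status and --fw-analyze steps above only succeed when three things line up: the INPUT chain ends in a LOG rule, rsyslog writes those kernel log lines to a file, and psad's IPT_SYSLOG_FILE points at that file. The script below is an added example (not from the original post, and not part of psad or arno-iptables-firewall) that checks all three from captured text, so it can be run anywhere; on a live machine you would feed it the real /etc/psad/psad.conf, the output of iptables -S INPUT, and the firewall log. The function names, the temp-file fixtures, and the "AIF:" log prefix used to recognise Arno's log lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example: sanity-check the iptables -> rsyslog -> psad logging chain.
# Works on plain text files so it runs offline; all sample data is constructed.

# Print the value of KEY from a psad.conf-style file ("KEY    value;").
psad_conf_value() {
    conf=$1; key=$2
    grep -E "^[[:space:]]*${key}[[:space:]]" "$conf" \
        | sed -E 's/^[[:space:]]*[A-Z_]+[[:space:]]+//; s/[[:space:]]*;[[:space:]]*$//' \
        | head -n 1
}

# Return 0 if the INPUT chain (as printed by `iptables -S INPUT`, saved in
# file RULES) has a LOG rule, i.e. the "default logging rule" fw_check asks for.
input_has_log_rule() {
    rules=$1
    grep -E '^-A INPUT .*-j LOG' "$rules" >/dev/null
}

# Return 0 if FILE holds at least one kernel iptables log line. Arno's rules
# are assumed to carry the prefix "AIF:"; change this for another firewall.
log_has_fw_lines() {
    grep -E 'AIF:.* IN=.* OUT=.* SRC=[0-9.]+ DST=[0-9.]+' "$1" >/dev/null
}

# Combined verdict: prints "ok: ..." and returns 0 when every link in the
# chain is present, otherwise prints the first broken link and returns 1.
check_psad_pipeline() {
    conf=$1; rules=$2
    logfile=$(psad_conf_value "$conf" IPT_SYSLOG_FILE)
    [ -n "$logfile" ] || { echo "IPT_SYSLOG_FILE not set in $conf"; return 1; }
    input_has_log_rule "$rules" || { echo "no LOG rule in INPUT chain"; return 1; }
    [ -r "$logfile" ] || { echo "$logfile missing or unreadable"; return 1; }
    log_has_fw_lines "$logfile" || { echo "$logfile has no firewall log lines"; return 1; }
    echo "ok: INPUT logs to syslog, psad reads $logfile"
}

# Build constructed fixtures in a temp directory and print its path:
# a psad.conf fragment, a one-line firewall log, and two INPUT chain dumps.
make_fixtures() {
    d=$(mktemp -d)
    # constructed kernel log line in the format a LOG target produces
    cat > "$d/arno.log" <<'EOF'
Oct  3 20:33:13 host kernel: [1234.567890] AIF:Dropped INPUT packet: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
EOF
    printf 'IPT_SYSLOG_FILE             %s;\nENABLE_AUTO_IDS             Y;\n' \
        "$d/arno.log" > "$d/psad.conf"
    # constructed `iptables -S INPUT` output, with and without a LOG rule
    cat > "$d/rules.good" <<'EOF'
-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "AIF:Dropped INPUT packet: "
EOF
    cat > "$d/rules.bad" <<'EOF'
-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
EOF
    echo "$d"
}

# Stand-alone run on the constructed data: first call passes, second does not.
fixtures=$(make_fixtures)
check_psad_pipeline "$fixtures/psad.conf" "$fixtures/rules.good"
check_psad_pipeline "$fixtures/psad.conf" "$fixtures/rules.bad"
rm -rf "$fixtures"
```

On a live box, `sudo iptables -S INPUT > /tmp/input.rules` followed by `check_psad_pipeline /etc/psad/psad.conf /tmp/input.rules` gives the same verdict, and the message it prints tells you which of the three links to fix before reaching for the reinstall-and-flush step.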

Configure Exim to send emails through Gmail so that you receive the emails from PSAD.

To test the emails from PSAD are working set the following in /etc/psad/psad.conf:

EMAIL_ALERT_DANGER_LEVEL    1;

& you will receive an email for every scan. Set this alert level to 3-5 for normal operation, or you will receive hundreds of emails, which can be quite annoying.

Install sysv-rc-conf & turn off the run levels for Exim, as the daemon does not need to be running to flush the mail queue.

To have your syslog files emailed to you:

sudo apt-get install logcheck syslog-summary

& set your email address in /etc/logcheck/logcheck.conf

See also my guide for OSSEC HIDS (Host Intrusion Detection System)

Last edited by tradetaxfree (2011-10-03 20:33:13)