The following firewall rulesets are examples of rulesets that are compatible
with psad. Basically, the only criterion is that the firewall log and
drop packets that should not be allowed through. Then a port scan will
manifest itself within /var/log/messages as packets are dropped and logged,
at which time these messages will be written to the /var/lib/psad/psadfifo
named pipe and analyzed by psad.


### iptables:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
ACCEPT     tcp  --  129.xx.xx.xx         64.44.21.15        tcp dpt:22 flags:SYN,RST,ACK/SYN
ACCEPT     tcp  --  208.xx.xx.xx         64.44.21.15        tcp dpt:22 flags:SYN,RST,ACK/SYN
ACCEPT     tcp  --  24.xx.xx.xx          64.44.21.15        tcp dpt:22 flags:SYN,RST,ACK/SYN
ACCEPT     tcp  --  208.xx.xx.xx         64.44.21.15        tcp dpt:22 flags:SYN,RST,ACK/SYN
ACCEPT     tcp  --  0.0.0.0/0            64.44.21.15        tcp dpt:25 flags:SYN,RST,ACK/SYN
ACCEPT     tcp  --  0.0.0.0/0            64.44.21.15        tcp dpt:80 flags:SYN,RST,ACK/SYN
LOG        all  --  0.0.0.0/0            0.0.0.0/0          LOG level warning prefix `DROP '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
LOG        all  --  0.0.0.0/0            0.0.0.0/0          LOG level warning prefix `DROP '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
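The chain listing above is the output of `iptables -L -n`; it does not show the commands that built it. The script below is an added example (not part of psad or its documentation) that produces an INPUT and FORWARD chain of the same shape: accept established traffic and the handful of permitted services, then LOG every remaining packet with the `DROP ` prefix and DROP it, so that psad has something to read from the log. The host address 64.44.21.15 comes from the page; the admin source 192.0.2.10 is a constructed placeholder standing in for the masked 129.xx.xx.xx hosts. `emit_rules` only prints the commands, so the ordering check can run without root; `apply_rules` pipes them into a shell.

```shell
#!/bin/sh
# Added example: build an iptables ruleset that logs and then drops
# everything not explicitly allowed, matching the listing on this page.

HOST_IP="64.44.21.15"          # destination address from the page's listing
ADMIN_SRC="192.0.2.10"         # constructed placeholder for the masked 129.xx.xx.xx admin host

# Print the iptables commands instead of running them, so the ruleset can be
# reviewed (and checked below) before it is loaded.
emit_rules() {
    cat <<EOF
iptables -F INPUT
iptables -F FORWARD
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --syn -s $ADMIN_SRC -d $HOST_IP --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --syn -d $HOST_IP --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --syn -d $HOST_IP --dport 80 -j ACCEPT
iptables -A INPUT -j LOG --log-level warning --log-prefix "DROP "
iptables -A INPUT -j DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -j LOG --log-level warning --log-prefix "DROP "
iptables -A FORWARD -j DROP
EOF
}

# psad only sees packets that iptables actually logged, so in each chain the
# LOG rule has to be present and has to come before the DROP rule.
# Usage: check_log_before_drop INPUT  (exit status 0 when the order is right)
check_log_before_drop() {
    emit_rules | awk -v chain="$1" '
        $3 == chain && /-j LOG/  { log_seen = NR }
        $3 == chain && /-j DROP/ { drop_seen = NR }
        END { exit !(log_seen && drop_seen && log_seen < drop_seen) }'
}

# Load the ruleset; this part needs root.
apply_rules() {
    emit_rules | sh
}
```

Note that `--syn` is shorthand for the `flags:SYN,RST,ACK/SYN` match shown in the listing: only connection-opening packets are accepted on the service ports, and everything else, including the probes a port scanner sends, falls through to the LOG/DROP pair at the end of the chain.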