root/psad/tags/psad-2.0.9-pre1/INSTALL

Installation notes:

QUICK AND EASY INSTALLATION INSTRUCTIONS:

Just run the psad installation script "install.pl" from the psad
sources directory:


# ./install.pl


Done.  Enough said.  :)  This will result in a functional installation
of psad on your system.  It is safe to run the install.pl script even
if you already have psad installed on your system.  The configuration
can (optionally) be preserved from the previous installation (you will
be prompted for this if an existing psad installation is detected).
For more information, read on:

=======================================================================


IMPORTANT:
    psad makes use of log messages that are generated by iptables as it
logs (and drops) packets.  Hence if your firewall is not configured to
log packets, then psad will NOT detect port scans or anything else.
Usually the best and most secure way to configure your firewall is to
first put the minimal rules needed to allow only necessary traffic to
and from your machine, and then have default drop-and-log rules toward
the end of the firewall ruleset.  Some example firewall rulesets that
are compatible with psad are contained within the file FW_EXAMPLE_RULES.
Note that psad is not compatible with the ipchains or ipfw firewalls
that are included within pre-2.4.x Linux kernels.

A note on iptables:  As of kernel version 2.4.13, there is a bug in the
connection tracking code that denies packets that are part of legitimate
tcp sessions.  Since these packets are denied, psad interprets them as
potentially belonging to a scan.  The source of the problem is an
inappropriately low timeout value, and fortunately this problem is easily
fixed by the trivial kernel patch "conntrack_patch" included with the
psad source code.  If you start noticing lots of ACK/FIN, ACK, and even
RST packets being denied by iptables from ips that are part of legtimate
sessions, then you may want to apply the patch.  This will of course
require that the patch be applied and then the kernel to be recompiled.
For more information on how to do this, see the Kernel-HOWTO available
at: http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html.

    Before executing the install.pl script, edit the config section
at the beginning.  Sensible defaults are provided so hopefully
there will be a minimal number of things to change to get psad to work
on your system, but if system binaries are in places the scripts don't
know about then you will need to provide the correct paths.  After the
config section is the way you want it, just run 'install.pl', and
then run '/etc/init.d/psad-init start' to start psad, kmsgsd,
and psadwatchd, or just run them from the command line.  The install.pl
script installs psad, kmsgsd, and psadwatchd in /usr/sbin/ by
default.

    You can install a new version of psad over an existing one; just
run install.pl.  The installation script will preserve any old
configuration parameters when installing the new versions of psad,
psadwatchd, and kmsgsd.  If you don't need or want any old
configurations to be preserved, just execute "./install.pl -n".

    Even though it is a good idea to edit the config sections
of each of the programs included with psad, both install.pl and psad
attempt to use the correct system binaries even if an incorrect path
is given.  This is accomplished by simply using the path provided by
'which <system binary>' if the binary is not found in the place
specified in the config section.

    psad can be completely removed from the system by executing
install.pl with the --uninstall option.

$Id$