| 12 | | Done. Enough said. :) This will result in a functional installation |
|---|
| 13 | | of psad on your system. It is safe to run the install.pl script even |
|---|
| 14 | | if you already have psad installed on your system. The configuration |
|---|
| 15 | | can (optionally) be preserved from the previous installation (you will |
|---|
| 16 | | be prompted for this if an existing psad installation is detected). |
|---|
| 17 | | For more information, read on: |
|---|
| 18 | | |
|---|
| 19 | | ======================================================================= |
|---|
| 20 | | |
|---|
| | 16 | ============================================================================== |
|---|
| 23 | | psad makes use of log messages that are generated by iptables as it |
|---|
| 24 | | logs (and drops) packets. Hence if your firewall is not configured to |
|---|
| 25 | | log packets, then psad will NOT detect port scans or anything else. |
|---|
| 26 | | Usually the best and most secure way to configure your firewall is to |
|---|
| 27 | | first put the minimal rules needed to allow only necessary traffic to |
|---|
| 28 | | and from your machine, and then have default drop-and-log rules toward |
|---|
| 29 | | the end of the firewall ruleset. Some example firewall rulesets that |
|---|
| 30 | | are compatible with psad are contained within the file FW_EXAMPLE_RULES. |
|---|
| 31 | | Note that psad is not compatible with the ipchains or ipfw firewalls |
|---|
| 32 | | that are included within pre-2.4.x Linux kernels. |
|---|
| | 19 | psad makes use of log messages that are generated by iptables as it logs |
|---|
| | 20 | (and drops) packets. Hence if your firewall is not configured to log packets, |
|---|
| | 21 | then psad will NOT detect port scans or anything else. Usually the best and |
|---|
| | 22 | most secure way to configure your firewall is to first put the minimal rules |
|---|
| | 23 | needed to allow only necessary traffic to and from your machine, and then have |
|---|
| | 24 | default LOG and DROP rules toward the end of the firewall ruleset. Some |
|---|
| | 25 | example firewall rulesets that are compatible with psad are contained within |
|---|
| | 26 | the file FW_EXAMPLE_RULES, and the "iptables.sh" script available at the |
|---|
| | 27 | following link contains a script to build a compatible iptables policy: |
|---|
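Review bot: new lines 26-27 are redundant ("the "iptables.sh" script available at the following link contains a script to build a compatible iptables policy"); suggest "the iptables.sh script available at the following link builds a compatible iptables policy:". Also, the removed old lines 31-32 stated that psad is not compatible with ipchains or ipfw; the replacement lines 19-27 drop that statement, so readers on older kernels lose the warning unless it is restated elsewhere in the file.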
| 34 | | A note on iptables: As of kernel version 2.4.13, there is a bug in the |
|---|
| 35 | | connection tracking code that denies packets that are part of legitimate |
|---|
| 36 | | tcp sessions. Since these packets are denied, psad interprets them as |
|---|
| 37 | | potentially belonging to a scan. The source of the problem is an |
|---|
| 38 | | inappropriately low timeout value, and fortunately this problem is easily |
|---|
| 39 | | fixed by the trivial kernel patch "conntrack_patch" included with the |
|---|
| 40 | | psad source code. If you start noticing lots of ACK/FIN, ACK, and even |
|---|
| 41 | | RST packets being denied by iptables from ips that are part of legtimate |
|---|
| 42 | | sessions, then you may want to apply the patch. This will of course |
|---|
| 43 | | require that the patch be applied and then the kernel to be recompiled. |
|---|
| 44 | | For more information on how to do this, see the Kernel-HOWTO available |
|---|
| 45 | | at: http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html. |
|---|
| | 29 | http://www.cipherdyne.org/LinuxFirewalls/ch01/iptables.sh.tar.gz |
|---|
| 47 | | Before executing the install.pl script, edit the config section |
|---|
| 48 | | at the beginning. Sensible defaults are provided so hopefully |
|---|
| 49 | | there will be a minimal number of things to change to get psad to work |
|---|
| 50 | | on your system, but if system binaries are in places the scripts don't |
|---|
| 51 | | know about then you will need to provide the correct paths. After the |
|---|
| 52 | | config section is the way you want it, just run 'install.pl', and |
|---|
| 53 | | then run '/etc/init.d/psad-init start' to start psad, kmsgsd, |
|---|
| 54 | | and psadwatchd, or just run them from the command line. The install.pl |
|---|
| 55 | | script installs psad, kmsgsd, and psadwatchd in /usr/sbin/ by |
|---|
| 56 | | default. |
|---|
| | 31 | Note that psad is only compatible (as of version 2.1.3) with iptables |
|---|
| | 32 | firewalls, but support for other firewall logging formats (such as logs |
|---|
| | 33 | generated by ipfw and pf) is coming soon. |
|---|
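Review bot: the removed old lines 47-56 were the only visible instructions for actually installing and starting psad (edit the config section at the top of install.pl, run 'install.pl', then '/etc/init.d/psad-init start' for psad, kmsgsd and psadwatchd; binaries land in /usr/sbin/ by default), and the replacement lines 31-33 only describe firewall compatibility. Unless those steps now live in another part of the file not shown in this diff, they should be carried over, since an INSTALL document that never says how to run the installer is incomplete.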
| 58 | | You can install a new version of psad over an existing one; just |
|---|
| 59 | | run install.pl. The installation script will preserve any old |
|---|
| 60 | | configuration parameters when installing the new versions of psad, |
|---|
| 61 | | psadwatchd, and kmsgsd. If you don't need or want any old |
|---|
| 62 | | configurations to be preserved, just execute "./install.pl -n". |
|---|
| | 35 | DEPENDENCIES: |
|---|
| | 36 | psad requires several perl modules that may or may not already be |
|---|
| | 37 | installed on your Linux system. These modules are included in the deps/ |
|---|
| | 38 | directory in the psad sources, and the list of modules is: |
|---|
| | 49 | psad also includes a whois client written by Marco d'Itri (see the deps/whois |
|---|
| | 50 | directory). This client does better than others at collecting the correct |
|---|
| | 51 | whois information for a given IP address. |
|---|
| | 52 | |
|---|
| | 53 | CONNECTION TRACKING: |
|---|
| | 54 | As of kernel version 2.4.13, there is a bug in the connection tracking |
|---|
| | 55 | code that can drop packets that are part of legitimate TCP connections that |
|---|
| | 56 | have entered into the CLOSE_WAIT state depending on how late they arrive. |
|---|
| | 57 | Since these packets are drop whenever the iptables policy is configured in |
|---|
| | 58 | a default drop stance, psad interprets them as potentially belonging to a |
|---|
| | 59 | scan. The source of the problem is an inappropriately low timeout value, and |
|---|
| | 60 | fortunately this problem is mostly fixed (or at least minimized) by the |
|---|
| | 61 | trivial kernel patch "conntrack_patch" included with the psad source code. |
|---|
| | 62 | If you start noticing lots of ACK/FIN, ACK, and even RST packets being denied |
|---|
| | 63 | by iptables from legtimate sessions, then you may want to apply this patch. |
|---|
| | 64 | This will of course require the kernel to be recompiled. For more information |
|---|
| | 65 | on how to do this, see the Kernel-HOWTO available at: |
|---|
| | 66 | http://www.digitalhermit.com/linux/Kernel-Build-HOWTO.html |
|---|
| | 67 | |
|---|
| | 68 | UPGRADES: |
|---|
| | 69 | You can install a new version of psad over an existing one; just run |
|---|
| | 70 | install.pl. The installation script will preserve any old configuration |
|---|
| | 71 | parameters when installing the new versions of psad, psadwatchd, and kmsgsd. |
|---|
| | 72 | |
|---|
| | 73 | UN-INSTALLING: |
|---|
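Review bot: the new UPGRADES section (lines 69-71) drops the sentence from old line 62 telling users to run "./install.pl -n" when they do not want the old configuration preserved; if the -n option still exists it should be documented here, and if it was removed the install prompt mentioned at old lines 15-16 should be described instead. Two wording fixes in the CONNECTION TRACKING section: line 57 "Since these packets are drop whenever" should read "are dropped whenever", and line 63 carries the "legtimate" typo over from old line 41 (should be "legitimate").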