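#!/usr/bin/env bash
# Runbook: psad (Port Scan Attack Detector) and fwsnort installation/configuration.
# Reference: http://www.cipherdyne.org/psad/
#            http://www.cipherdyne.org/fwsnort
#
# This is a step-by-step runbook, not an unattended installer: several steps open
# an editor (vi) or "crontab -e" and must be completed by hand. Run as root.
#
# Package versions are collected here so every later step agrees on them (the
# original notes downloaded fwsnort-1.0.4 but cleaned up fwsnort-0.8.1).
readonly PSAD_RPM=psad-2.1-1.i386.rpm
readonly FWSNORT_VER=1.0.4
readonly FWSNORT_TGZ="fwsnort-${FWSNORT_VER}.tar.gz"

########################################
# psad installation
########################################
# Download the latest version of psad from http://www.cipherdyne.org/psad/download/
# The download is plain HTTP: verify the package against the project's published
# signature or checksum before installing it, since whatever is fetched here is
# installed and run as root.
cd /tmp
wget "http://www.cipherdyne.org/psad/download/${PSAD_RPM}"
rpm -Uvh "${PSAD_RPM}"
rm -f -- "${PSAD_RPM}"      # a single file, not a tree: rm -f is sufficient

# Keep a pristine copy of the config before editing it.
cp -a /etc/psad/psad.conf /etc/psad/psad.conf.orig
vi /etc/psad/psad.conf
# Adjust the values as shown (psad.conf syntax, not shell):
#
#   EMAIL_ADDRESSES            <alert-recipient-1>, <alert-recipient-2>;   # addresses were redacted in the source notes
#   HOSTNAME                   vend-x.com;
#   # If there is only one network interface on the box, then just set this variable to "NOT_USED".
#   HOME_NET                   NOT_USED;
#   EMAIL_ALERT_DANGER_LEVEL   1;
#   ENABLE_AUTO_IDS            Y;
#   AUTO_IDS_DANGER_LEVEL      1;
#   ENABLE_SCAN_ARCHIVE        Y;
#   DISK_MAX_PERCENTAGE        85;
#   FLUSH_IPT_AT_INIT          N;
#
# NOTE: ENABLE_AUTO_IDS with AUTO_IDS_DANGER_LEVEL 1 blocks a source at the lowest
# danger level, so any detected scan — including one whose source address is
# spoofed — can get an address firewalled off. Whitelist hosts that must never be
# blocked in /etc/psad/auto_dl (see the last section) before enabling this.

# Automate signature updates (add via: crontab -e):
#   0 0 * * * /usr/sbin/psad -sig-update && /sbin/service psad restart

# Ensure that /bin/mail exists or create an appropriate symbolic link /bin/mail
# pointing to your mail executable, e.g.:
#   ln -s /usr/lib/sendmail /bin/mail
/etc/rc.d/init.d/psad start
/usr/sbin/psad -sig-update
/sbin/chkconfig psad on

# Check psad statistics after 5-10 mins by running this command:
#   /usr/sbin/psad --Status

# Set up a cron job to delete psad scan archives older than 7 days (add via: crontab -e).
# -mindepth 1 keeps the scan_archive directory itself out of the match (the original
# "find ... -type d -mtime +7 | xargs rm -rf" would delete the whole archive once the
# top directory was a week old); -prune stops find descending into a directory it is
# about to remove; -exec ... {} + copes with odd names and an empty result without
# piping into xargs.
#   0 0 * * * find /var/log/psad/scan_archive -mindepth 1 -type d -mtime +7 -prune -exec rm -rf -- {} +

########################################
# fwsnort installation
########################################
# Reference: http://www.cipherdyne.org/fwsnort
# Download fwsnort from http://www.cipherdyne.org/fwsnort/download/
# The URL below is the one from the original notes (www.cipherdyne.com); the
# reference and the psad download above use www.cipherdyne.org — confirm which
# host is intended. Same caveat as for psad: verify the tarball before running
# install.pl as root.
cd /tmp
wget "http://www.cipherdyne.com/fwsnort/download/${FWSNORT_TGZ}"
tar zxvf "${FWSNORT_TGZ}"
cd "/tmp/fwsnort-${FWSNORT_VER}"
perl install.pl

# Keep a pristine copy of the config before editing it.
cp -a /etc/fwsnort/fwsnort.conf /etc/fwsnort/fwsnort.conf.orig
vi /etc/fwsnort/fwsnort.conf
# Modify the uname location as follows:
#   unameCmd  /bin/uname;

/usr/sbin/fwsnort --no-ipt-sync --verbose
# Check the log file for errors and correct accordingly:
#   tail -f /var/log/fwsnort.log
#
# If you encounter the following errors:
#   [*] It does not appear that string match support has been compiled into
#       Netfilter. Fwsnort will not be of very much use without this.
#       ** NOTE: If you want to have fwsnort generate a Netfilter policy
#       anyway, specify the --no-ipt-test option. Exiting.
#   [root@extranet tmp]# tail -f /var/log/fwsnort.log
#   [-] Netfilter ipv4options extension not available, disabling ipopts translation.
# then run this:

# Update signatures
/usr/sbin/fwsnort --update-rules
# Then run this
/usr/sbin/fwsnort --no-ipt-test --verbose
# Run the generated Netfilter script
/etc/fwsnort/fwsnort.sh

# Enable auto-update of firewall rules (add via: crontab -e). This was a single cron
# entry split across two lines in the original notes. It applies freshly regenerated
# rules to the live packet filter unattended, so a bad or tampered signature update
# changes the firewall with nobody watching: keep the signature update below and
# /var/log/fwsnort.log under review.
#   1 1 * * * /usr/sbin/fwsnort --no-ipt-test --verbose > /dev/null 2>&1 && sh /etc/fwsnort/fwsnort.sh > /dev/null 2>&1

# Enable auto-update of fwsnort signatures (add via: crontab -e):
#   0 0 * * * /usr/sbin/fwsnort --update-rules

/etc/rc.d/init.d/psad restart

# Clean up the fwsnort download. Leave the source tree before removing it, and use
# the same version that was downloaded above (the original notes removed
# fwsnort-0.8.1 while having fetched 1.0.4). ${FWSNORT_VER:?} aborts rather than
# expanding to "rm -rf /tmp/fwsnort-" if the variable is ever empty.
cd /tmp
rm -f -- "/tmp/${FWSNORT_TGZ}"
rm -rf -- "/tmp/fwsnort-${FWSNORT_VER:?}"

########################################
# Whitelisting and special danger levels for IPs and ports
########################################
# Edit /etc/psad/auto_dl for whitelisting or setting up an elevated danger level.
# E.g. add the IP address of the nmap/nessus server to /etc/psad/auto_dl before
# starting the nessus scan. Please ensure that you restart psad after adding the
# IP address.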