
PSAD Tutorial – Port Scan Detection in Ubuntu Linux

Using PSAD to Detect Port Scans in Ubuntu Linux can reveal who is hitting your servers and where they are coming from.

Introduction

In this short tutorial I will show you how to quickly get a port scan monitoring system in place.

PSAD has been around since 2001. As is often the case a simple open source tool can provide a great deal of detail about attackers.

How does PSAD detect attacks?

Detecting port scans can be accomplished by sniffing packets off the wire; this is the method used by many Intrusion Detection Systems. PSAD instead simply reads syslog. The syslog messages are generated by iptables firewall logging. The PSAD scripts parse the logs for the relevant fields and produce simple reports.

Another alternative for defenders is OSSEC; this host-based tool can also be configured to read the firewall logs and parse the results into alerts. You could also send PSAD logs to OSSEC and write rules to generate alerts, but the native PSAD email alerting and configuration are simple and straightforward to get up and running quickly.

Getting Started with PSAD on Ubuntu Linux

Basically, psad is a Perl-based daemon that monitors the output of iptables logging. Getting it running comes down to these three simple steps:

1. Installing psad
2. Edit the psad.conf
3. Enable iptables logging

More information is available at the source. For now, let's get started:

Step 1: Installing on Ubuntu (tested on 14.04, but it will likely work on any version):

#apt update
#apt install psad

Step 2: Edit psad.conf

Now that it is installed, we can edit /etc/psad/psad.conf to customise it for our requirements. The documentation within the configuration file is excellent; simply work your way through the option settings as required.

An obvious but useful reminder: if you are running this on production systems, always make sure you understand what the different settings will do, and perhaps test on a non-production system beforehand!

A couple of things to look at in the configuration file:

EMAIL_ADDRESSES         [email protected]; ### this is where the email alerts will be sent
HOME_NET                NOT_USED;  ### only one interface on box
IGNORE_PORTS            udp/53; ### You can filter out ports that generate a lot of legitimate traffic.

MIN_DANGER_LEVEL            1;  ## setting alerting levels. I left this at 1 but upped the email alert danger level
### Only send email alert if danger level >= to this value.
EMAIL_ALERT_DANGER_LEVEL    3; ## leaving this at 1 will give you alarms every time a worm pings your box.

IPT_SYSLOG_FILE      /var/log/syslog; ## default is /var/log/messages but on Ubuntu default logs go to /var/log/syslog

Step 3: Enable iptables logging

Ensure you are getting logs from iptables. This configuration will depend on whether you already have iptables rules in place, and you will need to be careful not to mess up the firewall rules, especially if you have a remote server (you have out-of-band management, right?).

The most basic firewall configuration is the following; however, with this set and no other rules you will be catching all traffic in your logs, legitimate traffic as well as port scans.

iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
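To make the detection step concrete, here is an added example (not PSAD's own code, which is Perl) that reads syslog lines in the format `iptables -j LOG` writes, applies the IGNORE_PORTS, MIN_DANGER_LEVEL and EMAIL_ALERT_DANGER_LEVEL settings from Step 2, and flags sources that hit many distinct destination ports. The log lines, hostnames and RFC 5737 addresses are constructed for the example, and the distinct-port thresholds used for each danger level are an assumption made here, not PSAD's own danger-level settings.

```python
"""Minimal port-scan detector over iptables LOG lines in syslog.

Added example, not PSAD's code: it mirrors the idea that PSAD reads the
iptables log messages from syslog, drops ignored ports and assigns a
danger level, but the thresholds below are a simplification chosen here.
"""
import re
from collections import defaultdict

# Settings mirroring the psad.conf options discussed in Step 2.
IGNORE_PORTS = {("udp", 53)}      # IGNORE_PORTS udp/53
MIN_DANGER_LEVEL = 1              # MIN_DANGER_LEVEL 1
EMAIL_ALERT_DANGER_LEVEL = 3      # EMAIL_ALERT_DANGER_LEVEL 3

# Hypothetical mapping from the number of distinct ports one source has hit
# to a danger level 1..5 (assumption for this example, not PSAD's defaults).
DANGER_THRESHOLDS = [(1, 2), (2, 5), (3, 10), (4, 50), (5, 500)]

# Fields written by 'iptables -j LOG' that matter for scan detection. Anchoring
# on SRC= means a --log-prefix before IN= does not break the match.
LOG_RE = re.compile(
    r"\bSRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?"
    r"PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_iptables_line(line):
    """Return (src, proto, dpt) for a TCP/UDP iptables LOG line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None  # cron/sshd lines and ICMP entries carry no SPT/DPT
    return m.group("src"), m.group("proto").lower(), int(m.group("dpt"))


def danger_level(distinct_ports):
    """Map a distinct-port count to a danger level; 0 means below level 1."""
    level = 0
    for lvl, minimum in DANGER_THRESHOLDS:
        if distinct_ports >= minimum:
            level = lvl
    return level


def analyze(lines, ignore_ports=IGNORE_PORTS):
    """Group hits per source and return sources at or above MIN_DANGER_LEVEL."""
    ports_by_src = defaultdict(set)
    for line in lines:
        parsed = parse_iptables_line(line)
        if parsed is None:
            continue
        src, proto, dpt = parsed
        if (proto, dpt) in ignore_ports:
            continue  # legitimate noise such as DNS replies, per IGNORE_PORTS
        ports_by_src[src].add((proto, dpt))
    results = {}
    for src, ports in ports_by_src.items():
        level = danger_level(len(ports))
        if level >= MIN_DANGER_LEVEL:
            results[src] = {
                "ports": sorted(ports),
                "level": level,
                "email": level >= EMAIL_ALERT_DANGER_LEVEL,
            }
    return results


def log_line(src, proto, dpt, host="web1", dst="198.51.100.10"):
    """Build a constructed syslog line in the iptables LOG format."""
    tail = "WINDOW=1024 RES=0x00 SYN URGP=0" if proto == "TCP" else "LEN=24"
    return (f"Jun 10 12:00:01 {host} kernel: [1000.1] IN=eth0 OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} DST={dst} "
            f"LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO={proto} "
            f"SPT=40000 DPT={dpt} {tail}")


# Constructed sample syslog: one unrelated cron line, a 12-port sweep from
# 203.0.113.5, DNS replies plus two web hits from 192.0.2.77, and a single
# SMTP hit from 198.51.100.200 (all RFC 5737 documentation addresses).
SAMPLE_SYSLOG = (
    ["Jun 10 12:00:00 web1 CRON[123]: (root) CMD (run-parts /etc/cron.hourly)"]
    + [log_line("203.0.113.5", "TCP", p)
       for p in (21, 22, 23, 25, 80, 110, 143, 443, 445, 3306, 3389, 8080)]
    + [log_line("192.0.2.77", "UDP", 53)] * 3
    + [log_line("192.0.2.77", "TCP", 80), log_line("192.0.2.77", "TCP", 443)]
    + [log_line("198.51.100.200", "TCP", 25)]
)


def report(lines):
    """Render one line per flagged source, in the spirit of a PSAD report."""
    rows = []
    for src, info in sorted(analyze(lines).items()):
        flag = "EMAIL" if info["email"] else "log only"
        rows.append(f"{src:16} danger level {info['level']} "
                    f"({len(info['ports'])} distinct ports) -> {flag}")
    return rows


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SYSLOG)))
```

Run with `python3`; the 12-port sweep reaches danger level 3 and would trigger an email, the source that only touched udp/53 plus two web ports stays at level 1 and is logged only, and the single SMTP hit falls below MIN_DANGER_LEVEL and is not reported at all. Reading the real `/var/log/syslog` is a matter of passing the file's lines to `analyze`.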

Check out the website for more details. You can get some great monitoring in place with PSAD, OSSEC and other open source tools. Understand the problem and find the tool that suits.

Once you start receiving alerts and reports of IP addresses that are hitting your server, kick off some analysis. Find out where the IPs are coming from, including which netblocks and countries, and whether they are hosting services. Do they look like home users scanning, compromised web servers or perhaps bots? Our IP Tools might be able to help with your analysis.