In this tutorial, I will show you the installation and configuration of the PSAD (Port Scan Attack Detection) tool on Debian 8 (Jessie). As per project website: PSAD provides intrusion detection and log-analysis with IPtables (Linux firewall). The PSAD tool is used to change an IDS (Intrusion Detection) system into an IPS (Intrusion Prevention System). It uses the rules of the well-known open source IDS “SNORT” for the detection of intrusion events. The VM or server is continuously monitored by the tool for any active attacks such as port scans and it can block malicious IP addresses in the Linux firewall automatically. Another similar project is Guardian, which has very limited features. PSAD will be installed on a Debian-8 (Jessie) VM and the scanning tool “Nmap” will be used to check open ports on the VM. In the end, a DOS attack will be launched on the web server (Apache) to see the behavior of PSAD tool.
Debian Jessie will be installed on the VMware VM using net installer (debian-8.3.0-i386-netinst.iso).
The Debian installation process is described in the previous article. The IP address of the PSAD machine is 192.168.1.102/24.
The PSAD tool can be installed from source code or from the Debian package repository. I will install it from the Debian repository. First of all, add the following in the sources.list file (or check if the lines are already there) and run the apt command to update the repository list.
deb http://httpredir.debian.org/debian jessie main deb-src http://httpredir.debian.org/debian jessie main deb http://httpredir.debian.org/debian jessie-updates main deb-src http://httpredir.debian.org/debian jessie-updates main deb http://security.debian.org/ jessie/updates main deb-src http://security.debian.org/ jessie/updates main
Sources list for Debian Jessie
Run the following command to install PSAD in the VM.
apt-get install psad
Several Perl packages are required during installation of PSAD tool. The package dependencies will be automatically resolved by the Debian package manager.
The Firewalling feature on the Linux platform is provided by the IPtables package. It is a well known Linux firewall and already installed in all Linux distributions.
PSAD and Firewall Configuration
By default, there will be no rules in the IPtables chains on the Debian platform. Run the following command to list chains rules.
Enable logging on the input and forward chains of IPtables so that PSAD daemon can detect any abnormal activity.
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
The output of “iptables -L” command will be similar as shown below now.
Chain INPUT (policy ACCEPT) target prot opt source destination LOG all -- anywhere anywhere LOG level warning Chain FORWARD (policy ACCEPT) target prot opt source destination LOG all -- anywhere anywhere LOG level warning Chain OUTPUT (policy ACCEPT) target prot opt source destination On the Debian distribution, the PSAD tool stores configuration files and rules in the /etc/psad directory.
The main PSAD configuration file is /etc/psad/psad.conf. In this tutorial, the IPS feature will be used to detects DOS attacks on the web server.
The basic settings for PSAD are given below.
The default danger level setting, PSAD check interval and usage of SID is shown in the following figure. By default, the PSAD daemon searches for logs in /var/log/messages file. Therefore, change IPT_SYSLOG_FILE parameter in the PSAD configuration.
Debian based distributations store syslog messages in /var/log/syslog file.
By default, PSAD works in IDS mode, the IPS parameter is disabled in the configuration file. Enable the following parameters to enable the IPS feature and danger level. After enabling the parameter in the configuration file, the PSAD daemon will automatically block the attacker by adding his IP address in the IPtables chains.
Now run the following command to update the signature database for detection of attacks.
Currently, Apache server is listening on port 80 as shown below.
Start PSAD using the following command and check status.
A DOS attack is launched using LOIC (Low Orbit Ion Cannon ) tool on the VM to test PSAD as shown below.
Syslog shows the DOS traffic generated using LOIC tool.
The IP address of the simulated attacker 192.168.1.100 is blocked by the PSAD daemon as shown below. Run the following command to view the dynamic rules added by PSAD.
The following screenshot shows that attacker can not ping the victim IP addressa nymore, so he has been blocked successfully by PSAD.
Run the following command to see the detailed output of PSAD.
1. Signature matched and attacker IP address
2. Traffic for specific ports
3. The attacker’s IP address in the IPtables chains.
4. Details about communication between attacker and victim.
PSAD is a well-known open source tool for blocking port scan attacks on Linux servers. It has both IDS and IPS features and is able to dynamically block malicious IP addresses using IPtables.