How to Install PSAD on Ubuntu Linux

As the name indicates, the Port Scan Attack Detection (PSAD) tool is used to detect and block port scanning against a server. Nmap, a well-known tool, is most often used to launch a port scan that reveals open and closed ports. PSAD continuously monitors the firewall logs (iptables on Linux) to determine whether a port scan or another attack has occurred. When it detects an attack on the server, PSAD can also take action to deter the threat.

In this article, we will install and configure PSAD on an Ubuntu 15.04 VM. Currently, the following services are running on the VM.

  1. Web server (port 80)
  2. FTP server  (port 21)
  3. ssh server (port 22)

The netstat and telnet commands are used to check the port status of the services listed above; the screenshots show the output for the web service (Apache), the FTP service (vsftpd) and the SSH service (Secure Shell).

The details of the VM settings are given in figure 1 (vm setting), and the IP address is

The iptables package (the Linux firewall) ships pre-installed on Linux platforms, so only PSAD needs to be installed on the VM. It can be installed from source code or as a binary package; in this article, we install PSAD from the Ubuntu repository. First run the package update command, then install PSAD with the following commands.

$sudo apt-get update
$sudo apt-get install psad

PSAD requires many dependencies, which are resolved automatically when it is installed from the Ubuntu repository. Installing PSAD from source, however, requires several Perl packages to be installed first.

During installation, the PSAD package prompts for mail server configuration, as shown below. In this article, we have not set up an SMTP server for email alerts.



PSAD uses the firewall (iptables) logs to detect malicious activity on the machine. The following commands enable logging of packets on the INPUT and FORWARD chains of iptables. Note that -A appends the LOG rule to the end of the chain, so any ACCEPT or DROP rule placed ahead of it would hide the traffic it matches from PSAD; on the chains shown here (policy ACCEPT, no other rules) every packet is logged.

$sudo iptables -A INPUT -j LOG

$sudo iptables -A FORWARD -j LOG

After enabling logging on both chains, run the following command to list the current iptables configuration.

$sudo iptables -L

The output of the above command will be similar to that shown below.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             LOG level warning

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             LOG level warning

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
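To make concrete what PSAD extracts from these LOG entries, here is an added example (not PSAD's code, and a much simplified stand-in for its per-source analysis) that reads iptables log lines from syslog and flags any source address that has touched at least a threshold number of distinct destination ports. The log lines, hostnames and addresses are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of iptables LOG records as rsyslog writes them to
# /var/log/syslog on Ubuntu (hypothetical hosts and addresses, not the
# article's VM). The last line is an ordinary sshd message for contrast.
SAMPLE_LOG='Jan 10 12:00:01 test-machine kernel: [ 100.01] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40001 DPT=21 SYN
Jan 10 12:00:01 test-machine kernel: [ 100.02] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40002 DPT=22 SYN
Jan 10 12:00:01 test-machine kernel: [ 100.03] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40003 DPT=23 SYN
Jan 10 12:00:01 test-machine kernel: [ 100.04] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40004 DPT=25 SYN
Jan 10 12:00:02 test-machine kernel: [ 100.05] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40005 DPT=80 SYN
Jan 10 12:00:02 test-machine kernel: [ 100.06] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40006 DPT=443 SYN
Jan 10 12:00:05 test-machine kernel: [ 103.10] IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51000 DPT=80 SYN
Jan 10 12:00:06 test-machine kernel: [ 104.10] IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51001 DPT=80 SYN
Jan 10 12:00:07 test-machine sshd[1234]: Accepted publickey for admin from 198.51.100.4 port 51002 ssh2'

# detect_scans THRESHOLD: read syslog lines on stdin and print "SRC count"
# for every source that hit at least THRESHOLD distinct destination ports.
# Only kernel LOG records carry SRC=/DPT= fields; other lines are ignored.
detect_scans() {
    threshold="$1"
    awk -v thr="$threshold" '
        /kernel:.*SRC=.*DPT=/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # count each (source, port) pair once, no matter how many packets
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END {
            for (s in ports) if (ports[s] >= thr) print s, ports[s]
        }' | sort
}

# Example run: the repeated port-80 visitor stays below the threshold,
# the host that swept six ports is reported.
printf '%s\n' "$SAMPLE_LOG" | detect_scans 5
```

PSAD additionally weighs TCP flags, signatures and time windows into its danger levels, which is why a single distinct-port count is only a rough approximation of its behaviour.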

The PSAD configuration file, Snort rules and signatures are under the /etc/psad directory on Ubuntu. The configuration file is /etc/psad/psad.conf, and it has many parameters that should be reviewed when deploying on a production server. In this article, however, we change only a few settings so that PSAD reads the iptables logs and takes the necessary action to deter an attack.

EMAIL_ADDRESSES   root@localhost;   # change it to receive psad alerts
HOSTNAME          test-machine;     # set the host name
HOME_NET;                           # set the LAN network
EXTERNAL_NET      any;              # set the WAN network
ENABLE_SYSLOG_FILE      Y;          # set to Y by default

One of the important PSAD settings is the IPT_SYSLOG_FILE parameter. By default it looks for logs in /var/log/messages; on Ubuntu the syslog file is /var/log/syslog, so change the path so that PSAD sees the iptables log entries.

IPT_SYSLOG_FILE             /var/log/syslog;

We are using PSAD as an IDS/IPS, so we have to enable the ENABLE_AUTO_IDS parameter in psad.conf. PSAD will then automatically change the iptables rules to block scans from the attacker. Lowering AUTO_IDS_DANGER_LEVEL to 1 makes PSAD block at the lowest danger level, which is convenient for this demonstration but aggressive for a production server, where a legitimate host can be locked out by harmless traffic.

ENABLE_AUTO_IDS Y;         # disabled by default

AUTO_IDS_DANGER_LEVEL 1;   # the default level is 5
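Editing psad.conf by hand is fine for one VM; for repeatable deployments the same three changes can be scripted. The following is an added example (not part of the article or of PSAD) that rewrites or appends "KEY value;" lines in the psad.conf format without duplicating keys, then applies the article's settings. The sample configuration fragment is constructed to mimic the stock defaults and is not a copy of the real file.

```shell
#!/bin/sh
# set_psad_param FILE KEY VALUE: replace the value of an existing "KEY value;"
# line, or append the line when KEY is absent. Text after ';' (comments) is kept.
# The trailing [[:space:]] after KEY stops ENABLE_AUTO_IDS from also matching
# longer keys that merely start with the same prefix.
set_psad_param() {
    file="$1" key="$2" value="$3"
    if grep -q "^[[:space:]]*$key[[:space:]]" "$file"; then
        # sed -i is not POSIX; write a temp copy and move it into place
        sed "s|^\([[:space:]]*$key\)[[:space:]][^;]*;|\1 $value;|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%-28s%s;\n' "$key" "$value" >> "$file"
    fi
}

# get_psad_param FILE KEY: print the current value of KEY without the ';'.
get_psad_param() {
    awk -v k="$2" '$1 == k { sub(/;.*/, "", $2); print $2; exit }' "$1"
}

# make_sample_conf FILE: constructed fragment in psad.conf style with the
# defaults the article changes (hypothetical content, not the shipped file).
make_sample_conf() {
    cat > "$1" <<'EOF'
HOSTNAME                    test-machine;
EXTERNAL_NET                any;
ENABLE_SYSLOG_FILE          Y;
IPT_SYSLOG_FILE             /var/log/messages;
ENABLE_AUTO_IDS             N;
AUTO_IDS_DANGER_LEVEL       5;
EOF
}

# apply_article_settings FILE: the three changes made in the article.
apply_article_settings() {
    set_psad_param "$1" IPT_SYSLOG_FILE /var/log/syslog
    set_psad_param "$1" ENABLE_AUTO_IDS Y
    set_psad_param "$1" AUTO_IDS_DANGER_LEVEL 1
}
```

On a real system run apply_article_settings against /etc/psad/psad.conf as root and restart psad afterwards; re-running it is harmless because existing keys are rewritten in place.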

The basic setup of PSAD is complete; now update the signatures so that it can correctly recognize known attack types.

$sudo psad --sig-update

Before starting PSAD on the machine, scan the server with Nmap. The scanner output shows that the following ports are open on the machine.

Now start PSAD with the following commands and check its status, which is shown in the following figure.

# /etc/init.d/psad start

# psad -S

After enabling PSAD, Nmap no longer detects any open ports, as shown in the following figure.

The attacker's IP address is blocked by PSAD, which adds a DROP rule to iptables; the figure shows that the attacker can no longer even ping the VM.

The iptables rule against the attacker's address is shown in the following figure.

Detailed output of PSAD is shown in the following figures.

The port scan by the attacker is shown in the PSAD output.

The attacker's IP address is shown in the following PSAD output.

In this article, we explored PSAD, a well-known open-source tool for blocking port scans against servers. PSAD is a complete IDS/IPS that automatically adds the attacker's IP address to the firewall rules. Attackers use port scanners to gather preliminary information about a server before launching further attacks, so blocking port scans automatically is an important defensive step.
