As name indicate, Port Scan Attack Detection (PSAD) tool is used to block port scanning on the server. Nmap, a well-known tool is mostly used for launching port scan to detect open/close ports. PSAD tool continuously monitors firewall (iptables in case of linux platform) logs to determine port scan or any other attack occurred. In case of successful attack on the server, PSAD also takes action to deter the threat.
In this article, we will install and configure PSAD on Ubuntu 15.04 VM. Currently we are running following services on VM.
- Web server (port 80)
- FTP server (port 21)
- ssh server (port 22)
Netstat and telnet commands are used to check ports status against above mention services.
Web service (Apache)
Ftp service (vsftpd)
Ssh service (Secure shell)
The detail of VM setting are given in figure 1 and the ip address is 192.168.1.111.
IPtables (known as linux firewall) package is pre-installed on all linux platforms. Therefore, install PSAD package on VM. It can be installed from source code or binary package. In this article, we will install PSAD package from Ubuntu repository. First of all, run package update command then install PSAD package using following command.
$sudo apt-get update
$sudo apt-get install psad
PSAD package required many dependencies which are resolved automatically in case of installation from Ubuntu repository. However, PSAD installation from source cod required several perl packages.
During installation of package, PSAD prompts for mail server configuration which is shown below. In this article, we have not setup any SMTP server for emails alert.
PSAD uses firewall (iptables) logs to detect any malicious activity on the machine. Following commands will enable logging of packets on input & forward chains of iptables.
$sudo iptables -A INPUT -j LOG
$sudo iptables -A FORWARD -j LOG
After enabling logs for both chains, run following command to list the current configuration of iptables.
$sudo iptables -L
Output of the above command will be similar shown below.
Chain INPUT (policy ACCEPT) target prot opt source destination LOG all -- anywhere anywhere LOG level warning Chain FORWARD (policy ACCEPT) target prot opt source destination LOG all -- anywhere anywhere LOG level warning Chain OUTPUT (policy ACCEPT) target prot opt source destination
PSAD configuration file, snort rules & signatures are under /etc/psad directory on Ubuntu platform. PSAD configuration file is /etc/psad/psad.conf and it has many parameter to change while deploying on production server. However, in this article, we will change few settings of PSAD so that it detects iptables logs and takes necessary action to deter attack.
EMAIL_ADDRESSES root@localhost; ##change it to get psad alerts
HOSTNAME test-machine; #set host name
HOME_NET 192.168.1.0/24; # Set LAN network
EXTERNAL_NET any; # Set Wan network
ENABLE_SYSLOG_FILE Y; #by default set yes
One of the important configuration of PSAD is the setting
IPT_SYSLOG_FILE parameter.By default,it search for logs in /var/log/messages. However, syslog on Ubuntu is /var/log/syslog therefore change path so that PSAD detects malicious activity .
We are using PSAD as IDS/IPS therefore we have to enable ENABLE_AUTO_IDS
parameter in psad.conf file. It will automatically change the iptables rules to block scan from attacker.
ENABLE_AUTO_IDS Y; # disable by default
AUTO_IDS_DANGER_LEVEL 1; #By default level is 5
Basic setting of PSAD is complete, now update the signatures so that it can correctly recognize known attack types.
sudo psad --sig-update
Before starting PSAD on the machine, scan server using Nmap tool. Output of scanner shows following port are open on the machine.
Now start PSAD tool using following command and also check status which is shown in following figure.
# /etc/init.d/psad start
After enabling PSAD, no open port detected by Nmap scanner which is also shown in following figure.
Attacker (ip address is 192.168.1.102) is blocked by PSAD by adding drop rule in the iptables.
Iptables rule against 192.168.1.102 address is shown in following figure.
Detailed output of PSAD is shown in following figures.
Port scan by the attacker is shown in PSAD output.
Attacker IP is shown in the following output of PSAD.
In this article, we explored a well-known open source tool PSAD for blocking of port scan on servers. PSAD is complete IDS/IPS which automatically adds attacker ip address in the firewall rules. Attacker uses port scanner to get preliminary information about the server to launch further attacks therefore it is very important to block port scan automatically.