How to install PSAD Intrusion Detection on Ubuntu 12.04 LTS server

This guide is based on various community forum posts.

This guide is intended as a relatively easy step by step guide to:

  • Install CipherDyne PSAD Intrusion Detection and Log Analysis with iptables on Ubuntu 12.04 LTS or later.
  • psad is a collection of three lightweight system daemons that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic.
  • From version 2.2 it also offers full IPv6 support. 

Requirements:

  • Tested on Ubuntu 12.04 LTS server or later.
  • Should work on most Ubuntu/Debian-based distros.

1. Download and install the latest version of PSAD.

  • Download and install the latest version from the Cipherdyne website.
  • Visit the CipherDyne PSAD download page and select the latest source tar archive; at the time of writing, the latest version is PSAD 2.2.
  • To download and install it, open a Terminal and enter the following:
sudo su
mkdir /tmp/.psad
cd /tmp/.psad
wget http://cipherdyne.org/psad/download/psad-2.2.tar.gz
tar -zxvf psad-2.2.tar.gz
cd psad-2.2
./install.pl 
cd /tmp
rm -R .psad
exit

2. Edit the PSAD configuration file. 

  • Three main settings need to be set in the PSAD configuration file before we can complete the install; edit the others as required.
  • Open a Terminal window and enter:
sudo vi /etc/psad/psad.conf
  • EMAIL_ADDRESSES - change this to your email address.
  • HOSTNAME - this is set during install - but double check and change to a FQDN if needed.
  • ENABLE_AUTO_IDS - set this to Y if you would like PSAD to take action - read the configuration instructions before setting this to Y.
  • ENABLE_AUTO_IDS_EMAILS - set this to Y if you would like to receive email notifications of intrusions that are detected.

3. Add iptables LOG rules for both IPv4 and IPv6.

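  • psad detects port scans by analyzing iptables log messages, so packets on the INPUT and FORWARD chains need to be logged. Because -A appends each rule to the end of its chain, only packets that no earlier rule has already accepted or dropped are logged.
  • Add the following iptables rules:
sudo iptables -A INPUT -j LOG
sudo iptables -A FORWARD -j LOG
sudo ip6tables -A INPUT -j LOG
sudo ip6tables -A FORWARD -j LOG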
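
To show what the kernel log lines written by these LOG rules look like and how a port scan stands out in them, here is an added Python example; it is not part of the original guide and is not psad's own code or detection algorithm. The log lines are constructed, and `parse_line`, `find_scanners` and the `min_ports` threshold are hypothetical names chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of kernel messages as written by "-j LOG" rules (not real traffic).
SAMPLE_LOG = """\
Mar  3 10:15:01 host kernel: [100.1] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40001 DPT=21 SYN URGP=0
Mar  3 10:15:01 host kernel: [100.2] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40002 DPT=22 SYN URGP=0
Mar  3 10:15:01 host kernel: [100.3] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40003 DPT=23 SYN URGP=0
Mar  3 10:15:02 host kernel: [100.4] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40004 DPT=25 SYN URGP=0
Mar  3 10:15:02 host kernel: [100.5] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40005 DPT=80 SYN URGP=0
Mar  3 10:15:03 host kernel: [101.0] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=60 PROTO=TCP SPT=51000 DPT=22 SYN URGP=0
Mar  3 10:15:04 host kernel: [102.0] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=60 PROTO=TCP SPT=51001 DPT=22 SYN URGP=0
Mar  3 10:15:05 host kernel: [103.0] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TTL=60 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Mar  3 10:15:06 host kernel: [104.0] IN=eth0 OUT= SRC=2001:0db8:0000:0000:0000:0000:0000:0005 DST=2001:0db8:0000:0000:0000:0000:0000:0010 LEN=80 TC=0 HOPLIMIT=57 FLOWLBL=0 PROTO=TCP SPT=52000 DPT=443 SYN URGP=0
Mar  3 10:15:07 host kernel: [105.0] usb 1-1: new high-speed USB device number 2 using ehci-pci
"""

FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs; bare flags such as SYN are skipped

def parse_line(line):
    """Return the KEY=value fields of one iptables LOG line, or None for other lines."""
    if " kernel: " not in line or "IN=" not in line:
        return None
    fields = dict(FIELD.findall(line))
    return fields if "SRC" in fields and "PROTO" in fields else None

def find_scanners(lines, min_ports=5):
    """Map each source address to the distinct (proto, port) pairs it probed,
    keeping only sources that reached min_ports (hypothetical threshold)."""
    probed = defaultdict(set)
    for line in lines:
        f = parse_line(line)
        # ICMP and other protocols carry no DPT field, so they are not counted.
        if f and f["PROTO"] in ("TCP", "UDP") and f.get("DPT", "").isdigit():
            probed[f["SRC"]].add((f["PROTO"], int(f["DPT"])))
    return {src: sorted(p) for src, p in probed.items() if len(p) >= min_ports}

if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(src, "probed", len(ports), "ports:", ports)
```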

4. Reload and update PSAD.

  • To restart PSAD, update the signature file and reload PSAD to complete the install, open a Terminal window and enter:
sudo psad -R
sudo psad --sig-update
sudo psad -H
  • To check the status of PSAD, open a Terminal window and enter:
sudo psad --Status


Comments

Quick question: is psad any use if enable_auto_ids is set to no? And do I need to set it to yes to do the next step?

Short answer - yes, it does not take action when an intrusion is detected, but will still log the events. Good for setup and testing, but set to yes for a production environment. See the PSAD documentation for more information.

I have a problem while running this command:
# psad -R
Use of qw(...) as parentheses is deprecated at /usr/sbin/psad line 4264.
How can I fix this problem, and does my psad still work despite the error above?