Category: LINUX

2010-03-28 00:24:43

PSAD scans the iptables log file and generates blocks for attacking hosts. The problem is that if you log ALL packets, as other PSAD tutorials show, a busy server slows down considerably and produces huge log files (growing at 1 MB per second or more). With a few simple iptables rules we will log only traffic that looks suspicious (for example, 5 new connections within 5 seconds).

Installation

Download the 

uncompress it and run the install.pl script:

./install.pl

Next we have to restart sysklogd and klogd:

/etc/init.d/sysklogd restart
/etc/init.d/klogd restart

Here is a small tweak so that the connection-tracking table does not fill up:

echo '524288' >  /proc/sys/net/ipv4/netfilter/ip_conntrack_max
echo '7200' > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established

You can raise ip_conntrack_max further if needed. If you don't, the connection-tracking table will fill up and new connections will be dropped. Check your log file after a while to see whether any packets are being dropped, e.g.: `cat /var/log/syslog | grep dropped`

To log only suspicious IPs, first create a safe-IP (whitelist) file:

vi /root/safeip.txt

and in that file put the safe IP addresses (with or without CIDR notation):

127.0.0.0/24
192.168.0.0/24
123.123.123.123

Optional : If you wish to whitelist whole countries, simply get the list of IP using our 

We will use a short script to set the iptables rules (note that the 'iptables -F' in the script flushes all previous rules in the filter table):

#!/bin/bash
# Script to set iptables rules that log only suspicious (bursty) new connections
# Copyright (c) 2009 blogama.org
# This script is licensed under GNU GPL version 2.0 or above
# ---------------------------------------------------------------------

WORKDIR="/root/"
INTERVAL="5"        # --seconds: length of the sliding window
HITCOUNT="5"        # --hitcount: NEW connections within the window before logging starts
SAFEIPFILE="safeip.txt"

cd "$WORKDIR" || exit 1

# Flush ALL existing rules in the filter table before installing ours
iptables -F

# Accept anything from the whitelisted addresses/networks before the logging rules
if [ -f "$SAFEIPFILE" ]; then
  IPS=$(grep -Ev "^#" "$SAFEIPFILE")
  for i in $IPS
  do
        iptables -A INPUT -s "$i" -j ACCEPT
  done
fi

# Record every NEW connection in the "recent" list ...
iptables -A INPUT -m state --state NEW -m recent --set
# ... and log the packet once its source has made HITCOUNT NEW connections within INTERVAL seconds
iptables -A INPUT -m state --state NEW -m recent --update --seconds "$INTERVAL" --hitcount "$HITCOUNT" -j LOG

Basically, this logs an IP address only once it has made 5 NEW connections within 5 seconds. Say IP 111.111.111.111 creates 12 new connections in a 5-second interval: it will be logged 8 times (so it becomes 8 `packets` for PSAD; you will see later what that means). Of course, you can adjust this setting to your needs.
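To see which connections the two `-m recent` rules actually log, here is an added Python simulation of the rule pair (it is not code from the original post or from the script above). It models the recent list as one timestamp per NEW packet per source, an assumption that simplifies the kernel's xt_recent bookkeeping, and assumes the module's default of 20 stamps kept per address. It replays a few constructed connection patterns, including the 12-connections-in-5-seconds case from the text; the addresses and timings are made up for the example.

```python
from collections import defaultdict, deque

INTERVAL = 5        # --seconds  (the script's INTERVAL)
HITCOUNT = 5        # --hitcount (the script's HITCOUNT)
LIST_TOT = 20       # stamps kept per address; assumed default of xt_recent's ip_pkt_list_tot


def simulate_recent(connections, interval=INTERVAL, hitcount=HITCOUNT, list_tot=LIST_TOT):
    """Replay NEW packets through the two rules.

    connections: iterable of (time_in_seconds, src_ip), in arrival order.
    Returns the list of (time, src_ip) that would reach the LOG target.
    """
    stamps = defaultdict(lambda: deque(maxlen=list_tot))  # per-source timestamps
    logged = []
    for t, ip in connections:
        # rule 1: -m recent --set records this packet for its source
        stamps[ip].append(t)
        # rule 2: --update --seconds INTERVAL --hitcount HITCOUNT matches when at
        # least HITCOUNT stamps (this packet included) fall inside the window
        hits = sum(1 for s in stamps[ip] if s >= t - interval)
        if hits >= hitcount:
            logged.append((t, ip))
    return logged


# Constructed traffic patterns (not captured data)
BURST = [(i * 0.4, "111.111.111.111") for i in range(12)]   # 12 NEW connections in 4.4 s
NORMAL = [(i * 1.0, "192.0.2.10") for i in range(4)]        # 4 connections in 4 s: below hitcount
STEADY = [(i * 2.0, "192.0.2.20") for i in range(10)]       # one connection every 2 s for 20 s
MIXED = BURST + NORMAL + STEADY


def logged_per_source(connections):
    """Count how many log lines (psad 'packets') each source would generate."""
    counts = defaultdict(int)
    for _, ip in simulate_recent(sorted(connections)):
        counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, n in logged_per_source(MIXED).items():
        print(f"{ip}: {n} log lines")
```

Only the bursting source produces log lines: the first four connections of the burst go unlogged, and the fifth through twelfth each hit the LOG rule, giving the 8 entries mentioned above. The steady client never has more than three stamps inside any 5-second window, so it stays out of syslog entirely, which is what keeps PSAD's packet counts for legitimate users near zero.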

Make the script executable (chmod +x) and run it.

Next we have to configure PSAD:

vi /etc/psad/psad.conf

This is a suggested configuration; read the psad documentation for more information:

Note: these lines already exist in the file; just modify the values.

[...]
EMAIL_ADDRESSES             admin@example.com;
[...]
HOSTNAME                    server1.example.com;
[...]
DANGER_LEVEL1               50;    ### Number of packets.
DANGER_LEVEL2               100;
DANGER_LEVEL3               250;
DANGER_LEVEL4               400;
DANGER_LEVEL5               500;
[...]
PORT_RANGE_SCAN_THRESHOLD   0;
[...]
ENABLE_PERSISTENCE          N;
[...]
SCAN_TIMEOUT                3600;  ### seconds
[...]
MIN_DANGER_LEVEL            3;
[...]
EMAIL_ALERT_DANGER_LEVEL    3;
[...]
ALERT_ALL                   N;
[...]
IMPORT_OLD_SCANS            Y;
[...]
ENABLE_AUTO_IDS             Y;
[...]
AUTO_IDS_DANGER_LEVEL       5;
[...]
AUTO_BLOCK_TIMEOUT          43200;
[...]
IPTABLES_BLOCK_METHOD       Y;
[...]

Here is an explanation of what this configuration does:

If an IP makes 250 NEW connections within 1 hour, PSAD sends an email to admin@example.com. The same happens after 400 connections. After 500 new connections within the 1-hour period, PSAD blocks the IP for the next 12 hours. Of course you can adjust that to your needs... Remember that we only log IPs that made at least 5 connections in the last 5 seconds, so it is improbable that a legitimate user gets blocked... `Packets` are not real packets; they are simply the number of times the IP appears in /var/log/syslog.
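To make the thresholds concrete, here is an added Python model of how the suggested psad.conf values turn syslog entries into a verdict (it is an illustration written for this page, not psad's own code). It parses constructed syslog lines in the format klogd writes for iptables LOG, counts the per-source entries that fall within SCAN_TIMEOUT of that source's newest entry (a simplification of psad's scan-timeout handling, assumed here), maps the count to a danger level using the DANGER_LEVELn values above, and reports whether the level triggers an e-mail or an auto-block and when the block expires. The hostnames, addresses and log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Values from the psad.conf suggested above
DANGER_LEVELS = {1: 50, 2: 100, 3: 250, 4: 400, 5: 500}  # danger level -> packets needed
SCAN_TIMEOUT = 3600                # seconds
EMAIL_ALERT_DANGER_LEVEL = 3
AUTO_IDS_DANGER_LEVEL = 5
AUTO_BLOCK_TIMEOUT = 43200         # seconds = 12 hours

# Matches the syslog timestamp and the SRC= field of an iptables LOG line written by klogd
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*? SRC=(?P<src>[\d.]+) "
)


def parse_log_line(line, year=2010):
    """Return (timestamp, source IP) for an iptables LOG line, or None for other syslog lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog lines carry no year
    return ts, m["src"]


def danger_level(packets):
    """Highest danger level whose packet threshold the count has reached (0 = none)."""
    return max((lvl for lvl, need in DANGER_LEVELS.items() if packets >= need), default=0)


def evaluate(lines, year=2010):
    """Per source IP: packets counted in the current scan, its danger level, and the actions.

    Simplification (assumption): only entries within SCAN_TIMEOUT of the source's newest
    entry belong to the current scan; older ones are treated as an expired, separate scan.
    """
    stamps = defaultdict(list)
    for line in lines:
        parsed = parse_log_line(line, year)
        if parsed:
            ts, src = parsed
            stamps[src].append(ts)

    verdicts = {}
    for src, times in stamps.items():
        newest = max(times)
        packets = sum(1 for t in times if newest - t <= timedelta(seconds=SCAN_TIMEOUT))
        lvl = danger_level(packets)
        blocked = lvl >= AUTO_IDS_DANGER_LEVEL
        verdicts[src] = {
            "packets": packets,
            "danger_level": lvl,
            "email": lvl >= EMAIL_ALERT_DANGER_LEVEL,
            "block": blocked,
            "block_until": newest + timedelta(seconds=AUTO_BLOCK_TIMEOUT) if blocked else None,
        }
    return verdicts


def make_log_lines(src, count, start, spacing):
    """Constructed sample data: `count` LOG lines from `src`, `spacing` seconds apart."""
    lines = []
    for i in range(count):
        ts = start + timedelta(seconds=i * spacing)
        lines.append(
            f"{ts.strftime('%b %d %H:%M:%S')} server1 kernel: [{100 + i}.000000] "
            f"IN=eth0 OUT= SRC={src} DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 "
            f"PROTO=TCP SPT={40000 + i} DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0"
        )
    return lines


START = datetime(2010, 3, 28, 0, 0, 0)
SAMPLE_LINES = (
    make_log_lines("111.111.111.111", 520, START, 5)     # 520 entries in ~43 min: level 5, auto-block
    + make_log_lines("222.222.222.222", 300, START, 10)  # 300 entries in 50 min: level 3, e-mail only
    + make_log_lines("33.33.33.33", 100, START, 60)      # 100 entries over 99 min: only 61 fall in the last hour
    + ["Mar 28 00:24:43 server1 sshd[1234]: Accepted publickey for root from 192.168.0.10"]  # ignored
)

if __name__ == "__main__":
    for src, v in evaluate(SAMPLE_LINES).items():
        print(src, v)
```

Running it shows the three outcomes the text describes: the 520-entry source reaches level 5 and gets a block that expires 12 hours after its last entry, the 300-entry source reaches level 3 and only triggers the e-mail, and the slow source never reaches level 3 because the entries older than SCAN_TIMEOUT no longer count. Non-iptables syslog lines are skipped by the parser, which mirrors why only the `-j LOG` rule's output matters for the `packet` counts.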

Now we have to restart PSAD:

/etc/init.d/psad restart

If you also want to whitelist IPs in PSAD, take a look at /etc/psad/auto_dl (it's better to whitelist them in the iptables rules, but it's safer to put them in both places):

vi /etc/psad/auto_dl

Commands you need to know:

To show PSAD reports:

psad -S

To remove the IP blocks:

psad -F

That's it!
