Category: LINUX
2010-03-28 00:24:43
PSAD scans the iptables log file and generates blocks against attackers. The problem is that if you log ALL packets, as shown in other PSAD tutorials, it will slow down a busy server considerably and generate huge log files (growing at a rate of 1 MB per second or more). With a few simple iptables rules, we will log only traffic that looks suspicious (5 new connections in 5 seconds, for example).
Installation
Download the
uncompress it and run the install.pl script :
./install.pl
Next we have to restart sysklogd and klogd :
/etc/init.d/sysklogd restart
/etc/init.d/klogd restart
Here is a small tweak so the connection tracking table does not fill up :
echo '524288' > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
echo '7200' > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
You can raise ip_conntrack_max further if needed. If you don't, the conntrack table will fill up and new connections will be dropped. Check your log file to see whether any packets get dropped after some time, e.g. : `cat /var/log/syslog | grep dropped`. Note that values written to /proc this way do not survive a reboot, so put them in your boot scripts or sysctl configuration as well.
To log only suspicious IPs, first make a safe IP list :
vi /root/safeip.txt
and in that file put the safe IP addresses (with or without CIDR notation), one per line :
127.0.0.0/24
192.168.0.0/24
123.123.123.123
Optional : If you wish to whitelist whole countries, simply get the list of IP using our
We will use a short script to set the iptables rules (note the 'iptables -F' in the script, which flushes the previous rules) :
#!/bin/bash
# Script to log only suspicious new connections with iptables, for PSAD
# Copyright (c) 2009 blogama.org
# This script is licensed under GNU GPL version 2.0 or above
# ---------------------------------------------------------------------
WORKDIR="/root/"
INTERVAL="5"      # time window in seconds
HITCOUNT="5"      # new connections within the window before logging starts
SAFEIPFILE="safeip.txt"

cd $WORKDIR
# flush the existing rules of the filter table
iptables -F

# accept everything from the whitelisted IPs/networks (comment lines are skipped)
if [ -f $SAFEIPFILE ]; then
  IPS=$(grep -Ev "^#" $SAFEIPFILE)
  for i in $IPS
  do
    iptables -A INPUT -s $i -j ACCEPT
  done
fi

# record the source of every NEW connection, then log it once it has made
# HITCOUNT new connections within INTERVAL seconds
iptables -A INPUT -m state --state NEW -m recent --set
iptables -A INPUT -m state --state NEW -m recent --update --seconds $INTERVAL --hitcount $HITCOUNT -j LOG
Basically, this logs an IP address only once it has made 5 NEW connections within 5 seconds. Let's say IP 111.111.111.111 creates 12 new connections in a 5 second interval: it will be logged 8 times (so it will count as 8 `packets` for PSAD; you will see later what that means). Of course, you can adjust this setting to your needs.
Make the script executable (chmod +x) and run it.
Next we have to configure PSAD :
vi /etc/psad/psad.conf
This is a suggested configuration; read the psad documentation for more info :
Note : these lines are already there, just modify the values
[...]
EMAIL_ADDRESSES admin@example.com;
[...]
HOSTNAME server1.example.com;
[...]
DANGER_LEVEL1 50; ### Number of packets.
DANGER_LEVEL2 100;
DANGER_LEVEL3 250;
DANGER_LEVEL4 400;
DANGER_LEVEL5 500;
[...]
PORT_RANGE_SCAN_THRESHOLD 0;
[...]
ENABLE_PERSISTENCE N;
[...]
SCAN_TIMEOUT 3600; ### seconds
[...]
MIN_DANGER_LEVEL 3;
[...]
EMAIL_ALERT_DANGER_LEVEL 3;
[...]
ALERT_ALL N;
[...]
IMPORT_OLD_SCANS Y;
[...]
ENABLE_AUTO_IDS Y;
[...]
AUTO_IDS_DANGER_LEVEL 5;
[...]
AUTO_BLOCK_TIMEOUT 43200;
[...]
IPTABLES_BLOCK_METHOD Y;
[...]
Here is an explanation of what this configuration file will do :
If an IP makes 250 NEW connections within 1 hour, PSAD will send an email to admin@example.com. The same happens again after 400 connections. After 500 new connections in a 1 hour period, PSAD will block the IP for the next 12 hours. Of course you can adjust that to your needs... Remember that we only log IPs that made at least 5 connections in the last 5 seconds, so it is improbable that a legitimate user gets blocked... `Packets` are not real packets; they are simply the number of times the IP appears in /var/log/syslog.
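To make the "packets are just log lines" point concrete, here is an added example (not part of the original post and not psad's own code) that reads iptables LOG lines in the syslog format shown above, skips sources listed in the safe IP file, counts how many times each remaining source appears, and maps the count to the DANGER_LEVEL thresholds, EMAIL_ALERT_DANGER_LEVEL and AUTO_IDS_DANGER_LEVEL from the psad.conf fragment. The sample log lines are constructed inline; the year for the syslog timestamps and the "counter resets after SCAN_TIMEOUT seconds of silence" rule are simplifying assumptions, not a description of psad's exact scan-tracking algorithm.

```python
#!/usr/bin/env python3
"""Count per-source iptables LOG hits the way the post describes psad's
"packets", then map them to the danger levels from the psad.conf above.
Added example with constructed data; not psad's own code."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds copied from the psad.conf fragment in the post.
DANGER_LEVELS = {1: 50, 2: 100, 3: 250, 4: 400, 5: 500}
SCAN_TIMEOUT = 3600            # seconds
EMAIL_ALERT_DANGER_LEVEL = 3
AUTO_IDS_DANGER_LEVEL = 5

# Same entries as the /root/safeip.txt shown in the post.
SAFE_NETWORKS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/24", "192.168.0.0/24", "123.123.123.123")]

# "Mar 28 00:24:43 host kernel: ... SRC=1.2.3.4 ..." as written by klogd/sysklogd.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?SRC=(?P<src>[\d.]+) ")


def parse_iptables_line(line, year=2010):
    """Return (timestamp, source IP) for an iptables LOG line, None otherwise.
    Syslog timestamps carry no year, so one is assumed (assumption)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, ipaddress.ip_address(m["src"])


def is_safe(ip):
    """True if the address is covered by the safe IP list (the iptables ACCEPT rules)."""
    return any(ip in net for net in SAFE_NETWORKS)


def danger_level(count):
    """Highest DANGER_LEVELn whose packet threshold the count has reached, 0 if none."""
    return max((lvl for lvl, thr in DANGER_LEVELS.items() if count >= thr), default=0)


def count_hits(lines):
    """Per-source hit counts. A gap longer than SCAN_TIMEOUT between two hits from
    the same source resets its counter (simplified model of the scan timeout)."""
    counts = defaultdict(int)
    last_seen = {}
    for line in lines:
        parsed = parse_iptables_line(line)
        if parsed is None:          # not an iptables LOG line
            continue
        ts, src = parsed
        if is_safe(src):            # whitelisted: never logged in the first place
            continue
        if src in last_seen and (ts - last_seen[src]).total_seconds() > SCAN_TIMEOUT:
            counts[src] = 0
        counts[src] += 1
        last_seen[src] = ts
    return dict(counts)


def assess(lines):
    """Map each source to its hit count, danger level and the resulting actions."""
    result = {}
    for src, hits in count_hits(lines).items():
        lvl = danger_level(hits)
        result[str(src)] = {"hits": hits, "danger_level": lvl,
                            "email": lvl >= EMAIL_ALERT_DANGER_LEVEL,
                            "block": lvl >= AUTO_IDS_DANGER_LEVEL}
    return result


def make_line(ts, src, dpt):
    """Constructed iptables LOG line in the format the regex above parses."""
    return (f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S} server1 kernel: IN=eth0 OUT= "
            f"SRC={src} DST=10.0.0.5 LEN=60 TTL=54 ID=0 DF PROTO=TCP "
            f"SPT=40000 DPT={dpt} WINDOW=5840 SYN")


def sample_log():
    """Constructed sample syslog: two scanners, one whitelisted host, one slow host."""
    base = datetime(2010, 3, 28, 0, 24, 43)
    lines = [make_line(base + timedelta(seconds=i * 6), "111.111.111.111", 80)
             for i in range(520)]                        # 520 hits -> level 5
    lines += [make_line(base + timedelta(seconds=i * 10), "222.222.222.222", 22)
              for i in range(260)]                       # 260 hits -> level 3
    lines += [make_line(base + timedelta(seconds=i), "192.168.0.10", 80)
              for i in range(600)]                       # whitelisted, ignored
    lines += [make_line(base + timedelta(seconds=i), "33.33.33.33", 443)
              for i in range(40)]                        # 40 hits, then 2h of silence
    lines += [make_line(base + timedelta(seconds=7200 + i), "33.33.33.33", 443)
              for i in range(40)]                        # counter reset -> 40 hits
    lines.append("Mar 28 00:30:00 server1 sshd[123]: Accepted publickey for root")
    return sorted(lines)


if __name__ == "__main__":
    for src, info in sorted(assess(sample_log()).items()):
        print(src, info)
```

Running it shows 111.111.111.111 at danger level 5 (email and auto-block), 222.222.222.222 at level 3 (email only), 33.33.33.33 at level 0 because its hits were split by a silence longer than SCAN_TIMEOUT, and 192.168.0.10 absent because the safe list keeps it out of the log entirely.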
Now we have to restart PSAD :
/etc/init.d/psad restart
If you also want to whitelist IPs in PSAD itself, take a look at /etc/psad/auto_dl (it's better to whitelist them in the iptables rules, but it's safer to put them in both places) :
vi /etc/psad/auto_dl
Commands you need to know :
to show the PSAD reports
psad -S
to remove the IP blocks
psad -F
That's it!