These are slightly updated instructions I've not seen anywhere else, as Arno's excellent firewall no longer works out of the box with PSAD. Also some notes below on PSAD with the simpler UFW firewall, which also has a GUI.
sudo apt-get install arno-iptables-firewall psad fwsnort ssmtp
#ssmtp is easier to configure than exim - see further below
OR
sudo apt-get install arno-iptables-firewall psad fwsnort exim4
The basic Arno firewall configuration is OK but can be made a little more secure by changing the following variables in /etc/arno-iptables-firewall/firewall.conf:
ECHO_IGNORE=1
IP_FORWARDING=0
Rsyslog settings in /etc/rsyslog.d/arno-iptables-firewall.conf now send all firewall logs to /var/log/arno-iptables-firewall, and they are not logged anywhere else (in previous Arno versions they used to also show up in /var/log/messages). Various other guides I've seen talk of piping output to /var/lib/psad/psadfifo, but the rule PSAD adds in /etc/rsyslog.conf no longer works, as rsyslog includes and applies the rules in /etc/rsyslog.d/ first.
Settings to change in /etc/psad/psad.conf as by default active response is disabled:
EMAIL_ADDRESSES myemail@me.com;
IPT_SYSLOG_FILE /var/log/arno-iptables-firewall;
ENABLE_AUTO_IDS Y;
If you use the simpler "UFW" firewall, the default psad setting of /var/log/messages for IPT_SYSLOG_FILE will work for you. To install UFW and a GUI instead of Arno's firewall:
sudo apt-get install ufw gufw
sudo ufw enable
FWSNORT's standard config is OK; a small script is needed to update the FWSNORT and PSAD signatures once a week. Don't forget to make this executable with chmod +x /path/to/my-script
#!/bin/bash
# update fwsnort & psad signatures
/usr/sbin/fwsnort --update-rules
/usr/sbin/fwsnort
/etc/fwsnort/fwsnort.sh
echo "fwsnort signatures updated"
psad --sig-update
psad -H
echo "psad signatures updated"
Not all of the FWSNORT signatures will be spliced into iptables; only the rules which match the services you have running will be added.
Set up a weekly crontab:
sudo crontab -e
and add the following line (the log redirection must come before 2>&1, otherwise stderr still goes to cron mail rather than the log file):
0 15 * * 5 /path/to/update-fwsnort >> /var/log/fwsnort_update.log 2>&1
To have FWSNORT's rules spliced into iptables on each boot, create /etc/init.d/fwsnort
#!/bin/bash
#
### BEGIN INIT INFO
# Provides: fwsnort
# Required-Start: $network
# Required-Stop: $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Load/unload snort signatures for psad
# Description: update-rc.d -f fwsnort defaults
### END INIT INFO
/etc/fwsnort/fwsnort.sh
exit 0
and run update-rc.d -f fwsnort defaults
To test your setup run nmap on your IP from a 2nd machine on your LAN or run ShieldsUP & check PSAD's status:
sudo psad -S
If PSAD's status does not register the scan and/or you see an error message in /var/log/psad/fw_check along the lines of "You may just need to add a default logging rule to the INPUT chain", remove both the firewall and psad and flush iptables:
sudo iptables -F
then reinstall the firewall followed by psad, and run psad's iptables check:
sudo psad --fw-analyze
I've been playing with Archbang, and a more elegant mail solution is to use SSMTP (which is also in the Debian repos) so you receive emails from PSAD.
Configuring EXIM to send emails through gmail is another solution but since Arno's Firewall no longer has any mail server dependency SSMTP is easier to setup.
To test the emails from PSAD are working set the following in /etc/psad/psad.conf:
EMAIL_ALERT_DANGER_LEVEL 1;
and you will receive an email for every scan. Set this alert level to 3-5 for normal operation or you will receive hundreds of emails, which can be quite annoying.
Install sysv-rc-conf & turn off the run levels for Exim as the daemon does not need to run to flush the mail queue.
To have your syslog files emailed to you:
sudo apt-get install logcheck syslog-summary
and set your email address in /etc/logcheck/logcheck.conf
See also my guide for OSSEC HIDS (Host Intrusion Detection System)
Last edited by tradetaxfree (2012-06-17 15:17:26)
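A pre-flight check for the setup above, added here as an example (it is not a script from the post or from the psad/fwsnort projects): it looks for fwsnort.sh in the two locations this thread mentions and counts LOG rules in the INPUT and FORWARD chains of an iptables-save dump, which is the condition behind the "add a default logging rule to the INPUT chain" error in /var/log/psad/fw_check. The sample policy is constructed, and both fwsnort.sh paths and the AIF log prefix are assumptions.

```shell
#!/bin/sh
# Pre-flight check for the psad + fwsnort setup above (added example, not a
# script from the thread). It checks which fwsnort.sh exists and whether the
# filter table has the LOG rules psad needs: the "add a default logging rule to
# the INPUT chain" error in /var/log/psad/fw_check means it does not.

# Print the first executable fwsnort.sh among the candidate paths; return 1 if
# none exists. The paths passed in below are assumptions taken from the thread.
find_fwsnort_sh() {
    for p in "$@"; do
        if [ -x "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Read iptables-save text on stdin and count rules in chain $1 that jump to LOG.
# Only direct rules count; jumps into user-defined chains are not followed.
count_log_rules() {
    grep -cE "^-A $1 .*-j LOG( |\$)" || true
}

# Return 0 when INPUT has a LOG rule (and FORWARD too when $1, the value of
# IP_FORWARDING from firewall.conf, is 1); return 1 otherwise.
check_policy() {
    forwarding="$1"
    dump=$(cat)
    input=$(printf '%s\n' "$dump" | count_log_rules INPUT)
    fwd=$(printf '%s\n' "$dump" | count_log_rules FORWARD)
    echo "INPUT LOG rules: $input, FORWARD LOG rules: $fwd"
    [ "$input" -gt 0 ] || return 1
    [ "$forwarding" -eq 0 ] || [ "$fwd" -gt 0 ] || return 1
}

# Constructed iptables-save excerpt (not a real host's policy): INPUT logs
# what it drops, FORWARD drops silently.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "AIF:Dropped INPUT packet: " --log-level 6
-A FORWARD -j DROP
COMMIT'
find_fwsnort_sh /etc/fwsnort/fwsnort.sh /var/lib/fwsnort/fwsnort.sh \
    || echo "no fwsnort.sh found; run fwsnort --update-rules and then fwsnort"
printf '%s\n' "$SAMPLE_DUMP" | check_policy 0   # IP_FORWARDING=0 as set above
```

On a live host, pipe `sudo iptables-save` into check_policy in place of the constructed dump; psad's own `psad --fw-analyze` remains the authoritative check.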
Thanks for your howto. I'm trying to set this up.
Have some issues: there is no /etc/fwsnort/fwsnort.sh on my system; I do have /var/lib/fwsnort/fwsnort.sh
Should I use this script instead?
I only received one e-mail, with the following subject:
"[psad-error] Exceeded max disk utilization for /var/log/psad on nn-laptop"
I checked, but there is no huge file in /var/log/psad...
Last edited by Tunafish (2012-06-17 15:13:17)
sed 's/stress/relaxation/g'
Privacy & Security on #!
You could use /var/lib/fwsnort/fwsnort.sh - just make sure line 1 of /etc/init.d/fwsnort points to it.
Here are the contents of my fwsnort.sh:
echo " "
echo "[+] Splicing fwsnort rules into the iptables policy..."
/sbin/iptables-restore < /etc/fwsnort/fwsnort.save
echo " Done."
echo " "
exit
I think the fwsnort.save file is created by running:
/usr/sbin/fwsnort --update-rules
I use a cron job to run /usr/local/update-fwsnort:
#!/bin/bash
# update fwsnort & psad signatures
/usr/sbin/fwsnort --update-rules
/usr/sbin/fwsnort
/etc/fwsnort/fwsnort.sh
echo "fwsnort signatures updated"
psad --sig-update
psad -H
echo "psad signatures updated"
(in your case edit the location in the script above for fwsnort.sh)
You could use /var/lib/fwsnort/fwsnort.sh - just make sure line 1 of /etc/init.d/fwsnort points to it.
Thanks, it's the same file....
Now I've got things running and I receive this warning e-mail:
[-] You may just need to add a default logging rule to the /sbin/ip6tables
'filter' 'INPUT' chain on nn-laptop. For more information,
see the file "FW_HELP" in the psad sources directory or visit:
http://www.cipherdyne.org/psad/docs/fwconfig.html
I think I had the "Exceeded max disk utilization" error previously when /var filled up. Do you have free space in /var ? Perhaps the logfile in /var/log/psad/errs will also provide some clues ?
I think I had the "Exceeded max disk utilization" error previously when /var filled up. Do you have free space in /var ? Perhaps the logfile in /var/log/psad/errs will also provide some clues ?
There should be plenty of space on /var...
I'll reboot and see what error will be next.
No more errors, but how do I check if it's working?
Last edited by Tunafish (2012-06-17 15:52:09)
Copyright © 2012 CrunchBang Linux.