
#1 2011-10-02 21:50:22

tradetaxfree
#! CrunchBanger
Registered: 2011-03-05
Posts: 122

Arno-Iptables-Firewall with PSAD (Port Scan Attack Detector) & FWSNORT

These are slightly updated instructions I've not seen anywhere else, as Arno's excellent firewall no longer works out of the box with PSAD. Also some notes below for PSAD with the simpler UFW Firewall, which also has a gui.

sudo apt-get install arno-iptables-firewall psad fwsnort ssmtp
#ssmtp is easier to configure than exim - see further below

OR

sudo apt-get install arno-iptables-firewall psad fwsnort exim4 

The basic arno firewall configuration is ok but can be made a little more secure by changing the following variables in /etc/arno-iptables-firewall/firewall.conf:

ECHO_IGNORE=1
IP_FORWARDING=0

Rsyslog settings in /etc/rsyslog.d/arno-iptables-firewall.conf now send all firewall logs to /var/log/arno-iptables-firewall & they are not logged anywhere else (in previous arno versions they also showed up in /var/log/messages). Various other guides I've seen talk of piping output to /var/lib/psad/psadfifo, but the rule PSAD adds in /etc/rsyslog.conf no longer works as rsyslog includes & applies the rules in /etc/rsyslog.d/ first.

Settings to change in /etc/psad/psad.conf as by default active response is disabled:

EMAIL_ADDRESSES             myemail@me.com;
IPT_SYSLOG_FILE             /var/log/arno-iptables-firewall;
ENABLE_AUTO_IDS             Y;

If you use the simpler "UFW" Firewall the default psad setting of /var/log/messages for IPT_SYSLOG_FILE will work for you. To install UFW & a gui instead of Arno's firewall:

sudo apt-get install ufw gufw
sudo ufw enable

FWSNORT's standard config is ok - a small script is needed to update the FWSNORT & PSAD signatures once a week. Don't forget to make this executable with chmod +x /path/to/my-script.

#!/bin/bash
# update fwsnort & psad signatures
/usr/sbin/fwsnort --update-rules      # fetch the latest snort rule set
/usr/sbin/fwsnort                     # rebuild /etc/fwsnort/fwsnort.save from the rules
/var/lib/fwsnort/fwsnort.sh           # splice the rebuilt rules into the iptables policy
echo "fwsnort signatures updated"
psad --sig-update                     # fetch the latest psad signatures
psad -H                               # HUP psad so it reloads its signatures & config
echo "psad signatures updated"

Not all of the FWSNORT signatures will be spliced into iptables, only the rules which match the services you have running will be added.

Set up a weekly crontab:

sudo crontab -e

& add the following line:

0 15 * * 5 /path/to/update-fwsnort >> /var/log/fwsnort_update.log 2>&1

To have FWSNORT's rules spliced into iptables on each boot, create /etc/init.d/fwsnort:

#!/bin/bash
#
### BEGIN INIT INFO
# Provides:          fwsnort
# Required-Start:    $network
# Required-Stop:     $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Load/unload snort signatures for psad
# Description:       update-rc.d -f fwsnort defaults 
### END INIT INFO
/var/lib/fwsnort/fwsnort.sh
exit 0

& run update-rc.d -f fwsnort defaults

To test your setup run nmap on your IP from a 2nd machine on your LAN or run ShieldsUP & check PSAD's status:

sudo psad -S

If PSAD's status does not register the scan and/or you see an error message in /var/log/psad/fw_check along the lines of "You may just need to add a default logging rule to the INPUT chain", remove both the firewall & psad & flush iptables:

sudo iptables -F

& reinstall the firewall followed by psad & then run psad's iptables check:

sudo psad --fw-analyze

I've been playing with Archbang & a more elegant mail solution is to use SSMTP (which is also in the Debian repos) so you receive emails from PSAD.

Configuring EXIM to send emails through gmail is another solution, but since Arno's Firewall no longer has any mail server dependency SSMTP is easier to set up.

To test the emails from PSAD are working set the following in /etc/psad/psad.conf:

EMAIL_ALERT_DANGER_LEVEL    1;

& you will receive an email for every scan. Set this alert level to 3-5 for normal operation or you will receive hundreds of emails which can be quite annoying.

Troubleshooting PSAD / FWSNORT

If you can see the scans being detected but not being blocked, stop PSAD & then run in debug mode:

psad --debug

If you are trying FWSNORT on an OpenVZ container you will not be able to fully utilize FWSNORT as the iptables modules 'string match' & 'comment match' are not currently available in the guest container. You will need to run FWSNORT in the script with the following switch:

/usr/sbin/fwsnort --no-ipt-test

If FWSNORT is not running fully & you set in psad.conf "ENABLE_AUTO_IDS_REGEX = Y" then the scans will be detected but not blocked as there will be no FWSNORT log prefixes.

Arno's firewall will not work in an OpenVZ container either, as you cannot modprobe kernel modules, so you will need to build your firewall manually. Check /var/log/psad/psad.ipterr for errors. Another possible error is the firewall chains for PSAD not existing. Create them with the following iptables commands (at the top of your firewall script):

# create the chains PSAD expects (run before your own rules)
iptables -N PSAD_BLOCK_INPUT
iptables -N PSAD_BLOCK_OUTPUT
iptables -N PSAD_BLOCK_FORWARD

Logs via Email

Install sysv-rc-conf & turn off the run levels for Exim as the daemon does not need to run to flush the mail queue.

To have your syslog files emailed to you:

sudo apt-get install logcheck syslog-summary

& set your email address in /etc/logcheck/logcheck.conf

See also my guide for OSSEC HIDS (Host Intrusion Detection System)

& Securing DNS with DNScrypt

Last edited by tradetaxfree (2013-10-10 13:55:56)

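An added check for the psad.conf settings the howto changes (example code, not from the post or from psad itself): it reads the "KEY value;" lines without sourcing the file and reports the settings that would leave PSAD silent or noisy. It assumes root@localhost is the EMAIL_ADDRESSES value psad ships with.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the psad.conf settings the
# howto says to change, before trusting PSAD to block anything. psad.conf lines
# look like "KEY    value;" so the file is read with awk rather than sourced.

# Print the value of KEY from a psad.conf-style file: psad_conf_get FILE KEY
psad_conf_get() {
    awk -v key="$2" '$1 == key { sub(/;[[:space:]]*$/, "", $2); print $2; exit }' "$1"
}

# Check the howto's settings: check_psad_conf FILE EXPECTED_FIREWALL_LOG
# Prints one line per problem and returns the number of problems (0 = all good).
check_psad_conf() {
    conf=$1; logfile=$2; problems=0
    if [ "$(psad_conf_get "$conf" IPT_SYSLOG_FILE)" != "$logfile" ]; then
        echo "IPT_SYSLOG_FILE does not point at $logfile: PSAD will see no firewall log"
        problems=$((problems + 1))
    fi
    if [ "$(psad_conf_get "$conf" ENABLE_AUTO_IDS)" != "Y" ]; then
        echo "ENABLE_AUTO_IDS is not Y: scans are detected but never blocked"
        problems=$((problems + 1))
    fi
    level=$(psad_conf_get "$conf" EMAIL_ALERT_DANGER_LEVEL)
    if [ -n "$level" ] && [ "$level" -lt 3 ]; then
        echo "EMAIL_ALERT_DANGER_LEVEL=$level mails every scan; use 3-5 outside testing"
        problems=$((problems + 1))
    fi
    case "$(psad_conf_get "$conf" EMAIL_ADDRESSES)" in
        ""|root@localhost)   # root@localhost assumed to be psad's shipped default
            echo "EMAIL_ADDRESSES is unset or still the default"
            problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

# Constructed sample: the howto's settings with the "test every scan" level
# still in place, so the check reports exactly one problem.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
EMAIL_ADDRESSES             myemail@me.com;
IPT_SYSLOG_FILE             /var/log/arno-iptables-firewall;
ENABLE_AUTO_IDS             Y;
EMAIL_ALERT_DANGER_LEVEL    1;
EOF
if check_psad_conf "$SAMPLE_CONF" /var/log/arno-iptables-firewall; then
    echo "psad.conf matches the howto"
else
    echo "problems found: $?"
fi
rm -f "$SAMPLE_CONF"
```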

#2 2012-06-17 14:27:09

Tunafish
#! Die Hard
From: the Netherlands
Registered: 2010-03-07
Posts: 1,204

Re: Arno-Iptables-Firewall with PSAD (Port Scan Attack Detector) & FWSNORT

Thanks for your howto. I'm trying to set this up.
Have some issues: there is no /etc/fwsnort/fwsnort.sh on my system, I do have /var/lib/fwsnort/fwsnort.sh.
Should I use this script instead?


I only received one e-mail, with the following subject:
"[psad-error] Exceeded max disk utilization for /var/log/psad on nn-laptop"
I checked, but there is no huge file in /var/log/psad...

Last edited by Tunafish (2012-06-17 15:13:17)


sed 's/stress/relaxation/g'
Privacy & Security on #!


#3 2012-06-17 15:15:32

tradetaxfree
#! CrunchBanger
Registered: 2011-03-05
Posts: 122

Re: Arno-Iptables-Firewall with PSAD (Port Scan Attack Detector) & FWSNORT

You could use /var/lib/fwsnort/fwsnort.sh - just make sure line 1 of /etc/init.d/fwsnort points to it.

Here are the contents of my fwsnort.sh:

echo " "
echo "[+] Splicing fwsnort rules into the iptables policy..."
/sbin/iptables-restore < /etc/fwsnort/fwsnort.save
echo "    Done."

echo " "
exit

I think the fwsnort.save file is created by running:

/usr/sbin/fwsnort --update-rules

I use a cron job to run /usr/local/update-fwsnort:

#!/bin/bash
# update fwsnort & psad signatures
/usr/sbin/fwsnort --update-rules
/usr/sbin/fwsnort
/etc/fwsnort/fwsnort.sh
echo "fwsnort signatures updated"
psad --sig-update
psad -H
echo "psad signatures updated"

(in your case edit the location in the script above for fwsnort.sh)


#4 2012-06-17 15:25:26

Tunafish
#! Die Hard
From: the Netherlands
Registered: 2010-03-07
Posts: 1,204

Re: Arno-Iptables-Firewall with PSAD (Port Scan Attack Detector) & FWSNORT

tradetaxfree wrote:

You could use /var/lib/fwsnort/fwsnort.sh - just make sure line 1 of /etc/init.d/fwsnort points to it.

Thanks, it's the same file....

Now I've got things running and I receive this warning e-mail:

[-] You may just need to add a default logging rule to the /sbin/ip6tables
    'filter' 'INPUT' chain on nn-laptop.  For more information,
    see the file "FW_HELP" in the psad sources directory or visit:

    http://www.cipherdyne.org/psad/docs/fwconfig.html


#5 2012-06-17 15:36:18

tradetaxfree
#! CrunchBanger
Registered: 2011-03-05
Posts: 122

Re: Arno-Iptables-Firewall with PSAD (Port Scan Attack Detector) & FWSNORT

I think I had the "Exceeded max disk utilization" error previously when /var filled up. Do you have free space in /var ? Perhaps the logfile in /var/log/psad/errs will also provide some clues ?


#6 2012-06-17 15:41:26

Tunafish
#! Die Hard
From: the Netherlands
Registered: 2010-03-07
Posts: 1,204

Re: Arno-Iptables-Firewall with PSAD (Port Scan Attack Detector) & FWSNORT

tradetaxfree wrote:

I think I had the "Exceeded max disk utilization" error previously when /var filled up. Do you have free space in /var ? Perhaps the logfile in /var/log/psad/errs will also provide some clues ?

There should be plenty of space on /var...
I'll reboot and see what error will be next.


No more errors, but how do I check if it's working?

Last edited by Tunafish (2012-06-17 15:52:09)


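One read-only way to answer "how do I check if it's working?", as an added example that is not part of the thread: summarise the firewall log that PSAD watches (the IPT_SYSLOG_FILE set in the howto) by source address and distinct destination ports, which is the same signal psad -S reports as a scan. The "AIF:Dropped INPUT packet:" log prefix is assumed from Arno's firewall; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): a read-only look at the firewall log
# PSAD watches (IPT_SYSLOG_FILE). It groups netfilter LOG lines by source and
# counts distinct destination ports, the signal psad -S turns into a scan report.

# Print "SRC distinct_ports packets" for each source that hit at least
# MIN_PORTS (default 5) distinct destination ports, busiest first.
# Usage: scan_summary LOGFILE [MIN_PORTS]
scan_summary() {
    awk -v min="${2:-5}" '
        /SRC=/ && /DPT=/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "" || dpt == "") next
            pkts[src]++
            if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
        }
        END { for (s in ports) if (ports[s] >= min) print s, ports[s], pkts[s] }
    ' "$1" | sort -k2,2nr
}

# Constructed sample log: one host sweeping six ports, another retrying SSH.
# The "AIF:Dropped INPUT packet:" prefix is assumed from Arno's firewall; the
# key=value fields are the standard netfilter LOG format that psad parses.
write_sample_log() {
    cat > "$1" <<'EOF'
Jun 17 15:50:01 nn-laptop kernel: AIF:Dropped INPUT packet: IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.5 PROTO=TCP SPT=43210 DPT=21 SYN
Jun 17 15:50:01 nn-laptop kernel: AIF:Dropped INPUT packet: IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.5 PROTO=TCP SPT=43211 DPT=22 SYN
Jun 17 15:50:01 nn-laptop kernel: AIF:Dropped INPUT packet: IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.5 PROTO=TCP SPT=43212 DPT=23 SYN
Jun 17 15:50:02 nn-laptop kernel: AIF:Dropped INPUT packet: IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.5 PROTO=TCP SPT=43213 DPT=25 SYN
Jun 17 15:50:02 nn-laptop kernel: AIF:Dropped INPUT packet: IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.5 PROTO=TCP SPT=43214 DPT=80 SYN
Jun 17 15:50:02 nn-laptop kernel: AIF:Dropped INPUT packet: IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.5 PROTO=TCP SPT=43215 DPT=443 SYN
Jun 17 15:51:10 nn-laptop kernel: AIF:Dropped INPUT packet: IN=eth0 OUT= SRC=192.168.1.30 DST=192.168.1.5 PROTO=TCP SPT=50001 DPT=22 SYN
Jun 17 15:51:14 nn-laptop kernel: AIF:Dropped INPUT packet: IN=eth0 OUT= SRC=192.168.1.30 DST=192.168.1.5 PROTO=TCP SPT=50002 DPT=22 SYN
EOF
}

LOG=$(mktemp)
write_sample_log "$LOG"
scan_summary "$LOG" 5   # prints: 192.168.1.20 6 6
rm -f "$LOG"
```

Run it against the real log as root with a higher MIN_PORTS if the summary is noisy; a source that shows up here but not in psad -S points at the IPT_SYSLOG_FILE or rsyslog mismatch described in the first post.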
