psad (Port Scan Attack Detection) is an Intrusion Detection System written in Perl that analyzes iptables logs to monitor and block potential attackers who scan your system for open ports. It actively monitors the network logs, reports suspicious activity to an email address and blocks the attackers using iptables.

Even though Linux systems are hard to break into (as long as everything is up to date), you’ll feel safer if network traffic is monitored automatically and potential attackers are blocked before they even try anything.

Ubuntu desktops don’t have a firewall set up by default, so setting up a tool like psad is worth considering as a security measure.

Install psad

psad is available in the Ubuntu repositories so installing it is easy. Open a terminal and type:

sudo apt-get update
sudo apt-get install psad

During installation, it will most likely install postfix as the mail transfer agent, the software used for sending report emails when suspicious activity is detected. When prompted, select:

General type of mail configuration: Internet Site
System mail name: localhost

Configure iptables

We’re now going to set up a very basic firewall. We’re going to block all incoming traffic and only allow incoming connections on specific ports (such as ssh, ftp or web server).

To see the current iptables rules, type:

sudo iptables -S

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

If you see anything other than this, flush the rules:

sudo iptables -F

Allow local traffic (between applications):

sudo iptables -A INPUT -i lo -j ACCEPT

Allow traffic for current connections (useful when you’re doing this over ssh on a remote PC and you don’t want to get locked out now, do you):

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Allow incoming traffic for specific ports or services. The following line is an example for an ssh server running on port 22; edit the port to fit your configuration and add more lines for any other servers you have running on that computer (21 for ftp, 80 for http, 443 for https and so on):

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Start logging incoming and forwarded traffic:

sudo iptables -A INPUT -j LOG
sudo iptables -A FORWARD -j LOG
sudo ip6tables -A INPUT -j LOG
sudo ip6tables -A FORWARD -j LOG

Now block all traffic that doesn’t match a rule we accepted earlier:

sudo iptables -A INPUT -j DROP

Make sure these iptables rules are loaded every time your computer starts:

sudo apt-get install iptables-persistent
sudo service iptables-persistent restart

Configure psad

If you don’t have it already, install nano (terminal text editor):

sudo apt-get install nano

Edit the psad config file, search for these options and edit them accordingly (psad config lines are terminated with a semicolon):

EMAIL_ADDRESSES email.address@to.send.reports.to.com;
HOSTNAME localhost;
IPT_SYSLOG_FILE /var/log/syslog;

EMAIL_ALERT_DANGER_LEVEL 4;
(anything less than level 4 will fill up your inbox in no time ;)

ENABLE_IPV6_DETECTION N;
(leave this at Y if you have IPv6 configured on your computer)

ENABLE_AUTO_IDS Y;
(this will automatically block potential attackers)

AUTO_IDS_DANGER_LEVEL 4;
(set this to 5 if you only want to block very dangerous attackers)

AUTO_BLOCK_TIMEOUT 3600;
(how long an attacker is blocked, in seconds)

If psad is running on a computer other than the one you’re working from (such as a remote server), it’s best to have it ignore your IP address so you won’t get yourself blocked by the firewall in case you ever decide to run a port scan against your server.

Open the auto_dl file:

sudo nano /etc/psad/auto_dl

and add this line (replace 192.168.100.31 with your current IP address):

192.168.100.31 0;

When you’re done configuring, restart psad:

sudo service psad restart
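To make the danger-level and auto_dl settings above concrete, here is an added Python sketch (not psad’s own code or its real scoring algorithm) of what psad does with the iptables LOG lines: it groups logged packets by source address, counts distinct destination ports, maps that count to a simplified danger level, and applies an auto_dl-style list where level 0 means "never flag". The thresholds and syslog lines are constructed for the example; psad’s actual levels come from its psad.conf settings and use far more signal than port counts.

```python
import re
from collections import defaultdict

# Regex for the SRC= and DPT= fields that the iptables LOG target writes to syslog.
IPT_LOG_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")

# Constructed thresholds: (distinct destination ports, danger level).
# Illustration only; psad computes danger levels from its psad.conf settings.
PORT_COUNT_LEVELS = ((1, 1), (5, 2), (15, 3), (50, 4), (200, 5))

def parse_auto_dl(text):
    """Parse auto_dl-style lines 'IP level;' into {ip: level}; level 0 = ignore."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";")
        if line:
            ip, level = line.split()
            entries[ip] = int(level)
    return entries

def danger_level(distinct_ports):
    """Highest level whose threshold the distinct-port count reaches (0 if none)."""
    level = 0
    for threshold, lvl in PORT_COUNT_LEVELS:
        if distinct_ports >= threshold:
            level = lvl
    return level

def scan_report(syslog_text, auto_dl, auto_ids_level=4):
    """Return {src: (distinct_ports, level, blocked)} for every logged source."""
    ports = defaultdict(set)
    for line in syslog_text.splitlines():
        m = IPT_LOG_RE.search(line)
        if m:
            ports[m["src"]].add(int(m["dpt"]))
    report = {}
    for src, dpts in ports.items():
        level = auto_dl.get(src, danger_level(len(dpts)))  # auto_dl entry wins
        report[src] = (len(dpts), level, level >= auto_ids_level)
    return report

# Constructed sample syslog lines (not captured traffic): 203.0.113.5 probes 60
# ports, 198.51.100.7 makes one connection, and the admin's own 192.168.100.31
# also probes 60 ports but is listed in auto_dl with level 0, so it is never blocked.
LINE = ("Mar  3 10:15:01 ubuntu kernel: [  101.0] IN=eth0 OUT= SRC={src} "
        "DST=192.168.100.1 LEN=44 TTL=64 PROTO=TCP SPT=40000 DPT={dpt} SYN URGP=0")
SAMPLE_SYSLOG = "\n".join(
    [LINE.format(src="203.0.113.5", dpt=p) for p in range(1, 61)]
    + [LINE.format(src="198.51.100.7", dpt=80)]
    + [LINE.format(src="192.168.100.31", dpt=p) for p in range(1, 61)])
SAMPLE_AUTO_DL = "192.168.100.31 0;\n"

if __name__ == "__main__":
    for src, (n, lvl, blocked) in scan_report(SAMPLE_SYSLOG, parse_auto_dl(SAMPLE_AUTO_DL)).items():
        print(f"{src:16} ports={n:3} level={lvl} blocked={blocked}")
```

Only exact IP matches are honoured here; psad’s auto_dl also accepts networks in CIDR notation.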

Everything should be good to go. For testing purposes, run a test port scan (replace the IP address with the address of the computer psad is running on):

sudo nmap -PN -sS 192.168.100.1

While the scan is in progress, check the psad status; you should see a whole bunch of warnings:

sudo psad -S

HowTo Block Network Intrusion Attempts on Ubuntu with psad