Reference: http://www.cipherdyne.org/psad/
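# Download the latest version of psad from http://www.cipherdyne.org/psad/download/
# The original walkthrough fetched the package over plain HTTP and installed it
# without checking any signature. Use HTTPS and verify the RPM's GPG signature
# before installing anything that will run as root.
cd /tmp || exit 1
wget https://www.cipherdyne.org/psad/download/psad-2.1.4-1.i386.rpm
# Import the maintainer's public key first (see the project download page); until
# it is imported, --checksig reports the package as NOT OK / missing key and the
# install is skipped.
rpm --checksig psad-2.1.4-1.i386.rpm || { echo "psad RPM signature check failed; aborting" >&2; exit 1; }
rpm -Uvh psad-2.1.4-1.i386.rpm
# Plain file: -f is enough, -r is not needed.
rm -f psad-2.1.4-1.i386.rpm
# Keep a pristine copy of the shipped config before editing it.
cp -a /etc/psad/psad.conf /etc/psad/psad.conf.orig
vi /etc/psad/psad.conf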
# Adjust the values as shown
######
# Alert recipients; psad hands these to the mail command it is configured to use.
EMAIL_ADDRESSES you@domain1.com, you@domain2.com;
HOSTNAME example.com;
# If there is only one network interface on the box, then just set this variable to "NOT_USED".
HOME_NET NOT_USED;
# 1 is the lowest of psad's danger levels, so every detected scan produces an e-mail;
# expect a noisy inbox on an Internet-facing host and raise this if it floods.
EMAIL_ALERT_DANGER_LEVEL 1;
# NOTE(review): auto-blocking at danger level 1 means a single low-grade scan gets its
# source blocked in iptables. Scan sources can be spoofed, so this lets an attacker get
# legitimate peers (DNS, monitoring, your own admin hosts) blocked. Consider a higher
# AUTO_IDS_DANGER_LEVEL and whitelist critical hosts in /etc/psad/auto_dl before
# enabling this.
ENABLE_AUTO_IDS Y;
AUTO_IDS_DANGER_LEVEL 1;
ENABLE_SCAN_ARCHIVE Y;
# Presumably the fill level of the filesystem holding the archive at which psad stops
# archiving; the cleanup cron job later in this walkthrough keeps it from being reached.
DISK_MAX_PERCENTAGE 85;
# N leaves the existing iptables policy alone when psad starts; Y would flush it.
FLUSH_IPT_AT_INIT N;
#######
# Add the CIDR value of a private network interface card in HOME_NET if you are using one. Not required if you have a single public interface.
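# Automate signature updates
crontab -e
###
# Nightly: fetch the latest psad signature set, then restart psad only if the
# download succeeded (the && keeps a failed update from triggering a restart).
# --sig-update retrieves signatures over the network, so treat it like any other
# unauthenticated download and check the psad log for parse errors after a restart.
0 0 * * * /usr/sbin/psad --sig-update && /sbin/service psad restart
###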
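# Ensure that /bin/mail exists, or create a symbolic link /bin/mail pointing to your
# mail executable. psad invokes it as a mail(1)-style command.
# e.g.
ln -s /usr/lib/sendmail /bin/mail
# NOTE(review): sendmail(8) is an MTA, not mail(1); it does not accept mail(1)'s
# "-s subject" arguments, so this particular symlink is unlikely to deliver psad
# alerts. Prefer installing the distribution's mailx package (which provides
# /bin/mail) and confirm delivery with a test alert before relying on e-mail.
# Pull the current signature set before the first start; the original order started
# psad first, leaving it on the packaged signatures until the next restart.
/usr/sbin/psad --sig-update
/etc/rc.d/init.d/psad start
# Start psad at boot.
/sbin/chkconfig psad on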
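# Check psad statistics after 5-10 minutes by running this command
/usr/sbin/psad --Status
# Set up a cron job to delete psad scan archives older than 7 days
crontab -e
# -mindepth 1 stops find from matching scan_archive itself (the original pipeline
# removed the whole archive directory once no new scan had touched it for 7 days);
# -prune keeps find out of directories it is about to delete; -exec ... {} + avoids
# the unquoted xargs pipeline, which breaks on names containing whitespace.
0 0 * * * find /var/log/psad/scan_archive -mindepth 1 -type d -mtime +7 -prune -exec rm -rf -- {} +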
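# Fwsnort installation
# Reference: http://www.cipherdyne.org/fwsnort
# Download fwsnort from http://www.cipherdyne.org/fwsnort/download/
# Same caveat as for psad: the tarball was fetched over plain HTTP and install.pl
# runs as root. Fetch over HTTPS and verify the release against a published
# checksum or detached signature (if the project provides one) before unpacking.
cd /tmp || exit 1
wget https://www.cipherdyne.org/fwsnort/download/fwsnort-1.0.5.tar.gz
# TODO(review): verify fwsnort-1.0.5.tar.gz here before running install.pl.
tar zxvf fwsnort-1.0.5.tar.gz
cd /tmp/fwsnort-1.0.5 || exit 1
perl install.pl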
# Keep a pristine copy of the shipped config before editing it.
cp -a /etc/fwsnort/fwsnort.conf /etc/fwsnort/fwsnort.conf.orig
vi /etc/fwsnort/fwsnort.conf
######
# Modify the uname location as follows (presumably fwsnort shells out to it to
# identify the running kernel).
unameCmd /bin/uname;
######
# Add the CIDR value of a private network interface card to HOME_NET in
# /etc/fwsnort/fwsnort.conf if you are using one. Not required if you have a single public interface.
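# First pass: translate the Snort rules into a Netfilter policy (see fwsnort(8) for
# what --no-ipt-sync does to the translation).
/usr/sbin/fwsnort --no-ipt-sync --verbose
# Check the log file for errors and correct them before going further
tail -f /var/log/fwsnort.log
# If you encounter the following messages:
###
#[*] It does not appear that string match support has been compiled into
# Netfilter. Fwsnort will not be of very much use without this.
# ** NOTE: If you want to have fwsnort generate a Netfilter policy
# anyway, specify the --no-ipt-test option. Exiting.
#[root@extranet tmp]# tail -f /var/log/fwsnort.log
#[-] Netfilter ipv4options extension not available, disabling ipopts translation.
###
# The ipv4options line is only a warning (IP-option rules are skipped). The string
# match message is the one that matters: fwsnort's payload matches depend on the
# Netfilter string match extension, and --no-ipt-test merely skips the probe. If the
# kernel really lacks the extension, the generated fwsnort.sh will fail to load those
# rules (or load a policy that does not inspect payloads). Confirm the extension is
# present, e.g. `iptables -m string --help`, before falling back to --no-ipt-test.
# Update signatures (downloads the Snort rule set over the network)
/usr/sbin/fwsnort --update-rules
# Then regenerate the policy, skipping the string match probe
/usr/sbin/fwsnort --no-ipt-test --verbose
# Review /etc/fwsnort/fwsnort.sh before running it: it is an auto-generated script
# that modifies the live iptables policy as root.
/etc/fwsnort/fwsnort.sh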
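# Enable auto-update of firewall rules
crontab -e
# NOTE(review): this job applies a freshly generated iptables policy every night
# with no human review, and the original discarded all output, so a broken or
# hostile rule set goes live silently and a failure is invisible. At minimum keep the
# output in a log; better, regenerate nightly but apply fwsnort.sh only after review.
1 1 * * * /usr/sbin/fwsnort --no-ipt-test --verbose >> /var/log/fwsnort-cron.log 2>&1 && sh /etc/fwsnort/fwsnort.sh >> /var/log/fwsnort-cron.log 2>&1
# Enable auto-update of fwsnort signatures
crontab -e
# Runs an hour before the policy regeneration above so the new rules are picked up.
# The rule set is downloaded from the network; combined with the job above, whatever
# is served to --update-rules becomes a root-applied iptables rule the next night.
0 0 * * * /usr/sbin/fwsnort --update-rules
# Presumably so psad picks up the fwsnort-generated rules.
/etc/rc.d/init.d/psad restart
rm -f /tmp/fwsnort-1.0.5.tar.gz
rm -rf /tmp/fwsnort-1.0.5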
# Whitelisting and special danger levels for IPs and ports
Edit /etc/psad/auto_dl to whitelist hosts or to assign them an elevated danger level.
# E.g. add the IP address of your nmap/Nessus scanner to /etc/psad/auto_dl before starting a Nessus scan; otherwise auto-IDS (enabled above) will block your own scanner. Restart psad after editing the file so the change takes effect.