PSAD Setup


1. Install PSAD

$ sudo apt-get install psad -y

2. Configure PSAD

$ sudo vi /etc/psad/psad.conf
HOSTNAME                    octaviadata;
EMAIL_ALERT_DANGER_LEVEL    3;
ENABLE_AUTO_IDS             Y;
AUTO_IDS_DANGER_LEVEL       3;
AUTO_BLOCK_TIMEOUT          0;
$ sudo vi /etc/ufw/before.rules
# custom psad logging directives
-A INPUT -j LOG --log-tcp-options --log-prefix "[IPTABLES]"
-A FORWARD -j LOG --log-tcp-options --log-prefix "[IPTABLES]"

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
$ sudo vi /etc/ufw/before6.rules
# custom psad logging directives
-A INPUT -j LOG --log-tcp-options --log-prefix "[IPTABLES]"
-A FORWARD -j LOG --log-tcp-options --log-prefix "[IPTABLES]"

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
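Step 2 edits two files by hand. The shell script below is an added example, not part of the original page: it applies the same psad.conf values to a copy of the config and inserts the same LOG directives ahead of the final COMMIT in a copy of ufw's before.rules, then checks the result. The two input files are constructed excerpts written to a temp directory, and the function names (set_psad_option, get_psad_option, add_psad_log_rules, check_psad_log_rules) are mine; point PSAD_CONF and BEFORE_RULES at the real files to use it on a host.

```shell
#!/bin/sh
# Added example, not part of the original page: apply the step-2 psad.conf
# settings to a copy of the config and make sure a copy of ufw's before.rules
# carries the psad LOG directives ahead of its final COMMIT. Both input files
# are constructed excerpts under a temp directory, so nothing in /etc is
# touched; point PSAD_CONF / BEFORE_RULES at the real files to use it for real.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PSAD_CONF="$WORK/psad.conf"
BEFORE_RULES="$WORK/before.rules"

# Constructed excerpt of a stock psad.conf (the real file is far longer).
cat > "$PSAD_CONF" <<'EOF'
### Machine hostname
HOSTNAME                    _CHANGEME_;
EMAIL_ALERT_DANGER_LEVEL    1;
ENABLE_AUTO_IDS             N;
AUTO_IDS_DANGER_LEVEL       5;
AUTO_BLOCK_TIMEOUT          3600;
EOF

# Constructed excerpt of /etc/ufw/before.rules without the LOG directives.
cat > "$BEFORE_RULES" <<'EOF'
*filter
:ufw-before-input - [0:0]
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
EOF

# set_psad_option FILE KEY VALUE: rewrite the "KEY    value;" line in place,
# or append one when KEY is absent (keeps the value at column 29 as psad.conf does).
set_psad_option() {
    file="$1"; key="$2"; value="$3"
    line="$(printf '%-28s%s;' "$key" "$value")"
    if grep -q "^$key[[:space:]]" "$file"; then
        sed "s|^$key[[:space:]].*|$line|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s\n' "$line" >> "$file"
    fi
}

# get_psad_option FILE KEY: print the value of KEY without the trailing ';'.
get_psad_option() {
    awk -v k="$2" '$1 == k { sub(/;$/, "", $2); print $2 }' "$1"
}

# add_psad_log_rules FILE: insert the INPUT/FORWARD LOG directives just before
# the "don't delete the 'COMMIT' line" comment (or before the last COMMIT
# itself). Idempotent: a file that already has them is left alone.
add_psad_log_rules() {
    file="$1"
    if grep -q 'log-prefix "\[IPTABLES\]"' "$file"; then
        return 0
    fi
    awk '
        { lines[NR] = $0; if ($0 == "COMMIT") last = NR }
        END {
            at = last
            if (at > 1 && lines[at - 1] ~ /^# don.t delete the .COMMIT. line/) at = at - 1
            for (i = 1; i <= NR; i++) {
                if (i == at) {
                    print "# custom psad logging directives"
                    print "-A INPUT -j LOG --log-tcp-options --log-prefix \"[IPTABLES]\""
                    print "-A FORWARD -j LOG --log-tcp-options --log-prefix \"[IPTABLES]\""
                    print ""
                }
                print lines[i]
            }
        }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# check_psad_log_rules FILE: succeed only if both LOG directives are present
# and sit above the last COMMIT, i.e. inside a table iptables-restore will load.
check_psad_log_rules() {
    awk '
        /^-A INPUT .*-j LOG .*log-prefix "\[IPTABLES\]"/   { in_ln = NR }
        /^-A FORWARD .*-j LOG .*log-prefix "\[IPTABLES\]"/ { fw_ln = NR }
        $0 == "COMMIT" { commit_ln = NR }
        END { exit (in_ln && fw_ln && in_ln < commit_ln && fw_ln < commit_ln) ? 0 : 1 }
    ' "$1"
}

# Apply the values from step 2.
set_psad_option "$PSAD_CONF" HOSTNAME octaviadata
set_psad_option "$PSAD_CONF" EMAIL_ALERT_DANGER_LEVEL 3
set_psad_option "$PSAD_CONF" ENABLE_AUTO_IDS Y
set_psad_option "$PSAD_CONF" AUTO_IDS_DANGER_LEVEL 3
set_psad_option "$PSAD_CONF" AUTO_BLOCK_TIMEOUT 0
add_psad_log_rules "$BEFORE_RULES"

echo "== psad.conf =="; cat "$PSAD_CONF"
echo "== before.rules =="; cat "$BEFORE_RULES"
check_psad_log_rules "$BEFORE_RULES" && echo "LOG directives OK"
```

Two things about these values worth knowing before copying them: with ENABLE_AUTO_IDS set to Y and AUTO_IDS_DANGER_LEVEL 3, psad adds its own iptables blocking rules for any source that reaches danger level 3, and AUTO_BLOCK_TIMEOUT 0 means those rules never expire on their own (they stay until removed, e.g. with psad --Flush). The single source in the status output below is at DL 2, so it has not been blocked yet.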

3. Reload and update

$ sudo psad --sig-update
$ sudo psad -R

4. PSAD status

/psadwatchd.pid does not exist for psadwatchd ???

$ sudo psad -S
[-] psad: pid file /var/run/psad/psadwatchd.pid does not exist for psadwatchd on octaviadata
[+] psad_fw_read (pid: 4379)  %CPU: 0.0  %MEM: 0.0
    Running since: Fri Dec 21 13:40:51 2018

[+] psad (pid: 4369)  %CPU: 0.0  %MEM: 0.0
    Running since: Fri Dec 21 13:40:51 2018
    Command line arguments: [none specified]
    Alert email address(es): root@localhost

[+] Version: psad v2.4.3

[+] Top 50 signature matches:
      "MISC Radmin Default install options attempt" (tcp),  Count: 3,  Unique sources: 1,  Sid: 100204

[+] Top 25 attackers:
      122.170.109.170 DL: 2, Packets: 3, Sig count: 3

[+] Top 20 scanned ports:
      tcp 25    25 packets
      tcp 8545  3 packets
      tcp 4899  3 packets
      tcp 61869 1 packets
      tcp 23    1 packets
      tcp 39721 1 packets
      tcp 3880  1 packets
      tcp 1200  1 packets
      tcp 10286 1 packets
      tcp 39134 1 packets
      tcp 32227 1 packets
      tcp 3359  1 packets
      tcp 55742 1 packets
      tcp 23524 1 packets
      tcp 27019 1 packets
      tcp 39723 1 packets
      tcp 23642 1 packets
      tcp 3306  1 packets
      tcp 111   1 packets
      tcp 4107  1 packets

      udp 36886 1 packets

[+] iptables log prefix counters:
      "[UFW BLOCK]": 63

    Total protocol packet counters:
       icmp6: 2 pkts
         tcp: 60 pkts
         udp: 1 pkts

[+] IP Status Detail:

SRC:  122.170.109.170, DL: 2, Dsts: 1, Pkts: 3, Total protocols: 1, Unique sigs: 1, Email alerts: 3

    DST: 51.68.206.148
        Scanned ports: TCP 4899, Pkts: 3, Chain: INPUT, Intf: eno3
        Total scanned IP protocols: 1, Chain: INPUT, Intf: eno3
        Signature match: "MISC Radmin Default install options attempt"
            TCP, Chain: INPUT, Count: 1, DP: 4899, SYN, Sid: 100204

    Total scan sources: 1
    Total scan destinations: 1

[+] These results are available in: /var/log/psad/status.out
$ sudo iptables -L
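The "Top scanned ports", "Top attackers" and "iptables log prefix counters" sections of the status output above are tallies over the kernel log lines that the step-2 LOG directives produce. The script below is an added example, not part of the original page or of psad itself: it reads constructed sample log lines in the standard iptables LOG format (the addresses and ports echo the status output; the second and third sources, the MAC field and the timestamps are made up), counts pure SYN packets per destination port and per source, counts hits per log prefix, and lists the sources at or above a SYN-count threshold. It counts regardless of prefix because, as the status output shows, psad also reads ufw's own [UFW BLOCK] lines. The function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original page: tally what the step-2 LOG
# directives give psad to work with. From kernel log lines in iptables LOG
# format, count pure SYN packets per destination port and per source, and
# count hits per log prefix; these are the raw numbers behind psad's
# "Top scanned ports", "Top attackers" and "iptables log prefix counters".
# The log lines are constructed samples (addresses and ports echo the
# status output, the rest is made up).
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
LOGFILE="$WORK/kern.log"

cat > "$LOGFILE" <<'EOF'
Dec 21 13:41:02 octaviadata kernel: [IPTABLES]IN=eno3 OUT= MAC=00:16:3e:aa:bb:cc:52:54:00:12:34:56:08:00 SRC=122.170.109.170 DST=51.68.206.148 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=40001 PROTO=TCP SPT=52001 DPT=4899 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B4)
Dec 21 13:41:03 octaviadata kernel: [IPTABLES]IN=eno3 OUT= MAC=00:16:3e:aa:bb:cc:52:54:00:12:34:56:08:00 SRC=122.170.109.170 DST=51.68.206.148 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=40002 PROTO=TCP SPT=52002 DPT=4899 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B4)
Dec 21 13:41:05 octaviadata kernel: [IPTABLES]IN=eno3 OUT= MAC=00:16:3e:aa:bb:cc:52:54:00:12:34:56:08:00 SRC=122.170.109.170 DST=51.68.206.148 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=40003 PROTO=TCP SPT=52003 DPT=4899 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B4)
Dec 21 13:42:10 octaviadata kernel: [IPTABLES]IN=eno3 OUT= MAC=00:16:3e:aa:bb:cc:52:54:00:12:34:56:08:00 SRC=198.51.100.23 DST=51.68.206.148 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=7 PROTO=TCP SPT=33333 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 21 13:42:11 octaviadata kernel: [IPTABLES]IN=eno3 OUT= MAC=00:16:3e:aa:bb:cc:52:54:00:12:34:56:08:00 SRC=198.51.100.23 DST=51.68.206.148 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=8 PROTO=TCP SPT=33334 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 21 13:42:30 octaviadata kernel: [UFW BLOCK] IN=eno3 OUT= MAC=00:16:3e:aa:bb:cc:52:54:00:12:34:56:08:00 SRC=203.0.113.9 DST=51.68.206.148 LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=9 PROTO=TCP SPT=44444 DPT=8545 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 21 13:43:00 octaviadata kernel: [IPTABLES]IN=eno3 OUT= MAC=00:16:3e:aa:bb:cc:52:54:00:12:34:56:08:00 SRC=203.0.113.9 DST=51.68.206.148 LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=10 PROTO=TCP SPT=44445 DPT=25 WINDOW=0 RES=0x00 ACK URGP=0
Dec 21 13:43:20 octaviadata kernel: [IPTABLES]IN=eno3 OUT= MAC=00:16:3e:aa:bb:cc:52:54:00:12:34:56:08:00 SRC=203.0.113.9 DST=51.68.206.148 LEN=48 TOS=0x00 PREC=0x00 TTL=47 ID=11 PROTO=UDP SPT=53012 DPT=36886 LEN=28
EOF

# syn_by_port LOGFILE: "port count" for pure SYN (no ACK) TCP packets per
# destination port, largest count first; ties ordered by port number.
syn_by_port() {
    awk '/ PROTO=TCP / && / SYN / && !/ ACK / {
            for (i = 1; i <= NF; i++) if ($i ~ /^DPT=/) n[substr($i, 5)]++
        }
        END { for (p in n) print p, n[p] }' "$1" | sort -k2,2nr -k1,1n
}

# syn_by_src LOGFILE: the same tally keyed on the source address.
syn_by_src() {
    awk '/ PROTO=TCP / && / SYN / && !/ ACK / {
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++
        }
        END { for (s in n) print s, n[s] }' "$1" | sort -k2,2nr -k1,1
}

# prefix_counts LOGFILE: packets logged per --log-prefix, e.g. "[UFW BLOCK] 1".
# The prefix is whatever sits in [...] right after "kernel: ".
prefix_counts() {
    awk 'match($0, /kernel: \[[^]]*\]/) {
            c[substr($0, RSTART + 8, RLENGTH - 8)]++
        }
        END { for (p in c) print p, c[p] }' "$1" | sort
}

# sources_at_or_above LOGFILE N: sources with at least N pure SYN packets,
# the kind of per-source threshold psad uses when it assigns a danger level.
sources_at_or_above() {
    syn_by_src "$1" | awk -v n="$2" '$2 >= n { print $1 }'
}

echo "== SYN packets per destination port =="; syn_by_port "$LOGFILE"
echo "== SYN packets per source =="; syn_by_src "$LOGFILE"
echo "== iptables log prefix counters =="; prefix_counts "$LOGFILE"
echo "== sources with 2 or more SYNs =="; sources_at_or_above "$LOGFILE" 2
```

Only pure SYN packets are counted (the ACK-only line to port 25 and the UDP line are skipped), which is why the totals here are smaller than the per-protocol packet counters psad prints; those count every logged packet.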