# PSAD: Intrusion Detection for iptables (firewall)



## lotuseclat79 (Sep 12, 2003)

PSAD or Port Scan Attack Detector is a collection of three lightweight system daemons (two main daemons and one helper daemon) that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic. A typical deployment is to run psad on the iptables firewall where it has the fastest access to log data.

PSAD information is here including Download, Documentation, Features, Source Code, and Mailing List links.

PSAD is designed to work with ipchains Linux kernels 2.2.x, and iptables in Linux kernels 2.4.x and later to detect port scans.

PSAD features a set of highly configurable danger thresholds (with sensible defaults provided), verbose alert messages that include the source, destination, scanned port range, begin and end times, TCP flags and corresponding nmap options (Linux 2.4.x kernels only), reverse DNS info, email alerting, and automatic blocking of offending IP addresses via dynamic configuration of ipchains/iptables firewall rulesets. In addition, for the 2.4.x kernels psad incorporates many of the TCP signatures included in Snort to detect highly suspect scans.

Note the Linux Firewalls book here which can be purchased there at a 30% discount.

-- Tom

P.S. I highly recommend consulting the Wikipedia Netfilter/iptables webpage here for more information about iptables, esp. the diagrams at the bottom of the webpage.
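To make the description above concrete, here is a small added example of the kind of analysis psad performs: it is not psad's own code and not part of the original post. It parses the syslog lines the iptables LOG target writes, groups them by source address, reports the scanned port range, begin/end times and TCP flags, maps a uniform flag set to the nmap option that produces it (assumed standard nmap semantics), assigns a danger level from packet counts, and prints the DROP rule an auto-block would add. The danger-level thresholds, the "stealth scans are always at least level 1" policy, the plain INPUT-chain block rule (psad manages its own chains) and every log line and address are constructed for the example; reverse DNS lookups and email alerting are left out so it runs offline.

```python
"""Toy port-scan detector over iptables LOG lines (added example, not psad code)."""
import re
from collections import defaultdict

# Constructed template in the syslog format the kernel LOG target emits:
# KEY=VALUE fields plus bare-word TCP flags ("SYN", "FIN PSH URG", ...).
LOG_TEMPLATE = ("{ts} fw kernel: IN=eth0 OUT= MAC=00:0c:29:3e:1a:2b:00:50:56:c0:00:08:08:00 "
                "SRC={src} DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID={pid} "
                "PROTO=TCP SPT={spt} DPT={dpt} WINDOW=1024 RES=0x00 {flags} URGP=0")

FLAG_NAMES = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")
KV_RE = re.compile(r"^(\w+)=(.*)$")

# Uniform flag set -> nmap option (assumed standard nmap scan semantics).
SCAN_TYPES = {
    frozenset({"SYN"}): "-sS",
    frozenset(): "-sN",
    frozenset({"FIN"}): "-sF",
    frozenset({"FIN", "PSH", "URG"}): "-sX",
    frozenset({"ACK"}): "-sA",
}
STEALTH = {"-sN", "-sF", "-sX"}

# Example packet-count thresholds for danger levels 1..5 (assumed values;
# psad's real thresholds are configurable in its psad.conf).
DANGER_LEVELS = (5, 15, 150, 1500, 10000)


def build_sample_log():
    """Constructed log: one SYN sweep, one Xmas probe burst, one stray SYN, one non-firewall line."""
    lines = []
    for i, dpt in enumerate((21, 22, 23, 25, 80, 110, 143, 443)):   # nmap -sS style sweep
        lines.append(LOG_TEMPLATE.format(ts="Jan 20 10:15:%02d" % i, src="203.0.113.5",
                                         pid=100 + i, spt=40000 + i, dpt=dpt, flags="SYN"))
    for i, dpt in enumerate((22, 80, 443)):                          # FIN/PSH/URG (Xmas) probes
        lines.append(LOG_TEMPLATE.format(ts="Jan 20 10:16:%02d" % i, src="198.51.100.9",
                                         pid=200 + i, spt=50000 + i, dpt=dpt, flags="FIN PSH URG"))
    lines.append(LOG_TEMPLATE.format(ts="Jan 20 10:17:00", src="192.0.2.10",  # single dropped SYN
                                     pid=300, spt=60000, dpt=22, flags="SYN"))
    lines.append("Jan 20 10:17:05 fw sshd[123]: Accepted publickey for admin from 192.0.2.20")
    return lines


def parse_log_line(line):
    """Return the fields of an iptables LOG line as a dict, or None for any other syslog line."""
    if " kernel: " not in line or "SRC=" not in line or "DPT=" not in line:
        return None
    tokens = line.split()
    fields = {"timestamp": " ".join(tokens[:3])}   # syslog "Mon DD HH:MM:SS" prefix
    flags = set()
    for tok in tokens:
        m = KV_RE.match(tok)
        if m:
            fields[m.group(1)] = m.group(2)
        elif tok in FLAG_NAMES:
            flags.add(tok)
    fields["flags"] = frozenset(flags)
    return fields


def danger_level(packet_count, scan):
    """Count-based level; example policy bumps any stealth scan to at least level 1."""
    level = sum(1 for threshold in DANGER_LEVELS if packet_count >= threshold)
    if level == 0 and scan in STEALTH:
        level = 1
    return level


def analyze(lines):
    """Group TCP LOG lines by source and return one alert per source that reaches a danger level."""
    per_src = defaultdict(list)
    for line in lines:
        fields = parse_log_line(line)
        if fields and fields.get("PROTO") == "TCP":
            per_src[fields["SRC"]].append(fields)
    alerts = []
    for src, pkts in sorted(per_src.items()):
        ports = sorted({int(p["DPT"]) for p in pkts})
        flag_sets = {p["flags"] for p in pkts}
        # One flag combination across the burst is the nmap fingerprint; mixed bursts are not guessed.
        uniform = next(iter(flag_sets)) if len(flag_sets) == 1 else None
        scan = SCAN_TYPES.get(uniform, "unknown") if uniform is not None else "mixed"
        level = danger_level(len(pkts), scan)
        if level == 0:
            continue
        alerts.append({
            "src": src, "dst": pkts[0]["DST"], "packets": len(pkts),
            "ports": "%d-%d" % (ports[0], ports[-1]), "distinct_ports": len(ports),
            "flags": (" ".join(sorted(uniform)) or "none") if uniform is not None else "mixed",
            "nmap": scan, "danger_level": level,
            "begin": pkts[0]["timestamp"], "end": pkts[-1]["timestamp"],
            "block_rule": "iptables -I INPUT -s %s -j DROP" % src,   # simplified auto-block rule
        })
    return alerts


if __name__ == "__main__":
    for a in analyze(build_sample_log()):
        print("[alert] danger level %d: %s -> %s, %d pkts, ports %s (%d distinct), flags %s, nmap %s, %s to %s"
              % (a["danger_level"], a["src"], a["dst"], a["packets"], a["ports"],
                 a["distinct_ports"], a["flags"], a["nmap"], a["begin"], a["end"]))
        print("        would run:", a["block_rule"])
```

Feed it real lines with `analyze(open("/var/log/kern.log").read().splitlines())` once iptables has a LOG rule in place; without such a rule (`-j LOG --log-prefix`) there is nothing for psad, or this script, to read, which is why the first post recommends running psad on the firewall host itself.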


----------



## meox (Jan 20, 2008)

Hmm, interesting, a firewall for Linux. I thought Linux was OK without anything, but I was wrong I guess. I will check it out later.


----------



## lotuseclat79 (Sep 12, 2003)

Hi meox,

Linux kernels have the firewall, yes, but if you do nothing to activate firewall rules, then you are truly running naked on the Internet. Depending on where you surf, and whether or not you are port scanned and subsequently compromised - which can happen within 20 seconds of connecting to the Internet - at least Linux is somewhat safer than Windows.

-- Tom


----------



## tomdkat (May 6, 2006)

lotuseclat79 said:


> PSAD or Port Scan Attack Detector is a collection of three lightweight system daemons (two main daemons and one helper daemon) that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic. A typical deployment is to run psad on the iptables firewall where it has the fastest access to log data.
> 
> PSAD information is here including Download, Documentation, Features, Source Code, and Mailing List links.


Thanks for the info! 

Peace...


----------



## WARnux (Jun 29, 2007)

I checked my package manager and psad is there. I use Debian. Other distros probably have it as well.


----------



## lotuseclat79 (Sep 12, 2003)

WARnux said:


> I checked my package manager and psad is there. I use Debian. Other distros probably have it as well.


Hi WARnux,

Yeah, I did also, but found out that the package manager one was not the latest version. This indicates that the repository is not up to date regarding that package.

-- Tom


----------



## TeckniX (May 27, 2008)

I keep getting an error about the following from psad:
[psad-error] Exceeded max disk utilization for /var/log/psad on localhost

I've got more than 5 GB of space left, yet the error is still showing. Does anyone know why?


----------



## tomdkat (May 6, 2006)

I'm not sure if it's a space issue or not. If it is, the "/var" filesystem might be full. Run this command in a terminal window to see how much free space your filesystems have:

$ df -h

Peace...


----------



## lotuseclat79 (Sep 12, 2003)

TeckniX said:


> I keep getting an error about the following from psad:
> [psad-error] Exceeded max disk utilization for /var/log/psad on localhost
> 
> I've got more than 5 GB of space left, yet the error is still showing. Does anyone know why?


Hi TeckniX,

As I recall, there may be a configuration limit on the maximum allowed log size which you should be able to increase since you have more space. Look around or at psad's documentation on how to do that.

I think you will need to play with what size works best for you, and how much logging you need to actually turn on to detect problems.

I am not sure if you can get the logging to reuse its own space, like a circular queue, but that may be one question you can pose to the author at the CipherDyne web site.

-- Tom


----------

