Dhammapada

A deed is not well done if one suffers after doing it, if one bears the consequences sobbing and with tears streaming down one's face. But a deed is well done if one does not suffer after doing it, if one experiences the consequences smiling and contented.


Introduction

psad and fwsnort are a pair of lightweight tools which, together, can serve as an effective network intrusion detection system (NIDS) built on iptables.

psad is a set of lightweight daemons that monitor the iptables log for port scans and other suspicious activity. psad can also respond actively and can be configured to automatically blacklist offending IP addresses.

fwsnort, as the name implies, converts Snort rules into iptables rules. fwsnort first examines your current firewall policy and only generates rules for traffic the firewall accepts. By default fwsnort logs matching traffic, and psad, as above, monitors the logs.

Both tools, psad and fwsnort, assume you understand iptables or at least can configure iptables. If you need a quick review of iptables see my iptables page or another online reference.

Note: Most of these commands are run as root.

Install psad

psad is in the Debian, Fedora, and Ubuntu repositories and you may install psad with apt-get / yum.

The disadvantage of installing from the repositories is that Debian/Ubuntu pull in a number of extra dependencies (bastille) and, in the case of Fedora 13, the psad package has a few bugs.

IMO it is almost as easy to simply install from "source". This is essentially running a Perl script and answering a few questions.

Install the perl dependencies

Although the dependencies are the same, the package names vary between deb and rpm systems. gcc is required to compile parts of psad, and wget is used by psad (--sig-update) and fwsnort (--update-rules) to fetch their respective rule sets.

Debian / Ubuntu

Using any method, install the following packages:

sudo apt-get -y install libcarp-clan-perl libdate-calc-perl \
libiptables-chainmgr-perl libiptables-parse-perl libnet-ipv4addr-perl \
libunix-syslog-perl libbit-vector-perl gcc wget

Fedora

Using any method, install the following packages:

yum install -y perl-Bit-Vector perl-Carp-Clan \
perl-Date-Calc perl-IPTables-ChainMgr perl-IPTables-Parse \
perl-Net-IPv4Addr perl-Unix-Syslog wget libbsd-devel gcc

Or, for the lazy typist, let yum pull in the dependencies via the packaged psad and then remove only the psad package itself (the dependencies stay installed):

yum -y install psad wget libbsd-devel gcc
yum -y remove psad

Download and install psad

Download the psad source code ( tar.gz ) from the psad project site.

Extract the archive and install

tar xvf psad-2.1.5.tar.gz
cd psad-2.1.5

#Debian / Ubuntu (sudo)
sudo ./install.pl

# Fedora (su)
su -c ./install.pl

You will be asked a few questions, you may accept the defaults.

Personally, I disable email alerts, so the only answers I change are:

Would you like alerts sent to a different address ([y]/n)? n


Install fwsnort

With both Debian and Ubuntu you may install fwsnort from the repositories (fwsnort is not in the Fedora repositories):

sudo apt-get install fwsnort

Personally, I find fwsnort just as easy to install from source.

Download the fwsnort source code ( tar.gz ) from the fwsnort project site and install it the same way as psad:

tar xvf fwsnort-1.1.tar.gz
cd fwsnort-1.1

#Debian / Ubuntu (sudo)
sudo ./install.pl

# Fedora (su)
su -c ./install.pl

As you install, answer the questions you are asked by accepting the defaults (hit Enter).

Configure psad

Although installation was easy, we need to do some post installation configuration.

Firewall configuration

One "problem" with psad and fwsnort is that both assume you are familiar with configuring your firewall.

psad needs iptables to LOG the traffic it should examine, and where that LOG rule sits matters. If packets are logged before the rules that ACCEPT them, psad sees your legitimate connections as suspicious and, with auto blocking enabled, will block legitimate traffic. In order NOT to block legitimate traffic, first ACCEPT legitimate traffic, then LOG, then REJECT/DROP the remaining traffic.

fwsnort first analyzes your current firewall (iptables) rules and then selects only those Snort rules that apply to your open ports. For example, if port 80 (Apache) is closed, fwsnort will not load the Snort rules pertaining to HTTP traffic.

For Desktops I suggest you use ufw

ufw is installed by default on Ubuntu, to add ufw to Debian:

sudo apt-get install -y ufw

Using any editor, open /etc/ufw/before.rules

Look for the lines:

# quickly process packets for which we already have a connection
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT

Directly after them, add this line: -A ufw-before-input -j LOG --log-level warn

-A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -j LOG --log-level warn

Caveat: ufw processes before.rules ahead of the rules you add with "ufw allow", so this logs every new inbound connection, including connections to ports you have deliberately opened. On a desktop with few or no open ports that is acceptable; on a host running public services, put the LOG rule after the ACCEPT rules instead, as described under custom iptables rule sets below.

(Re)start ufw

sudo ufw disable
sudo ufw enable

Fedora comes with a default set of rules for iptables and, assuming you have not modified the default rules, you can use the following commands:

su -c 'iptables -I INPUT 5 -j LOG --log-level warn'
su -c 'service iptables save'

Custom iptables rule sets

If you use custom iptables rules or are on a server, first ACCEPT all the legitimate traffic, next LOG, then DROP/REJECT. If you LOG first, psad sees your legitimate connections and will block legitimate traffic.

Sample iptables rules; note the LOG before dropping packets.

# 1. ACCEPT everything legitimate
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 1/sec -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ... ACCEPT rules for the services you offer (ssh, http, ...) go here
# 2. LOG what is left: this is what psad reads
iptables -A INPUT -j LOG --log-level warn
# 3. DROP the rest
iptables -A INPUT -f -j DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
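The ordering above is easy to break when rules are added over time, so here is a check worth re-running whenever the rule set changes. It is an added example for this page (not part of psad, fwsnort or the original text): it reads the output of iptables -S for a chain and reports whether the LOG rule comes after every ACCEPT and before the first DROP/REJECT. The two rule listings embedded in it are constructed samples; the chain name is the only parameter.

```shell
#!/bin/sh
# Added example, not from the page or from psad: check that the LOG rule in a
# chain comes after every ACCEPT and before the first DROP/REJECT, the order
# the text above insists on. Reads `iptables -S <chain>` output on stdin:
#   iptables -S INPUT            | check_log_position INPUT
#   iptables -S ufw-before-input | check_log_position ufw-before-input
# Exit status 0 means the order is right; the verdict is printed either way.

check_log_position() {
    chain=${1:-INPUT}
    awk -v chain="$chain" '
    # consider only rules appended to the requested chain, in matching order
    $0 ~ ("^-A " chain " ") {
        n++
        if ($0 ~ /-j ACCEPT( |$)/) last_accept = n
        if ($0 ~ /-j LOG( |$)/ && !log_pos) log_pos = n
        if ($0 ~ /-j (DROP|REJECT)( |$)/ && !first_drop) first_drop = n
    }
    END {
        if (!log_pos) { print "FAIL: no LOG rule in " chain ", psad has nothing to read"; exit 1 }
        if (last_accept > log_pos) { print "FAIL: ACCEPT at position " last_accept " follows LOG at " log_pos ", accepted traffic is logged and psad may block it"; exit 1 }
        if (first_drop && first_drop < log_pos) { print "FAIL: DROP/REJECT at position " first_drop " precedes LOG at " log_pos ", those packets are never logged"; exit 1 }
        print "OK: LOG at position " log_pos " of " n " rules in " chain
    }'
}

# constructed listing in the recommended order: ACCEPT, then LOG, then DROP
GOOD_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/sec -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-level 4
-A INPUT -f -j DROP
-A INPUT -j DROP'

# constructed listing with LOG inserted at the top: every new ssh connection is logged
BAD_RULES='-P INPUT DROP
-A INPUT -j LOG --log-level 4
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP'

printf '%s\n' "$GOOD_RULES" | check_log_position INPUT
printf '%s\n' "$BAD_RULES" | check_log_position INPUT || :   # non-zero status is the expected verdict
```

On a ufw host the interesting chain is ufw-before-input, and with the before.rules edit above the check will report the LOG rule ahead of any ACCEPT in ufw-user-input; that is the trade-off described in the caveat, not a bug in the check.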

rsyslog and iptables Logs

All three distributions use rsyslog, but we need to make a few edits to the Fedora configuration so that kernel (iptables) messages land in /var/log/kern.log, where psad expects them.

If you are using Debian or Ubuntu, you are in luck: the default configuration already writes kernel messages to /var/log/kern.log and no edits are needed.

On Fedora, using any editor, open /etc/rsyslog.conf

Find the line:

#kern.* /dev/console

Remove the # from the front and change the log to /var/log/kern.log

kern.* /var/log/kern.log

save your changes and exit.

Next, configure the log file.

su -c "touch /var/log/kern.log"

Set selinux context

su -c "chcon system_u:object_r:var_log_t:s0 /var/log/kern.log"

Restart rsyslog

su -c "service rsyslog restart"

psad.conf

Using any editor, open /etc/psad/psad.conf

I suggest you read the configuration file as it explains the various configuration options.

The options I use are as follows:

Take note: I disabled email alerts.

HOME_NET any;       ### use this if you have multiple network cards
HOME_NET NOT_USED;  ### use this instead if you have only one network card

ALERTING_METHODS noemail;

IPT_SYSLOG_FILE /var/log/kern.log;

ENABLE_PERSISTENCE N;

SCAN_TIMEOUT 3600; ### seconds

IMPORT_OLD_SCANS Y;

ENABLE_DSHIELD_ALERTS N;

ENABLE_AUTO_IDS Y;

AUTO_IDS_DANGER_LEVEL 3;

AUTO_BLOCK_TIMEOUT 3600;

ENABLE_AUTO_IDS_REGEX Y;

AUTO_BLOCK_REGEX ESTAB;

# See : psad mailing list

ENABLE_AUTO_IDS_EMAILS N;

IPTABLES_BLOCK_METHOD Y;

FLUSH_IPT_AT_INIT N;

TCPWRAPPERS_BLOCK_METHOD Y;

DISK_MAX_PERCENTAGE 80;

Mail

psad is configured to send email alerts by default. Personally I disable them: pointing /bin/mail at /bin/true turns psad's mail command into a no-op. If you want email alerts, skip this step and keep a working mail command together with the email settings in psad.conf.

# Debian / Ubuntu / sudo
sudo ln -s /bin/true /bin/mail

#Fedora / su
su -c 'ln -s /bin/true /bin/mail'

Note: ln -s refuses to overwrite an existing /bin/mail (for example when mailx is installed). If it reports "File exists", leave the real mail command alone; ALERTING_METHODS noemail in psad.conf already keeps psad from sending mail.

Idiosyncrasies

I ran into a few small bumps with each distro.

Debian

Because the psad install script (install.pl) did not install a valid boot script, with Debian we need to configure (replace) the psad init script.

You can either write one or download the Debian init script from my server. I uploaded the init script from the Debian psad package, so it is released under the GPL.

cd /etc/init.d
sudo mv psad /root/psad.bak
sudo wget http://bodhizazen.net/adblock/psad.init.debian
sudo mv psad.init.debian psad
sudo chmod a+x psad
sudo update-rc.d psad defaults
sudo service psad start

Fedora

With Fedora we need to either disable SELinux or configure SELinux to allow psad and fwsnort.

I prefer to write a selinux policy for psad and you can either use mine or write your own (assuming you know how to write selinux policies).

My policy can be downloaded from my server.

You can review the policy using any editor

nano ids.te

Compile and install the policy (the following steps only need to be done once):

su -c "checkmodule -M -m -o ids.mod ids.te"
su -c "semodule_package -o ids.pp -m ids.mod"
su -c "semodule -i ids.pp"

Fedora Bug Report

Ubuntu

With Ubuntu we need a few AppArmor profiles.

Assuming you use AppArmor (and I know you want to) you can either write your own AppArmor profiles or download mine. The profiles have to live in /etc/apparmor.d to be loaded at boot:

sudo -i

cd /etc/apparmor.d
wget http://bodhizazen.net/aa-profiles/bodhizazen/ubuntu-10.04/usr.sbin.psad
wget http://bodhizazen.net/aa-profiles/bodhizazen/ubuntu-10.04/usr.sbin.fwsnort
wget http://bodhizazen.net/aa-profiles/bodhizazen/ubuntu-10.04/etc.fwsnort.fwsnort.sh

aa-enforce usr.sbin.psad usr.sbin.fwsnort etc.fwsnort.fwsnort.sh

exit

Using psad

In this section I will highlight some of the features of psad.

Warning: Depending on your volume of network traffic and iptables rule set, psad can fill your logs very fast.

Start / stop psad:

service psad start
service psad stop
service psad restart

Update the psad signatures and tell the running daemon to reload them (-H sends psad a HUP):

psad --sig-update
psad -H

Show psad status (gives information on network traffic and blocked IP addresses):

psad -S

Flush the blocked ip addresses:

psad -F

auto ids

"Auto ids" means psad will monitor your logs ( /var/log/kern.log ) and automagically use iptables to blacklist naughty ip addresses. Please keep in mind ip addresses are easily spoofed.

White list an ip address: You may wish, for example, to whitelist your router or LAN.

Using any editor, open /etc/psad/auto_dl

Examples:

#router
192.168.0.1 0;

#LAN
192.168.0.0/24 0;

Similarly, to blacklist an IP, give it a danger level at or above AUTO_IDS_DANGER_LEVEL (5 is the maximum):

111.222.33.4 5;

Note: the first packet from that address still has to be logged before psad inserts the block rule, so a packet or two will get through, but auto IDS blacklists the address immediately afterwards. This may be easier than maintaining a blacklist elsewhere or by hand in iptables.
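To see what the auto IDS is going to do with your logs before you let it edit iptables, here is an added example (written for this page, not psad's own code) that re-implements the two ideas above in toy form: it counts distinct destination ports probed per source address in iptables LOG lines (TCP SYN without ACK only) and applies auto_dl-style overrides, where a danger level of 0 means never report and 5 means report on the first packet. The kern.log excerpt and auto_dl content inside are constructed samples using TEST-NET addresses; the threshold of five ports and the "first matching auto_dl entry wins" rule are assumptions of the example, not psad's actual danger-level arithmetic.

```shell
#!/bin/sh
# Added example, not from the original page or from psad: a toy version of
# what the auto IDS does with kern.log, so you can see which sources would be
# blocked before letting psad edit iptables. Counts distinct destination ports
# per source (TCP SYN without ACK) and applies auto_dl-style overrides:
# "<ip or cidr> 0;" is never reported, "<ip or cidr> 5;" is reported on the
# first packet seen. Thresholds are illustrative; psad's own danger-level
# calculation differs and also covers UDP and ICMP.
# Real use:  scan_candidates 5 /etc/psad/auto_dl < /var/log/kern.log

scan_candidates() {
    min_ports=$1                  # distinct ports before a source is reported
    auto_dl=${2:-/dev/null}       # auto_dl file; the default means no overrides
    awk -v min="$min_ports" -v dl="$auto_dl" '
    function ip2n(ip,   a) {
        split(ip, a, ".")
        return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
    }
    # CIDR test by integer division on the host bits, so plain POSIX awk suffices
    function in_cidr(ip, cidr,   p, bits, d) {
        split(cidr, p, "/")
        bits = (p[2] == "") ? 32 : p[2] + 0
        if (bits == 0) return 1
        d = 2 ^ (32 - bits)
        return int(ip2n(ip) / d) == int(ip2n(p[1]) / d)
    }
    BEGIN {
        # auto_dl format: "<ip or cidr> <level>;" with # comments
        while ((getline line < dl) > 0) {
            sub(/#.*/, "", line); sub(/;.*/, "", line)
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            if (line == "") continue
            if (split(line, f, /[ \t]+/) >= 2) { net[++nn] = f[1]; lvl[nn] = f[2] + 0 }
        }
    }
    # only connection attempts: TCP with SYN set and ACK clear
    /IN=/ && /PROTO=TCP/ && / SYN / && !/ ACK / {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src == "" || dpt == "") next
        if (!seen[src, dpt]++) ports[src]++
    }
    END {
        for (s in ports) {
            level = -1                                   # -1: no auto_dl entry
            for (k = 1; k <= nn; k++)
                if (in_cidr(s, net[k])) { level = lvl[k]; break }   # first match wins (assumption of this example)
            if (level == 0) continue                     # whitelisted
            if (level >= 5) print s, ports[s], "block (auto_dl level " level ")"
            else if (ports[s] >= min) print s, ports[s], "block (" ports[s] " ports probed)"
        }
    }' | sort
}

# constructed kern.log excerpt (TEST-NET addresses); real lines carry the same SRC=/DPT=/flag fields
SAMPLE_LOG='Jun 14 10:15:01 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.0.10 LEN=44 TTL=52 PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 14 10:15:01 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.0.10 LEN=44 TTL=52 PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 14 10:15:01 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.0.10 LEN=44 TTL=52 PROTO=TCP SPT=40003 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 14 10:15:01 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.0.10 LEN=44 TTL=52 PROTO=TCP SPT=40004 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 14 10:15:02 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.0.10 LEN=44 TTL=52 PROTO=TCP SPT=40005 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 14 10:15:02 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.0.10 LEN=44 TTL=52 PROTO=TCP SPT=40006 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 14 10:15:02 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.0.10 LEN=60 TTL=52 PROTO=UDP SPT=40007 DPT=53 LEN=40
Jun 14 10:15:03 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.0.10 LEN=60 TTL=60 PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 14 10:15:04 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.0.10 LEN=60 TTL=60 PROTO=TCP SPT=51001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 14 10:15:05 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.0.10 LEN=60 TTL=60 PROTO=TCP SPT=51002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 14 10:15:06 host kernel: IN=eth0 OUT= SRC=192.0.2.1 DST=192.168.0.10 LEN=60 TTL=48 PROTO=TCP SPT=443 DPT=52000 WINDOW=14600 RES=0x00 ACK SYN URGP=0
Jun 14 10:15:07 host kernel: IN=eth0 OUT= SRC=192.168.0.1 DST=192.168.0.10 LEN=60 TTL=64 PROTO=TCP SPT=33001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 14 10:15:07 host kernel: IN=eth0 OUT= SRC=192.168.0.1 DST=192.168.0.10 LEN=60 TTL=64 PROTO=TCP SPT=33002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 14 10:15:07 host kernel: IN=eth0 OUT= SRC=192.168.0.1 DST=192.168.0.10 LEN=60 TTL=64 PROTO=TCP SPT=33003 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 14 10:15:08 host kernel: IN=eth0 OUT= SRC=203.0.113.99 DST=192.168.0.10 LEN=44 TTL=50 PROTO=TCP SPT=61000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

# constructed auto_dl in the format shown above
SAMPLE_AUTO_DL='# router and LAN: never block
192.168.0.1 0;
192.168.0.0/24 0;
# known bad host: block on the first packet
203.0.113.99 5;'

demo_verdicts() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_AUTO_DL" > "$tmp"
    printf '%s\n' "$SAMPLE_LOG" | scan_candidates 5 "$tmp"
    rm -f "$tmp"
}

demo_verdicts
```

Run against real data with scan_candidates 5 /etc/psad/auto_dl < /var/log/kern.log. Anything it reports is a source you would expect psad to block at a comparable danger level; anything it suppresses because of auto_dl is a source you have decided to trust regardless of what it sends, which is exactly the decision the whitelist entries above make.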

Testing psad

For the paranoid among us (I know who you are), how do we know psad "works"?

First, you can use nmap from a second machine to scan your host:

sudo nmap -p- -sV -sS -O psad_ip_address

You can use the following technique locally:

Using any editor, open /etc/psad/psad.conf

Change

AUTO_IDS_DANGER_LEVEL 3;

to

AUTO_IDS_DANGER_LEVEL 2;

Add a new LOG rule at the top of the INPUT chain (deliberately ahead of the ACCEPT rules, so that the replies to your own ping get logged and psad treats the replying host as a scanner):

sudo iptables -I INPUT 1 -j LOG

Now ping google.

ping -c 10 google.com

You will soon see

ping: sendmsg: Operation not permitted

because psad has counted the logged echo replies, assigned the replying address a danger level of at least 2 and inserted block rules for it. psad blocks in both the INPUT and OUTPUT chains by default, which is why your own outbound ping is refused.

Now check hosts.deny (TCPWRAPPERS_BLOCK_METHOD Y above makes psad add entries there as well):

cat /etc/hosts.deny

You will see google listed (by IP).

To undo those changes:

sudo iptables -D INPUT -j LOG
sudo psad -F

Finally, edit /etc/psad/psad.conf , change the AUTO_IDS_DANGER_LEVEL back to 3

Using fwsnort

fwsnort is easy to use and configure.

Update the snort rules:

sudo fwsnort --update-rules

The command "fwsnort" reads the Snort rules and generates a script, /etc/fwsnort/fwsnort.sh , that will add the translated rules to your firewall.

sudo fwsnort

If you get this error:

[-] It looks like the iptables 'comment' match is not available, disabling.
[*] It does not appear that string match support has been compiled into the kernel. Fwsnort will not be of very much use without this.
** NOTE: If you want to have fwsnort generate an iptables policy anyway, use the --no-ipt-test option.
Exiting.

You can try:

fwsnort --no-ipt-test --verbose

BUT that only skips fwsnort's capability test. The generated rules rely on the iptables string match (the xt_string module, CONFIG_NETFILTER_XT_MATCH_STRING) and will fail to load without it, so you need a kernel built with string match support.

Review the rules: depending on your firewall you may get hundreds of potential rules to add. With ufw I get 10 rules and with Fedora I get 40. If you get hundreds, review your firewall policy first; each string-match rule is compared against every packet that reaches it, so that many rules can slow iptables down.
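To understand what you are reviewing in fwsnort.sh, here is an added example (written for this page; it is not fwsnort's code and is far less complete) of the translation fwsnort performs: it turns a Snort rule's protocol, destination port, content and nocase options into an iptables string-match LOG rule and, like fwsnort, emits nothing for a port the firewall does not accept. The two Snort rules inside are constructed and their sids are made up; only msg, sid, content and nocase are understood, and flow, pcre, byte_test and the rest of Snort are ignored.

```shell
#!/bin/sh
# Added example, not from the page or from fwsnort: a toy version of the
# translation fwsnort performs, showing what the generated rules look like and
# why two things matter: the kernel needs the iptables string match
# (xt_string), and a rule is only worth emitting for a port the firewall
# accepts. Only the Snort header, msg, sid, content and nocase are handled;
# content values containing ';' and all other Snort options are not.
# Usage: snort2ipt "<comma-separated accepted ports>" "<snort rule>"

snort2ipt() {
    printf '%s\n' "$2" | awk -v open=",$1," '
    {
        # header: action proto src sport -> dst dport (options)
        proto = tolower($2); dport = $7
        # fwsnort skips rules for ports the firewall does not accept; so do we
        if (dport !~ /^[0-9]+$/ || index(open, "," dport ",") == 0) exit 0
        opts = $0
        sub(/^[^(]*\(/, "", opts); sub(/\)[^)]*$/, "", opts)
        n = split(opts, o, /;[ \t]*/)
        sid = "0"; match_args = ""
        for (i = 1; i <= n; i++) {
            if (o[i] ~ /^sid:/) sid = substr(o[i], 5)
            else if (o[i] ~ /^content:/) {
                c = o[i]; sub(/^content:"/, "", c); sub(/"$/, "", c)
                # Snort and iptables share the |hex| notation, so a hex block maps to --hex-string
                flag = (c ~ /\|/) ? "--hex-string" : "--string"
                match_args = match_args " -m string --algo bm " flag " \"" c "\""
            }
            else if (o[i] ~ /^nocase/ && match_args != "") match_args = match_args " --icase"
        }
        if (match_args == "") exit 0        # nothing payload-based to match on
        printf "iptables -A INPUT -p %s --dport %s%s -j LOG --log-prefix \"[fwsnort-toy] SID%s \"\n", proto, dport, match_args, sid
    }'
}

# constructed rules in Snort syntax (the sids are made up for this example)
RULE_HTTP='alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC /etc/passwd"; flow:to_server,established; content:"/etc/passwd"; nocase; sid:1122; rev:5;)'
RULE_SMTP='alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP example hex"; content:"|90 90 90 90|"; sid:9001; rev:1;)'

snort2ipt "22,80" "$RULE_HTTP"   # port 80 accepted: a rule is emitted
snort2ipt "22,80" "$RULE_SMTP"   # port 25 not accepted: nothing, as fwsnort would do
```

The --string and --hex-string options are the reason the xt_string match is a hard requirement: every rule fwsnort generates depends on it. The port filter is also why the rule count differs between hosts, as noted above; a firewall that accepts only ssh yields very few rules, one that accepts http, smtp and dns many more.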

Apply the rules:

sudo /etc/fwsnort/fwsnort.sh

Apply the rules on boot

Using any editor, open /etc/rc.local and add the following line (above the final exit 0):

/etc/fwsnort/fwsnort.sh

fwsnort.sh adds its rules to the running iptables policy, so it has to be run again after a reboot, or after ufw is disabled and re-enabled, which flushes the rules.

If you wish, for extra credit, configure cron to update the psad signatures and the fwsnort rules, then re-run fwsnort and fwsnort.sh. I would advise updating once a week.


References

psad documentation
fwsnort documentation (man page)
Fedora Security-Enhanced Linux Guide
Ubuntu Forums : Introduction to Apparmor