On Oct 29, 2012, Dmitry Korzhevin wrote:
> Hello,

Hello Dmitry,

> I have problems with psad. I downloaded the latest psad version from
> http://cipherdyne.org/about.html and installed it from source on
> Debian 6.0.6 amd64 Linux.
>
> I used this manual:
>
> http://www.cyberciti.biz/faq/linux-detect-port-scan-attacks/
>
> And it seems that after I add the following iptables rules:
>
> iptables -A INPUT -j LOG
> iptables -A FORWARD -j LOG
>
> the system load average starts growing up to 100 and the server hangs.
>
> Btw, this server is used as a VPN gateway with about 50 users. I use an
> external log for iptables: /var/log/iptables.log
>
> Can you please help me - how can I configure psad without such a big load?

The key to getting psad to work is to make sure that your iptables policy is
accepting packets for the services that you want to allow, and logging and
dropping all others. There is an iptables setup script for the Linux
Firewalls book available at the following link that configures iptables in
this manner:

http://www.cipherdyne.org/LinuxFirewalls/ch01/iptables.sh.tar.gz

You would need to configure it for the specific services that you want to
allow - the script serves as an illustration.

Now, you might be wondering whether using the iptables ACCEPT target on a
large percentage of your traffic is not helpful for the kind of analysis that
psad does, and this is a good question. The answer is twofold:

1) In a normal network environment, _most_ traffic is usually not malicious
anyway, so on average logging the TCP ACKs associated with things like web
connections is not useful. psad is designed to look for port scans and
sweeps, among other things, and through proper use of the iptables
connection tracking mechanism such packets will be logged even for services
that are otherwise allowed. E.g. a FIN scan against port 80 will be logged
even if you are accepting traffic to port 80, because a FIN scan isn't a
valid start of a TCP connection.

2) If you run fwsnort in addition to psad, then you can get iptables to log
specific TCP ACK packets that contain truly malicious application layer
data, since fwsnort uses the string match extension along with a translated
set of Snort rules to detect things that you should probably care about.

Thanks,

--Mike

> Best Regards,
> Dmitry
>
> ---
> Dmitry KORZHEVIN
> System Administrator
> STIDIA S.A. - Luxembourg
>
> e: dmitry.korzhe...@stidia.com
> m: +38 093 874 5453
> w: http://www.stidia.com

_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss
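The policy shape Mike describes (accept what you allow, log and drop the rest, let connection tracking keep the bulk of established traffic out of the log), written out as an added example. This is not the iptables.sh script from the book and not psad's own code; the allowed ports, the log prefixes and the DRY_RUN switch are assumptions made for the example so the rule set can be reviewed and tested on a box without root. Dmitry's original `-A INPUT -j LOG` logged every packet because nothing in front of it accepted established traffic; here the ESTABLISHED,RELATED accept comes first, so only connection attempts and protocol-invalid packets reach the LOG rules.

```shell
#!/bin/sh
# Added example: an iptables policy for a psad host that logs only what it
# drops. Not the book's iptables.sh; ports and prefixes below are assumed.
#
# Usage:  sh psad-policy.sh show    (DRY_RUN: print the rules, apply nothing)
#         sh psad-policy.sh apply   (as root: install the rules)

IPT=${IPT:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-0}

# Services this host accepts NEW connections for (assumed for the example;
# a VPN gateway like the one in the thread would list its own ports here).
TCP_ALLOW="22 80 443"
UDP_ALLOW="1194"

# Wrapper: with DRY_RUN=1 the rule is printed instead of applied.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "iptables $*"
    else
        "$IPT" "$@"
    fi
}

apply_policy() {
    ipt -F INPUT
    ipt -F FORWARD
    ipt -P INPUT DROP
    ipt -P FORWARD DROP

    ipt -A INPUT -i lo -j ACCEPT

    # Packets conntrack cannot place in any connection (stray FIN/RST/ACK,
    # bad flag combinations). A lone FIN to port 80 lands here: it is logged
    # even though port 80 is an allowed service.
    ipt -A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "DROP INVALID "
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Replies within connections we already accepted are not logged. This is
    # the bulk of web/VPN traffic and is what was driving the load.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # TCP packets that conntrack treats as NEW but that carry no SYN are not
    # a valid start of a connection; log and drop them regardless of port.
    ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j LOG --log-prefix "DROP NEW !SYN "
    ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

    # Allowed services: only a SYN opening a NEW connection is accepted.
    for port in $TCP_ALLOW; do
        ipt -A INPUT -p tcp --dport "$port" --syn -m conntrack --ctstate NEW -j ACCEPT
    done
    for port in $UDP_ALLOW; do
        ipt -A INPUT -p udp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done

    # Everything else: log once, then drop. These LOG lines are what psad
    # parses (assumed to be routed to /var/log/iptables.log via syslog).
    ipt -A INPUT -j LOG --log-prefix "DROP "
    ipt -A INPUT -j DROP

    # Same shape for forwarded traffic; a real gateway would add its own
    # allow rules for the VPN subnets between the accept and the LOG.
    ipt -A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix "DROP INVALID "
    ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -j LOG --log-prefix "DROP "
    ipt -A FORWARD -j DROP
}

case "${1:-}" in
    apply) apply_policy ;;
    show)  DRY_RUN=1; apply_policy ;;
esac
```

Run it with `show` first and read the output: every LOG rule should sit behind the ESTABLISHED,RELATED accept, and every service you actually serve should have an explicit accept in front of the final LOG/DROP pair. The log prefixes are only for readability; psad keys off the kernel's `IN=`/`OUT=`/`SRC=`/`DST=` fields, not the prefix text.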