On Oct 29, 2012, Dmitry Korzhevin wrote:

> Hello,

Hello Dmitry,

> I have problems with psad. I downloaded the latest psad version from
> the http://cipherdyne.org/about.html site, and installed it from source, on
> Debian 6.0.6 amd64 Linux.
> 
> I use this manual:
> 
> http://www.cyberciti.biz/faq/linux-detect-port-scan-attacks/
> 
> And it seems that after I add the following iptables rules:
> 
> iptables -A INPUT -j LOG
> iptables -A FORWARD -j LOG
> 
> the system load average starts growing up to 100 LA, and the server hangs.
> 
> Btw, this server is used as a VPN gateway with about 50 users, and I use
> an external log for iptables: /var/log/iptables.log
> 
> 
> Can you please help me - how can I configure psad without such a big load...

The key to getting psad to work is to make sure that your iptables
policy is accepting packets for services that you want to allow,
and logging and dropping all others.  There is an iptables setup script for the
Linux Firewalls book available at the following link that configures
iptables in this manner:

http://www.cipherdyne.org/LinuxFirewalls/ch01/iptables.sh.tar.gz

You would need to configure it for the specific services that you want
to allow - the script serves as an illustration.

Now, you might be wondering if using the iptables ACCEPT target on a
large percentage of your traffic is not helpful for the kind of analysis
that psad does, and this is a good question.  The answer is twofold:

1) In a normal network environment, _most_ traffic is usually not
malicious anyway, so on average logging TCP ACKs associated with things
like web connections is not useful.  psad is designed to look for port
scans and sweeps among other things, and through proper use of the
iptables connection tracking mechanism such packets will be logged even
for services that are otherwise allowed.  E.g. a FIN scan against port 80 will
be logged even if you are accepting traffic to port 80 because a FIN scan
isn't a valid start of a TCP connection.

2) If you run fwsnort in addition to psad, then you can get iptables to
log specific TCP ACK packets that contain truly malicious application
layer data, since fwsnort uses the string match extension along with a
translated set of Snort rules to detect things that you should probably
care about.

Thanks,

--Mike


> Best Regards,
> Dmitry
> 
> ---
> Dmitry KORZHEVIN
> System Administrator
> STIDIA S.A. - Luxembourg
> 
> e: dmitry.korzhe...@stidia.com
> m: +38 093 874 5453
> w: http://www.stidia.com
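The policy shape Mike describes (accept tracked connections and real SYNs to allowed ports, log and drop everything else, so a FIN probe against port 80 still reaches the LOG rule while ordinary web ACKs never do), written out as an added example that is not the book's iptables.sh or anything posted in this thread. It assumes ports 22 and 80 are the only inbound services and prints the rules for review instead of loading them; the log rate limit is an assumption chosen to keep syslog load bounded.

```shell
#!/bin/sh
# Added example (not from psad, the Linux Firewalls script, or this thread).
IPT="iptables"
ALLOWED_TCP_PORTS="22 80"   # assumption: the only inbound services to accept
LOG_LIMIT="10/s"            # assumption: bound on log lines per second

# Emit an INPUT policy of the shape described in the reply.
psad_policy() {
  cat <<EOF
$IPT -F INPUT
$IPT -P INPUT DROP
$IPT -A INPUT -i lo -j ACCEPT
# Packets belonging to a tracked connection are accepted without logging,
# so the ACKs and data of ordinary web/VPN sessions never hit a LOG rule.
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
  for p in $ALLOWED_TCP_PORTS; do
    # Only a genuine connection start (SYN, no ACK) to an allowed port is
    # accepted.  A FIN, NULL or XMAS probe to the same port has no SYN and
    # no conntrack entry, so it falls through to the LOG/DROP rules below.
    echo "$IPT -A INPUT -p tcp --syn --dport $p -m state --state NEW -j ACCEPT"
  done
  cat <<EOF
# Everything else (closed ports, non-SYN probes) is logged for psad, then
# dropped.  This is the single LOG rule; it sits last, unlike a bare
# '-A INPUT -j LOG' at the top, which logs every packet of every session.
$IPT -A INPUT -m limit --limit $LOG_LIMIT -j LOG --log-prefix "IPT_DROP "
$IPT -A INPUT -j DROP
EOF
}

# Number of LOG rules in the generated policy; should be exactly one.
count_log_rules() {
  psad_policy | grep -c -- '-j LOG$\|-j LOG '
}

psad_policy
```

Pipe the output to `sh` only after reviewing it; the final DROP with no ACCEPT for your VPN port would lock you out.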

_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss