On Nov 26, 2012, Naji Mouawad wrote:

> I've got PSAD installed and in the last 24 hours it has produced 1,000+
> emails. I can't keep up with so many alerts and need to sanitize this
> somehow.
> 1. Considering to raise EMAIL ALERT DANGER LEVEL to 3. Any serious cons?
> 2. Considering setting noemail to prevent PSAD from sending an email. Is
> there a way to run some cron job on the hour to produce a digest for PSAD?
> These may be the wrong way to go about this. Any suggestions appreciated.

While you can set EMAIL_ALERT_DANGER_LEVEL to 3 or higher, I would
recommend first that you audit the iptables policy itself.  It should be
configured to only log packets that should not be accepted as a part of
normal operations.  For example, it is possible to configure iptables to
log packets that are part of established TCP connections, but this is
probably not what you want (except in more advanced configurations where
string matching for malicious application layer data is involved).  So,
basically it is recommend to:

- Have a state tracking rule towards the top of each built-in chain in
  the filter table - here is an example for the INPUT chain:

# iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

- Then have your ACCEPT rules for allowed incoming connections to
  services that you run in the INPUT chain and ACCEPT rules for outbound
  connections that you want to initiate from the local system in the
  OUTPUT chain.  If your Linux system is functioning as a gateway
  device, then you'll need to configure NAT along with filtering rules
  in the FORWARD chain.

- LOG and DROP everything else.

There is a firewall setup script available at the following link that
does the steps described above (you'll need to customize the services
that you want to allow if you use it):


With iptables configured in this way, the log data burden should be more
reasonable I'm guessing.



> Thanks!

> ------------------------------------------------------------------------------
> Monitor your physical, virtual and cloud infrastructure from a single
> web console. Get in-depth insight into apps, servers, databases, vmware,
> SAP, cloud infrastructure, etc. Download 30-day Free Trial.
> Pricing starts from $795 for 25 servers or applications!
> http://p.sf.net/sfu/zoho_dev2dev_nov

> _______________________________________________
> psad-discuss mailing list
> psad-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/psad-discuss

Keep yourself connected to Go Parallel: 
INSIGHTS What's next for parallel hardware, programming and related areas?
Interviews and blogs by thought leaders keep you ahead of the curve.
psad-discuss mailing list

Reply via email to