On Apr 24, 2013, Jeffrey Anthony Serio wrote:

> I recently installed psad on Sabayon hardened server, and it's not sending
> alert mails to root.  I followed the guide at
> http://linuxdrops.com/install-arno-firewall-with-psad-iptables-on-steroids/#,
> and configured everything correctly.  The e-mail address variable in
> /etc/psad/psad.conf points to the correct address
> (root@localhost.localdomain).  I am also able to send mail to root from
> root, as was suggested in the Cipherdyne psad QA page.  So when I use my
> other machine to run an nmap scan on the psad machine, it doesn't send
> alert mails to root.  psad does work on my other machine when a port scan
> has been emitted.  Both machines are running Sabayon, they both have psad
> and arno's iptable firewall running as well as postfix and sendmail
> daemons.  So I'm not exactly sure what's wrong.

There are a few things to check I think:

- Verify that the nmap scans result in iptables log messages being
  generated and written to a file by syslog that psad is configured to
  monitor (/var/log/messages by default - see the IPT_SYSLOG_FILE
  variable in the /etc/psad/psad.conf file).  In that file, there should
  be iptables log data.
- What does "psad --Status" show (you'll need to run this as root)?  If
  psad is tracking scans because iptables is logging them, then this
  command will show what psad sees.  This will help narrow the problem
  down to either a mail communications issue, or something more fundamental
  (like psad not seeing iptables log data written by syslog).
- Is psad writing any messages to syslog itself?  (Other than the normal
  messages it writes at init time.)
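The first two checks above can be scripted. The following is an added example, not code from the psad project or from either poster; it reads the syslog file psad watches from IPT_SYSLOG_FILE in a psad.conf-style file, counts iptables LOG lines and psad's own syslog messages in it, and reports which layer to look at next. It assumes psad.conf lines have the form "VARIABLE value;" and that iptables LOG lines carry "IN=... OUT=... PROTO=..." fields; the log and config fragments it runs on are constructed samples, not data from the thread.

```shell
#!/bin/sh
# Added diagnostic helper (not from psad or the thread's authors).
# Assumptions: psad.conf lines look like "VARIABLE value;" and kernel
# iptables LOG lines carry "IN=... OUT=... PROTO=..." fields.

# Print the value of VARNAME from a psad.conf-style file (empty if absent).
psad_conf_get() {    # psad_conf_get CONF VARNAME
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\(.*\);[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# Count kernel iptables LOG-target lines in a syslog file.
count_ipt_log_lines() {    # count_ipt_log_lines LOGFILE
    grep -c -E 'IN=[^ ]* OUT=[^ ]* .*PROTO=' "$1" || true
}

# Count messages psad itself wrote to syslog (ident "psad", optional pid).
count_psad_syslog_lines() {    # count_psad_syslog_lines LOGFILE
    grep -c -E ' psad(\[[0-9]+\])?: ' "$1" || true
}

# Narrow the problem down the way the reply suggests. Prints one of:
#   NO_IPT_LOGS       iptables is not logging into the file psad monitors
#   NO_PSAD_ACTIVITY  log data is there but psad is silent (run psad --Status)
#   CHECK_MAIL        psad sees the scans, so look at the mail path next
diagnose() {    # diagnose CONF
    logfile=$(psad_conf_get "$1" IPT_SYSLOG_FILE)
    [ -r "$logfile" ] || { echo NO_IPT_LOGS; return; }
    if [ "$(count_ipt_log_lines "$logfile")" -eq 0 ]; then
        echo NO_IPT_LOGS
    elif [ "$(count_psad_syslog_lines "$logfile")" -eq 0 ]; then
        echo NO_PSAD_ACTIVITY
    else
        echo CHECK_MAIL
    fi
}

# --- constructed sample data (RFC 5737 addresses, invented timestamps) ---
SAMPLE_DIR=$(mktemp -d)
SAMPLE_LOG="$SAMPLE_DIR/messages"
SAMPLE_CONF="$SAMPLE_DIR/psad.conf"
cat > "$SAMPLE_LOG" <<EOF
Apr 24 10:15:01 srv kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.20 LEN=44 TTL=54 ID=1234 PROTO=TCP SPT=40123 DPT=22 SYN URGP=0
Apr 24 10:15:01 srv kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.20 LEN=44 TTL=54 ID=1235 PROTO=TCP SPT=40123 DPT=23 SYN URGP=0
Apr 24 10:15:02 srv psad[2345]: scan detected: 192.0.2.10 -> 192.0.2.20 tcp: [22-23] flags: SYN
Apr 24 10:16:00 srv sshd[999]: Accepted publickey for root from 192.0.2.30 port 5222 ssh2
EOF
cat > "$SAMPLE_CONF" <<EOF
### constructed fragment of /etc/psad/psad.conf
EMAIL_ADDRESSES             root@localhost;
IPT_SYSLOG_FILE             $SAMPLE_LOG;
EOF

# A second, empty log file to exercise the "firewall is not logging" branch.
EMPTY_LOG="$SAMPLE_DIR/messages.empty"
EMPTY_CONF="$SAMPLE_DIR/psad.empty.conf"
: > "$EMPTY_LOG"
printf 'IPT_SYSLOG_FILE %s;\n' "$EMPTY_LOG" > "$EMPTY_CONF"

echo "iptables lines: $(count_ipt_log_lines "$SAMPLE_LOG")"
echo "psad lines:     $(count_psad_syslog_lines "$SAMPLE_LOG")"
echo "diagnosis:      $(diagnose "$SAMPLE_CONF")"
echo "empty log:      $(diagnose "$EMPTY_CONF")"
```

On a real host, point the script at /etc/psad/psad.conf instead of the constructed fragment; a CHECK_MAIL result means iptables log data is reaching the file and psad is reacting to it, so the remaining suspect is the mail path (EMAIL_ADDRESSES and the local MTA), which is exactly the split the reply draws.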

psad-discuss mailing list