On Apr 24, 2013, Jeffrey Anthony Serio wrote:

> I recently installed psad on Sabayon hardened server, and it's not sending
> alert mails to root. I followed the guide at
> http://linuxdrops.com/install-arno-firewall-with-psad-iptables-on-steroids/#,
> and configured everything correctly. The e-mail address variable in
> /etc/psad/psad.conf points to the correct address
> (root@localhost.localdomain). I am also able to send mail to root from
> root, as was suggested in the Cipherdyne psad QA page. So when I use my
> other machine to run an nmap scan on the psad machine, it doesn't send
> alert mails to root. psad does work on my other machine when a port scan
> has been emitted. Both machines are running Sabayon, they both have psad
> and arno's iptable firewall running as well as postfix and sendmail
> daemons. So I'm not exactly sure what's wrong.

There are a few things to check I think:

- Verify that the nmap scans result in iptables log messages being generated and written to a file by syslog that psad is configured to monitor (/var/log/messages by default - see the IPT_SYSLOG_FILE variable in the /etc/psad/psad.conf file). In that file, there should be iptables log data.

- What does "psad --Status" show (you'll need to run this as root)? If psad is tracking scans because iptables is logging them, then this command will show what psad sees. This will help narrow the problem down to either a mail communications issue, or something more fundamental (like psad not seeing any iptables log data written by syslog).

- Is psad writing any messages to syslog itself? (Other than the normal messages it writes at init time.)

Thanks,

--Mike

_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss
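
The checks listed in the reply above, gathered into a small triage script. This is an added example, not part of the original message and not psad's own code. It assumes psad.conf entries have the form `NAME value;` and that psad's own syslog lines carry the tag `psad:`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: triage for "psad sends no alert mail". Not psad's own code.
# Assumption: psad.conf entries look like "NAME   value;" (value ends in ';').

# Print the value of a psad.conf variable, e.g. IPT_SYSLOG_FILE.
psad_conf_value() {  # usage: psad_conf_value CONF VAR
    awk -v var="$2" '$1 == var { v = $2; sub(/;.*$/, "", v); print v; exit }' "$1"
}

# Count netfilter LOG lines (they carry IN=, SRC=, DST= and PROTO= fields).
count_ipt_log_lines() {  # usage: count_ipt_log_lines LOGFILE
    grep -E -c 'IN=.* SRC=[^ ]+ DST=[^ ]+ .*PROTO=' "$1" || true
}

# Count messages written by psad itself.
# Assumption: they are tagged "psad:" or "psad[pid]:" by syslog.
count_psad_msgs() {  # usage: count_psad_msgs LOGFILE
    grep -E -c ' psad(\[[0-9]+\])?: ' "$1" || true
}

# Returns 0 if iptables log data is present, 1 if not, 2 on a config problem.
triage() {  # usage: triage CONF
    conf=$1
    log=$(psad_conf_value "$conf" IPT_SYSLOG_FILE)
    [ -n "$log" ] || { echo "IPT_SYSLOG_FILE not set in $conf"; return 2; }
    [ -r "$log" ] || { echo "cannot read $log"; return 2; }
    ipt=$(count_ipt_log_lines "$log")
    own=$(count_psad_msgs "$log")
    echo "monitored file:       $log"
    echo "iptables log lines:   $ipt"
    echo "psad syslog messages: $own"
    if [ "$ipt" -eq 0 ]; then
        echo "no iptables log data: check firewall LOG rules and syslog routing"
        return 1
    fi
    echo "log data present: compare with 'psad --Status', then check mail delivery"
}

# Run against a real config only when a path is given, e.g. /etc/psad/psad.conf.
if [ $# -gt 0 ]; then triage "$1"; fi
```

Run it as root with the path to psad.conf; a result of zero iptables log lines points at the logging path rather than at mail.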