Hello out there,

For several weeks, I've had Shorewall happily configured on my Linux
box. All the possible multicast and broadcast addresses are logged, but
there is no annoying email warning alert about the local router broadcast
anymore! (So finally the Shorewall firewall is properly configured, and
Psad for about +/-80%.)

My configuration is as follows:

Shorewall 4.6.4.3 in combination with Psad v2.2.1 on Ubuntu 14.04.1 LTS
(x32).

My question is:
How do I set the options to quickly autoblock IPv4 addresses with Psad
when somebody is tracing the open ports of the firewall (net zone, of
course) with Nmap in stealth mode? (Scanning all the TCP ports with a
Windows Nmap takes about 1.5 hours.)

Last week I got several warning emails (from Psad, of course) AFTER
1.5 HOURS from a test with Nmap and the above options. (Scanning all
UDP ports had the same result.)

My goal is very simple:
If anyone is scanning a port of my firewall, or a (little) range, I
would like to autoblock the IP address automatically and immediately.
(Of course Psad must send an alert directly to the system account.)
This test was successful last week, but far too slow and with too many
Psad emails.

After filtering out all the Psad false-positive warnings about all the
*-casts AND altering a few configuration parameters in the Psad config
file, the same rescan didn't autoblock or alert at all...

With Shorewall, I USE 3 levels of logging (filtered by RSyslogd ->
shorewall.log):
1. INFO
2. WARN(ing)
3. none(!)

All the logs of the Shorewall-specific iptables and netfilter rules
are filtered only to the shorewall.log file, with the standard default
prefix.

The changes I've made in Psad were the following (I've lowered the
original values):

        ### Danger levels.  These represent the total number of
        ### packets required for a scan to reach each danger level.
        ### A scan may also reach a danger level if the scan trips
        ### a signature or if the scanning ip is listed in
        ### auto_ips so a danger level is automatically
        ### assigned.
        DANGER_LEVEL1               5;    ### Number of packets.
        DANGER_LEVEL2               10;
        DANGER_LEVEL3               50;
        DANGER_LEVEL4               100;
        DANGER_LEVEL5               1000;


Does anybody know how to trigger an email fast (very fast) from the
Shorewall logfile into the Psad warning email AND block the IP
automatically?
(Unblocking is easy with Psad --flush :-)

Should I change the Psad config file or raise the logging levels (1-7),
i.e. WARN(ing) -> CRIT(ical)?

If you don't know how, thanks for reading anyway,



Greetings,

Paul F. Versloot

PS: included: psad.conf, shorewall.conf, rules, zones, policy.

Attachment: config_files.tar.gz
Description: application/compressed-tar

_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss

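Editor's note on the question above. Whether a scan like the one described gets blocked depends on two things that can be checked offline: the DANGER_LEVEL thresholds the poster already lowered, and the auto-block keys (ENABLE_AUTO_IDS, AUTO_IDS_DANGER_LEVEL, AUTO_BLOCK_TIMEOUT, EMAIL_ALERT_DANGER_LEVEL, which is how psad 2.2.x names them) that the post does not show. The script below is an added example, not part of the original message and not psad's own code. It parses a constructed psad.conf fragment, then runs a simplified model of psad's per-source packet counting over constructed Shorewall DROP lines in the format iptables' LOG target writes under Shorewall's default prefix. It is an approximation: danger levels here come only from packet counts (psad can also raise them via signatures or the auto_ips file), the chain name, the addresses (RFC 5737 documentation ranges) and every log line are made up, and the assumed rule is that a block happens only when ENABLE_AUTO_IDS is Y and the source's danger level reaches AUTO_IDS_DANGER_LEVEL.

```python
"""Danger-level and auto-block evaluation over Shorewall log lines.

Added example for this thread; NOT psad's own code and NOT part of the
original post.  It models, in simplified form, how psad 2.2.x turns
per-source packet counts into DANGER_LEVEL1..5 and when ENABLE_AUTO_IDS /
AUTO_IDS_DANGER_LEVEL would produce a block.  Signature matches and the
auto_ips file, which can also raise a danger level, are not modelled.
All addresses and log lines are constructed.
"""
import re
from collections import defaultdict

# Constructed psad.conf fragment.  DANGER_LEVEL values are the ones from the
# post; the other keys are the psad 2.2.x auto-block settings as assumed here.
PSAD_CONF = """\
### constructed fragment, not a complete psad.conf
IPT_SYSLOG_FILE             /var/log/shorewall.log;
DANGER_LEVEL1               5;     ### Number of packets.
DANGER_LEVEL2               10;
DANGER_LEVEL3               50;
DANGER_LEVEL4               100;
DANGER_LEVEL5               1000;
EMAIL_ALERT_DANGER_LEVEL    1;
ENABLE_AUTO_IDS             Y;
AUTO_IDS_DANGER_LEVEL       2;
AUTO_BLOCK_TIMEOUT          3600;
"""

CONF_RE = re.compile(r'^\s*([A-Z0-9_]+)\s+(.+?)\s*;\s*$')
PREFIX_RE = re.compile(r'Shorewall:([^:\s]+):([^:\s]+):')   # Shorewall:<chain>:<disposition>:
FIELD_RE = re.compile(r'\b([A-Z]+)=(\S*)')                  # iptables LOG key=value pairs


def parse_conf(text):
    """Parse psad.conf-style 'KEY   value;' lines; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        m = CONF_RE.match(raw.split('#', 1)[0])
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def shorewall_line(src, dst, proto, dpt):
    """Constructed log line in the shape iptables' LOG target writes under
    Shorewall's default prefix (chain name 'net2fw' is an assumption)."""
    tail = 'WINDOW=1024 RES=0x00 SYN URGP=0' if proto == 'TCP' else ''
    return ('Jan 10 12:00:01 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= '
            'MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 '
            f'SRC={src} DST={dst} LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=0 '
            f'PROTO={proto} SPT=54321 DPT={dpt} {tail}').rstrip()


def parse_log_line(line):
    """Return src/dst/proto (and dpt if present) for a Shorewall line, else None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None                      # not a firewall message (sshd, cron, ...)
    f = dict(FIELD_RE.findall(line))
    if 'SRC' not in f or 'PROTO' not in f:
        return None
    rec = {'chain': m.group(1), 'disposition': m.group(2),
           'src': f['SRC'], 'dst': f.get('DST', ''), 'proto': f['PROTO']}
    if f.get('DPT', '').isdigit():
        rec['dpt'] = int(f['DPT'])       # absent for ICMP
    return rec


def danger_level(packets, conf):
    """Highest DANGER_LEVELn whose packet threshold has been reached (0 = none)."""
    level = 0
    for n in range(1, 6):
        if packets >= int(conf[f'DANGER_LEVEL{n}']):
            level = n
    return level


def evaluate(conf, lines):
    """Aggregate per source IP and decide email / auto-block per the config."""
    per_src = defaultdict(lambda: {'packets': 0, 'ports': set()})
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        s = per_src[rec['src']]
        s['packets'] += 1
        if 'dpt' in rec:
            s['ports'].add((rec['proto'], rec['dpt']))
    auto_ids = conf.get('ENABLE_AUTO_IDS', 'N').upper() == 'Y'
    block_dl = int(conf.get('AUTO_IDS_DANGER_LEVEL', '5'))
    email_dl = int(conf.get('EMAIL_ALERT_DANGER_LEVEL', '1'))
    out = {}
    for src, s in per_src.items():
        dl = danger_level(s['packets'], conf)
        out[src] = {'packets': s['packets'], 'ports': len(s['ports']),
                    'danger_level': dl,
                    'email': dl > 0 and dl >= email_dl,
                    'block': auto_ids and dl >= block_dl}
    return out


# Constructed traffic: a SYN scan touching 12 ports, a host probing 3 common
# ports, one broadcast packet (the *-cast noise from the post) and an
# unrelated syslog line that must be ignored.
SAMPLE_LOG = (
    [shorewall_line('203.0.113.7', '192.0.2.1', 'TCP', p) for p in range(20, 32)]
    + [shorewall_line('198.51.100.4', '192.0.2.1', 'TCP', p) for p in (22, 80, 443)]
    + [shorewall_line('192.0.2.254', '192.0.2.255', 'UDP', 138)]
    + ['Jan 10 12:00:02 fw sshd[4242]: Accepted publickey for paul from 192.0.2.10']
)

if __name__ == '__main__':
    conf = parse_conf(PSAD_CONF)
    for src, r in evaluate(conf, SAMPLE_LOG).items():
        print(f"{src:15} packets={r['packets']:3} ports={r['ports']:3} "
              f"DL={r['danger_level']} email={r['email']} block={r['block']}")
```

With the posted thresholds the 12-packet scan reaches danger level 2 and is blocked only because the constructed fragment sets ENABLE_AUTO_IDS to Y and AUTO_IDS_DANGER_LEVEL to 2; flip either back to psad's shipped defaults (N and 5) and the same scan is merely emailed. Two points to check on the live box before touching danger levels again: psad 2.2 reads firewall messages from the file named by IPT_SYSLOG_FILE (default /var/log/messages), so with rsyslog steering Shorewall lines into shorewall.log that key has to point there; and Shorewall's log level (info, warning, ...) only changes the syslog priority rsyslog routes on, not the text psad parses, so raising it to crit will not make psad react faster.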