Thursday, April 03, 2008

Reactive Firewall Setup using Psad

Reference: http://www.cipherdyne.org/psad/

# Download the latest version of psad from http://www.cipherdyne.org/psad/download/

cd /tmp

wget http://www.cipherdyne.org/psad/download/psad-2.1.4-1.i386.rpm

rpm -Uvh psad-2.1.4-1.i386.rpm
rm -rf psad-2.1.4-1.i386.rpm
cp -a /etc/psad/psad.conf /etc/psad/psad.conf.orig
vi /etc/psad/psad.conf

# Adjust the values as shown

######
EMAIL_ADDRESSES you@domain1.com, you@domain2.com;
HOSTNAME example.com;
# If there is only one network interface on the box, then just set this variable to "NOT_USED".
HOME_NET NOT_USED;
EMAIL_ALERT_DANGER_LEVEL 1;
ENABLE_AUTO_IDS Y;
AUTO_IDS_DANGER_LEVEL 1;
ENABLE_SCAN_ARCHIVE Y;
DISK_MAX_PERCENTAGE 85;
FLUSH_IPT_AT_INIT N;
#######

# Add CIDR value of a private network interface card in HOME_NET if you are using one.Not required if you have a single public interface.

Automate Signature Updates

crontab -e

###
0 0 * * * /usr/sbin/psad --sig-update && /sbin/service psad restart
###


# Ensure that /bin/mail exists or create an appropriate symbolic link /bin/mail poiting to your mail executable
eg.
ln -s /usr/lib/sendmail /bin/mail

/etc/rc.d/init.d/psad start

/usr/sbin/psad --sig-update

/sbin/chkconfig psad on

# Check psad statistics after 5-10 mins by running this command

/usr/sbin/psad --Status

# Setup Cronjob to delete Psad scan archive older than 7 days

crontab -e

0 0 * * * find /var/log/psad/scan_archive -type d -mtime +7 | xargs rm -rf

# Fwsnort Installation

Reference: http://www.cipherdyne.org/fwsnort
# Download fwsnort from http://www.cipherdyne.org/fwsnort/download/

cd /tmp

wget http://www.cipherdyne.org/fwsnort/download/fwsnort-1.0.5.tar.gz

tar zxvf fwsnort-1.0.5.tar.gz

cd /tmp/fwsnort-1.0.5

perl install.pl
cp -a /etc/fwsnort/fwsnort.conf /etc/fwsnort/fwsnort.conf.orig

vi /etc/fwsnort/fwsnort.conf

######
# Modify the uname location as follows
unameCmd /bin/uname;
######
# Add CIDR value of a private network interface card in HOME_NET in /etc/fwsnort/fwsnort.conf if you are using one.Not required if you have a single public interface.

/usr/sbin/fwsnort --no-ipt-sync --verbose

# Check log file for errors and correct accordingly
tail -f /var/log/fwsnort.log

#If you encounter the following errors
###
#[*] It does not appear that string match support has been compiled into
# Netfilter. Fwsnort will not be of very much use without this.
# ** NOTE: If you want to have fwsnort generate a Netfilter policy
# anyway, specify the --no-ipt-test option. Exiting.
#[root@extranet tmp]# tail -f /var/log/fwsnort.log
#[-] Netfilter ipv4options extension not available, disabling ipopts translation.

# then run this

# Update signatures
/usr/sbin/fwsnort --update-rules

#Then run this
/usr/sbin/fwsnort --no-ipt-test --verbose

# Run the generated Netfilter script

/etc/fwsnort/fwsnort.sh

# Enable auto-update of firewall rules
crontab -e

1 1 * * * /usr/sbin/fwsnort --no-ipt-test --verbose > /dev/null 2>&1 && sh /etc/fwsnort/fwsnort.sh > /dev/null 2>&1

# Enable auto-update of fwsnort signatures
crontab -e

0 0 * * * /usr/sbin/fwsnort --update-rules

/etc/rc.d/init.d/psad restart

rm -rf /tmp/fwsnort-1.0.5.tar.gz
rm -rf /tmp/fwsnort-1.0.5

# Enabling whitelisting and Special danger levels for IPs and Port.

Edit the /etc/psad/auto_dl for whitelisting or setting up an elevated danger zone.

# Eg. Add the IP address of the nmap/nessus server in the /etc/psad/auto_dl file before starting the nessus scan.Please ensure that you restart psad after adding the IP address.

2 comments:

yadap said...

Wow... good walk through for psad and snort installation n config. keep it up buddy...

Thanks

neil said...
This comment has been removed by a blog administrator.