PSAD and UFW
Table of Contents
- What are we doing here?
- What is PSAD?
- What is UFW?
- Using PSAD and UFW
- Configure UFW logging rules
- Log prefix
What are we doing here?
What is PSAD?
psad is a collection of three lightweight system daemons (two main daemons and one helper daemon) that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic. A typical deployment is to run psad on the iptables firewall where it has the fastest access to log data.
What is UFW?
The default firewall configuration tool for Ubuntu is ufw. Developed to ease iptables firewall configuration, ufw provides a user-friendly way to create an IPv4 or IPv6 host-based firewall.
Using PSAD and UFW
PSAD will modify iptables rules directly and will create its own chains. If you're using UFW as a frontend for iptables, you will need to ensure that the proper logging rules are present so that PSAD can parse these. This gist will explain how to configure UFW and PSAD to play nice together.
This gist focuses on PSAD 2.2.4, UFW 0.34 and Ubuntu Server 14.04.
Configure UFW logging rules
The default UFW logging itself is not sufficient for use by PSAD, as it does not log the level of detail that PSAD requires. There is a big chance that you will end up discarding certain messages before PSAD gets a chance to analyze them, so the threats they indicate will go undetected.
It is important to emphasize that PSAD is not a firewall configuration tool; it requires your firewall to be properly configured before it is installed and activated.
To ensure UFW creates the proper logging rules for PSAD, we need to add some lines to the UFW configuration. UFW has 4 files with rules it will always add in a specific order:
- /etc/ufw/before.rules
- /etc/ufw/before6.rules
- /etc/ufw/after.rules
- /etc/ufw/after6.rules
The before* rules are added before any other rules are added, and the after* rules are added afterwards. Obviously, the filenames ending with 6 are related to IPv6 and the other ones to IPv4. As of version 2.2, PSAD offers full IPv6 support.
To create the proper logging rules, edit the before*.rules files and add the following lines at the end, but before the COMMIT line. If you place them after the COMMIT line, the rules will not be added to iptables.
# custom psad logging directives
-A INPUT -j LOG --log-tcp-options --log-prefix "[IPTABLES] "
-A FORWARD -j LOG --log-tcp-options --log-prefix "[IPTABLES] "
These lines will ensure logging of all important traffic on the INPUT and FORWARD chains.
--log-tcp-options adds additional info to the iptables log files which PSAD can use to detect certain scan/attack signatures. This option is not required to run PSAD but it is recommended. If you enable the TCP options, you will also need to tell PSAD to look out for these in the logfiles. You do so by editing the psad.conf file:
# /etc/psad/psad.conf
EXPECT_TCP_OPTIONS Y;
This parameter is only available in PSAD 2.2.2 or newer. If you do not wish to add the TCP options to the logs, change the value of
A detailed explanation of what this option does can be found here: http://www.cipherdyne.org/blog/2013/09/tcp-options-and-detection-of-masscan-port-scans.html.
Activate the changes by restarting PSAD:
sudo psad -R
As you probably noticed, the above logging rules also add a prefix to each log line. This is also optional. The reason I add it is that I like to place iptables log lines in a separate logfile. This makes it easier for me to go through the logs without having to filter out any other kernel-originated log messages.
To have rsyslog redirect iptables messages to a separate logfile, create a file /etc/rsyslog.d/10-iptables.conf and add the following contents:
# log kernel generated IPTABLES log messages to file
# each log line will be prefixed by "[IPTABLES]", so search for that
:msg,contains,"[IPTABLES]" /var/log/iptables.log
# the following stops logging anything that matches the last rule.
# doing this will stop logging kernel generated IPTABLES log messages to the file
# normally containing kern.* messages (eg, /var/log/kern.log)
# older versions of ubuntu may require you to change stop to ~
& stop
Then, restart rsyslog to activate the changes:
sudo service rsyslog restart
We're almost done now, but since we are storing the IPTABLES log messages in a different file, we will need to tell PSAD where it can find this file, otherwise it will not be able to analyze any logs. To do so, update the /etc/psad/psad.conf file and change the IPT_SYSLOG_FILE parameter to /var/log/iptables.log, like so:
# /etc/psad/psad.conf
IPT_SYSLOG_FILE /var/log/iptables.log;
Then, restart PSAD to activate the changes:
sudo psad -R
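As an added check (not part of this gist), the script below cross-checks the three files edited above for the mistakes the gist warns about: LOG rules placed after the COMMIT line, EXPECT_TCP_OPTIONS in psad.conf disagreeing with whether the LOG rules use --log-tcp-options, and IPT_SYSLOG_FILE not matching the file the rsyslog rule writes to. The sample inputs are constructed strings (not real files), and the parsers deliberately handle only the narrow subset of each file's syntax used on this page.

```python
import re

LOG_RULE = re.compile(r'^-A (INPUT|FORWARD) -j LOG\b(.*)$')

def check_before_rules(text):
    """Scan the *filter table of a UFW before.rules file -> (tcp_opts, prefix, problems)."""
    logged, problems, tcp_opts, prefix, in_filter, committed = set(), [], False, None, False, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('*'):                      # table header, e.g. *filter
            in_filter, committed = line == '*filter', False
        elif line == 'COMMIT':
            committed = True
        elif in_filter and (m := LOG_RULE.match(line)):
            if committed:                             # after COMMIT: iptables-restore never loads it
                problems.append(f'LOG rule for {m[1]} sits after COMMIT and is never loaded')
                continue
            logged.add(m[1])
            tcp_opts |= '--log-tcp-options' in m[2]
            if p := re.search(r'--log-prefix "([^"]*)"', m[2]):
                prefix = p[1]
    problems += [f'no LOG rule for {c} before COMMIT' for c in ('INPUT', 'FORWARD') if c not in logged]
    return tcp_opts, prefix, problems

def parse_psad_conf(text):
    """psad.conf lines look like 'KEY value;'; '#' starts a comment."""
    hits = (re.match(r'^(\w+)\s+(.+?);$', l.split('#')[0].strip()) for l in text.splitlines())
    return {m[1]: m[2].strip() for m in hits if m}

def audit(before_rules, psad_conf, rsyslog_conf):
    """Cross-check the three files; an empty list means they agree."""
    tcp_opts, prefix, findings = check_before_rules(before_rules)
    conf = parse_psad_conf(psad_conf)
    expect = conf.get('EXPECT_TCP_OPTIONS', 'N')
    if tcp_opts != (expect == 'Y'):
        findings.append(f'EXPECT_TCP_OPTIONS is {expect} but the LOG rules {"use" if tcp_opts else "lack"} --log-tcp-options')
    # rsyslog rule of the form  :msg,contains,"[IPTABLES]" /var/log/iptables.log
    if r := re.search(r'^:msg,contains,"([^"]+)"\s+(\S+)', rsyslog_conf, re.M):
        if prefix is None or r[1] not in prefix:
            findings.append(f'rsyslog matches "{r[1]}" but the LOG prefix is {prefix!r}')
        if conf.get('IPT_SYSLOG_FILE') != r[2]:
            findings.append(f'IPT_SYSLOG_FILE is {conf.get("IPT_SYSLOG_FILE")} but rsyslog writes to {r[2]}')
    return findings

# Constructed sample inputs (not real files). psad.conf still points at the
# default /var/log/messages, so audit() should report exactly that mismatch.
BEFORE_RULES = ('*filter\n-A INPUT -j LOG --log-tcp-options --log-prefix "[IPTABLES] "\n'
                '-A FORWARD -j LOG --log-tcp-options --log-prefix "[IPTABLES] "\nCOMMIT\n')
PSAD_CONF = "EXPECT_TCP_OPTIONS  Y;\nIPT_SYSLOG_FILE  /var/log/messages;  # default\n"
RSYSLOG_CONF = ':msg,contains,"[IPTABLES]" /var/log/iptables.log\n& stop\n'
```

Call audit() with the contents of your own three files; to run it on the sample strings, use audit(BEFORE_RULES, PSAD_CONF, RSYSLOG_CONF).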
On Ubuntu 16.04, rsyslog already has a rule for UFW's own prefix, "[UFW ", so the "[IPTABLES] " prefix documented above is not needed. You will still need to configure the UFW prefix in the before*.rules files so the logs are created with the UFW prefix in the first place.