Skip to content

Instantly share code, notes, and snippets.

@netson
Last active July 6, 2024 21:55
Show Gist options
  • Save netson/c45b2dc4e835761fbccc to your computer and use it in GitHub Desktop.
Save netson/c45b2dc4e835761fbccc to your computer and use it in GitHub Desktop.
Using PSAD and UFW

PSAD and UFW

Table of Contents

What are we doing here?

What is PSAD?

psad is a collection of three lightweight system daemons (two main daemons and one helper daemon) that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic. A typical deployment is to run psad on the iptables firewall where it has the fastest access to log data.

PSAD website

What is UFW?

the default firewall configuration tool for Ubuntu is ufw. Developed to ease iptables firewall configuration, ufw provides a user friendly way to create an IPv4 or IPv6 host-based firewall.

UFW website

Using PSAD and UFW

PSAD will modify iptables rules directly and will create its own chains. If you're using UFW as a frontend for iptables, you will need to ensure that the proper logging rules are present so that PSAD can parse these. This gist will explain how to configure UFW and PSAD to play nice together.

This gist focuses on PSAD 2.2.4, UFW 0.34 and Ubuntu Server 14.04.

Configure UFW logging rules

The default UFW logging itself is not sufficient for use by PSAD as it does not log the level of detail that PSAD requires. There a big chance that you will end up discarding certain messages before PSAD will get a chance to analyze them and detect any threats which as a result will go undetected.

It is important to emphasize that PSAD is not a firewall configuration tool; it requires your firewall to be properly configured before it is installed and activated.

To ensure UFW creates the proper logging rules for PSAD, we need to add some lines to the UFW configuration. UFW has 4 files with rules it will always add in a specifc order:

  • /etc/ufw/before.rules
  • /etc/ufw/before6.rules
  • /etc/ufw/after.rules
  • /etc/ufw/after6.rules

The before* rules are added before any other rules are added, and the after* rules are added afterwards. Obviously, the filenames ending with 6 are related to IPv6 and the other ones to IPv4. As of version 2.2, PSAD offers full IPv6 support.

To create the proper logging rules, edit the before*.rules files and add the following lines, at the end, but before the COMMIT line. If you place them after the COMMIT line, the rules will not be added to iptables.

# custom psad logging directives
-A INPUT -j LOG --log-tcp-options --log-prefix "[IPTABLES] "
-A FORWARD -j LOG --log-tcp-options --log-prefix "[IPTABLES] "

These lines will ensure logging of all important traffic on the INPUT and FORWARD chains.

The parameter --log-tcp-options adds additional info to the iptables log files which PSAD can use to detect certain scan/attack signatures. This option is not required to run PSAD but it is recommended. If you enable the TCP options, you will also need to tell PSAD to look out for these in the logfiles. You do so by editing the psad.conf file:

# /etc/psad/psad.conf
EXPECT_TCP_OPTIONS             Y;

This parameters is only available in PSAD 2.2.2 or newer. If you do not wish to add the TCP options to the logs, change the value of EXPECT_TCP_OPTIONS to N.

A detailed explanation of what this option does is explained here: http://www.cipherdyne.org/blog/2013/09/tcp-options-and-detection-of-masscan-port-scans.html.

Activate the changes by restarting PSAD:

sudo psad -R

Log prefix

As you probably noticed, the above logging rules also add a prefix to each log line. This is also optional. The reason I add it is because I like to place iptables log lines in a separate logfile. This makes it easier for me to go through the logs without having to filter out any other kernel originated logmessages.

To have rsyslog redirect iptables messages to a separate logfile, create a file /etc/rsyslog.d/10-iptables.conf and add the following contents:

# log kernel generated IPTABLES log messages to file
# each log line will be prefixed by "[IPTABLES]", so search for that
:msg,contains,"[IPTABLES]" /var/log/iptables.log

# the following stops logging anything that matches the last rule.
# doing this will stop logging kernel generated IPTABLES log messages to the file
# normally containing kern.* messages (eg, /var/log/kern.log)
# older versions of ubuntu may require you to change stop to ~
& stop

Then, restart rsyslog to activate the changes:

sudo service rsyslog restart

We're almost done now, but now that we are storing the IPTABLES log messages in a different file, we will need to tell PSAD where it can find this file, otherwise it will not be able to analyze any logs. To do so update the /etc/psad/psad.conf file and change the IPT_SYSLOG_FILE parameter to /var/log/iptables.log, like so:

IPT_SYSLOG_FILE                /var/log/psad-iptables.log;

Then, restart PSAD to activate the changes:

sudo psad -R

Links

@aPersonWithName
Copy link

Ubuntu 16.04, rsyslog already has a rule for UFW, that is: "[UFW ". No need for the "[IPTABLES] " prefix as documented above. You will still need to configure the UFW prefix in the before*.rules so the logs are created with the UFW prefix in the first place.

true, thx

@rickygm
Copy link

rickygm commented Aug 1, 2023

as it should be with the new versions in debian 11+and Ufw?

@netson
Copy link
Author

netson commented Aug 2, 2023

Hi, I haven't used PSAD in a few years since at some point it became to cumbersome to maintain the update and installation process for PSAD on the various servers I was running. So I can't tell you which changes would be required to run this on the latest debian... If you do try it out and make tweaks, please report them back here and I could update the gist. Thanks! :-)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment