The Port Scan Attack Detector psad
is a lightweight system daemon written in is designed to work with Linux iptables/ip6tables/firewalld firewalling code to detect suspicious traffic such as port scans and sweeps, backdoors, botnet command and control communications, and more.
It features a set of highly configurable danger thresholds (with sensible defaults provided), verbose alert messages that include the source, destination, scanned port range, begin and end times, TCP flags and corresponding nmap options, reverse DNS info, email and syslog alerting, automatic blocking of offending IP addresses via dynamic configuration of iptables rulesets, passive operating system fingerprinting, and DShield reporting.
In addition, psad
incorporates many of the TCP, UDP, and ICMP signatures included in the Snort intrusion detection system. to detect highly suspect scans for various backdoor programs (e.g. EvilFTP, GirlFriend, SubSeven), DDoS tools (Mstream, Shaft), and advanced port scans (SYN, FIN, XMAS) which are easily leveraged against a machine via nmap. psad
can also alert on Snort signatures that are logged via fwsnort, which makes use of the iptables string match extension to detect traffic that matches application layer signatures.
As of the 2.4.4 release, psad
can also detect the IoT default credentials scanning phase of the Mirai botnet.
Also Read – Got-Responded : Tool to Detect NBT-NS & LLMNR Spoofing
psad
can generate alerts for application layer buffer overflow attacks, suspicious application commands, and other suspect layer 7 traffic.psad
offers integration with gnuplot
and afterglow
to produce graphs of malicious traffic. The following two graphs are of the Nachi worm from the Honeynet Scan30 challenge. First, a link graph produced by afterglow
after analysis of the iptables log data by psad
:
“Nachi Worm Link Graph”
The second shows Nachi worm traffic on an hourly basis from the Scan30 iptables data:
All information psad analyzes is gathered from iptables log messages. psad by default reads the /var/log/messages file for new iptables messages and optionally writes them out to a dedicated file (/var/log/psad/fwdata).
psad is then responsible for applying the danger threshold and signature logic in order to determine whether or not a port scan has taken place, send appropriate alert emails, and (optionally) block offending ip addresses.
psad includes a signal handler such that if a USR1 signal is received, psad will dump the contents of the current scan hash data structure to /var/log/psad/scan_hash.$$ where “$$” represents the pid of the running psad daemon.
NOTE: Since psad relies on iptables to generate appropriate log messages for unauthorized packets, psad is only as good as the logging rules included in the iptables ruleset.
Hence if your firewall is not configured to log packets, then psad will NOT detect port scans or anything else. Usually the best way setup the firewall is with default “drop and log” rules at the end of the ruleset, and include rules above this last rule that only allow traffic that should be allowed through.
Upon execution, the psad daemon will attempt to ascertain whether or not such a default deny rule exists, and will warn the user if not. See the FW_EXAMPLE_RULES file for example firewall rulesets that are compatible with psad.
Additionally, extensive coverage of psad is included in the book “Linux Firewalls: Attack Detection and Response” published by No Starch Press, and a supporting script in this book is compatible with psad.
Installation
Depending on the Linux distribution, psad
may already be available in the default package repository. For example, on Debian or Ubuntu systems, installation is done with a simple:
apt-get install psad
If psad is not available in the package repository, it can be installed with the install.pl
script bundled in the psad sources.
The install.pl script also handles upgrades if psad is already installed. psad
requires several perl modules that may or may not already be installed on your Linux system.
These modules are included in the deps/ directory in the psad sources, and are automatically installed by the install.pl script. The list of modules is:
psad also includes a whois client written by Marco d’Itri (see the deps/whois directory). This client does better than others at collecting the correct whois information for a given IP address.
The main requirement for an iptables configuration to be compatible with psad is simply that iptables logs packets. This is commonly accomplished by adding rules to the INPUT and FORWARD chains like so:
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
The rules above should be added at the end of the INPUT and FORWARD chains after all ACCEPT rules for legitimate traffic and just before a corresponding DROP rule for traffic that is not to be allowed through the policy.
Note that iptables policies can be quite complex with protocol, network, port, and interface restrictions, user defined chains, connection tracking rules, and much more.
There are many pieces of software such as Shorewall and Firewall Builder, that build iptables policies and take advantage of the advanced filtering and logging capabilities offered by iptables.
Generally the policies built by such pieces of software are compatible with psad since they specifically add rules that instruct iptables to log packets that are not part of legitimate traffic.
Psad can be configured to only analyze those iptables messages that contain specific log prefixes (which are added via the –log-prefix option), but the default is for psad to analyze all iptables log messages for evidence of port scans, probes for backdoor programs, and other suspect traffic.
shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…
Extract and execute a PE embedded within a PNG file using an LNK file. The…
Embark on the journey of becoming a certified Red Team professional with our definitive guide.…
This repository contains proof of concept exploits for CVE-2024-5836 and CVE-2024-6778, which are vulnerabilities within…
This took me like 4 days (+2 days for an update), but I got it…
MaLDAPtive is a framework for LDAP SearchFilter parsing, obfuscation, deobfuscation and detection. Its foundation is…