How to install PSAD Intrusion Detection on Ubuntu 16.04 LTS server

Submitted by The Fan Club on

This guide is based on various community forum posts.

This guide is intended as a relatively easy step by step guide to:

  • Install CipherDyne PSAD Intrusion Detection and Log Analysis with iptables on Ubuntu 12.04 LTS or later.
  • psad is a collection of three lightweight system daemons that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic.
  • From version 2.2 it also offers full IPv6 support. 

Requirements:

  • Tested on Ubuntu 12.04 LTS - 16.04 LTS server.
  • Should work on most Ubuntu/Debian based ditro's.

1. Download and install the latest version of PSAD.

  • Download and install the latest version from the Cipherdyne website.
  • Visit the CipherDyne PSAD download page and select the latest source tar archive, as of writing this the latest version is PSAD 2.4.3
  • To download and install the latest version open a Terminal and enter the following :
sudo su
mkdir /tmp/.psad
cd /tmp/.psad
wget http://cipherdyne.org/psad/download/psad-2.4.3.tar.gz
tar -zxvf psad-2.4.3.tar.gz
cd psad-2.4.3
./install.pl 
cd /tmp
rm -R .psad
exit

2. Edit the PSAD configuration file. 

  • Three main settings need to be set in the PSAD configuration file before we can complete the install, edit the others as required.
  • open a Terminal Window and enter :
vi /etc/psad/psad.conf
  • EMAIL_ADDRESSES - change this to your email address.
  • HOSTNAME - this is set during install - but double check and change to a FQDN if needed.
  • ENABLE_AUTO_IDS - set this to Y if you could like PSAD to take action - read configuration instructions before setting this to Y.
  • ENABLE_AUTO_IDS_EMAILS - set this to Y if you would like to receive email notifications of intrusions that are detected.

3. Add iptables LOG rules for both IPv4 and IPv6.

  • For an explanation of this step click here.
  • Add the following iptables policies :
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
ip6tables -A INPUT -j LOG
ip6tables -A FORWARD -j LOG

4. Reload and update PSAD.

  • To restart, update the signature file and reload PSAD to complete the install open a Terminal Window and enter :
psad -R
psad --sig-update
psad -H
  • To check the status of PSAD, open a Terminal Window and enter :
psad --Status

Tags: 

Comments

Quick question : is psad any

Submitted by SASDOE (not verified) on

Quick question : is psad any use if enable_auto_ids is set to no ? And do i need to set it to yes to do the next step ?

Short answer - yes, it does

Submitted by The Fan Club on

Short answer - yes, it does not take action when a intrusion is detected, but will still log the events. Good for setup and testing but set to yes for production environment. See PSAD documentation for more information.

I have some problem while

Submitted by mubon (not verified) on

I have some problem while running this command # psad -R Use of qw(...) as parentheses is deprecated at /usr/sbin/psad line 4264. How can I fix this problem and is my psad still work despite the error above