Psad v3 #93

Merged (77 commits, Apr 16, 2021)

Conversation

hellresistor (Contributor) commented Mar 6, 2021

Hope this is respecting your code!

I have done a "Quick Manual Merge".

Review thread on scripts/02_ufw (outdated, resolved)

konstruktoid (Owner)

And for some reason the script freezes at the end with this PR.
Needs more investigation.

hellresistor (Contributor, Author) left a review comment

done

hellresistor (Contributor, Author) commented Mar 9, 2021

And for some reason the script freezes at the end with this PR.
Needs more investigation.

I have a 'déjà vu' about that issue...
Remember that thing about the variable for getting the IP?
I think it was that. That IP var was getting the wrong IP, and that wrong IP would be inserted between lines 14~18 of the 44_psad file.

(Actually, I don't have machines available to test it.)

Update:
echo "$SERVERIP 0; # Server IP" >> /etc/psad/auto_dl on line 16 of the 44_psad file

konstruktoid (Owner) commented Mar 10, 2021

Update:
echo "$SERVERIP 0; # Server IP" >> /etc/psad/auto_dl on line 16 of the 44_psad file

I wrote this diff, but it didn't actually fix the freeze:

diff --git a/scripts/44_psad b/scripts/44_psad
index 44efd81..bfa9a96 100644
--- a/scripts/44_psad
+++ b/scripts/44_psad
@@ -12,7 +12,7 @@ function f_psad {
   fi
 
   echo "127.0.0.1    0;" >> "$PSADDL"
-  echo "$($WBIN -ih | awk '{print $3}' | head -n1)    0;" >> "$PSADDL"
+  echo "$SERVERIP    0;" >> "$PSADDL"
   sed -i "s/EMAIL_ADDRESSES             root@localhost;/EMAIL_ADDRESSES             $MYEMAIL;/" "$PSADCONF"
   sed -i "s/HOSTNAME                    _CHANGEME_;/HOSTNAME                    $(hostname --fqdn);/" "$PSADCONF"
   sed -i 's/ENABLE_AUTO_IDS             N;/ENABLE_AUTO_IDS               Y;/' "$PSADCONF"
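Review bot: the removed line `echo "$($WBIN -ih | awk '{print $3}' | head -n1)    0;"` took the third column of `w -ih`, which is the FROM column, i.e. the address of the first logged-in session's client; when the script is run over SSH that whitelists the administrator's workstation in auto_dl instead of the server, so switching to `$SERVERIP` removes the wrong address. The new line still lacks a guard: if `SERVERIP` is empty, the malformed entry `"    0;"` is appended to `$PSADDL`. Suggest `[[ -n $SERVERIP ]] && echo "$SERVERIP    0;" >> "$PSADDL"`.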
@@ -43,4 +43,4 @@ function f_psad {
   fi
 
   ((SCRIPT_COUNT++))
-}
\ No newline at end of file
+}
diff --git a/ubuntu.sh b/ubuntu.sh
index 5bfb8cf..cac6c95 100644
--- a/ubuntu.sh
+++ b/ubuntu.sh
@@ -36,6 +36,7 @@ function main {
   ARPBIN="$(command -v arp)"
   WBIN="$(command -v w)"
   LXC="0"
+  SERVERIP="$(ip route | grep '^default' | awk '{print $9}')"
 
   if grep -qE 'container=lxc|container=lxd' /proc/1/environ; then
     LXC="1"
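Review bot: `awk '{print $9}'` on the default route depends on the field position, which changes with the attributes present on the line (`proto`, `metric`, `linkdown`, ...) and picks the first default route only by accident when several exist; match the `src` keyword instead, e.g. `SERVERIP="$(ip route | awk '/^default/ { for (i = 1; i < NF; i++) if ($i == "src") { print $(i + 1); exit } }')"`. A default route without a `src` hint yields an empty `SERVERIP` either way, so the consumers in scripts/44_psad need to tolerate that.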
@@ -90,6 +91,7 @@ function main {
   readonly RESOLVEDCONF
   readonly RKHUNTERCONF
   readonly SECURITYACCESS
+  readonly SERVERIP
   readonly SSHDFILE
   readonly SSHFILE
   readonly SSH_GRPS
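Review bot: `readonly SERVERIP` matches the surrounding declarations, but it means any fallback assignment (for example when the route-based lookup above returned nothing) has to happen before this line, or the later assignment will fail.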

hellresistor (Contributor, Author)

OK. Are you running from an SSH terminal client, or directly on the server? (This matters for the 'déjà vu'.)

konstruktoid (Owner)

SSH to server

hellresistor (Contributor, Author) commented Mar 11, 2021

SSH to server

Try it directly on the server ;) (I have a feeling it was because psad/ufw restarting... loses the current connection.... THE DÉJÀ VU!)

konstruktoid (Owner)

diff --git a/scripts/44_psad b/scripts/44_psad
index bfa9a96..d2223d3 100644
--- a/scripts/44_psad
+++ b/scripts/44_psad
@@ -29,12 +29,9 @@ function f_psad {
   sed -i 's/IGNORE_PORTS             *;/IGNORE_PORTS             NONE;/' "$PSADCONF"
   sed -i 's/IPT_SYSLOG_FILE             \/var\/log\/messages;/IPT_SYSLOG_FILE             \/var\/log\/syslog;/' "$PSADCONF"
   
-  psad -R
   psad --sig-update
   psad -H
-  psad -R
   psad --fw-analyze
-  psad -F
 
   if [[ $VERBOSE == "Y" ]]; then
     systemctl status psad.service --no-pager
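Review bot: dropping `psad -F` is the right fix given that flushing the iptables chains is what drops the SSH session, but that reason lives only in this thread; add a comment above `psad --sig-update` stating why `-F` and `-R` must not be run here, so the lines are not reinstated by a later contributor. The context line above `psad --sig-update` is trailing whitespace only and could be trimmed in the same hunk.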

Flushing the created iptables rules causes the connection issues.
I also removed the -R, --Restart lines since -H, --HUP is most likely enough and we also recommend a reboot after the script has finished.
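As an added example (not code from the konstruktoid hardening scripts), the address lookup discussed in this thread done by the `src` keyword instead of a fixed awk column, with a validation guard so nothing is written to auto_dl when no address is found; the route lines are constructed samples and the /etc/psad/auto_dl path is the one named above.

```shell
#!/usr/bin/env bash
# Added example, not part of the hardening repository: derive the server's own
# address from the default route by the "src" keyword (not a fixed awk column)
# and only emit a psad auto_dl entry when a valid IPv4 address was found.
# Note: `w -ih | awk '{print $3}'` reads the FROM column of logged-in sessions,
# i.e. the SSH client's address, which is why the old line got the wrong IP.

# Print the address following "src" in a route line read from stdin; exit 1 if absent.
src_ip_from_route() {
  awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i + 1); found = 1; exit } }
       END { exit !found }'
}

# Return 0 only for a dotted quad with four octets in the 0-255 range.
is_ipv4() {
  local ip=$1 oct
  case $ip in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  set -- $(printf '%s\n' "$ip" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for oct in "$@"; do
    [ "$oct" -le 255 ] || return 1
  done
}

# Build the auto_dl line ("ADDR    DANGER_LEVEL;", level 0 = never flag this host)
# from one route line; print nothing and return 1 if no usable address is present.
psad_auto_dl_entry() {
  local ip
  ip=$(printf '%s\n' "$1" | src_ip_from_route) || return 1
  is_ipv4 "$ip" || return 1
  printf '%s    0;\n' "$ip"
}

# Constructed sample route lines (what `ip route | grep '^default'` might print).
SAMPLE_WITH_SRC='default via 10.0.0.1 dev eth0 proto dhcp src 10.0.0.23 metric 100'
SAMPLE_NO_SRC='default via 10.0.0.1 dev eth0'

psad_auto_dl_entry "$SAMPLE_WITH_SRC"            # prints "10.0.0.23    0;"
psad_auto_dl_entry "$SAMPLE_NO_SRC" || echo "no src address on the default route; skipping auto_dl entry"
# Live use on the server (path as used in this thread):
#   psad_auto_dl_entry "$(ip route | grep '^default' | head -n1)" >> /etc/psad/auto_dl
```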

@konstruktoid konstruktoid self-assigned this Mar 19, 2021
konstruktoid (Owner) commented Mar 23, 2021

Sorry for the delay, will test as soon as possible.

Review thread on scripts/44_psad (outdated, resolved)

konstruktoid (Owner)

Sorry for the late reply, LGTM.
Do you have any changes you want to make before merge?

hellresistor (Contributor, Author)

seems nice!

@konstruktoid konstruktoid merged commit fca7a68 into konstruktoid:master Apr 16, 2021
hellresistor (Contributor, Author)

Well. Next step, fail2ban? What do you say, friend?
