
documentation updates

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@1093 91a0a83b-1414-0410-bf9a-c3dbc33e90b6
1 parent 8fd91b9 commit 02b10f41ff581fe2c25d22b433d6da08704b1c74 @mrash committed Jun 16, 2004
Showing with 32 additions and 57 deletions.
  1. +4 −4 FW_EXAMPLE_RULES
  2. +11 −33 INSTALL
  3. +8 −10 README
  4. +4 −0 install.pl
  5. +4 −9 psad.8
  6. +1 −1 psad.conf
8 FW_EXAMPLE_RULES
@@ -1,10 +1,10 @@
The following firewall rulesets are examples of rulesets that are compatible
with psad. Basically, the only criteria is have the firewall log and
-drop/deny/reject packets that should not be allowed through. Then a port scan
-will manifest itself within /var/log/messages as packets are dropped and
-logged, at which time these messages will be written to the
-/var/lib/psad/psadfifo named pipe and analyzed by psad.
+drop packets that should not be allowed through. Then a port scan will
+manifest itself within /var/log/messages as packets are dropped and logged,
+at which time these messages will be written to the /var/lib/psad/psadfifo
+named pipe and analyzed by psad.
### iptables:
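Review bot: the unchanged context line "the only criteria is have the firewall log" still carries a grammar error, and since this hunk already rewrites the rest of the paragraph it should be fixed here too: "the only criterion is to have the firewall log and drop packets that should not be allowed through". The rewrite also narrows "drop/deny/reject" to "drop"; the README hunk in this same commit still describes kmsgsd as catching "dropped/rejected packets", so either keep "drop or reject" here or make the README wording match, otherwise readers will assume only the DROP target is supported.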
44 INSTALL
@@ -13,35 +13,23 @@ Done. Enough said. :) This will result in a functional installation
of psad on your system. It is safe to run the install.pl script even
if you already have psad installed on your system. The configuration
can (optionally) be preserved from the previous installation (you will
-be prompted for this if an existing psad installation is detected on
-your system).
+be prompted for this if an existing psad installation is detected).
=======================================================================
For more information, read on:
IMPORTANT:
- psad makes use of drop/deny/reject messages that are generated
-by iptables, and appear in /var/log/messages. Hence if your firewall
-is not configured to drop/deny/reject packets (and log them), then psad
-will NOT detect port scans. Usually the best and most secure way to
-configure your firewall is to first put the minimal rules needed to
-allow only necessary traffic to and from your machine, and then have a
-default drop/deny/reject-and-log rule toward the end of the firewall
-ruleset. Some example firewall rulesets that are compatible with psad
-are contained within the file FW_EXAMPLES.
-
- For psad versions less than 1.3, the functionality of psad is
-affected by the version of the Linux kernel on which the software is
-deployed. For kernel versions 2.2.x (and 2.0.x?) the built-in ipchains
-firewalling code does not have any capability to log or distinguish any
-tcp flags other than syn, or ack. Hence, most of the tcp signatures
-included in psad_signatures cannot be detected by psad running on these
-kernel versions. By contrast, the iptables firewalling code (see
-http://www.netfilter.org) integrated within the 2.4.x kernels can
-distinguish all tcp flags and hence make the signature logic possible
-within psad. NOTE: ipchains support has been removed from psad as of
-version 1.3.
+ psad makes use of log messages that are generated by iptables as it
+logs (and drops) packets. Hence if your firewall is not configured to
+log packets, then psad will NOT detect port scans or anything else.
+Usually the best and most secure way to configure your firewall is to
+first put the minimal rules needed to allow only necessary traffic to
+and from your machine, and then have default drop-and-log rules toward
+the end of the firewall ruleset. Some example firewall rulesets that
+are compatible with psad are contained within the file FW_EXAMPLE_RULES.
+Note that psad is not compatible with the ipchains or ipfw firewalls
+that are included within pre-2.4.x Linux kernels.
A note on iptables: As of kernel version 2.4.13, there is a bug in the
connection tracking code that denies packets that are part of legitimate
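Review bot: the trailing context "As of kernel version 2.4.13, there is a bug in the connection tracking code" is left untouched, while the psad.8 hunk in this same commit bumps the equivalent statement from 2.4.21 to 2.4.26; the two files should state the same kernel version, or say explicitly which is the first affected and which is the latest one verified. The new paragraph's "log packets" is also slightly looser than the text it replaces: what matters is that the firewall logs the packets it drops, which the FW_EXAMPLE_RULES hunk says correctly, so "configured to log the packets it drops" would keep the two files consistent.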
@@ -83,14 +71,4 @@ specified in the config section.
psad can be completely removed from the system by executing
install.pl with the --uninstall option.
-USAGE:
-
-Usage: install.pl [-n] [-u] [-h]
-
- -n --no-preserve - disable preservation of old configs.
- -u --uninstall - completely remove psad from the
- system.
- -h --help - prints this help message.
-
-
$Id$
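Review bot: removing the USAGE block takes away the only place in INSTALL that documents -n/--no-preserve, which the preceding prose depends on ("The configuration can (optionally) be preserved from the previous installation"); either keep a one-line pointer such as "Run install.pl --help for the full list of options" after the --uninstall sentence, or confirm that install.pl itself prints this help so the text is not simply lost.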
18 README
@@ -31,7 +31,7 @@ METHODOLOGY:
All information psad analyzes is gathered from iptables log messages.
psad creates a named pipe (/var/lib/psad/psadfifo) and reconfigures syslog to
write kern.info messages to the pipe. As log messages are generated by
-iptables a separate daemon (called kmsgsd) reads any messages that match a
+iptables, a separate daemon (called kmsgsd) reads any messages that match a
particular regular expression designed to catch dropped/rejected packets out
of the pipe and write them to a separate file (/var/log/psad/fwdata). psad is
then responsible for reading messages as they are generated from this file and
@@ -44,13 +44,13 @@ of the current scan hash data structure to /var/log/psad/scan_hash.$$ where
NOTE: Since psad relies on iptables to generate appropriate log messages
for unauthorized packets, psad is only as good as the logging rules included
-in the iptables ruleset. Usually the best way setup the firewall is with a
-default "drop and log" rule at the end of the ruleset, and include rules above
-this last rule that only allow traffic that should be allowed through. Upon
-execution, the psad daemon will attempt to ascertain whether or not such a
-default deny rule exists, and will warn the administrator if it doesn't. See
-the FW_EXAMPLE_RULES file for example firewall rulesets that are compatible
-with psad.
+in the iptables ruleset. Usually the best way setup the firewall is with
+default "drop and log" rules at the end of the ruleset, and include rules
+above this last rule that only allow traffic that should be allowed through.
+Upon execution, the psad daemon will attempt to ascertain whether or not such
+a default deny rule exists, and will warn the administrator if it doesn't.
+See the FW_EXAMPLE_RULES file for example firewall rulesets that are
+compatible with psad.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
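Review bot: this hunk rewrites the sentence but keeps the typo "the best way setup the firewall" (missing "to"), and after changing "rule" to "rules" the later references are now singular ("this last rule", "such a default deny rule exists"); suggest "the best way to set up the firewall is with default "drop and log" rules at the end of the ruleset, with rules above them that only allow traffic that should be allowed through" and "whether or not such default deny rules exist".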
INSTALLATION:
@@ -69,8 +69,6 @@ script is included called "psad-init.generic". The psad init scripts are
mostly included as a nicety; psad can be run from the command line like any
other program.
-Ipfilter support on *BSD boxes is coming soon.
-
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
COPYRIGHT:
4 install.pl
@@ -728,6 +728,10 @@ ()
}
}
}
+ if (-e "${USRSBIN_DIR}/fwcheck_psad") {
+ print " .. Removing ${USRSBIN_DIR}/fwcheck_psad\n";
+ unlink "${USRSBIN_DIR}/fwcheck_psad";
+ }
if (-e "${USRSBIN_DIR}/psad") {
print wrap('', $SUB_TAB, " .. Removing psad daemons: ${USRSBIN_DIR}/" .
"(psad, psadwatchd, kmsgsd)\n");
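Review bot: the return value of unlink in the new block is not checked, so a failure (for example a permissions problem under ${USRSBIN_DIR}) is still reported to the user as ".. Removing" with the stale binary left in place; write `unlink "${USRSBIN_DIR}/fwcheck_psad" or warn "Could not remove ${USRSBIN_DIR}/fwcheck_psad: $!";`. The surrounding removal code also routes its messages through wrap('', $SUB_TAB, ...), so the new print should do the same for consistent output.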
13 psad.8
@@ -725,12 +725,7 @@ Michael Rash <mbr@cipherdyne.org>
Send bug reports to mbr@cipherdyne.org. Suggestions and/or comments are
always welcome as well.
--If $ENABLE_PERSISTENCE="Y", the scan data structures can become
-large over time and consume lots of memory depending on the popularity
-of your machine/site. Restarting psad solves this problem of course,
-but a better way is on the TODO list.
-
--For iptables firewalls as of Linux kernel version 2.4.21, if the ip_conntrack
+-For iptables firewalls as of Linux kernel version 2.4.26, if the ip_conntrack
module is loaded (or compiled into the kernel) and the firewall has been
configured to keep state of connections, occasionally packets that are supposed
to be part of normal TCP traffic will not be correctly identified due to a bug
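Review bot: the kernel version is bumped from 2.4.21 to 2.4.26 here, but INSTALL in this same commit still says the connection tracking bug exists "As of kernel version 2.4.13"; both files should state the same version or explain the range. Dropping the $ENABLE_PERSISTENCE paragraph also removes a caveat administrators of busy sites need (scan data structures growing without bound); unless that growth has actually been fixed, keep the note or point to the TODO entry it mentions.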
@@ -741,9 +736,9 @@ TCP_CONNTRACK_CLOSE_WAIT timeout value in
linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c from 60 seconds to 2 minutes,
and a kernel patch "conntrack_patch" is included with the psad sources to
change this. (Requires a kernel recompile of course, see the Kernel-HOWTO.)
-Also, by default the IGNORE_CONNTRACK_BUG_PKTS variable is set in psad.conf
-which causes psad to ignore all tcp packets that have the ACK bit set unless
-the packets match a specific signature.
+Also, by default the IGNORE_CONNTRACK_BUG_PKTS variable is set to "Y" in
+psad.conf which causes psad to ignore all tcp packets that have the ACK bit set
+unless the packets match a specific signature.
.SH DISTRIBUTION
.B psad
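Review bot: stating that IGNORE_CONNTRACK_BUG_PKTS defaults to "Y" is a useful clarification, but the sentence should also say what the setting costs and when to change it: with the default, ACK-flagged packets are only examined when they match a signature, so an administrator who has applied the conntrack_patch described two lines earlier no longer needs this workaround and should be told which value to use to restore full inspection of ACK packets.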
2 psad.conf
@@ -50,7 +50,7 @@ HOME_NET _CHANGEME_;
### Firewall message search strings. NOTE: the FW_MSG_SEARCH variable
### is now located in the file /etc/psad/fw_search.conf. Edit this
### file to configure search strings for psad. The change was made so
-### that a single file could be reference by both psad and kmsgsd for
+### that a single file could be referenced by both psad and kmsgsd for
### search strings in iptables messages.
### Danger levels. These represent the total number of
