
Added checking for automatic ip danger level increases/decreases via psad_auto_ips.

Various additions in README.
Added auto updating of signatures.
Fixed bug with incorrect ipchains rule parsing (source and destination ports = n/a for some kernels
in the default deny rule).
Added psad_auto_ips to install.pl.


git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@83 91a0a83b-1414-0410-bf9a-c3dbc33e90b6
1 parent 4984353 commit a158b94461e6498247d1fc9d1b553af4755a3d50 @mrash committed May 1, 2001
Showing with 95 additions and 18 deletions.
  1. +42 −2 README
  2. +49 −15 install.pl
  3. +1 −1 psad-init
  4. +3 −0 pscan
44 README
@@ -75,6 +75,42 @@ compatible with psad.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
USAGE:
+ -d -daemon
+ Do not run psad as a daemon. This option is most useful
+ if used in conjunction with -o so that scan warning messages
+ are written to STDOUT instead of the scanlog file.
+
+ -e -error
+ Occasionally messages that are written by to the psadfifo
+ named pipe and also to /var/log/messages do not conform to
+ the normal firewall logging format and psad will write these
+ message to /var/log/psad/fwerrorlog by default. Passing the
+ -error option will make psad ignore all such erroneous
+ firewall messages.
+
+ -o -output
+ By default all scan warning messages generated by psad are
+ written to /var/log/psad/scanlog. Passing the -o option
+ instructs psad to write all error messages to STDOUT.
+
+ -f -firewallcheck
+ Psad performs a rudimentary check of the firewall rules that
+ exist on the machine on which psad is deployed to determine
+ whether or not the firewall has a compatible configuration.
+ Passing the -f option will disable this check.
+
+ -c -config <configuration file>
+ By default psad uses configuration parameters that are
+ present within the configuration section of the psad script
+ itself. This can be overridden by specifying a configuration
+ file on the command line.
+
+ -n -namelookups
+ Psad normally attempts to find the name associated with a
+ scanning ip address, but this feature can be disabled with
+ the -n command line argument.
+
+
Usage: psad [-d] [-o] [-e] [-f] [-c <config file>] [-s <signature file>] [-h]
-daemon - do not run as a daemon.
@@ -88,13 +124,15 @@ Usage: psad [-d] [-o] [-e] [-f] [-c <config file>] [-s <signature file>] [-h]
-namelookups - disable name resolution against
scanning ips.
-signatures <sig file> - import scan signatures.
+ -auto_ips <ips file> - import auto ips file for automatic
+ ip danger level increases/decreases.
-local_port_lookup - disable local port lookups for scan
signatures.
-h - prints this help message.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-INSTALL:
+INSTALLATION:
(See the INSTALL file in the source directory.)
@@ -106,4 +144,6 @@ and 2.4.0 although it should work on any Linux system that has a properly
configured firewall. The only program that depends on the RedHat architecture
is psad-init, which specifically depends on /etc/rc.d/init.d/functions.
psad-init is mostly included as a nicety; it can be run from the command line
-like any other program.
+like any other program.
+
+Ipfilter support on *BSD boxes is coming soon.
64 install.pl
@@ -80,7 +80,7 @@
}
if ( -e "/usr/local/bin/psad" && (! $nopreserve)) { # need to grab the old config
print "*** Copying psad -> /usr/local/bin/psad\n";
- print "*** Preserving old config within /usr/local/bin/psad\n";
+ print " Preserving old config within /usr/local/bin/psad\n";
preserve_config("psad", "/usr/local/bin/psad", \%Cmds);
perms_ownership("/usr/local/bin/psad", 0500)
} else {
@@ -90,7 +90,7 @@
}
if (-e "/usr/local/bin/kmsgsd" && (! $nopreserve)) {
print "*** Copying kmsgsd -> /usr/local/bin/kmsgsd\n";
- print "*** Preserving old config within /usr/local/bin/kmsgsd\n";
+ print " Preserving old config within /usr/local/bin/kmsgsd\n";
preserve_config("kmsgsd", "/usr/local/bin/kmsgsd", \%Cmds);
perms_ownership("/usr/local/bin/kmsgsd", 0500);
} else {
@@ -100,7 +100,7 @@
}
if (-e "/usr/local/bin/diskmond" && (! $nopreserve)) {
print "*** Copying diskmond -> /usr/local/bin/diskmond\n";
- print "*** Preserving old config within /usr/local/bin/diskmond\n";
+ print " Preserving old config within /usr/local/bin/diskmond\n";
preserve_config("diskmond", "/usr/local/bin/diskmond", \%Cmds);
perms_ownership("/usr/local/bin/diskmond", 0500);
} else {
@@ -112,9 +112,9 @@
print "*** Creating /etc/psad/\n";
mkdir "/etc/psad",400;
}
-if (-e "/etc/psad/psad.conf") {
+if (-e "/etc/psad/psad_signatures") {
print "*** Copying psad_signatures -> /etc/psad/psad_signatures\n";
- print "*** Preserving old signatures file as /etc/psad/psad_signatures.old\n";
+ print " Preserving old signatures file as /etc/psad/psad_signatures.old\n";
`$Cmds{'mv'} /etc/psad/psad_signatures /etc/psad/psad_signatures.old`;
`$Cmds{'cp'} psad_signatures /etc/psad/psad_signatures`;
perms_ownership("/etc/psad/psad_signatures", 0600);
@@ -123,9 +123,20 @@
`$Cmds{'cp'} psad_signatures /etc/psad/psad_signatures`;
perms_ownership("/etc/psad/psad_signatures", 0600);
}
+if (-e "/etc/psad/psad_auto_ips") {
+ print "*** Copying psad_auto_ips -> /etc/psad/psad_auto_ips\n";
+ print " Preserving old auto_ips file as /etc/psad/psad_auto_ips.old\n";
+ `$Cmds{'mv'} /etc/psad/psad_auto_ips /etc/psad/psad_auto_ips.old`;
+ `$Cmds{'cp'} psad_auto_ips /etc/psad/psad_auto_ips`;
+ perms_ownership("/etc/psad/psad_auto_ips", 0600);
+} else {
+ print "*** Copying psad_auto_ips -> /etc/psad/psad_auto_ips\n";
+ `$Cmds{'cp'} psad_auto_ips /etc/psad/psad_auto_ips`;
+ perms_ownership("/etc/psad/psad_auto_ips", 0600);
+}
if (-e "/etc/psad/psad.conf") {
print "*** Copying psad.conf -> /etc/psad/psad.conf\n";
- print "*** Preserving old psad.conf file as /etc/psad/psad.conf\n";
+ print " Preserving old psad.conf file as /etc/psad/psad.conf\n";
`$Cmds{'mv'} /etc/psad/psad.conf /etc/psad/psad.conf.old`;
`$Cmds{'cp'} psad.conf /etc/psad/psad.conf`;
perms_ownership("/etc/psad/psad.conf", 0600);
@@ -140,9 +151,9 @@
if ($distro eq "redhat61" || $distro eq "redhat62") {
# remove signature checking from psad process if we are not running an iptables-enabled kernel
- system "perl -p -i -e 's|\\-s\\s/etc/psad/psad_signatures||' psad-init" if ($kernel !~ /^2.3/ && $kernel !~ /^2.4/);
print "*** Copying psad-init -> /etc/rc.d/init.d/psad-init\n";
`$Cmds{'cp'} psad-init /etc/rc.d/init.d/psad-init`;
+ system "perl -p -i -e 's|\\-s\\s/etc/psad/psad_signatures||' /etc/rc.d/init.d/psad-init" if ($kernel !~ /^2.3/ && $kernel !~ /^2.4/);
}
# need to put checks in here for redhat vs. other systems.
unless($fwcheck) {
@@ -163,22 +174,22 @@
my $pid = (split /\s+/, $pidstatement)[1];
system "$Cmds{'kill'} $pid";
if ($kernel =~ /^2.3/ || $kernel =~ /^2.4/) {
- system "/usr/local/bin/psad -s /etc/psad/psad_signatures";
+ system "/usr/local/bin/psad -s /etc/psad/psad_signatures -a /etc/psad/psad_auto_ips";
} elsif ($kernel =~ /^2.2/) {
- system "/usr/local/bin/psad";
+ system "/usr/local/bin/psad -a /etc/psad/psad_auto_ips";
} else {
print "*** You are running kernel $kernel. Assuming ipchains support.\n";
- system "/usr/local/bin/psad";
+ system "/usr/local/bin/psad -a /etc/psad/psad_auto_ips";
}
} else {
print "*** Starting the psad daemons...\n";
if ($kernel =~ /^2.3/ || $kernel =~ /^2.4/) {
- system "/usr/local/bin/psad -s /etc/psad/psad_signatures";
+ system "/usr/local/bin/psad -s /etc/psad/psad_signatures -a /etc/psad/psad_auto_ips";
} elsif ($kernel =~ /^2.2/) {
- system "/usr/local/bin/psad";
+ system "/usr/local/bin/psad -a /etc/psad/psad_auto_ips";
} else {
print "*** You are running kernel $kernel. Assuming ipchains support.\n";
- system "/usr/local/bin/psad";
+ system "/usr/local/bin/psad -a /etc/psad/psad_auto_ips";
}
}
}
@@ -251,7 +262,20 @@ ()
}
}
}
- print STDOUT "*** Your firewall does not include rules that will log dropped/rejected packets. Psad will not work with such a firewall setup.\n";
+ print STDOUT "*** Your firewall does not include rules that will log dropped/rejected packets.\n";
+ print STDOUT " You need to include a default rule that logs packets that have not been accepted\n";
+ print STDOUT " by previous rules, and this rule should have a logging prefix of \"drop\", \"deny\"\n";
+ print STDOUT " or \"reject\". For example suppose that you are running a webserver to which you\n";
+ print STDOUT " also need ssh access. Then a iptables ruleset that is compatible with psad\n";
+ print STDOUT " could be built with the following commands:\n";
+ print STDOUT "\n";
+ print STDOUT " iptables -A INPUT -s 0/0 -d <webserver_ip> 80 -j ACCEPT\n";
+ print STDOUT " iptables -A INPUT -s 0/0 -d <webserver_ip> 22 -j ACCEPT\n";
+ print STDOUT " iptables -A INPUT -j LOG --log-prefix \" DROP\"\n";
+ print STDOUT " iptables -A INPUT -j DENY\n";
+ print STDOUT "\n";
+ print STDOUT " Psad will not run without an iptables ruleset that includes rules similar to the\n";
+ print STDOUT " last two rules above.\n";
return 0;
} elsif ($ipchains) {
# target prot opt source destination ports
@@ -266,14 +290,24 @@ ()
chomp $rule;
next FWPARSE if ($rule =~ /^Chain/ || $rule =~ /^target/);
if ($rule =~ /^(\w+)\s+(\w+)\s+(\S+)\s+\S+\s+(\S+)\s+(\*)\s+\-\>\s+(\*)/) {
+# if ($rule =~ /^(\w+)\s+(\w+)\s+(\S+)\s+\S+\s+(\S+)/) {
my ($target, $proto, $opt, $dst, $srcpt, $dstpt) = ($1, $2, $3, $4, $5, $6);
+# my ($target, $proto, $opt, $dst, $srcpt, $dstpt) = ($1, $2, $3, $4);
if ($target =~ /drop|reject|deny/i && $proto =~ /all|tcp/ && $opt =~ /....l./) {
if (check_destination($dst, \@localips)) {
print STDOUT "*** Your firewall setup looks good. Unauthorized tcp packets will be dropped and logged.\n";
return 1;
}
}
- }
+ } elsif ($rule =~ /^(\w+)\s+(\w+)\s+(\S+)\s+\S+\s+(\S+)\s+(n\/a)/) { # kernel 2.2.14 (and others) show "n/a" instead of "*"
+ my ($target, $proto, $opt, $dst, $ports) = ($1, $2, $3, $4, $5);
+ if ($target =~ /drop|reject|deny/i && $proto =~ /all|tcp/ && $opt =~ /....l./) {
+ if (check_destination($dst, \@localips)) {
+ print STDOUT "*** Your firewall setup looks good. Unauthorized tcp packets will be dropped and logged.\n";
+ return 1;
+ }
+ }
+ }
}
print STDOUT "*** Your firewall does not include rules that will log dropped/rejected packets. Psad will not work with such a firewall setup.\n";
return 0;
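Review bot: The new psad_auto_ips block (`if (-e "/etc/psad/psad_auto_ips")` through its `else`) runs `mv` and `cp` through backticks in void context with no status check, so a failed copy (source file missing from the build directory, unwritable /etc/psad) goes unnoticed and `perms_ownership` then runs on a path that may not exist. Prefer list-form `system` with a check, e.g. `system($Cmds{'cp'}, 'psad_auto_ips', '/etc/psad/psad_auto_ips') == 0 or die "cp psad_auto_ips failed: $?";` and the same for the `mv`; the signatures and psad.conf blocks in the same hunk have the identical pattern. The reworded line `print " Preserving old psad.conf file as /etc/psad/psad.conf\n";` still names the wrong destination, since the `mv` right below it writes `/etc/psad/psad.conf.old`. In the ipchains hunk further down, the two commented-out alternatives (`# if ($rule =~ ...` and `# my ($target, ...`) should be deleted rather than left as dead code, and `$ports` in the new `n/a` branch is captured but never read. The enclosing subroutines begin outside these hunks.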
2 psad-init
@@ -89,7 +89,7 @@ if grep -q psadfifo /etc/syslog.conf; then
daemon /usr/local/bin/kmsgsd
echo
echo -n "Starting the psad daemon: "
- daemon /usr/local/bin/psad -s /etc/psad/psad_signatures
+ daemon /usr/local/bin/psad -s /etc/psad/psad_signatures -a /etc/psad/psad_auto_ips
echo
echo -n "Starting the disk monitoring daemon: "
daemon /usr/local/bin/diskmond
3 pscan
@@ -4,6 +4,9 @@
# open a socket to each of the ports in the range specified on
# the command line. You do not need to be root to execute this
# script.
+#
+# TODO:
+# - use alarms to avoid hanging on closed ports
use Socket;
use Getopt::Long;
