Psad: Difference between revisions

From Coolscript
(Created page with "'''DRAFT''' - '''DRAFT''' - '''DRAFT''' - '''DRAFT''' - '''DRAFT''' - '''Coming soon''' This is an easy and small script to allow customized drop rules on your iptables Fi...")
 
(Replaced content with "deleted")
 
'''DRAFT''' - '''DRAFT'''  - '''DRAFT'''  - '''DRAFT'''  - '''DRAFT''' - '''Coming soon'''
 
This is a small and easy script that adds customized drop rules to your iptables firewall to protect against intruders on your network. <br>
The script follows the same approach as [http://coolscript.org/index.php/Syslog_to_Firewall '''Syslog to Firewall'''] but runs on Linux together with [http://www.netfilter.org/ iptables] and [http://cipherdyne.org/psad/ psad].<br>
Finally, this goes in the direction of an [https://en.wikipedia.org/wiki/Intrusion_prevention_system IPS].
<br>
=Environment=
Psad2ipt has been tested on Linux Debian 8 (Jessie) but should run on any other recent Linux distribution too.
=Features=
*Provides an easy [https://en.wikipedia.org/wiki/Intrusion_prevention_system IPS] based on [https://en.wikipedia.org/wiki/Open-source_software OSS] for nuts!
*It runs on its own; no additional server software is required (such as [https://en.wikipedia.org/wiki/LAMP_%28software_bundle%29 LAMP]), only [http://perl.com/ Perl] with a few additional [http://www.cpan.org/ modules] is needed.
*SQLite3 (a flat-file database) is used so that psad2ipt can cope with a large amount of activity.
*The drop time ramps up dynamically: an intruder is first blocked for 15 minutes by default, then for 30, 60, 120 and so on minutes on every further occurrence of an event.
*Tight IP address checking to avoid false blockings; psad2ipt does not want to get blamed.
*Optional reporting into a [http://splunk.com Splunk] server.
<br>
 
=Setup and Operation description=
Psad2ipt runs on its own iptables chain to add or remove malicious IP addresses which have been identified by psad.<br>
The iptables chain must be present at runtime [psad2ipt aborts if not], so creating the Psad2ipt chain is an essential first step.<br>
If psad2ipt gets called by psad, it takes immediate action and blocks the IP by adding an iptables rule into its previously assigned chain.<br>
The rule uses the state connection-tracking module to match incoming packets only and requires the outside interface name to specify the direction,<br>
this way it should be a '''safe drop rule''' that avoids false blockings. We also offer a whitelist function to prevent wrong data assignment.<br>
However, psad2ipt will never add private IP addresses into its chain, even if told to do so.
<br>
=Installation=
Download and extract the archive to /usr/local/psad2ipt; a different path is possible by setting it in the configuration file.
==List of files==
*psad2ipt.pl - Script
*psad2ipt.xml - Configuration
*psad2ipt.db - Database
==Install Perl Modules==
*This will work with Debian:
apt-get install libipc-run-perl
apt-get install libproc-processtable-perl
apt-get install libdbi-perl
apt-get install libdbd-sqlite3-perl
cpan Net::Syslog
=Setup=
==Setup psad2ipt==
*Edit '''psad2ipt.xml'''
{| style="border: 1px solid #FFF0C0;"
|+ '''psad2ipt.xml'''
|-----
! align="left" valign="top" bgcolor="#ffff99" style="padding:5px;"| XML Child Element     
! align="left" valign="top" bgcolor="#ffff99" style="padding:5px;"| XML Attribute
! align="left" valign="top" bgcolor="#ffff99" style="padding:5px;"| Value
|-----
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
SETTINGS
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
Chain
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
Chain name to be used with psad2ipt, the default is P2I
|-----
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
MaxEvents
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
Maximum events from a single IP address,<br>
this is a counter which counts up until the amount has been reached, only then is the IP address blocked. <br>
The default is 1
|-----
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
MaxDBDays
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
Maximum number of days for which events are kept within the database, older records will be deleted
|-----
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
LookBehind
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
Number of days psad2ipt looks behind to get the amount of events for the specified IP address<br>
This value is used when running psad2ipt with the options '''-A''' and '''-C'''
|-----
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
MaxRules
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
Used for flooding prevention, it is the maximum number of rules allowed within the psad2ipt chain
|-----
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
BaseLock
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
This is the initial amount of minutes which psad2ipt will use when it gets called with the option '''-A'''<br>
The unit is '''Minutes'''<br>
The default is 15 Minutes<br>
The amount will dynamically increase on every event, first 15, then 30, 60, 120 and so on
|-----
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
UseSyslog
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
If set to '''1''' then psad2ipt will write to syslog on localhost using UDP 514,<br>
note that the syslog daemon must be configured to accept this beforehand
|-----
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
DBFile
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
Path to the DB file, this is needed when psad2ipt is used with option '''-c'''
|-----
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
LogPath
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
If '''UseSyslog''' equals 0 then the specified path is used to write the psad2ipt log files
|-----
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
WhiteListPath
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
Path to be used for reading whitelist files
|-----
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
OutsideInterface
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
Required: name of the outside interface, for example '''eth0'''; this value has no default!
|-----
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
SplunkServer
| align="left" valign="top" bgcolor="#ffffff" style="padding:5px; border: 1px solid #F3F781;"|
IP address of the Splunk server to which psad2ipt sends messages on UDP 514
|}
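The decision logic described under "Setup and Operation description" and parameterized by the table above (private-address refusal, whitelist, the MaxEvents counter within the LookBehind window, the doubling BaseLock, the MaxRules flood cap and the interface-bound "state NEW" drop rule), as an added Python example; it is not psad2ipt's own Perl code, and the settings values, the events table layout and the exact iptables rule syntax are assumptions.

```python
import ipaddress
import sqlite3
from datetime import datetime, timedelta

# Constructed settings mirroring the psad2ipt.xml attributes in the table above.
SETTINGS = {"Chain": "P2I", "MaxEvents": 1, "LookBehind": 7, "MaxRules": 500,
            "BaseLock": 15, "OutsideInterface": "eth0"}

def new_db():
    """Assumed events table (psad2ipt's real SQLite schema is not on the page)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events(ip TEXT, ts TEXT)")
    return db

def is_blockable(ip_text, whitelist):
    """Tight address check: only public IPv4 unicast that is not whitelisted."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False                      # garbage from a log line, never a rule
    if ip.version != 4 or ip.is_private or ip.is_loopback or ip.is_link_local \
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified:
        return False                      # private/special addresses are never added
    return ip_text not in whitelist

def lock_minutes(base, occurrences):
    """BaseLock doubles on every occurrence: 15, 30, 60, 120 ... minutes."""
    return base * 2 ** (occurrences - 1)

def decide(db, ip_text, now, whitelist=frozenset(), rules_in_chain=0):
    """Return (iptables rule, lock minutes) or None when psad2ipt would not block."""
    if not is_blockable(ip_text, whitelist):
        return None
    db.execute("INSERT INTO events(ip, ts) VALUES (?, ?)", (ip_text, now.isoformat()))
    # Count this address's events within the LookBehind window (ISO strings sort by time).
    since = (now - timedelta(days=SETTINGS["LookBehind"])).isoformat()
    (count,) = db.execute("SELECT COUNT(*) FROM events WHERE ip=? AND ts>=?",
                          (ip_text, since)).fetchone()
    if count < SETTINGS["MaxEvents"]:     # counter not yet reached
        return None
    if rules_in_chain >= SETTINGS["MaxRules"]:   # flooding prevention
        return None
    minutes = lock_minutes(SETTINGS["BaseLock"], count)
    # Incoming direction only: bound to the outside interface, state NEW, like the
    # example rule shown under Examples (exact rule syntax is an assumption).
    rule = (f'iptables -A {SETTINGS["Chain"]} -i {SETTINGS["OutsideInterface"]} '
            f'-s {ip_text} -m state --state NEW -j DROP -m comment '
            f'--comment "Dynamic rule by {SETTINGS["Chain"]} at {now:%Y-%m-%d %H:%M:%S}"')
    return rule, minutes
```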
==Setup iptables==
To set up iptables it is essential to create the chain first; example for the default chain 'P2I':
/sbin/iptables -N P2I
Note that the chain will have no effect unless it has been assigned to the INPUT or FORWARD chain of iptables.<br>
Assigning the chain:
/sbin/iptables -A INPUT -j P2I
/sbin/iptables -A FORWARD -j P2I
*Note that the assignment must be placed after the chain creation and before the default drop chain/rule
==Running psad2ipt==
psad2ipt can be run with the following options:
*Check the inventory and delete expired addresses from the chain; the '''-c''' configuration option allows this command to be called from anywhere other than the psad2ipt home directory
#/psad2ipt -C -c /usr/local/psad2ipt/psad2ipt.xml
*Check the inventory, delete expired addresses from the chain
/usr/local/psad2ipt #./psad2ipt -C
*Add the sample address (1.2.3.4) to the specified chain '''(P2I)'''; this is done immediately.
/usr/local/psad2ipt #./psad2ipt -A 1.2.3.4
*List the database records
/usr/local/psad2ipt #./psad2ipt -l
*Delete a single IP address from the environment
/usr/local/psad2ipt #./psad2ipt -D 1.2.3.4
*Flush the database
/usr/local/psad2ipt #./psad2ipt -F
 
=Examples=
*Example rule in chain P2I
root@rb-mk01:/usr/local/psad2ipt# iptables -L P2I -n
Chain P2I (1 references)
target    prot opt source              destination
DROP      all  --  11.1.2.5            0.0.0.0/0            state NEW /* Dynamic rule by P2I at 2016-02-19 19:16:02 */

Latest revision as of 20:42, 20 February 2016

deleted