Paul F. Versloot
2015-04-05 03:23:56 UTC
Hello out there,
For several weeks, I've got Shorewall happily configured on my Linux
box. All the possible multicast- and broadcast addresses are logged, but
there is no annoying email-warning-alert of the local router broadcast
anymore!. (so finally the Shorewall-firewall is properly configured and
Psad for about +/-80%
My configuration is as follows:
Shorewall 4.6.4.3 in combination with Psad v2.2.1 on Ubuntu 14.04.1 LTS
(x32).
My question is:
How do I set the options to quickly autoblock ipv4-addresses with Psad,
when somebody is tracing open ports of the firewall (net zone of course)
with nMap in stealth mode (scanning all the TCP ports, with a Windows
nMap it takes about 1.5 hour).
Last week, I've got several waring emails (from Psad of course) AFTER
1.5 HOUR, with a test with nMap and the above options. (scanning option
all UDP ports, had the same result).
My goal is very simple:
If anyone is scanning a port of my firewall, or a (little) range, I
would like to autoblock the IP-address automatically and immediately.
(of course Psad must send direct an alert to the system account)
This test was last week successful, but far to slow and with to much
Psad emails.
After filtering all the Psad (false positive warnings about all the
*-casts) AND altering a few configuration parameters in the Psad config-
file, a same rescan didn't autoblock and alert at all...
With shorewall, I USE 3 levels of logging (filtered bij RSyslogd ->
shorewall.log):
1. INFO
2. WARN(ing)
3. none(!)
All the logs of the Shorewall specific iptables and netfilter rules
are filtered only to the shorewall.log file, with the standard default
prefix.
The changes I've made in Psad were the following (I've lowered the
original values):
### Danger levels. These represent the total number of
### packets required for a scan to reach each danger level.
### A scan may also reach a danger level if the scan trips
### a signature or if the scanning ip is listed in
### auto_ips so a danger level is automatically
### assigned.
DANGER_LEVEL1 5; ### Number of packets.
DANGER_LEVEL2 10;
DANGER_LEVEL3 50;
DANGER_LEVEL4 100;
DANGER_LEVEL5 1000;
Does anybody know how to trigger fast (very fast) an email out of the
Shorewall logfile into the Psad warning email AND block automatically
the IP?
(unblocking is easy witch Psad --flush :-)
Schould I change the Psad config file or higher the logging levels (1-7)
ie. WARN(ing) -> CRIT(ical)?
I've you don't know how, thanks for reading anyway,
Greetings,
Paul F. Versloot
ps: included, psad.conf; shorewall.conf, rules, zones, policy.
For several weeks, I've got Shorewall happily configured on my Linux
box. All the possible multicast- and broadcast addresses are logged, but
there is no annoying email-warning-alert of the local router broadcast
anymore!. (so finally the Shorewall-firewall is properly configured and
Psad for about +/-80%
My configuration is as follows:
Shorewall 4.6.4.3 in combination with Psad v2.2.1 on Ubuntu 14.04.1 LTS
(x32).
My question is:
How do I set the options to quickly autoblock ipv4-addresses with Psad,
when somebody is tracing open ports of the firewall (net zone of course)
with nMap in stealth mode (scanning all the TCP ports, with a Windows
nMap it takes about 1.5 hour).
Last week, I've got several waring emails (from Psad of course) AFTER
1.5 HOUR, with a test with nMap and the above options. (scanning option
all UDP ports, had the same result).
My goal is very simple:
If anyone is scanning a port of my firewall, or a (little) range, I
would like to autoblock the IP-address automatically and immediately.
(of course Psad must send direct an alert to the system account)
This test was last week successful, but far to slow and with to much
Psad emails.
After filtering all the Psad (false positive warnings about all the
*-casts) AND altering a few configuration parameters in the Psad config-
file, a same rescan didn't autoblock and alert at all...
With shorewall, I USE 3 levels of logging (filtered bij RSyslogd ->
shorewall.log):
1. INFO
2. WARN(ing)
3. none(!)
All the logs of the Shorewall specific iptables and netfilter rules
are filtered only to the shorewall.log file, with the standard default
prefix.
The changes I've made in Psad were the following (I've lowered the
original values):
### Danger levels. These represent the total number of
### packets required for a scan to reach each danger level.
### A scan may also reach a danger level if the scan trips
### a signature or if the scanning ip is listed in
### auto_ips so a danger level is automatically
### assigned.
DANGER_LEVEL1 5; ### Number of packets.
DANGER_LEVEL2 10;
DANGER_LEVEL3 50;
DANGER_LEVEL4 100;
DANGER_LEVEL5 1000;
Does anybody know how to trigger fast (very fast) an email out of the
Shorewall logfile into the Psad warning email AND block automatically
the IP?
(unblocking is easy witch Psad --flush :-)
Schould I change the Psad config file or higher the logging levels (1-7)
ie. WARN(ing) -> CRIT(ical)?
I've you don't know how, thanks for reading anyway,
Greetings,
Paul F. Versloot
ps: included, psad.conf; shorewall.conf, rules, zones, policy.