Discussion:
[psad-discuss] psad without FirewallD on Centos7?
Hannes Happle
2016-10-19 13:10:54 UTC
Hi!

First of all, thanks for developing psad, a really nice piece of software.
I used it for over a year on Debian Wheezy without problems.

Now, I switched to a stronger server running CentOS 7 (because SELinux)
and here I have some trouble getting psad up and running, or -more
precisely- banning.

I had a small issue starting it, because systemd expected the .pid file
in /var/run and not /var/run/psad.
I resolved that by editing the run path in the config and now it runs
fine and is detecting scans, sending alerts etc.

BUT it's not creating IPTables chains (PSAD_BLOCK_INPUT etc.)

I switched to IPTables instead of FirewallD because I really dislike the
latter and also think, while having advantages on e.g. notebooks, it's
nonsense on servers with static configurations.

I installed the most recent versions of psad, IPTables::Parse and
IPTables::ChainMgr from cipherdyne.org and it seems like psad tries to
interact with FirewallD instead of IPTables:

# psad --fw-list
[+] Listing chains from IPT_AUTO_CHAIN keywords...

FirewallD is not running

FirewallD is not running

FirewallD is not running


The IPTables chains are not touched, and because of that, no banning
occurs either.
Any ideas how to resolve this issue?

Thanks,
Hannes
Michael Rash
2016-10-21 02:48:52 UTC
Post by Hannes Happle
Hi!
First of all, thanks for developing psad, a really nice piece of software.
I used it for over a year on Debian Wheezy without problems.

Cool, glad you like psad.

Post by Hannes Happle
Now, I switched to a stronger server running CentOS 7 (because SELinux)
and here I have some trouble getting psad up and running, or -more
precisely- banning.
I had a small issue starting it, because systemd expected the .pid file
in /var/run and not /var/run/psad.
I resolved that by editing the run path in the config and now it runs
fine and is detecting scans, sending alerts etc.
BUT it's not creating IPTables chains (PSAD_BLOCK_INPUT etc.)
I switched to IPTables instead of FirewallD because I really dislike the
latter and also think, while having advantages on e.g. notebooks, it's
nonsense on servers with static configurations.
I installed the most recent versions of psad, IPTables::Parse and
IPTables::ChainMgr from cipherdyne.org and it seems like psad tries to
# psad --fw-list
[+] Listing chains from IPT_AUTO_CHAIN keywords...
FirewallD is not running
FirewallD is not running
FirewallD is not running
The IPTables chains are not touched, and because of that, no banning
occurs either.
Any ideas how to resolve this issue?

I suspect this is happening because the firewall-cmd binary is still
installed on your system, and the IPTables::Parse module looks for
firewall-cmd before iptables/ip6tables. If you are not using firewalld at
all, then you could just move "/usr/bin/firewall-cmd" to
"/usr/bin/firewall-cmd.old".

Thanks,

--Mike
_______________________________________________
psad-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/psad-discuss
--
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
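
The lookup-order problem described in the reply above, as an added diagnostic sketch (not part of the original thread and not code from psad or IPTables::Parse): it reports when a leftover firewall-cmd would be picked ahead of iptables while firewalld is not running, and counts psad's PSAD_BLOCK_* chains in `iptables -S` output. The function names, result labels and sample rules are assumptions made for this example.

```shell
# Added example: not code from psad or IPTables::Parse.

# Print the first executable called $1 in the colon-separated directory list $2.
find_in_dirs() {
    name=$1
    old_ifs=$IFS; IFS=:
    for d in $2; do
        if [ -x "$d/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$d/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Classify a host, assuming firewall-cmd is preferred over iptables when both
# exist (the order described in the thread).
#   $1 = directory list to search, $2 = output of `firewall-cmd --state`
diagnose_backend() {
    dirs=$1
    state=$2
    if fwcmd=$(find_in_dirs firewall-cmd "$dirs"); then
        if [ "$state" = "running" ]; then
            echo "firewalld: $fwcmd"
        else
            echo "stale-firewall-cmd: $fwcmd"   # the situation in this thread
        fi
    elif ipt=$(find_in_dirs iptables "$dirs"); then
        echo "iptables: $ipt"
    else
        echo "none"
    fi
}

# Count psad blocking chains in `iptables -S` output read from stdin.
count_psad_chains() {
    grep -c '^-N PSAD_BLOCK_' || true
}

# Constructed sample of `iptables -S` output on a host where psad manages its chains.
SAMPLE_RULES='-P INPUT ACCEPT
-N PSAD_BLOCK_INPUT
-N PSAD_BLOCK_OUTPUT
-N PSAD_BLOCK_FORWARD'
printf '%s\n' "$SAMPLE_RULES" | count_psad_chains
```

On a live host, call `diagnose_backend "$PATH" "$(firewall-cmd --state 2>&1)"` and pipe `iptables -S` (as root) into `count_psad_chains`; a `stale-firewall-cmd` result together with a chain count of 0 matches the symptoms reported here.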
Hannes Happle
2016-10-24 23:14:01 UTC
Thank you very much, works like a charm! I went a step further and
removed FirewallD altogether.
What may be nice is some cfg setting to maybe tell it to ignore
firewall-cmd and use IPTables instead.
Ofc nothing really important, but would have saved me quite some time
and would be a "nice to have".
Or maybe just write it down in PSAD's documentation.
Anyways, thanks again!

Hannes