PSAD (psad.conf)

Configuração para o PSAD

Categoria: Segurança

Software: PSAD

[ Hits: 9.395 ]

Por: Anderson L Tamborim


Para os que leram o meu artigo sobre PSAD, aqui está o conf do mesmo
devidamente  configurado para melhorar a função do software.
Enjoy!


### Supports multiple email addresses (as a comma separated
### list).
EMAIL_ADDRESSES             root@localhost;

### Machine hostname
HOSTNAME                    RootSec;
HOME_NET                    ppp0;
SYSLOG_DAEMON               syslogd; 
DANGER_LEVEL1               5;    ### Number of packets.
DANGER_LEVEL2               50;
DANGER_LEVEL3               1000;
DANGER_LEVEL4               5000;
DANGER_LEVEL5               10000;
PSAD_CHECK_INTERVAL         5;
SNORT_SID_STR               SID;
PORT_RANGE_SCAN_THRESHOLD   1;

ENABLE_PERSISTENCE          Y;
SCAN_TIMEOUT                3600;  ### seconds
SHOW_ALL_SIGNATURES         N;
IGNORE_CONNTRACK_BUG_PKTS   Y;
IGNORE_PORTS                NONE;
EMAIL_ALERT_DANGER_LEVEL    1;
PSAD_EMAIL_LIMIT            10;
ALERT_ALL                   Y;

IMPORT_OLD_SCANS            N;  
ENABLE_DSHIELD_ALERTS       N;
ENABLE_AUTO_IDS             Y;

### Block all traffic from offending IP if danger
### level >= to this value
AUTO_IDS_DANGER_LEVEL       3;

### Set the auto-blocked timeout in seconds (the default
### is one hour).
AUTO_BLOCK_TIMEOUT          50; 

### Enable iptables blocking (only gets enabled if
### ENABLE_AUTO_IDS is also set)
IPTABLES_BLOCK_METHOD       Y;

### Specify the position or rule number within the iptables
### policy where auto block rules get added.
IPTABLES_AUTO_RULENUM       1;

### Enable tcp wrappers blocking (only gets enabled if
### ENABLE_AUTO_IDS is also set) 
TCPWRAPPERS_BLOCK_METHOD    N;
### Set the whois timeout
WHOIS_TIMEOUT               60;  ### seconds

### Set the number of times an ip can be seen before another dns
### lookup is issued.
DNS_LOOKUP_THRESHOLD        20;

### Set the number of times an ip can be seen before another whois
### lookup is issued.
WHOIS_LOOKUP_THRESHOLD      20;

### Enable psad to run an external script or program (use at your
### own risk!)
ENABLE_EXT_SCRIPT_EXEC      Y;### Example:  EXTERNAL_SCRIPT       /path/to/script --ip SRCIP -v;
EXTERNAL_SCRIPT             /usr/sbin/iptables -A INPUT -p tcp -s SRCIP -j DROP;

### Control execution of EXTERNAL_SCRIPT (only once per IP, or
### every time a scan is detected for an ip).
EXEC_EXT_SCRIPT_PER_ALERT   Y;

### Disk usage variables
DISK_CHECK_INTERVAL         300;  ### seconds

### This can be set to 0 to disable disk checking altogether
DISK_MAX_PERCENTAGE         95;

### This can be set to 0 to have psad not place any limit on the
### number of times it will attempt to remove data from
### /var/log/psad/.
DISK_MAX_RM_RETRIES         10;

### Only archive scanning ip directories that have reached a danger
### level greater than or equal to this value.  Archiving old
### scanning ip directories only takes place at psad startup.
MIN_ARCHIVE_DANGER_LEVEL    1;      
### Directories
PSAD_DIR                    /var/log/psad;
SCAN_DATA_ARCHIVE_DIR       /var/log/psad/scan_archive;
PSAD_ERROR_DIR              /var/log/psad/errs;
ANALYSIS_MODE_DIR           /var/log/psad/ipt_analysis;
SNORT_RULES_DIR             /etc/snort/rules;

### Files
FW_DATA_FILE                /var/log/psad/fwdata;
FW_CHECK_FILE               /var/log/psad/fw_check;
PSAD_PID_FILE               /var/run/psad/psad.pid;
PSAD_CMDLINE_FILE           /var/run/psad/psad.cmd;
PSAD_SIGS_FILE              /etc/psad/signatures;
PSAD_ICMP_TYPES_FILE        /etc/psad/icmp_types;
PSAD_AUTO_DL_FILE           /etc/psad/auto_dl;
PSAD_POSF_FILE              /etc/psad/posf;
PSAD_FIFO                   /var/lib/psad/psadfifo;
ETC_HOSTS_DENY              /etc/hosts.deny;
ETC_SYSLOG_CONF             /etc/syslog.conf;
ETC_SYSLOGNG_CONF           /etc/syslog-ng/syslog-ng.conf;
ETC_METALOG_CONF            /etc/metalog/metalog.conf;

### PID files               
KMSGSD_PID_FILE             /var/run/psad/kmsgsd.pid;
PSADWATCHD_PID_FILE         /var/run/psad/psadwatchd.pid;

### List of ips that have been auto blocked by iptables
### or tcpwrappers (the auto blocking feature is disabled by
### default, see the psad man page and the ENABLE_AUTO_IDS
### variable).              
AUTO_BLOCK_IPT_FILE         /var/log/psad/auto_blocked_iptables;
AUTO_BLOCK_TCPWR_FILE       /var/log/psad/auto_blocked_tcpwr;

FW_ERROR_LOG                /var/log/psad/errs/fwerrorlog;
PRINT_SCAN_HASH             /var/log/psad/scan_hash;

### /proc interface for controlling ip forwarding
PROC_FORWARD_FILE           /proc/sys/net/ipv4/ip_forward;

### Packet counters for tcp, udp, and icmp protocols
PACKET_COUNTER_FILE         /var/log/psad/packet_ctr;### Counter file for Dshield alerts
DSHIELD_COUNTER_FILE        /var/log/psad/dshield_ctr;

### Counter file for iptables prefixes
IPT_PREFIX_COUNTER_FILE     /var/log/psad/ipt_prefix_ctr;

### system binaries
shCmd           /bin/sh;
iptablesCmd     /usr/sbin/iptables;
mknodCmd        /bin/mknod;
psCmd           /bin/ps;
mailCmd         /bin/mail;
sendmailCmd     /usr/sbin/sendmail;
ifconfigCmd     /sbin/ifconfig;
syslogdCmd      /sbin/syslogd;
syslog-ngCmd     /sbin/syslog-ng;  ### only used if SYSLOG_DAEMON = syslog-ng
killallCmd      /usr/bin/killall;
netstatCmd      /bin/netstat;
unameCmd        /bin/uname;
whoisCmd        /usr/bin/whois_psad;
dfCmd           /bin/df;
fwcheck_psadCmd  /usr/sbin/fwcheck_psad;
psadwatchdCmd   /usr/sbin/psadwatchd;
kmsgsdCmd       /usr/sbin/kmsgsd;
psadCmd         /usr/sbin/psad;







  


Comentários
[1] Comentário enviado por memory em 06/11/2008 - 16:35h

Ola amigo
poderia me ajudar
meu kmsgsd nao esta rodando quando inicio o psad
ja verifiquei o caminho no psad.conf esta o mesmo que o
whereis me retornou /usr/sbin/kmsgsd
que pode ser ?
abracos

[2] Comentário enviado por Xatoo em 28/03/2016 - 20:39h

Não consigo editar o psad.conf, não consigo usar o root do sistema para obter acesso privilegiado ao arquivo para editá-lo no Fedora 23.
Como faço...

Xatoo


Contribuir com comentário

  



Patrocínio

Site hospedado pelo provedor RedeHost.
Linux banner

Destaques

Artigos

Dicas

Tópicos

Top 10 do mês

Scripts