1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
|
The following firewall rulesets are examples of rulesets that are compatible
with psad. Basically, the only criteria is have the firewall log and
drop packets that should not be allowed through. Then a port scan will
manifest itself within /var/log/messages as packets are dropped and logged,
at which time these messages will be written to the /var/lib/psad/psadfifo
named pipe and analyzed by psad.
### iptables:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 129.xx.xx.xx 64.44.21.15 tcp dpt:22 flags:SYN,RST,ACK/SYN
ACCEPT tcp -- 208.xx.xx.xx 64.44.21.15 tcp dpt:22 flags:SYN,RST,ACK/SYN
ACCEPT tcp -- 24.xx.xx.xx 64.44.21.15 tcp dpt:22 flags:SYN,RST,ACK/SYN
ACCEPT tcp -- 208.xx.xx.xx 64.44.21.15 tcp dpt:22 flags:SYN,RST,ACK/SYN
ACCEPT tcp -- 0.0.0.0/0 64.44.21.15 tcp dpt:25 flags:SYN,RST,ACK/SYN
ACCEPT tcp -- 0.0.0.0/0 64.44.21.15 tcp dpt:80 flags:SYN,RST,ACK/SYN
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG level warning prefix `DROP '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG level warning prefix `DROP '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
|
