QUICK AND EASY INSTALLATION INSTRUCTIONS:
Just run the psad installation script "install.pl" from the psad
This will result in a functional installation of psad on your system. It is
safe to run the install.pl script even if you already have psad installed on
your system. The configuration can (optionally) be preserved from the
previous installation (you will be prompted for this if an existing psad
installation is detected). For more information, read on:
psad makes use of log messages that are generated by iptables as it logs
(and drops) packets. Hence if your firewall is not configured to log packets,
then psad will NOT detect port scans or anything else. Usually the best and
most secure way to configure your firewall is to first put the minimal rules
needed to allow only necessary traffic to and from your machine, and then have
default LOG and DROP rules toward the end of the firewall ruleset. Some
example firewall rulesets that are compatible with psad are contained within
the file FW_EXAMPLE_RULES, and the "iptables.sh" script available at the
following link contains a script to build a compatible iptables policy:
Note that psad is only compatible (as of version 2.1.3) with iptables
firewalls, but support for other firewall logging formats (such as logs
generated by ipfw and pf) is coming soon.
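An added example of a policy with the shape described above (this is not psad's own iptables.sh or FW_EXAMPLE_RULES): a shell function that emits a minimal ruleset allowing only loopback, established connections and SSH, followed by LOG and DROP rules at the end of the INPUT and FORWARD chains, plus a check that the LOG rule really precedes the DROP. The external interface eth0 and the SSH port 22 are assumptions; the commands are printed rather than run so the policy can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not part of the psad distribution: emit a minimal iptables
# policy in the form psad expects, with default LOG and DROP rules at the end
# of the INPUT and FORWARD chains. Commands are printed, not executed, so the
# policy can be reviewed first; to apply it as root:  psad_ruleset | sh
# Assumptions (hypothetical values): external interface eth0, SSH on tcp/22.
WAN_IF="${WAN_IF:-eth0}"
SSH_PORT="${SSH_PORT:-22}"

psad_ruleset() {
    # Start from a clean filter table with a default-drop stance.
    echo "iptables -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    # Minimal rules: loopback, replies to our own connections, and SSH.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i $WAN_IF -p tcp --dport $SSH_PORT --syn -j ACCEPT"
    # Everything else is logged (these messages are what psad parses) and
    # then dropped. LOG must come before DROP or nothing is ever logged.
    for chain in INPUT FORWARD; do
        echo "iptables -A $chain -j LOG --log-prefix \"${chain}_DROP \" --log-ip-options --log-tcp-options"
        echo "iptables -A $chain -j DROP"
    done
}

# Sanity check: in the given chain the LOG rule must precede the final DROP.
# Returns 0 when the ordering is correct, non-zero otherwise.
log_precedes_drop() {
    chain="$1"
    log_line=$(psad_ruleset | grep -n -- "-A $chain -j LOG" | head -n 1 | cut -d: -f1)
    drop_line=$(psad_ruleset | grep -n -- "-A $chain -j DROP" | head -n 1 | cut -d: -f1)
    [ -n "$log_line" ] && [ -n "$drop_line" ] && [ "$log_line" -lt "$drop_line" ]
}
```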
psad requires several perl modules that may or may not already be
installed on your Linux system. These modules are included in the deps/
directory in the psad sources, and the list of modules is:
psad also includes a whois client written by Marco d'Itri (see the deps/whois
directory). This client does better than others at collecting the correct
whois information for a given IP address.
As of kernel version 2.4.13, there is a bug in the connection tracking
code that can drop packets that are part of legitimate TCP connections that
have entered into the CLOSE_WAIT state depending on how late they arrive.
Since these packets are dropped whenever the iptables policy is configured in
a default drop stance, psad interprets them as potentially belonging to a
scan. The source of the problem is an inappropriately low timeout value, and
fortunately this problem is mostly fixed (or at least minimized) by the
trivial kernel patch "conntrack_patch" included with the psad source code.
If you start noticing lots of ACK/FIN, ACK, and even RST packets being denied
by iptables from legitimate sessions, then you may want to apply this patch.
This will of course require the kernel to be recompiled. For more information
on how to do this, see the Kernel-HOWTO available at:
You can install a new version of psad over an existing one; just run
install.pl. The installation script will preserve any old configuration
parameters when installing the new versions of psad, psadwatchd, and kmsgsd.
psad can be completely removed from the system by executing
install.pl with the --uninstall option.