psad (Port Scan Attack Detector)
Author: Michael Rash (firstname.lastname@example.org)
Thanks to: (see the CREDITS file).
The Port Scan Attack Detector (psad) is a collection of two lightweight
system daemons written in Perl and in C that are designed to work with Linux
iptables firewalling code to detect port scans and other suspect traffic. It
features a set of highly configurable danger thresholds (with sensible
defaults provided), verbose alert messages that include the source,
destination, scanned port range, begin and end times, tcp flags and
corresponding nmap options, reverse DNS info, email and syslog alerting,
automatic blocking of offending ip addresses via dynamic configuration of
iptables rulesets, passive operating system fingerprinting, and DSheild
reporting. In addition, psad incorporates many of the tcp, udp, and icmp
signatures included in the snort intrusion detection system
(http://www.snort.org) to detect highly suspect scans for various backdoor
programs (e.g. EvilFTP, GirlFriend, SubSeven), DDoS tools (mstream, shaft),
and advanced port scans (syn, fin, xmas) which are easily leveraged against a
machine via nmap. psad can also alert on snort signatures that are logged
via fwsnort, which makes use of the iptables string match module to detect
application layer signatures.
Information on config keywords referenced by psad may be found both in the
psad(8) man page, and also here:
All information psad analyzes is gathered from iptables log messages.
psad by default reads the /var/log/messages file for new iptables messages and
optionally writes them out to a dedicated file (/var/log/psad/fwdata).
psad is then responsible for applying the danger threshold and signature logic
in order to determine whether or not a port scan has taken place, send
appropriate alert emails, and (optionally) block offending ip addresses. psad
includes a signal handler such that if a USR1 signal is received, psad will
dump the contents of the current scan hash data structure to
/var/log/psad/scan_hash.$$ where "$$" represents the pid of the running psad
NOTE: Since psad relies on iptables to generate appropriate log messages
for unauthorized packets, psad is only as good as the logging rules included
in the iptables ruleset. Usually the best way setup the firewall is with
default "drop and log" rules at the end of the ruleset, and include rules
above this last rule that only allow traffic that should be allowed through.
Upon execution, the psad daemon will attempt to ascertain whether or not such
a default deny rule exists, and will warn the administrator if it doesn't.
See the FW_EXAMPLE_RULES file for example firewall rulesets that are
compatible with psad.
Additionally, extensive coverage of psad is included in the book "Linux
Firewalls: Attack Detection and Response" published by No Starch Press, and a
supporting script in this book is compatible with psad. This script can be
See the INSTALL file in the psad sources directory.
See the FW_HELP file in the psad sources directory. Also, read the
psad has been tested on RedHat 6.2 - 9.0, Fedora Core 1 and 2, and
Gentoo Linux systems running various kernels. The only program that
specifically depends on the RedHat architecture is psad-init, which depends
on /etc/rc.d/init.d/functions. For non-RedHat systems a more generic init
script is included called "psad-init.generic". The psad init scripts are
mostly included as a nicety; psad can be run from the command line like any
Copyright (C) 1999-2015 Michael Rash (email@example.com)
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
psad makes use of many of the tcp, udp, and icmp signatures available in
Snort (written by Marty Roesch, see http://www.snort.org). Snort is a
registered trademark of Sourcefire, Inc.