Howto Setup a Basic IDS/IPS on a Linux Server
As part of your overall hardening and the suite of security software you have installed, an IDS and/or IPS should not be left out. This is also a requirement for PCI compliance. An IDS/IPS is very important for a number of reasons: first, because when you are hacked, typically some sort of activity preceded the hack, such as a port scan, which an IDS could detect and an IPS could block. In addition, the logs from your IDS/IPS can serve as part of your audit trail when investigating a security breach.
PSAD will help you meet Payment Card Industry Data Security Standard requirement 11.4 and its related testing procedures. After installing PSAD, you will want to test it by running a port scan against the server to ensure PSAD is working and generating alerts. This will help you meet PCI DSS requirement 11.1's Testing Procedure 11.1.d. The log should also be part of your incident response policy, which is part of requirements 12.9.3 and 12.9.5.
Depending on what you want to scan for, this can take anywhere from weeks to minutes to set up and configure. Monitoring your Intrusion Detection System / Intrusion Protection System can likewise require anywhere from several full-time staff to a few minutes a day. We will be covering a simple IDS/IPS here, something you will be able to set up in minutes and maintain with only a few minutes per day. Specifically, we will be covering PSAD, made by CipherDyne. For a more robust IDS/IPS you could use something such as Snort, although PSAD contains a lot of the elements of Snort, as well as many signatures from Snort.
To install PSAD, first download the software:
tar -jxvf psad-2.1.7.tar.bz2
Now run the install file:
In our example we are going to use the default for most of the options:
[+] Would you like alerts sent to a different address ([y]/n)?
Hit enter for yes, then enter your email address, and then a . by itself on the next line.
Would you like psad to only parse specific strings in iptables
Choose the default, no.
First, is it ok to leave the HOME_NET setting as “any” ([y]/n)?
Choose yes. For added security you may want to set HOME_NET to your local, on-site IP addresses; we won't be detailing that as this is a basic install.
Would you like to enable DShield alerts (y/[n])?
Choose no; this can be changed in the config file later (/etc/psad/psad.conf).
DShield is a company that keeps a feed of bad IPs, in addition to offering a number of other security-related tools, such as a base64 decoder and a database of reverse MD5 and SHA-1 hashes.
Would you like to install the latest signatures from
This one doesn't have a default, so type y to get the latest signatures. CipherDyne is, of course, the maker of PSAD.
[+] Enable psad at boot time ([y]/n)?
Press enter for yes.
With this setup, PSAD will log activity such as port scans in /var/log/psad/ip/, with one directory for each IP. In addition to the entries under /var/log, it will also email you once a certain danger level is reached, which we will get to configuring next. The logged output from PSAD will be useful for PCI DSS requirement 10.6, which states that all logs must be reviewed daily.
Open the psad config file in your favorite text editor. By the way, we are using CentOS in our example, so your paths may vary if you're on a different distro. Also, this is on a basic install, and we did not need to install any additional packages or libraries for this.
Here you can set how aggressive you want psad to be.
Some good settings for it to be mildly aggressive would be the following changes:
Change MIN_DANGER_LEVEL from 1 to 2:
Change EMAIL_ALERT_DANGER_LEVEL from 1 to 3:
Those settings are a little loose, so go back up and change DANGER_LEVEL3 from 150 to 50:
If you have alerts going to a smartphone or PDA, there can be a lot of them, so you might want to set a limit on the number of emails you get for each IP; for example, change EMAIL_LIMIT to 3:
If you do this, make sure you also block the IP, because you will not get any further alerts for that IP once the limit is reached.
To turn your IDS into an IDS and IPS, enable the following:
If there are any IPs you want to whitelist, such as the IP of a security scanner, you can do so in /etc/psad/auto_dl, with an entry such as:
After editing the config file, restart psad:
/sbin/service psad restart
Finally, to make this all work, you need to add the following rules to iptables:
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
These can either be added to an iptables rules file, if you have it configured that way, or, if you use firewall management software such as the APF firewall from RF-X Networks, to /etc/apf/postroute.rules.
Whether you are trying to make your server PCI compliant or just trying to harden or protect your server, I hope you enjoyed this tutorial. With every admin doing their part to secure their servers, we can help deter hackers and make the Internet a safer place.
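The most common reason a fresh PSAD install stays silent is that the LOG rules above never made it into the running firewall, so psad has nothing to parse. The following is an added example, not code from the tutorial or from the PSAD project: two small checks that read psad.conf-style text and iptables-save output (fed here from constructed samples, but you can pass the live files instead) and report whether the danger-level setting and the INPUT/FORWARD LOG rules are actually in place.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): sanity-check a PSAD setup.
#  1. psad.conf carries the MIN_DANGER_LEVEL you intended ("KEY  value;" lines)
#  2. the INPUT and FORWARD chains each have a "-j LOG" rule, since psad
#     only ever sees what iptables logs.
# Live usage: check_psad_setup "$(cat /etc/psad/psad.conf)" "$(iptables-save)"

# Print the value of a psad.conf key; stdin is the config text.
psad_conf_value() {  # $1 = key name
    awk -v k="$1" '$1 == k { sub(/;$/, "", $2); print $2; exit }'
}

# Succeed if the named chain has a "-j LOG" rule; stdin is iptables-save text.
chain_has_log_rule() {  # $1 = chain name
    grep -q -E "^-A $1( .*)? -j LOG( |\$)"
}

# Constructed sample config using the values chosen in the tutorial above.
SAMPLE_CONF='MIN_DANGER_LEVEL         2;
EMAIL_ALERT_DANGER_LEVEL 3;
DANGER_LEVEL3            50;
EMAIL_LIMIT              3;'

# Constructed iptables-save output: INPUT logs, FORWARD was forgotten.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG
COMMIT'

# Report every problem found; return 1 if there was at least one.
check_psad_setup() {  # $1 = config text, $2 = iptables-save text
    rc=0
    lvl=$(printf '%s\n' "$1" | psad_conf_value MIN_DANGER_LEVEL)
    [ "${lvl:-0}" -ge 2 ] ||
        { echo "MIN_DANGER_LEVEL is ${lvl:-unset}; expected at least 2"; rc=1; }
    for chain in INPUT FORWARD; do
        printf '%s\n' "$2" | chain_has_log_rule "$chain" ||
            { echo "chain $chain has no LOG rule; psad will not see its traffic"; rc=1; }
    done
    return $rc
}

check_psad_setup "$SAMPLE_CONF" "$SAMPLE_RULES"
```

Run against the samples it reports the missing FORWARD LOG rule and exits non-zero; against the live files it should print nothing once the tutorial's steps are complete.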