You may just need to add a default logging rule
heliobarbosa opened this issue · 9 comments
I'm faced with this error:
[-] You may just need to add a default logging rule to the
'filter' 'INPUT' chain on localhost.localdomain. For more information,
see the file "README" in the psad sources directory or visit: http://www.cipherdyne.org/psad/docs/fwconfig.html
But these are my iptables rules:
[root@localhost Downloads]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
LOG all -- anywhere anywhere LOG level warning
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
LOG all -- anywhere anywhere LOG level warning
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Is there some problem?
Yes, I get those mails too ("[psad-status] firewall setup warning on domain.tld!"). The rules are in the INPUT and FORWARD chains.
Debian 9.1
psad-2.4.5
iptables & ip6tables
@HelioB - you should really have a default deny policy on the INPUT chain (not accept).
@mrash - I get a similar message:
[+] Available search strings in /etc/psad/psad.conf:
DROP
[+] Additional search strings can be added be specifying more
FW_MSG_SEARCH lines in /etc/psad/psad.conf
[-] The INPUT chain in the ruleset on xxxxxxxx includes a default
LOG rule for all protocols,
but the rule does not include one of the log prefixes mentioned above.
It appears as though the log prefix is set to "NONE"
psad will not be able to detect scans without adding one of the above
logging prefixes to the rule.
For the last rule in the INPUT chain I use:
-A INPUT -m limit --limit 2/min -j LOG --log-prefix "DROP INPUT: " --log-level 4
Regarding #50: the latest version of PSAD has finally landed in Fedora. Now I also get this warning:
You may just need to add a default logging rule to the
'filter' 'INPUT' chain on defiant. For more information,
see the file "README" in the psad sources directory or visit:
I do have drop rules for INPUT and FORWARD in both iptables and ip6tables.
# iptables -vnL | grep DROP
21 840 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 LOG all -- !lo * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix "DROP INPUT "
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 LOG all -- !lo * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix "DROP FORWARD "
15 600 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
# iptables-save | grep DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT ! -i lo -j LOG --log-prefix "DROP INPUT " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD ! -i lo -j LOG --log-prefix "DROP FORWARD " --log-tcp-options --log-ip-options
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
Yet, PSAD does not detect the chains:
jul 09 11:32:00 defiant systemd[1]: Starting The Port Scan Attack Detector (psad)...
jul 09 11:32:01 defiant psad[13390]: invalid IPT_AUTO_CHAIN1 keyword, INPUT chain does not exist.
jul 09 11:32:01 defiant psad[13390]: invalid IPT_AUTO_CHAIN2 keyword, OUTPUT chain does not exist.
jul 09 11:32:01 defiant psad[13390]: invalid IPT_AUTO_CHAIN3 keyword, FORWARD chain does not exist.
jul 09 11:32:01 defiant psad[13390]: imported p0f-based passive OS fingerprinting signatures
jul 09 11:32:01 defiant psad[13390]: imported TOS-based passive OS fingerprinting signatures
jul 09 11:32:02 defiant psad[13390]: imported Snort classification.config
jul 09 11:32:02 defiant psad[13390]: imported original Snort rules in /etc/psad/snort_rules/ for reference info
jul 09 11:32:02 defiant psad[13390]: imported 206 psad Snort signatures from /etc/psad/signatures
jul 09 11:32:02 defiant psad[13390]: imported valid icmp types and codes
jul 09 11:32:02 defiant psad[13390]: imported valid icmp6 types and codes
jul 09 11:32:02 defiant psad[13390]: starting up psad version 2.4.5
jul 09 11:32:04 defiant systemd[1]: Started The Port Scan Attack Detector (psad).
jul 09 11:32:04 defiant psad[13438]: flushing existing psad iptables auto-response chains
I do not use firewalld, I use the native ip[6]tables.
ENABLE_OVERRIDE_FW_CMD N;
FW_CMD NONE;
FW_CMD_ARGS NONE;
...
iptablesCmd /sbin/iptables;
ip6tablesCmd /sbin/ip6tables;
What am I missing here?
...
-A INPUT -j LOG
-A INPUT -j DROP
....
-A FORWARD -j LOG
Should be enough. What version are you using? Package, or installed with install.pl?
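The check that produces the "does not include one of the log prefixes" warning quoted above, and the reason a bare "-A INPUT -j LOG" rule is only half the story, can be reproduced offline. This is an added example, not psad's own code: a shell function that reads an iptables-save style ruleset and reports whether a chain has a LOG rule whose --log-prefix contains one of the FW_MSG_SEARCH strings. The two sample rulesets are constructed from the ones posted in this thread.

```bash
#!/bin/bash
# Constructed sample rulesets in iptables-save format, modelled on the two
# configurations posted in this thread.
RULES_WITH_PREFIX='*filter
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT ! -i lo -j LOG --log-prefix "DROP INPUT " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD ! -i lo -j LOG --log-prefix "DROP FORWARD " --log-tcp-options --log-ip-options
COMMIT'

RULES_NO_PREFIX='*filter
-A INPUT -j LOG
-A INPUT -j DROP
-A FORWARD -j LOG
COMMIT'

# check_chain_logging RULESET CHAIN SEARCH_STRING...
# Prints "ok" (return 0), "prefix-missing" (return 1) or "no-log-rule" (return 2).
# SEARCH_STRING values play the role of FW_MSG_SEARCH lines in psad.conf.
check_chain_logging() {
    local ruleset="$1" chain="$2"
    shift 2
    local logrules
    # all LOG rules appended to this chain ("|| true" keeps set -e quiet on no match)
    logrules=$(printf '%s\n' "$ruleset" | grep -E "^-A ${chain} .*-j LOG" || true)
    if [ -z "$logrules" ]; then
        echo "no-log-rule"; return 2
    fi
    local needle
    for needle in "$@"; do
        # the search string must occur inside --log-prefix "..."
        if printf '%s\n' "$logrules" | grep -qE -- "--log-prefix \"[^\"]*${needle}[^\"]*\""; then
            echo "ok"; return 0
        fi
    done
    echo "prefix-missing"; return 1
}

# Usage: evaluate both rulesets against the default FW_MSG_SEARCH value "DROP".
for chain in INPUT FORWARD OUTPUT; do
    echo "prefixed ruleset, $chain: $(check_chain_logging "$RULES_WITH_PREFIX" "$chain" DROP)"
    echo "bare ruleset,     $chain: $(check_chain_logging "$RULES_NO_PREFIX" "$chain" DROP)"
done
```

Run against a live host with `check_chain_logging "$(iptables-save)" INPUT DROP` to see the same verdict psad's firewall check would reach for IPv4; use ip6tables-save for the IPv6 ruleset.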
On an Arch Linux systemd based system I have been using (without any problems)
-A INPUT -m limit --limit 2/min -j LOG --log-prefix "DROP INPUT: " --log-level 4
I also set in /etc/psad/psad.conf:
AUTO_DETECT_JOURNALCTL Y;
I also use a default deny policy:
## iptables-restore < /etc/iptables.rules
*filter
#default DROP Policy
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
I don't think a default drop policy is required; my last rule for INPUT and FORWARD drops all.
When I start PSAD with psad --debug I see that it, for some reason, defaults to firewall-cmd... I will check this in more detail. Continues in #50.
# psad --debug
[+] run_command(): /bin/ps auxww
[*] journalctl appears to be running.
[+] import_perl_modules(): The @INC array:
/usr/local/lib64/perl5
/usr/local/share/perl5
/usr/lib64/perl5/vendor_perl
/usr/share/perl5/vendor_perl
/usr/lib64/perl5
/usr/share/perl5
Tue Jul 10 16:09:13 2018 [+] IPTables::Parse::exec_iptables(waitpid()) /bin/firewall-cmd --direct --passthrough ipv4 -w -t filter -n -L INPUT
Tue Jul 10 16:09:13 2018 [+] IPTables::Parse: Setting SIGCHLD handler to: CODE(0x5581cdf40ab8)
Tue Jul 10 16:09:13 2018 firewall-cmd command stdout:
Tue Jul 10 16:09:13 2018 firewall-cmd command stderr:
FirewallD is not running
Tue Jul 10 16:09:13 2018 Return value: 0
Tue Jul 10 16:09:13 2018 [+] IPTables::Parse::exec_iptables(waitpid()) /bin/firewall-cmd --direct --passthrough ipv4 -t filter -v -n -L INPUT
Tue Jul 10 16:09:13 2018 [+] IPTables::Parse: Setting SIGCHLD handler to: CODE(0x5581cdf40ab8)
Tue Jul 10 16:09:13 2018 firewall-cmd command stdout:
Tue Jul 10 16:09:13 2018 firewall-cmd command stderr:
FirewallD is not running
Tue Jul 10 16:09:13 2018 Return value: 0
[+] syslog msg: invalid IPT_AUTO_CHAIN1 keyword, INPUT chain does not exist.
[-] build_ipt_config(): invalid IPT_AUTO_CHAIN1 keyword, INPUT chain does not exist.
Tue Jul 10 16:09:13 2018 [+] IPTables::Parse::exec_iptables(waitpid()) /bin/firewall-cmd --direct --passthrough ipv4 -t filter -v -n -L OUTPUT
Tue Jul 10 16:09:13 2018 [+] IPTables::Parse: Setting SIGCHLD handler to: CODE(0x5581cdf40ab8)
Tue Jul 10 16:09:13 2018 firewall-cmd command stdout:
Tue Jul 10 16:09:13 2018 firewall-cmd command stderr:
FirewallD is not running
Tue Jul 10 16:09:13 2018 Return value: 0
[+] syslog msg: invalid IPT_AUTO_CHAIN2 keyword, OUTPUT chain does not exist.
[-] build_ipt_config(): invalid IPT_AUTO_CHAIN2 keyword, OUTPUT chain does not exist.
Tue Jul 10 16:09:13 2018 [+] IPTables::Parse::exec_iptables(waitpid()) /bin/firewall-cmd --direct --passthrough ipv4 -t filter -v -n -L FORWARD
Tue Jul 10 16:09:13 2018 [+] IPTables::Parse: Setting SIGCHLD handler to: CODE(0x5581cdf40ab8)
Tue Jul 10 16:09:14 2018 firewall-cmd command stdout:
Tue Jul 10 16:09:14 2018 firewall-cmd command stderr:
FirewallD is not running
Tue Jul 10 16:09:14 2018 Return value: 0
My config is as follows:
EMAIL_ADDRESSES list-admin@domain.example;
HOSTNAME hostname;
HOME_NET any;
EXTERNAL_NET any;
FW_SEARCH_ALL Y;
FW_MSG_SEARCH DROP;
IFCFGTYPE iproute2;
DANGER_LEVEL1 5; ### number of packets.
DANGER_LEVEL2 15;
DANGER_LEVEL3 150;
DANGER_LEVEL4 1500;
DANGER_LEVEL5 10000;
DL1_UNIQUE_HOSTS 10;
DL2_UNIQUE_HOSTS 20;
DL3_UNIQUE_HOSTS 50;
DL4_UNIQUE_HOSTS 100;
DL5_UNIQUE_HOSTS 500;
CHECK_INTERVAL 5;
SNORT_SID_STR SID;
PORT_RANGE_SCAN_THRESHOLD 1;
PORT_RANGE_SWEEP_THRESHOLD 0; ### a single port by default, see the DL1_UNIQUE_HOSTS var
PROTOCOL_SCAN_THRESHOLD 5;
ENABLE_PERSISTENCE Y;
SCAN_TIMEOUT 3600; ### seconds
PERSISTENCE_CTR_THRESHOLD 5;
MAX_SCAN_IP_PAIRS 0;
SHOW_ALL_SIGNATURES Y;
ALERTING_METHODS ALL;
AUTO_DETECT_JOURNALCTL Y;
ENABLE_SYSLOG_FILE Y;
IPT_WRITE_FWDATA Y;
IPT_SYSLOG_FILE /var/log/messages;
SYSLOG_DAEMON syslogd;
ENABLE_FW_MSG_READ_CMD Y;
FW_MSG_READ_CMD /bin/journalctl;
FW_MSG_READ_CMD_ARGS -f -k;
USE_FW_MSG_READ_CMD_ARGS Y;
FW_MSG_READ_MIN_PKTS 30;
ENABLE_SIG_MSG_SYSLOG Y;
SIG_MSG_SYSLOG_THRESHOLD 10;
SIG_SID_SYSLOG_THRESHOLD 10;
ENABLE_PSADWATCHD N;
EXPECT_TCP_OPTIONS Y;
MAX_HOPS 20;
IGNORE_KERNEL_TIMESTAMP Y;
IGNORE_CONNTRACK_BUG_PKTS Y;
IGNORE_PORTS NONE;
IGNORE_PROTOCOLS NONE;
IGNORE_INTERFACES NONE;
IGNORE_LOG_PREFIXES NONE;
MIN_DANGER_LEVEL 1;
EMAIL_ALERT_DANGER_LEVEL 3;
ENABLE_IPV6_DETECTION Y;
ENABLE_INTF_LOCAL_NETS Y;
ENABLE_MAC_ADDR_REPORTING Y;
ENABLE_FW_LOGGING_CHECK Y;
EMAIL_LIMIT 25;
ENABLE_EMAIL_LIMIT_PER_DST Y;
EMAIL_LIMIT_STATUS_MSG Y;
EMAIL_THROTTLE 0;
ALERT_ALL Y;
IMPORT_OLD_SCANS N;
SYSLOG_IDENTITY psad;
SYSLOG_FACILITY LOG_LOCAL7;
SYSLOG_PRIORITY LOG_INFO;
TOP_PORTS_LOG_THRESHOLD 500;
STATUS_PORTS_THRESHOLD 20;
TOP_SIGS_LOG_THRESHOLD 500;
STATUS_SIGS_THRESHOLD 50;
TOP_IP_LOG_THRESHOLD 500;
STATUS_IP_THRESHOLD 25;
TOP_SCANS_CTR_THRESHOLD 1;
ENABLE_OVERRIDE_FW_CMD N;
FW_CMD NONE;
FW_CMD_ARGS NONE;
ENABLE_DSHIELD_ALERTS Y;
DSHIELD_ALERT_EMAIL reports@dshield.org;
DSHIELD_ALERT_INTERVAL 6; ### hours
DSHIELD_USER_ID 0;
DSHIELD_USER_EMAIL NONE;
DSHIELD_DL_THRESHOLD 0;
HTTP_SERVERS $HOME_NET;
SMTP_SERVERS $HOME_NET;
DNS_SERVERS $HOME_NET;
SQL_SERVERS $HOME_NET;
TELNET_SERVERS $HOME_NET;
AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24];
HTTP_PORTS 80;
SHELLCODE_PORTS !80;
ORACLE_PORTS 1521;
ENABLE_SNORT_SIG_STRICT Y;
ENABLE_AUTO_IDS Y;
AUTO_IDS_DANGER_LEVEL 5;
AUTO_BLOCK_TIMEOUT 3600;
AUTO_BLOCK_DL1_TIMEOUT $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL2_TIMEOUT $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL3_TIMEOUT $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL4_TIMEOUT $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL5_TIMEOUT 0; ### permanent
ENABLE_AUTO_IDS_REGEX N;
AUTO_BLOCK_REGEX ESTAB; ### from fwsnort logging prefixes
ENABLE_RENEW_BLOCK_EMAILS N;
ENABLE_AUTO_IDS_EMAILS Y;
IPTABLES_BLOCK_METHOD Y;
IPT_AUTO_CHAIN1 DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
IPT_AUTO_CHAIN2 DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
IPT_AUTO_CHAIN3 DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
FLUSH_IPT_AT_INIT Y;
IPTABLES_PREREQ_CHECK 1;
TCPWRAPPERS_BLOCK_METHOD N;
ENABLE_WHOIS_LOOKUPS Y;
WHOIS_TIMEOUT 60; ### seconds
WHOIS_LOOKUP_THRESHOLD 20;
ENABLE_WHOIS_FORCE_ASCII N;
ENABLE_WHOIS_FORCE_SRC_IP N;
ENABLE_DNS_LOOKUPS Y;
DNS_LOOKUP_THRESHOLD 20;
ENABLE_EXT_SCRIPT_EXEC N;
EXTERNAL_SCRIPT /bin/true;
EXEC_EXT_SCRIPT_PER_ALERT N;
ENABLE_EXT_BLOCK_SCRIPT_EXEC N;
EXTERNAL_BLOCK_SCRIPT /bin/true;
ENABLE_CUSTOM_SYSLOG_TS_RE N;
CUSTOM_SYSLOG_TS_RE ^\s*((?:\S+\s+){2}\S+)\s+(\S+)\s+kernel\:;
DISK_CHECK_INTERVAL 300; ### seconds
DISK_MAX_PERCENTAGE 95;
DISK_MAX_RM_RETRIES 10;
ENABLE_SCAN_ARCHIVE N;
TRUNCATE_FWDATA Y;
MIN_ARCHIVE_DANGER_LEVEL 1;
MAIL_ALERT_PREFIX [psad-alert];
MAIL_STATUS_PREFIX [psad-status];
MAIL_ERROR_PREFIX [psad-error];
MAIL_FATAL_PREFIX [psad-fatal];
SIG_UPDATE_URL http://www.cipherdyne.org/psad/signatures;
PSADWATCHD_CHECK_INTERVAL 5; ### seconds
PSADWATCHD_MAX_RETRIES 10;
INSTALL_ROOT /;
PSAD_DIR $INSTALL_ROOT/var/log/psad;
PSAD_RUN_DIR $INSTALL_ROOT/var/run/psad;
PSAD_FIFO_DIR $INSTALL_ROOT/var/lib/psad;
PSAD_LIBS_DIR $INSTALL_ROOT/usr/lib/psad;
PSAD_CONF_DIR $INSTALL_ROOT/etc/psad;
PSAD_ERR_DIR $PSAD_DIR/errs;
CONF_ARCHIVE_DIR $PSAD_DIR/archive;
SCAN_DATA_ARCHIVE_DIR $PSAD_DIR/scan_archive;
ANALYSIS_MODE_DIR $PSAD_DIR/ipt_analysis;
SNORT_RULES_DIR $PSAD_CONF_DIR/snort_rules;
FWSNORT_RULES_DIR /etc/fwsnort/snort_rules; ### may not exist
FW_DATA_FILE $PSAD_DIR/fwdata;
ULOG_DATA_FILE $PSAD_DIR/ulogd.log;
FW_CHECK_FILE $PSAD_DIR/fw_check;
DSHIELD_EMAIL_FILE $PSAD_DIR/dshield.email;
SIGS_FILE $PSAD_CONF_DIR/signatures;
PROTOCOLS_FILE $PSAD_CONF_DIR/protocols;
ICMP_TYPES_FILE $PSAD_CONF_DIR/icmp_types;
ICMP6_TYPES_FILE $PSAD_CONF_DIR/icmp6_types;
AUTO_DL_FILE $PSAD_CONF_DIR/auto_dl;
SNORT_RULE_DL_FILE $PSAD_CONF_DIR/snort_rule_dl;
POSF_FILE $PSAD_CONF_DIR/posf;
P0F_FILE $PSAD_CONF_DIR/pf.os;
IP_OPTS_FILE $PSAD_CONF_DIR/ip_options;
PSAD_FIFO_FILE $PSAD_FIFO_DIR/psadfifo;
ETC_HOSTS_DENY_FILE /etc/hosts.deny;
ETC_SYSLOG_CONF /etc/syslog.conf;
ETC_RSYSLOG_CONF /etc/rsyslog.conf;
ETC_SYSLOGNG_CONF /etc/syslog-ng/syslog-ng.conf;
ETC_METALOG_CONF /etc/metalog/metalog.conf;
STATUS_OUTPUT_FILE $PSAD_DIR/status.out;
ANALYSIS_OUTPUT_FILE $PSAD_DIR/analysis.out;
INSTALL_LOG_FILE $PSAD_DIR/install.log;
PSAD_PID_FILE $PSAD_RUN_DIR/psad.pid;
PSAD_FW_READ_PID_FILE $PSAD_RUN_DIR/psad_fw_read.pid;
PSAD_CMDLINE_FILE $PSAD_RUN_DIR/psad.cmd;
KMSGSD_PID_FILE $PSAD_RUN_DIR/kmsgsd.pid;
PSADWATCHD_PID_FILE $PSAD_RUN_DIR/psadwatchd.pid;
AUTO_BLOCK_IPT_FILE $PSAD_DIR/auto_blocked_iptables;
AUTO_BLOCK_TCPWR_FILE $PSAD_DIR/auto_blocked_tcpwr;
AUTO_IPT_SOCK $PSAD_RUN_DIR/auto_ipt.sock;
FW_ERROR_LOG $PSAD_ERR_DIR/fwerrorlog;
PRINT_SCAN_HASH $PSAD_DIR/scan_hash;
PROC_FORWARD_FILE /proc/sys/net/ipv4/ip_forward;
PACKET_COUNTER_FILE $PSAD_DIR/packet_ctr;
TOP_SCANNED_PORTS_FILE $PSAD_DIR/top_ports;
TOP_SIGS_FILE $PSAD_DIR/top_sigs;
TOP_ATTACKERS_FILE $PSAD_DIR/top_attackers;
DSHIELD_COUNTER_FILE $PSAD_DIR/dshield_ctr;
IPT_PREFIX_COUNTER_FILE $PSAD_DIR/ipt_prefix_ctr;
IPT_OUTPUT_PATTERN psad_iptout.XXXXXX;
IPT_ERROR_PATTERN psad_ipterr.XXXXXX;
iptablesCmd /sbin/iptables;
ip6tablesCmd /sbin/ip6tables;
shCmd /bin/sh;
wgetCmd /usr/bin/wget;
gzipCmd /bin/gzip;
mknodCmd /bin/mknod;
psCmd /bin/ps;
mailCmd /bin/mail;
sendmailCmd /usr/sbin/sendmail;
ifconfigCmd /sbin/ifconfig;
ipCmd /sbin/ip;
killallCmd /usr/bin/killall;
netstatCmd /bin/netstat;
unameCmd /bin/uname;
whoisCmd /usr/bin/whois;
dfCmd /bin/df;
fwcheck_psadCmd $INSTALL_ROOT/usr/sbin/fwcheck_psad;
psadwatchdCmd $INSTALL_ROOT/usr/sbin/psadwatchd;
kmsgsdCmd $INSTALL_ROOT/usr/sbin/kmsgsd;
psadCmd $INSTALL_ROOT/usr/sbin/psad;
My issue was resolved with psad-2.4.6-1.fc29.x86_64
On my Ubuntu 20.04 I have the same problem with INPUT, even though iptables has LOG rules.
In my case the problem with Debian 11 was that rules added manually are gone after a reboot. And since I use IPv6 too, I got the message 2 times in the email.
My solution was to add the following script to the folder /etc/network/if-pre-up.d/iptableRules and make it executable: chmod +x iptableRules.
Note: the script must not have an .sh extension, otherwise it will not be executed. You can test whether it will be loaded by running the command run-parts --test /etc/network/if-pre-up.d
#!/bin/bash
# Add a firewall rule only if it is not already present.
checkRule() {
    # $1 = iptables or ip6tables
    # $2 = rule specification (chain plus match/target); word-split on purpose
    local fw="$1" rule="$2"
    # -C returns non-zero when the rule does not exist; silence its error message
    if ! "$fw" -C $rule 2>/dev/null; then
        # add the rule
        "$fw" -A $rule
        # verify that the append succeeded
        if ! "$fw" -C $rule 2>/dev/null; then
            echo "error: could not add rule '$rule' to $fw" >&2
        else
            echo "rule '$rule' added to $fw"
        fi
    else
        echo "rule '$rule' already exists in $fw"
    fi
}

# define rules
inputRule="INPUT -j LOG"
forwardRule="FORWARD -j LOG"

# make sure the rules exist for both IPv4 and IPv6
checkRule "iptables" "$inputRule"
checkRule "iptables" "$forwardRule"
checkRule "ip6tables" "$inputRule"
checkRule "ip6tables" "$forwardRule"
As an alternative you can use the package iptables-persistent, but I have not tested it. You can find more information at: https://serverfault.com/questions/904938/iptables-didnt-restore-the-new-rules-after-reboot