psad: could not add iptables block rule for: xxx.xxx.xxx.xxx and IPT_AUTO_CHAIN1 keyword not found
Even after updating to the GitHub version I still get these errors in the log, and psad cannot auto-block IP addresses.
Tried with ENABLE_OVERRIDE_FW_CMD set to Y and to N, but the problem remains.
Excerpt from the messages log:
psad: invalid IPT_AUTO_CHAIN1 keyword, INPUT chain does not exist.
psad: could not add iptables block rule for:
Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64 GNU/Linux
psad -V
[+] psad v2.4.6 by Michael Rash <mbr@cipherdyne.org>
psad.conf (as used, with the e-mail address and hostname redacted):
EMAIL_ADDRESSES xxx;
HOSTNAME xxx;
HOME_NET NOT_USED;
EXTERNAL_NET any;
FW_SEARCH_ALL Y;
FW_MSG_SEARCH DROP;
IFCFGTYPE ifconfig;
DANGER_LEVEL1 5;
DANGER_LEVEL2 15;
DANGER_LEVEL3 150;
DANGER_LEVEL4 1500;
DANGER_LEVEL5 10000;
DL1_UNIQUE_HOSTS 10;
DL2_UNIQUE_HOSTS 20;
DL3_UNIQUE_HOSTS 50;
DL4_UNIQUE_HOSTS 100;
DL5_UNIQUE_HOSTS 500;
CHECK_INTERVAL 5;
SNORT_SID_STR SID;
PORT_RANGE_SCAN_THRESHOLD 1;
PORT_RANGE_SWEEP_THRESHOLD 0;
PROTOCOL_SCAN_THRESHOLD 5;
ENABLE_PERSISTENCE Y;
SCAN_TIMEOUT 3600;
PERSISTENCE_CTR_THRESHOLD 5;
MAX_SCAN_IP_PAIRS 0;
SHOW_ALL_SIGNATURES N;
ALERTING_METHODS noemail;
AUTO_DETECT_JOURNALCTL Y;
ENABLE_SYSLOG_FILE Y;
IPT_WRITE_FWDATA Y;
IPT_SYSLOG_FILE /var/log/messages;
SYSLOG_DAEMON syslogd;
ENABLE_FW_MSG_READ_CMD N;
FW_MSG_READ_CMD /bin/journalctl;
FW_MSG_READ_CMD_ARGS -f -k;
USE_FW_MSG_READ_CMD_ARGS Y;
FW_MSG_READ_MIN_PKTS 30;
ENABLE_SIG_MSG_SYSLOG Y;
SIG_MSG_SYSLOG_THRESHOLD 10;
SIG_SID_SYSLOG_THRESHOLD 10;
ENABLE_PSADWATCHD N;
EXPECT_TCP_OPTIONS Y;
MAX_HOPS 20;
IGNORE_KERNEL_TIMESTAMP Y;
IGNORE_CONNTRACK_BUG_PKTS Y;
IGNORE_PORTS NONE;
IGNORE_PROTOCOLS NONE;
IGNORE_INTERFACES NONE;
IGNORE_LOG_PREFIXES NONE;
MIN_DANGER_LEVEL 1;
EMAIL_ALERT_DANGER_LEVEL 3;
ENABLE_IPV6_DETECTION Y;
ENABLE_INTF_LOCAL_NETS Y;
ENABLE_MAC_ADDR_REPORTING N;
ENABLE_FW_LOGGING_CHECK Y;
EMAIL_LIMIT 20;
ENABLE_EMAIL_LIMIT_PER_DST N;
EMAIL_LIMIT_STATUS_MSG Y;
EMAIL_THROTTLE 0;
EMAIL_APPEND_HEADER NONE;
ALERT_ALL Y;
IMPORT_OLD_SCANS N;
SYSLOG_IDENTITY psad;
SYSLOG_FACILITY LOG_LOCAL7;
SYSLOG_PRIORITY LOG_INFO;
TOP_PORTS_LOG_THRESHOLD 500;
STATUS_PORTS_THRESHOLD 20;
TOP_SIGS_LOG_THRESHOLD 500;
STATUS_SIGS_THRESHOLD 50;
TOP_IP_LOG_THRESHOLD 500;
STATUS_IP_THRESHOLD 25;
TOP_SCANS_CTR_THRESHOLD 1;
ENABLE_OVERRIDE_FW_CMD Y;
FW_CMD /usr/sbin/iptables;
FW_CMD_ARGS NONE;
ENABLE_DSHIELD_ALERTS N;
DSHIELD_ALERT_EMAIL reports@dshield.org;
DSHIELD_ALERT_INTERVAL 6;
DSHIELD_USER_ID 0;
DSHIELD_USER_EMAIL NONE;
DSHIELD_DL_THRESHOLD 0;
HTTP_SERVERS $HOME_NET;
SMTP_SERVERS $HOME_NET;
DNS_SERVERS $HOME_NET;
SQL_SERVERS $HOME_NET;
TELNET_SERVERS $HOME_NET;
AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24];
HTTP_PORTS 80;
SHELLCODE_PORTS !80;
ORACLE_PORTS 1521;
ENABLE_SNORT_SIG_STRICT Y;
ENABLE_AUTO_IDS Y;
AUTO_IDS_DANGER_LEVEL 3;
AUTO_BLOCK_TIMEOUT 604800;
AUTO_BLOCK_DL1_TIMEOUT 300;
AUTO_BLOCK_DL2_TIMEOUT 900;
AUTO_BLOCK_DL3_TIMEOUT 1200;
AUTO_BLOCK_DL4_TIMEOUT $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL5_TIMEOUT 0;
ENABLE_AUTO_IDS_REGEX N;
AUTO_BLOCK_REGEX ESTAB;
ENABLE_RENEW_BLOCK_EMAILS N;
ENABLE_AUTO_IDS_EMAILS Y;
IPTABLES_BLOCK_METHOD Y;
IPT_AUTO_CHAIN1 DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
IPT_AUTO_CHAIN2 DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
IPT_AUTO_CHAIN3 DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
FLUSH_IPT_AT_INIT Y;
IPTABLES_PREREQ_CHECK 1;
TCPWRAPPERS_BLOCK_METHOD N;
ENABLE_WHOIS_LOOKUPS Y;
WHOIS_TIMEOUT 60;
WHOIS_LOOKUP_THRESHOLD 20;
ENABLE_WHOIS_FORCE_ASCII N;
ENABLE_WHOIS_FORCE_SRC_IP N;
ENABLE_DNS_LOOKUPS Y;
DNS_LOOKUP_THRESHOLD 20;
ENABLE_EXT_SCRIPT_EXEC N;
EXTERNAL_SCRIPT /bin/true;
EXEC_EXT_SCRIPT_PER_ALERT N;
ENABLE_EXT_BLOCK_SCRIPT_EXEC N;
EXTERNAL_BLOCK_SCRIPT /bin/true;
ENABLE_CUSTOM_SYSLOG_TS_RE N;
CUSTOM_SYSLOG_TS_RE ^\s*((?:\S+\s+){2}\S+)\s+(\S+)\s+kernel\:;
DISK_CHECK_INTERVAL 300;
DISK_MAX_PERCENTAGE 95;
DISK_MAX_RM_RETRIES 10;
ENABLE_SCAN_ARCHIVE N;
TRUNCATE_FWDATA Y;
MIN_ARCHIVE_DANGER_LEVEL 1;
MAIL_ALERT_PREFIX [psad-alert];
MAIL_STATUS_PREFIX [psad-status];
MAIL_ERROR_PREFIX [psad-error];
MAIL_FATAL_PREFIX [psad-fatal];
SIG_UPDATE_URL http://www.cipherdyne.org/psad/signatures;
PSADWATCHD_CHECK_INTERVAL 5;
PSADWATCHD_MAX_RETRIES 10;
INSTALL_ROOT /;
PSAD_DIR $INSTALL_ROOT/var/log/psad;
PSAD_RUN_DIR $INSTALL_ROOT/var/run/psad;
PSAD_FIFO_DIR $INSTALL_ROOT/var/lib/psad;
PSAD_LIBS_DIR $INSTALL_ROOT/usr/lib/psad;
PSAD_CONF_DIR $INSTALL_ROOT/etc/psad;
PSAD_ERR_DIR $PSAD_DIR/errs;
CONF_ARCHIVE_DIR $PSAD_CONF_DIR/archive;
SCAN_DATA_ARCHIVE_DIR $PSAD_DIR/scan_archive;
ANALYSIS_MODE_DIR $PSAD_DIR/ipt_analysis;
SNORT_RULES_DIR $PSAD_CONF_DIR/snort_rules;
FWSNORT_RULES_DIR /etc/fwsnort/snort_rules;
FW_DATA_FILE $PSAD_DIR/fwdata;
ULOG_DATA_FILE $PSAD_DIR/ulogd.log;
FW_CHECK_FILE $PSAD_DIR/fw_check;
DSHIELD_EMAIL_FILE $PSAD_DIR/dshield.email;
SIGS_FILE $PSAD_CONF_DIR/signatures;
PROTOCOLS_FILE $PSAD_CONF_DIR/protocols;
ICMP_TYPES_FILE $PSAD_CONF_DIR/icmp_types;
ICMP6_TYPES_FILE $PSAD_CONF_DIR/icmp6_types;
AUTO_DL_FILE $PSAD_CONF_DIR/auto_dl;
SNORT_RULE_DL_FILE $PSAD_CONF_DIR/snort_rule_dl;
POSF_FILE $PSAD_CONF_DIR/posf;
P0F_FILE $PSAD_CONF_DIR/pf.os;
IP_OPTS_FILE $PSAD_CONF_DIR/ip_options;
PSAD_FIFO_FILE $PSAD_FIFO_DIR/psadfifo;
ETC_HOSTS_DENY_FILE /etc/hosts.deny;
ETC_SYSLOG_CONF /etc/syslog.conf;
ETC_RSYSLOG_CONF /etc/rsyslog.conf;
ETC_SYSLOGNG_CONF /etc/syslog-ng/syslog-ng.conf;
ETC_METALOG_CONF /etc/metalog/metalog.conf;
STATUS_OUTPUT_FILE $PSAD_DIR/status.out;
ANALYSIS_OUTPUT_FILE $PSAD_DIR/analysis.out;
INSTALL_LOG_FILE $PSAD_DIR/install.log;
PSAD_PID_FILE $PSAD_RUN_DIR/psad.pid;
PSAD_FW_READ_PID_FILE $PSAD_RUN_DIR/psad_fw_read.pid;
PSAD_CMDLINE_FILE $PSAD_RUN_DIR/psad.cmd;
KMSGSD_PID_FILE $PSAD_RUN_DIR/kmsgsd.pid;
PSADWATCHD_PID_FILE $PSAD_RUN_DIR/psadwatchd.pid;
AUTO_BLOCK_IPT_FILE $PSAD_DIR/auto_blocked_iptables;
AUTO_BLOCK_TCPWR_FILE $PSAD_DIR/auto_blocked_tcpwr;
AUTO_IPT_SOCK $PSAD_RUN_DIR/auto_ipt.sock;
FW_ERROR_LOG $PSAD_ERR_DIR/fwerrorlog;
PRINT_SCAN_HASH $PSAD_DIR/scan_hash;
PROC_FORWARD_FILE /proc/sys/net/ipv4/ip_forward;
PACKET_COUNTER_FILE $PSAD_DIR/packet_ctr;
TOP_SCANNED_PORTS_FILE $PSAD_DIR/top_ports;
TOP_SIGS_FILE $PSAD_DIR/top_sigs;
TOP_ATTACKERS_FILE $PSAD_DIR/top_attackers;
DSHIELD_COUNTER_FILE $PSAD_DIR/dshield_ctr;
IPT_PREFIX_COUNTER_FILE $PSAD_DIR/ipt_prefix_ctr;
IPT_OUTPUT_PATTERN psad_iptout.XXXXXX;
IPT_ERROR_PATTERN psad_ipterr.XXXXXX;
iptablesCmd /sbin/iptables;
ip6tablesCmd /sbin/ip6tables;
shCmd /bin/sh;
wgetCmd /usr/bin/wget;
gzipCmd /bin/gzip;
mknodCmd /bin/mknod;
psCmd /bin/ps;
mailCmd /bin/mail;
sendmailCmd /usr/sbin/sendmail;
ifconfigCmd /sbin/ifconfig;
ipCmd /sbin/ip;
killallCmd /usr/bin/killall;
netstatCmd /bin/netstat;
unameCmd /bin/uname;
whoisCmd $INSTALL_ROOT/usr/bin/whois_psad;
dfCmd /bin/df;
fwcheck_psadCmd $INSTALL_ROOT/usr/sbin/fwcheck_psad;
psadwatchdCmd $INSTALL_ROOT/usr/sbin/psadwatchd;
kmsgsdCmd $INSTALL_ROOT/usr/sbin/kmsgsd;
psadCmd $INSTALL_ROOT/usr/sbin/psad;