Saturday, November 15, 2008

PSAD - how to

Still on RedHat/CentOS :P

What is PSAD??
I'm too lazy to explain, so please go and read about it here:
http://www.cipherdyne.org/psad/docs/

Here we go: download the PSAD package from
http://www.cipherdyne.org/psad/download/

OK, download the package with wget :P
[alex@www ~]$ wget http://www.cipherdyne.org/psad/download/psad-2.1.4-1.i386.rpm
--19:21:37-- http://www.cipherdyne.org/psad/download/psad-2.1.4-1.i386.rpm
Resolving www.cipherdyne.org... 204.174.223.204
Connecting to www.cipherdyne.org|204.174.223.204|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 748833 (731K) [audio/x-pn-realaudio-plugin]
Saving to: `psad-2.1.4-1.i386.rpm'
100%[============================================================>] 748,833 82.4K/s in 9.0s
19:21:47 (81.1 KB/s) - `psad-2.1.4-1.i386.rpm' saved [748833/748833]

note:: done


Install it, go go go :-
[alex@www ~]$ sudo rpm -ivh psad-2.1.4-1.i386.rpm
Preparing... ########################################### [100%]
1:psad ########################################### [100%]
Can't open /etc/psad/psadwatchd.conf: No such file or directory.
[+] You can edit the EMAIL_ADDRESSES variable in /etc/psad/psad.conf
/etc/psad/psadwatchd.conf to have email alerts sent to an address
other than root\@localhost

note:: see, it is so obvious: it asks you to modify psad.conf and psadwatchd.conf so that it can send you the email alerts :P

Before modifying, always back up the original config file; make this a habit:
[alex@www psad]$ sudo cp psad.conf psad.conf.old


Modify it la la la la
[alex@www psad]$ sudo vi psad.conf
Change this line to your email address:
EMAIL_ADDRESSES alex@gmail.com;


Make it start automatically after a system reboot:
[alex@www psad]$ sudo /sbin/chkconfig psad on
[alex@www psad]$ sudo /sbin/chkconfig --level 35 psad on


[alex@www psad]$ sudo /etc/init.d/psad start
Starting psad: [ OK ]

Check your /var/log/messages :-
Nov 15 19:32:58 www psad: imported valid icmp types and codes
Nov 15 19:32:58 www psad: imported p0f-based passive OS fingerprinting signatures
Nov 15 19:32:58 www psad: imported TOS-based passive OS fingerprinting signatures
Nov 15 19:32:58 www psad: imported Snort classification.config
Nov 15 19:32:58 www psad: imported original Snort rules in /etc/psad/snort_rules/ for reference info
Nov 15 19:32:58 www psad: imported 205 psad Snort signatures from /etc/psad/signatures
If you see the messages above, your system has gained another security layer :P
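The config, backup and chkconfig steps above, collected into a small script. This is an added example, not code from the post or from the psad project; it assumes psad.conf uses `KEY   value;` lines as shown above, and the file paths and addresses in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example: automate the psad.conf edit and the boot-enable check from
# the post. Assumes "KEY   value;" lines in psad.conf (as shown above).
set -eu

# Back up the config, then set EMAIL_ADDRESSES: replace the line if present,
# append it otherwise. Fails (non-zero) if the config file does not exist.
set_psad_email() {
    conf="$1"; addr="$2"
    [ -f "$conf" ] || { echo "no such config: $conf" >&2; return 1; }
    cp "$conf" "$conf.old"            # backup first, as the post recommends
    tmp="$conf.tmp.$$"
    if grep -q '^EMAIL_ADDRESSES' "$conf"; then
        sed "s|^EMAIL_ADDRESSES.*|EMAIL_ADDRESSES             $addr;|" "$conf" > "$tmp"
    else
        { cat "$conf"; printf 'EMAIL_ADDRESSES             %s;\n' "$addr"; } > "$tmp"
    fi
    mv "$tmp" "$conf"
}

# Print the configured alert address without the trailing ';'.
get_psad_email() {
    sed -n 's/^EMAIL_ADDRESSES[[:space:]]*\(.*\);[[:space:]]*$/\1/p' "$1"
}

# Given one "chkconfig --list psad" output line, succeed only if psad is on
# in runlevels 3 and 5 (the levels the post enables with --level 35).
psad_runlevels_ok() {
    case "$1" in
        *3:on*5:on*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Usage on a real box (root needed to write /etc/psad/psad.conf; placeholder address):
#   set_psad_email /etc/psad/psad.conf alex@example.com
#   psad_runlevels_ok "$(/sbin/chkconfig --list psad)" || echo "psad not enabled at boot"
# Caveat: psad only analyses iptables LOG messages that reach syslog; if the
# firewall has no LOG rule, psad starts fine but will never see a scan.
```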


Then I did a scan from my FreeBSD box (sorry, I will leave this part out.. it is dangerous to let you guys learn it :P hehe, kidding lah, I'm just too lazy to write it out)


Now see, I received an email from my system reporting that somebody scanned my server :P
Sorry, I can't reveal the information that belongs to my customer :-
[screenshot of the psad alert email, customer details withheld]

3 comments:

zkchong said...

A little add-on:
PSAD stands for Port Scan Attack Detector.

:D

DontKPKB said...

SPA seems more interesting..

i need time to study on it. :P

zkchong, keep going, you are a fast learner

DontKPKB said...

After I did the nmap scan on my server, I received the email from PSAD..

Then I tried to ping my server, and I'm not able to ping it anymore

Cool, isn't it??