PSAD (psad.conf)
Configuration for PSAD
Category: Security
Software: PSAD
By: Anderson L Tamborim
For those who read my article on PSAD, here is its conf, properly
configured to improve how the software works.
Enjoy!
### Supports multiple email addresses (as a comma separated
### list).
EMAIL_ADDRESSES             root@localhost;

### Machine hostname
HOSTNAME                    RootSec;

HOME_NET                    ppp0;

SYSLOG_DAEMON               syslogd;

DANGER_LEVEL1               5;    ### Number of packets.
DANGER_LEVEL2               50;
DANGER_LEVEL3               1000;
DANGER_LEVEL4               5000;
DANGER_LEVEL5               10000;

PSAD_CHECK_INTERVAL         5;
SNORT_SID_STR               SID;
PORT_RANGE_SCAN_THRESHOLD   1;
ENABLE_PERSISTENCE          Y;
SCAN_TIMEOUT                3600;    ### seconds
SHOW_ALL_SIGNATURES         N;
IGNORE_CONNTRACK_BUG_PKTS   Y;
IGNORE_PORTS                NONE;
EMAIL_ALERT_DANGER_LEVEL    1;
PSAD_EMAIL_LIMIT            10;
ALERT_ALL                   Y;
IMPORT_OLD_SCANS            N;
ENABLE_DSHIELD_ALERTS       N;
ENABLE_AUTO_IDS             Y;

### Block all traffic from offending IP if danger
### level >= to this value
AUTO_IDS_DANGER_LEVEL       3;

### Set the auto-blocked timeout in seconds (the default
### is one hour).
AUTO_BLOCK_TIMEOUT          50;

### Enable iptables blocking (only gets enabled if
### ENABLE_AUTO_IDS is also set)
IPTABLES_BLOCK_METHOD       Y;

### Specify the position or rule number within the iptables
### policy where auto block rules get added.
IPTABLES_AUTO_RULENUM       1;

### Enable tcp wrappers blocking (only gets enabled if
### ENABLE_AUTO_IDS is also set)
TCPWRAPPERS_BLOCK_METHOD    N;

### Set the whois timeout
WHOIS_TIMEOUT               60;    ### seconds

### Set the number of times an ip can be seen before another dns
### lookup is issued.
DNS_LOOKUP_THRESHOLD        20;

### Set the number of times an ip can be seen before another whois
### lookup is issued.
WHOIS_LOOKUP_THRESHOLD      20;

### Enable psad to run an external script or program (use at your
### own risk!)
ENABLE_EXT_SCRIPT_EXEC      Y;
### Example: EXTERNAL_SCRIPT /path/to/script --ip SRCIP -v;
EXTERNAL_SCRIPT             /usr/sbin/iptables -A INPUT -p tcp -s SRCIP -j DROP;

### Control execution of EXTERNAL_SCRIPT (only once per IP, or
### every time a scan is detected for an ip).
EXEC_EXT_SCRIPT_PER_ALERT   Y;

### Disk usage variables
DISK_CHECK_INTERVAL         300;    ### seconds
### This can be set to 0 to disable disk checking altogether
DISK_MAX_PERCENTAGE         95;
### This can be set to 0 to have psad not place any limit on the
### number of times it will attempt to remove data from
### /var/log/psad/.
DISK_MAX_RM_RETRIES         10;

### Only archive scanning ip directories that have reached a danger
### level greater than or equal to this value. Archiving old
### scanning ip directories only takes place at psad startup.
MIN_ARCHIVE_DANGER_LEVEL    1;

### Directories
PSAD_DIR                    /var/log/psad;
SCAN_DATA_ARCHIVE_DIR       /var/log/psad/scan_archive;
PSAD_ERROR_DIR              /var/log/psad/errs;
ANALYSIS_MODE_DIR           /var/log/psad/ipt_analysis;
SNORT_RULES_DIR             /etc/snort/rules;

### Files
FW_DATA_FILE                /var/log/psad/fwdata;
FW_CHECK_FILE               /var/log/psad/fw_check;
PSAD_PID_FILE               /var/run/psad/psad.pid;
PSAD_CMDLINE_FILE           /var/run/psad/psad.cmd;
PSAD_SIGS_FILE              /etc/psad/signatures;
PSAD_ICMP_TYPES_FILE        /etc/psad/icmp_types;
PSAD_AUTO_DL_FILE           /etc/psad/auto_dl;
PSAD_POSF_FILE              /etc/psad/posf;
PSAD_FIFO                   /var/lib/psad/psadfifo;
ETC_HOSTS_DENY              /etc/hosts.deny;
ETC_SYSLOG_CONF             /etc/syslog.conf;
ETC_SYSLOGNG_CONF           /etc/syslog-ng/syslog-ng.conf;
ETC_METALOG_CONF            /etc/metalog/metalog.conf;

### PID files
KMSGSD_PID_FILE             /var/run/psad/kmsgsd.pid;
PSADWATCHD_PID_FILE         /var/run/psad/psadwatchd.pid;

### List of ips that have been auto blocked by iptables
### or tcpwrappers (the auto blocking feature is disabled by
### default, see the psad man page and the ENABLE_AUTO_IDS
### variable).
AUTO_BLOCK_IPT_FILE         /var/log/psad/auto_blocked_iptables;
AUTO_BLOCK_TCPWR_FILE       /var/log/psad/auto_blocked_tcpwr;

FW_ERROR_LOG                /var/log/psad/errs/fwerrorlog;
PRINT_SCAN_HASH             /var/log/psad/scan_hash;

### /proc interface for controlling ip forwarding
PROC_FORWARD_FILE           /proc/sys/net/ipv4/ip_forward;

### Packet counters for tcp, udp, and icmp protocols
PACKET_COUNTER_FILE         /var/log/psad/packet_ctr;
### Counter file for Dshield alerts
DSHIELD_COUNTER_FILE        /var/log/psad/dshield_ctr;
### Counter file for iptables prefixes
IPT_PREFIX_COUNTER_FILE     /var/log/psad/ipt_prefix_ctr;

### system binaries
shCmd                       /bin/sh;
iptablesCmd                 /usr/sbin/iptables;
mknodCmd                    /bin/mknod;
psCmd                       /bin/ps;
mailCmd                     /bin/mail;
sendmailCmd                 /usr/sbin/sendmail;
ifconfigCmd                 /sbin/ifconfig;
syslogdCmd                  /sbin/syslogd;
syslog-ngCmd                /sbin/syslog-ng;    ### only used if SYSLOG_DAEMON = syslog-ng
killallCmd                  /usr/bin/killall;
netstatCmd                  /bin/netstat;
unameCmd                    /bin/uname;
whoisCmd                    /usr/bin/whois_psad;
dfCmd                       /bin/df;
fwcheck_psadCmd             /usr/sbin/fwcheck_psad;
psadwatchdCmd               /usr/sbin/psadwatchd;
kmsgsdCmd                   /usr/sbin/kmsgsd;
psadCmd                     /usr/sbin/psad;
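The blocking directives above interact: ENABLE_AUTO_IDS with IPTABLES_BLOCK_METHOD already drops traffic from a scanning source, and EXTERNAL_SCRIPT appends a second iptables DROP rule on every alert because EXEC_EXT_SCRIPT_PER_ALERT is Y. The following Python lint is an added example, not part of this tip or of psad itself: it parses psad's `KEY value;` format and reports how these settings combine; `SAMPLE_CONF` is a constructed excerpt using the values listed above.

```python
import re

# Constructed excerpt of the psad.conf above, limited to the blocking directives.
SAMPLE_CONF = """\
### Block all traffic from offending IP if danger level >= to this value
ENABLE_AUTO_IDS            Y;
AUTO_IDS_DANGER_LEVEL      3;
DANGER_LEVEL3              1000;
AUTO_BLOCK_TIMEOUT         50;
IPTABLES_BLOCK_METHOD      Y;
ENABLE_EXT_SCRIPT_EXEC     Y;
EXTERNAL_SCRIPT            /usr/sbin/iptables -A INPUT -p tcp -s SRCIP -j DROP;
EXEC_EXT_SCRIPT_PER_ALERT  Y;
"""

# psad directive: KEY, whitespace, value up to the terminating ';', optional ### comment.
DIRECTIVE = re.compile(r"^\s*([A-Za-z_][\w-]*)\s+(.*?)\s*;\s*(?:###.*)?$")

def parse_psad_conf(text):
    """Parse 'KEY  value;' lines into a dict; comment-only lines are skipped."""
    conf = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def _yes(conf, key):
    return conf.get(key, "N").upper() == "Y"

def lint_blocking(conf):
    """Return human-readable findings about how the auto-block settings combine."""
    findings = []
    script = conf.get("EXTERNAL_SCRIPT", "")
    if _yes(conf, "ENABLE_AUTO_IDS"):
        lvl = conf.get("AUTO_IDS_DANGER_LEVEL", "")
        pkts = conf.get("DANGER_LEVEL" + lvl)  # packet threshold of that danger level
        if pkts is None:
            findings.append(f"AUTO_IDS_DANGER_LEVEL {lvl} has no matching DANGER_LEVEL{lvl}")
        else:
            findings.append(f"auto-block starts at danger level {lvl} ({pkts} packets)")
        timeout = int(conf.get("AUTO_BLOCK_TIMEOUT", "3600"))
        if timeout < 3600:
            findings.append(f"AUTO_BLOCK_TIMEOUT {timeout}s is below the documented default of 3600s")
    # An external script that appends iptables rules duplicates the built-in block method.
    if _yes(conf, "ENABLE_EXT_SCRIPT_EXEC") and "iptables" in script and " -A " in script:
        if _yes(conf, "IPTABLES_BLOCK_METHOD"):
            findings.append("EXTERNAL_SCRIPT adds a DROP rule that IPTABLES_BLOCK_METHOD already provides")
        if _yes(conf, "EXEC_EXT_SCRIPT_PER_ALERT"):
            findings.append("EXEC_EXT_SCRIPT_PER_ALERT Y appends a new rule on every alert; "
                            "duplicates accumulate and AUTO_BLOCK_TIMEOUT does not remove them")
    return findings

if __name__ == "__main__":
    for finding in lint_blocking(parse_psad_conf(SAMPLE_CONF)):
        print(finding)
```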