Active Response Configuration Settings

Given the highly configurable nature of psad, the active response examples in this section can be made rigorous only if we agree upon a specific set of values for the configuration of psad. Although not every configuration variable in /etc/psad/psad.conf is listed, the relevant active response and danger level variables are as follows. (More detailed explanations of some of these variables can be found in Chapter 5, and a complete psad.conf file can be downloaded from http://www.cipherdyne.org/LinuxFirewalls.)

(The listing below was flattened during extraction. Several values did not survive; the AUTO_IDS_DANGER_LEVEL, AUTO_BLOCK_TIMEOUT and ENABLE_AUTO_IDS_REGEX values are restored from the discussion that follows, and ENABLE_AUTO_IDS must be Y for any of the blocking described here to happen.)

DANGER_LEVEL1                 (value not preserved in this excerpt);   ### number of packets
DANGER_LEVEL2                 (value not preserved in this excerpt);
DANGER_LEVEL3                 150;
DANGER_LEVEL4                 1500;
DANGER_LEVEL5                 10000;
PORT_RANGE_SCAN_THRESHOLD     (value not preserved in this excerpt);
ENABLE_PERSISTENCE            (value not preserved in this excerpt);
CHECK_INTERVAL                (value not preserved in this excerpt);
ENABLE_AUTO_IDS               Y;
AUTO_IDS_DANGER_LEVEL         3;
AUTO_BLOCK_TIMEOUT            3600;
ENABLE_AUTO_IDS_REGEX         N;
AUTO_BLOCK_REGEX              ESTABLISHED;   ### from fwsnort log prefixes
ENABLE_RENEW_BLOCK_EMAILS     N;   # disable emails for old blocking rules
IPTABLES_BLOCK_METHOD         Y;   # use iptables
FLUSH_IPT_AT_INIT             Y;   # flush old rules at psad initialization
IPT_AUTO_CHAIN1               DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
IPT_AUTO_CHAIN2               DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
IPT_AUTO_CHAIN3               DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;

There are several things to note about this active response configuration. First, because of AUTO_BLOCK_TIMEOUT, psad never blocks an attacker permanently: the blocking rules it adds against a source are removed after 3,600 seconds (one hour). Second, AUTO_IDS_DANGER_LEVEL is 3, so a source must reach at least DANGER_LEVEL3 before a blocking rule is instantiated. With the thresholds above, that means no action is taken for a scan unless it involves at least 150 packets, trips a signature in /etc/psad/signatures whose psad_dl is 3 or higher, or comes from an address that /etc/psad/auto_dl assigns a danger level of at least 3. Third, because ENABLE_AUTO_IDS_REGEX is N, psad does not require the filtering policy to generate any special logging prefix before an address is blocked; the AUTO_BLOCK_REGEX value of ESTABLISHED is ignored until that variable is set to Y, at which point only sources whose log messages also match that pattern would be blocked. Finally, the three IPT_AUTO_CHAIN lines describe the iptables chains psad builds: each lists the target, the direction (src, dst, or both), the table, the built-in chain that jumps to psad's chain, the position of that jump rule, the name of psad's chain, and the position at which new blocking rules are inserted. With FLUSH_IPT_AT_INIT set to Y, these chains are emptied whenever psad starts, so a restart clears every existing block.

One caveat worth keeping in mind: auto-blocking keys on the source address of logged packets, and scan sources can be spoofed, so an attacker who can guess which addresses you depend on (DNS servers, upstream routers, monitoring hosts) can try to get them blocked. Addresses that must never be blocked belong in /etc/psad/auto_dl with a danger level of 0, which tells psad to ignore them.
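To make the decision rules above concrete, here is an added example (not psad's own code, and not from the book) that parses a psad.conf-style fragment and an auto_dl-style fragment, then works out whether a given scan source would be blocked and for how long. The config text reuses the values from this section; DANGER_LEVEL1, DANGER_LEVEL2 and ENABLE_AUTO_IDS are assumed where the section does not state them, and the rule that the effective danger level is the highest of the packet-count level, the signature psad_dl and the auto_dl entry is a simplification adopted for illustration. The scan records are constructed.

```python
"""Model of psad's auto-blocking decision from the settings in this section.

Added example, not psad's own code. The config and auto_dl fragments are
constructed; values marked 'assumed' are not stated in the section.
"""
import re
import ipaddress

# Constructed psad.conf fragment in psad's "VAR  value;  ### comment" syntax.
PSAD_CONF = """
DANGER_LEVEL1          5;      ### assumed: not stated in this section
DANGER_LEVEL2          15;     ### assumed: not stated in this section
DANGER_LEVEL3          150;    ### number of packets
DANGER_LEVEL4          1500;
DANGER_LEVEL5          10000;
ENABLE_AUTO_IDS        Y;      ### assumed: required for any blocking
AUTO_IDS_DANGER_LEVEL  3;
AUTO_BLOCK_TIMEOUT     3600;
ENABLE_AUTO_IDS_REGEX  N;
AUTO_BLOCK_REGEX       ESTABLISHED;   ### from fwsnort log prefixes
"""

# Constructed /etc/psad/auto_dl fragment: "<ip or network>  <danger level>;"
# A danger level of 0 tells psad to ignore the address entirely.
AUTO_DL = """
10.0.0.0/8      0;
192.168.10.5    3;
"""

CONF_RE = re.compile(r'^\s*([A-Z0-9_]+)\s+([^;#]+);')
AUTO_DL_RE = re.compile(r'^\s*([0-9./]+)\s+(\d+);')


def parse_conf(text):
    """Return {VAR: value} for every 'VAR value;' line, ignoring comments."""
    conf = {}
    for line in text.splitlines():
        m = CONF_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def parse_auto_dl(text):
    """Return [(ip_network, danger_level)] in file order."""
    entries = []
    for line in text.splitlines():
        m = AUTO_DL_RE.match(line)
        if m:
            net = ipaddress.ip_network(m.group(1), strict=False)
            entries.append((net, int(m.group(2))))
    return entries


def packet_count_level(conf, packets):
    """Highest DANGER_LEVELn whose packet threshold the scan has reached."""
    level = 0
    for n in range(1, 6):
        if packets >= int(conf['DANGER_LEVEL%d' % n]):
            level = n
    return level


def auto_dl_level(entries, ip):
    """Danger level assigned to ip by auto_dl, or None if no entry matches."""
    addr = ipaddress.ip_address(ip)
    for net, dl in entries:
        if addr in net:
            return dl
    return None


def block_decision(conf, auto_dl, ip, packets, sig_dl=0, log_prefix=''):
    """Return (blocked, seconds) for one scan source.

    sig_dl is the psad_dl of the strongest signature the scan tripped (0 if
    none); log_prefix is the iptables log prefix seen for the source, used
    only when ENABLE_AUTO_IDS_REGEX is Y.
    """
    if conf.get('ENABLE_AUTO_IDS') != 'Y':
        return (False, 0)
    forced = auto_dl_level(auto_dl, ip)
    if forced == 0:
        return (False, 0)                      # whitelisted in auto_dl
    dl = max(packet_count_level(conf, packets), sig_dl, forced or 0)
    if dl < int(conf['AUTO_IDS_DANGER_LEVEL']):
        return (False, 0)                      # below blocking threshold
    if (conf.get('ENABLE_AUTO_IDS_REGEX') == 'Y'
            and not re.search(conf['AUTO_BLOCK_REGEX'], log_prefix)):
        return (False, 0)                      # regex gate applies only when enabled
    return (True, int(conf['AUTO_BLOCK_TIMEOUT']))


if __name__ == '__main__':
    conf = parse_conf(PSAD_CONF)
    adl = parse_auto_dl(AUTO_DL)
    # Constructed scan records: (source, packets, signature psad_dl)
    for src, pkts, sig in [('203.0.113.7', 149, 0), ('203.0.113.7', 150, 0),
                           ('10.1.2.3', 100000, 0), ('192.168.10.5', 1, 0),
                           ('203.0.113.8', 20, 3)]:
        print(src, pkts, sig, block_decision(conf, adl, src, pkts, sig_dl=sig))
```

The 149-packet and 150-packet cases show where the DANGER_LEVEL3 threshold bites, the 10.1.2.3 case shows an auto_dl whitelist overriding an enormous packet count, and the last two cases show a source reaching level 3 through auto_dl or a signature alone. Flipping ENABLE_AUTO_IDS_REGEX to Y in the fragment makes the same 150-packet scan go unblocked unless a matching log prefix is supplied.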
