The following active response features are supported by psad:

• Configurable minimum danger level an attacker must reach before an iptables blocking rule is added

• The ability to make blocking rules either permanent or temporary, based on a configurable time-out

• The use of separate iptables chains for all blocking rules so as to not interfere with any existing iptables policy on the local system

• The preservation of blocking rules across restarts of psad or even system reboots (this feature is configurable, but the default setting flushes any existing blocking rules at psad start time)

• The inclusion of status output for all currently blocked IP addresses, along with the remaining number of seconds before the associated iptables rules are removed

• The ability to have an external process instruct psad to add or remove a blocking rule against a specific IP address by using the --fw-block-ip and --fw-rm-block-ip command-line arguments, respectively

• The ability to differentiate between port scans and attacks that trigger a signature match, and the addition of a blocking rule in iptables that can be tied to either one

• Email notifications when an IP address is added to or deleted from the psad blocking chains
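To show how the features above map onto a running configuration, here is a psad.conf fragment added as an example (it is not taken from the page or from the psad distribution). The key names are the ones in psad.conf as the editor recalls them; the values are constructed, so check them against the psad.conf shipped with your psad version before relying on this fragment.

```text
### Added example: psad.conf fragment enabling active response.
### Key names assumed from psad.conf; values are constructed.

### Switch active response on (the shipped default leaves it off).
ENABLE_AUTO_IDS             Y;

### Minimum danger level a source must reach before a blocking rule is added.
AUTO_IDS_DANGER_LEVEL       5;

### Seconds a blocking rule stays in place; 0 makes rules permanent.
AUTO_BLOCK_TIMEOUT          3600;

### Block with iptables rather than tcpwrappers (/etc/hosts.deny).
IPTABLES_BLOCK_METHOD       Y;
TCPWRAPPERS_BLOCK_METHOD    N;

### Y flushes existing blocking rules when psad starts (the default);
### set to N to preserve blocking rules across psad restarts and reboots.
FLUSH_IPT_AT_INIT           Y;

### Blocking rules live in dedicated chains (PSAD_BLOCK_INPUT and
### PSAD_BLOCK_FORWARD) that are jumped to from INPUT and FORWARD, so the
### existing iptables policy is left untouched.
### Format: target, direction, table, from_chain, jump_position, to_chain, rule_position
IPT_AUTO_CHAIN1             DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
IPT_AUTO_CHAIN2             DROP, src, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;

### Send an email whenever an address is added to or removed from the chains.
ENABLE_AUTO_IDS_EMAILS      Y;
```

With this in place, an external process can still add or remove a rule for a specific address on demand using the --fw-block-ip and --fw-rm-block-ip arguments described above, and any rule it adds expires after the same AUTO_BLOCK_TIMEOUT.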
