PSAD Configuration for Port Scan Detection
PSAD (Port Scan Attack Detector) is an intrusion detection system that analyzes iptables logs to detect port scans and suspicious network activity. This guide covers installation, rule tuning, and alert configuration.
Table of Contents
- Introduction
- Basic Concepts
- Installation
- Configuration
- Security Hardening
- Usage
- Troubleshooting
- Integration with Other Tools
- Advanced Topics
- References
Introduction
PSAD (Port Scan Attack Detector) is a lightweight system daemon that works with Linux iptables/ip6tables/firewalld to detect port scans and other suspicious network traffic. It’s designed to detect suspicious traffic such as port scans and sweeps, backdoors, botnet command and control communications, and more. Unlike traditional intrusion detection systems (IDS) that may require significant resources, PSAD leverages existing firewall logs to detect malicious activity, making it efficient for both powerful servers and resource-constrained environments.
Key features of PSAD include:
- Detection for TCP SYN, FIN, NULL, and XMAS scans as well as UDP scans
- Support for both IPv4 and IPv6 logs generated by iptables
- Detection of many signature rules from the Snort intrusion detection system
- Automatic blocking of scanning IP addresses via iptables/ip6tables and/or tcpwrappers
- DShield reporting capabilities
- Email alerts with TCP/UDP/ICMP scan characteristics, reverse DNS and whois information
- Passive operating system fingerprinting (similar to p0f)
PSAD offers a unique approach compared to other intrusion detection systems by focusing specifically on firewall log analysis rather than packet capture. This makes it particularly lightweight and efficient for single-host or small network environments. Here’s how it compares to other popular solutions:
Feature | PSAD | Snort | Suricata | Zeek/Bro |
---|---|---|---|---|
Resource Usage | Very Low | Moderate | High | High |
Installation Complexity | Simple | Moderate | Complex | Complex |
Detection Method | Log Analysis | Packet Inspection | Packet Inspection | Network Monitoring |
Ideal Environment | Single Host/Small Network | Medium Networks | Large Networks | Enterprise |
Auto-Response | Yes | Limited | Limited | No (by design) |
Integration Complexity | Low | Moderate | High | High |
Basic Concepts
PSAD works by analyzing firewall logs for suspicious patterns that indicate potential attacks. Since PSAD relies on iptables to generate appropriate log messages for unauthorized packets, it’s only as good as the logging rules included in your iptables ruleset. If your firewall is not configured to log packets, PSAD will NOT detect port scans or anything else.
The primary components include:
- psad: The main daemon responsible for analyzing logs and detection
- kmsgsd: (deprecated) Reads messages written to the named pipe and writes them to a dedicated file
- psadwatchd: Ensures psad and kmsgsd daemons continue running
All information PSAD analyzes is gathered from iptables log messages. PSAD typically reads the system log file for new iptables messages and optionally writes them out to a dedicated file. It then applies danger threshold and signature logic to determine whether a port scan has taken place, sends appropriate alert emails, and optionally blocks offending IP addresses.
Installation
Prerequisites
Before installing PSAD, ensure your system meets these requirements:
- Linux kernel 2.4 or later
- iptables/ipchains with logging enabled
- Perl 5.004 or later
- Required Perl modules:
  - Bit::Vector
  - IPTables::Parse
  - IPTables::ChainMgr
  - Unix::Syslog
  - Date::Calc
  - NetAddr::IP
  - Net::IPv4Addr
  - Storable
Package Manager Installation
For most major Linux distributions, PSAD is available through package managers:
Debian/Ubuntu:
```bash
sudo apt update
sudo apt install psad
```
RHEL/CentOS/Fedora:
```bash
sudo yum install psad
```
Arch Linux:
```bash
sudo pacman -S psad
```
Installation from Source
Installing from source provides the most flexibility and ensures you have the latest version:
```bash
# Download the latest PSAD source
wget https://github.com/mrash/psad/archive/master.zip
unzip master.zip
cd psad-master
# Run the installation script
./install.pl
```
During the installation, you’ll be prompted to answer several configuration questions. The default values are usually appropriate for most installations, but you may want to customize email notifications and other settings.
Configuration
PSAD’s configuration files are located in `/etc/psad/`. The main configuration file is `/etc/psad/psad.conf`.
Basic Configuration
After installation, perform these basic configuration steps:
Configure firewall logging:
Ensure your iptables configuration includes logging rules. The best practice is to set up the firewall with default “drop and log” rules at the end of the ruleset, and include rules above this that only allow traffic that should be permitted:
```bash
sudo iptables -A INPUT -j LOG --log-tcp-options --log-prefix "[IPTABLES] "
sudo iptables -A FORWARD -j LOG --log-tcp-options --log-prefix "[IPTABLES] "
```
The `--log-tcp-options` argument is important for passive operating system fingerprinting capabilities.
Configure email alerts:
Edit `/etc/psad/psad.conf` and set:
```
EMAIL_ADDRESSES [email protected];
HOSTNAME your-hostname;
```
Define your home network and external networks:
```
HOME_NET 192.168.0.0/24;
EXTERNAL_NET any;
```
If you have only one interface on your box (such as a colo web server), you can set `HOME_NET` to `NOT_USED`.
Update signatures:
```bash
sudo psad --sig-update
```
Restart PSAD:
```bash
sudo systemctl restart psad
```
Advanced Configuration
The following settings in `/etc/psad/psad.conf` allow for finer control:
Scan Detection Settings
```
# Number of packets required for port scan alerts at each danger level
SCAN_THRESHOLD 15;     # danger level 1
SCAN_THRESHOLD2 30;    # danger level 2
SCAN_THRESHOLD3 150;   # danger level 3
SCAN_THRESHOLD4 1500;  # danger level 4
SCAN_THRESHOLD5 10000; # danger level 5
# Minimum number of distinct ports that must be probed before PSAD treats the
# activity as a port scan (1 means at least two ports, p1 -> p2)
PORT_RANGE_SCAN_THRESHOLD 1;
```
If you’re experiencing high traffic, increasing SCAN_THRESHOLD values reduces false positives but might miss low-volume scans. For busy servers, you might want to use higher thresholds like SCAN_THRESHOLD 50, SCAN_THRESHOLD2 100, etc.
Detection Window
```
# Time windows for tracking scans
MAX_SCAN_IP_LIFETIME 3600; # Keep IP in memory for 1 hour
SCAN_TIMEOUT 3600;         # Timeout for scan detection (if ENABLE_PERSISTENCE is "N")
```
Signature Matching
```
# Signature matching settings
ENABLE_PERSISTENCE Y;            # Track persistent scanning
PERSISTENCE_SCAN_THRESHOLD 1000; # Alert threshold for persistent scans
```
The `ENABLE_PERSISTENCE` option is particularly important. If set to “Y” (the default), PSAD will keep all scans in memory and not let them time out. This helps discover stealthy scans where an attacker tries to slip beneath IDS thresholds by only scanning a few ports over a long period of time.
Danger Levels
PSAD classifies threats on a scale of 1-5, with 5 being the most severe. PSAD uses a scoring system to track the severity a scan reaches over time. The DANGER_LEVEL variables define the number of packets that must be dropped by the firewall before PSAD assigns the respective danger level to the scan:
```
# Danger level thresholds
DANGER_LEVEL1 5;   # Low danger
DANGER_LEVEL2 15;  # Medium-low danger
DANGER_LEVEL3 50;  # Medium danger
DANGER_LEVEL4 100; # Medium-high danger
DANGER_LEVEL5 500; # High danger
```
Based on your environment, you might want to adjust PSAD’s sensitivity:
- DANGER_LEVEL1, LEVEL2, LEVEL3: These represent escalating thresholds for suspicious behavior:
  - LEVEL1: Mild suspicion (e.g., a few port probes).
  - LEVEL2: Significant scanning activity.
  - LEVEL3: Aggressive or sustained attack attempts.
- Auto-Block Level: This determines at which danger level PSAD will automatically block the attacker’s IP via iptables. Lower numbers = more aggressive defense.
- Email Alerts: PSAD can immediately alert you when certain thresholds are hit. Sending emails for lower levels increases responsiveness but could lead to alert fatigue if set too low.
Environment Type | Recommended Danger Level Settings | Auto-Block Level | Email Alerts |
---|---|---|---|
Home Network | DANGER_LEVEL1: 5, DANGER_LEVEL2: 15, DANGER_LEVEL3: 50 | 3 | Level 3+ |
Small Business | DANGER_LEVEL1: 3, DANGER_LEVEL2: 10, DANGER_LEVEL3: 30 | 2 | Level 2+ |
Critical Infrastructure | DANGER_LEVEL1: 1, DANGER_LEVEL2: 5, DANGER_LEVEL3: 15 | 1 | All Levels |
A scan may also be assigned a danger level if it matches a particular signature contained in the signatures file. An nmap SYN scan might trigger danger level 3, while a sustained attack with multiple exploits might trigger level 5.
You can also configure the threshold for sending email alerts:
```
# Minimum danger level before sending email alerts
EMAIL_ALERT_DANGER_LEVEL 1; # Send alerts for all danger levels
```
Auto-Response Configuration
PSAD can automatically block IPs that reach certain danger levels through its Auto-IDS capability. Note that this feature is disabled by default since it’s possible for an attacker to spoof packets from a well-known site to make it look like the site is scanning your machine, which would result in blocking legitimate traffic.
```
# Auto-response settings
ENABLE_AUTO_IDS Y;         # Enable automatic blocking
AUTO_BLOCK_TIMEOUT 3600;   # Block for 1 hour
AUTO_BLOCK_DL 3;           # Block at danger level 3+
# Command to execute for blocking
ENABLE_AUTO_IDS_EXEC Y;
AUTO_BLOCK_EXEC_CMD /usr/sbin/psad --fw-block-ip $TARGET$ $MODE$ -b;
```
The `ENABLE_AUTO_IDS` option enables dynamic blocking of IPs that have reached a configurable danger level through modification of iptables or tcpwrapper rulesets.
Whitelisting
To prevent false positives, whitelist trusted IPs:
```
# Whitelists (space or comma separated)
HOME_NET 192.168.0.0/16,10.0.0.0/8;
IGNORE_PORTS 20,21,22,25,53,80,443;
# Protocols to ignore, by IP protocol number. Leave this disabled unless you
# really mean it: ignoring 6 (TCP) and 17 (UDP) would hide almost every scan.
# IGNORE_PROTOCOLS 6,17;
# Specific IPs to ignore
IGNORE_SCAN_IP 127.0.0.1;
```
Add your mail server IP to `IGNORE_SCAN_IP` to prevent alerts when it does DNS lookups.
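To make the danger-level, whitelist and persistence settings above concrete, here is an added Python model (not code from PSAD or from this page) that parses constructed iptables LOG lines, applies the DANGER_LEVEL1..5 packet thresholds, IGNORE_PORTS and IGNORE_SCAN_IP, treats the NULL, XMAS and SYN/FIN flag combinations as signature matches, and shows how a slow scan drops below the thresholds once persistence is switched off. The level each flag signature forces, the traditional syslog timestamp format, and the sample addresses are assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed psad.conf values, taken from the settings discussed on this page.
DANGER_LEVELS = {1: 5, 2: 15, 3: 50, 4: 100, 5: 500}    # DANGER_LEVEL1..5: packets per level
IGNORE_PORTS = {("tcp", 80), ("tcp", 443), ("udp", 53)}  # IGNORE_PORTS tcp/80,tcp/443,udp/53
IGNORE_SCAN_IP = {"127.0.0.1"}
EMAIL_ALERT_DANGER_LEVEL = 1
AUTO_BLOCK_DL = 3
SCAN_TIMEOUT = 3600  # seconds; only applied when ENABLE_PERSISTENCE is off
# Illegal flag combinations the hardening rules log; the level each forces is an assumption here.
FLAG_SIGNATURES = {frozenset(): ("NULL scan", 3),
                   frozenset({"FIN", "PSH", "URG"}): ("XMAS scan", 3),
                   frozenset({"SYN", "FIN"}): ("SYN/FIN scan", 3)}
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
FIELD_RE = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")
TIME_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d)")

def parse_line(line, year=2024):
    """Turn one iptables LOG line into a dict; return None for any other syslog line."""
    if "IN=" not in line or "SRC=" not in line:
        return None
    f = dict(FIELD_RE.findall(line))
    ts = datetime.strptime(f"{year} {TIME_RE.match(line).group(1)}", "%Y %b %d %H:%M:%S")
    proto = f["PROTO"].lower()
    # The kernel prints the set TCP flags as bare words after RES=, e.g. "RES=0x00 SYN URGP=0".
    tail = line.split("RES=", 1)[1] if "RES=" in line else ""
    flags = frozenset(t for t in tail.split() if t in TCP_FLAGS) if proto == "tcp" else None
    return {"time": ts, "src": f["SRC"], "proto": proto, "dpt": int(f.get("DPT", 0)), "flags": flags}

def danger_level(packets):
    """Highest DANGER_LEVELn whose packet threshold has been reached (0 = not yet a scan)."""
    return max((lvl for lvl, need in DANGER_LEVELS.items() if packets >= need), default=0)

def assess(lines, persistence=True):
    """Score each source roughly as psad --Status does: packets, ports, level, signatures, actions."""
    by_src = defaultdict(list)
    for pkt in filter(None, map(parse_line, lines)):
        if pkt["src"] in IGNORE_SCAN_IP or (pkt["proto"], pkt["dpt"]) in IGNORE_PORTS:
            continue  # whitelisted by IGNORE_SCAN_IP / IGNORE_PORTS: never counted
        by_src[pkt["src"]].append(pkt)
    report = {}
    for src, pkts in by_src.items():
        if not persistence:  # without persistence, packets older than SCAN_TIMEOUT age out
            newest = max(p["time"] for p in pkts)
            pkts = [p for p in pkts if (newest - p["time"]).total_seconds() <= SCAN_TIMEOUT]
        matched = [FLAG_SIGNATURES[p["flags"]] for p in pkts if p["flags"] in FLAG_SIGNATURES]
        dl = max([danger_level(len(pkts))] + [lvl for _, lvl in matched])
        report[src] = {"packets": len(pkts), "ports": sorted({p["dpt"] for p in pkts}), "dl": dl,
                       "sigs": sorted({name for name, _ in matched}),
                       "email": dl >= EMAIL_ALERT_DANGER_LEVEL, "block": dl >= AUTO_BLOCK_DL}
    return report

def log_line(ts, src, proto, dpt, flags=""):
    """Build a constructed iptables LOG line in the kernel's format (sample data, not a capture)."""
    return (f"{ts} gw kernel: [IPTABLES] IN=eth0 OUT= SRC={src} DST=192.168.1.10 LEN=40 TTL=52 "
            f"ID=0 PROTO={proto} SPT=40000 DPT={dpt} WINDOW=1024 RES=0x00 {flags} URGP=0")

SAMPLE_LOG = (
    # 20 SYN probes to consecutive ports within a minute: danger level 2 by count alone
    [log_line(f"Mar  3 10:00:{i:02d}", "203.0.113.7", "TCP", 1 + i, "SYN") for i in range(20)]
    # 8 XMAS packets: level 1 by count, but the flag signature forces level 3 (and a block)
    + [log_line(f"Mar  3 10:05:{i:02d}", "198.51.100.9", "TCP", 100 + i, "FIN PSH URG") for i in range(8)]
    # a slow scanner, one probe every two hours: 6 packets with persistence, 1 in the window without
    + [log_line(f"Mar  3 {2 * i:02d}:30:00", "192.0.2.44", "TCP", 500 + i, "SYN") for i in range(6)]
    # HTTPS to an ignored port, and a line from the ignored loopback address: never counted
    + [log_line("Mar  3 10:10:00", "198.51.100.9", "TCP", 443, "SYN"),
       log_line("Mar  3 10:10:01", "127.0.0.1", "UDP", 53)]
)

if __name__ == "__main__":
    for src, r in assess(SAMPLE_LOG).items():
        print(f"{src:15} dl={r['dl']} packets={r['packets']} sigs={r['sigs']} email={r['email']} block={r['block']}")
```

Run it once with persistence on and once with `assess(SAMPLE_LOG, persistence=False)` to see the slow scanner from 192.0.2.44 go from danger level 1 to no scan at all.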
Security Hardening
To maximize PSAD’s effectiveness and security:
Run with least privilege:
Restrict access to configuration files to prevent unauthorized modifications:
```bash
# Check permissions on config files
sudo chmod 600 /etc/psad/psad.conf
sudo chmod 600 /etc/psad/auto_dl
sudo chmod 600 /etc/psad/signatures
```
Restrict access to status information:
Protect PSAD status output from unauthorized users:
```
# In psad.conf
ENABLE_CREDENTIALS_FILE Y;
CREDENTIALS_FILE /etc/psad/psad.credentials;
```
Create and secure the credentials file:
```bash
echo "username:password" > /etc/psad/psad.credentials
chmod 600 /etc/psad/psad.credentials
```
Enable process accounting:
This helps track potential attacks against the PSAD process itself:
```
# In psad.conf
ENABLE_PROCESS_ACCOUNTING Y;
```
Use secure email alerts:
Configure encrypted email alerts to prevent leakage of security information:
```
# Configure encrypted email alerts
ENABLE_ENCRYPTED_EMAIL Y;
EMAIL_KEY_PATH /path/to/public/key;
EMAIL_KEY_ID 0xABCDEF01;
```
Make sure to generate and configure GPG keys properly.
Harden firewall rules:
Add additional rules to detect and block suspicious packet patterns:
```bash
# Log and drop packets with the illegal SYN+FIN flag combination
sudo iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "[IPTABLES SUSPICIOUS]: "
sudo iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# Block NULL packets (no flags set at all)
sudo iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "[IPTABLES NULL]: "
sudo iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Block XMAS packets (only FIN, PSH and URG set)
sudo iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j LOG --log-prefix "[IPTABLES XMAS]: "
sudo iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
```
Because these rules are appended with `-A`, they land after any catch-all LOG rule already in the chain; place them earlier in your ruleset (or add them with `-I`) so each packet is logged once.
Configure syslog properly:
Use syslog-ng or rsyslog with proper permissions and rotation:
For rsyslog, create a configuration file `/etc/rsyslog.d/10-psad.conf`:
```
# Dedicated log file for firewall messages
:msg, contains, "[IPTABLES]" /var/log/psad/fwdata
& stop
```
Because `& stop` discards the message after writing it, these lines will no longer reach `/var/log/syslog`; set `IPT_SYSLOG_FILE /var/log/psad/fwdata;` in `/etc/psad/psad.conf` so PSAD reads the dedicated file.
Restart rsyslog:
```bash
sudo systemctl restart rsyslog
```
Regular updates:
Keep PSAD and its signatures up to date:
```bash
# Update PSAD
sudo apt update && sudo apt upgrade psad
# Update signatures
sudo psad --sig-update
```
Consider automating this with a cron job:
```bash
echo "0 1 * * * root /usr/sbin/psad --sig-update" > /etc/cron.d/psad-updates
```
Monitor PSAD logs:
Regularly check PSAD logs for unusual activity:
```bash
sudo tail -f /var/log/psad/psad.log
```
Consider integrating with a log monitoring solution like Logwatch.
Usage
Starting and Stopping
```bash
# Start PSAD
sudo systemctl start psad
# Stop PSAD
sudo systemctl stop psad
# Enable at boot
sudo systemctl enable psad
```
Status Checking
Check PSAD’s current status and detected scans:
```bash
# Check overall status
sudo psad -S
# Check status for a specific IP
sudo psad --Status -i 192.168.1.100
# View current auto-blocked IPs
sudo psad --fw-list
# Analyze firewall ruleset to verify it's configured correctly for PSAD
sudo psad --fw-analyze
```
The status output will show information such as:
- Top signature matches
- Top attackers with their danger levels, packet counts, and signature matches
- Top scanned ports
- Current IP status details
Log Analysis
```bash
# View recent alerts
sudo grep -i "scan detected" /var/log/psad/psad.log
# Check email alerts
sudo grep -i "email alert" /var/log/psad/psad.log
# View top attackers
sudo psad --top 10
# Analyze an iptables logfile for scans and exit
sudo psad -A /var/log/syslog
```
Troubleshooting
Common issues and solutions:
Issue | Possible Cause | Solution |
---|---|---|
No alerts despite scans | Missing iptables LOG rules | Check with psad --fw-analyze |
Too many false positives | Low danger thresholds | Increase threshold values |
PSAD not starting | Configuration error | Check logs and run psad --config-check |
Legitimate traffic blocked | Missing whitelist entries | Add networks to /etc/psad/auto_dl |
Mail alerts not received | Mail configuration issue | Check mail settings in psad.conf |
No detection occurring:
The most common reason for PSAD not detecting anything is that your firewall isn’t configured to log packets properly. Check if firewall logs are being generated:
```bash
sudo tail -f /var/log/syslog | grep IPTABLES
```
If no logs appear, your firewall isn’t configured for logging. Make sure you have the necessary logging rules in your iptables configuration:
```bash
sudo iptables -A INPUT -j LOG --log-tcp-options --log-prefix "[IPTABLES] "
sudo iptables -A FORWARD -j LOG --log-tcp-options --log-prefix "[IPTABLES] "
```
IPT_SYSLOG_FILE pointing to wrong location:
PSAD needs to know where to find your syslog messages. Check and update the location in `/etc/psad/psad.conf`:
```
# Point to the correct syslog file for your distribution
IPT_SYSLOG_FILE /var/log/syslog;   # Ubuntu/Debian
# or
IPT_SYSLOG_FILE /var/log/messages; # CentOS/RHEL
```
Missing dependencies:
If PSAD fails to start or function properly, you might be missing required Perl modules:
```bash
sudo apt install libdate-calc-perl libnet-ipv4addr-perl libunix-syslog-perl \
    libnet-dns-perl libnetaddr-ip-perl libiptables-parse-perl
```
Excessive alerts:
If you’re receiving too many alerts, you can:
- Increase thresholds in `/etc/psad/psad.conf`
- Add noisy IPs to the whitelist
- Adjust the `EMAIL_ALERT_DANGER_LEVEL` to only receive alerts for higher danger levels
PSAD not starting:
Check logs for specific errors:
```bash
sudo journalctl -u psad
```
Auto-blocking not working:
Verify that the `ENABLE_AUTO_IDS` option is set to `Y` and that the danger level thresholds are appropriate:
```
ENABLE_AUTO_IDS Y;
AUTO_BLOCK_DL 3; # Only block at danger level 3 or higher
```
Also check that you have the correct `AUTO_BLOCK_EXEC_CMD` setting.
Email alerts not being received:
Make sure your server can send emails. Test with:
```bash
echo "Test email" | mail -s "PSAD test" [email protected]
```
You may need to install and configure a mail transfer agent like Postfix or use a relay service.
Verify PSAD is running:
```bash
ps aux | grep psad
```
You should see at least two processes: the main psad daemon and psadwatchd.
Integration with Other Tools
Fwsnort Integration
PSAD works exceptionally well with Fwsnort (Firewall Snort), which translates Snort rules to iptables rules. This integration enhances PSAD’s ability to detect application layer attacks.
```bash
# Install fwsnort
sudo apt install fwsnort
# Update Snort rules
sudo fwsnort --update-rules
# Generate iptables rules from Snort signatures
sudo fwsnort
# Apply the generated rules
sudo sh /etc/fwsnort/fwsnort.sh
```
When combined with fwsnort and the iptables string match extension, PSAD can generate alerts for application layer buffer overflow attacks, suspicious application commands, and other suspect layer 7 traffic.
DShield Reporting
DShield is a community-based collaborative firewall log correlation system. Configure PSAD to report attacks to DShield:
```
# In psad.conf
ENABLE_DSHIELD_ALERTS Y;
DSHIELD_USER_ID YOUR_ID; # Get this from dshield.org
DSHIELD_ALERT_EMAIL [email protected];
```
This helps the wider security community track and respond to emerging threats.
AfterGlow Visualization
PSAD can generate CSV output that can be used as input to AfterGlow for visualization:
```bash
# Generate CSV data for visualization
sudo psad --CSV > psad_data.csv
# Use AfterGlow to create visualization (if installed)
perl afterglow.pl -c color.properties < psad_data.csv > psad_graph.dot
dot -Tpng -o psad_graph.png psad_graph.dot
```
Integrating with Fail2ban
You can create a custom Fail2ban action to work with PSAD:
```bash
# Create a custom Fail2ban action
sudo nano /etc/fail2ban/action.d/psad-block.conf
```
Add the following content (the ban and unban commands use PSAD’s `--fw-block-ip` and `--fw-rm-block-ip` options):
```
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = /usr/sbin/psad --fw-block-ip <ip>
actionunban = /usr/sbin/psad --fw-rm-block-ip <ip>
[Init]
```
Then configure a Fail2ban jail to use this action:
```
[psad-attackers]
enabled = true
filter = psad
action = psad-block
logpath = /var/log/psad/psad.log
maxretry = 1
findtime = 86400
bantime = 86400
```
This setup allows Fail2ban to trigger PSAD’s blocking capabilities based on custom filters applied to PSAD’s logs.
PSAD works best when integrated into a comprehensive security strategy:
- Perimeter Defense: Firewalls, VPNs
- Network Monitoring: PSAD, Suricata, Netflow analysis
- Endpoint Security: AV, EDR, Application whitelisting
- Log Management & SIEM: Integration with ELK, Graylog, Splunk
- Incident Response: Automation with Ansible, custom scripts
Advanced Topics
Custom Signatures
PSAD can use custom signatures to detect specific types of traffic. Create or modify signatures in `/etc/psad/signatures`:
```
# Format: signature_id:msg:proto:src_port:dst_port:flags:threshold
1000001:CUSTOM-SIGNATURE Detect unusual SSH scan:6:any:22:S:5
```
The fields in each signature are:
- signature_id: Unique identifier for the signature
- msg: Description of the signature
- proto: Protocol number (6 for TCP, 17 for UDP, 1 for ICMP)
- src_port: Source port (or “any”)
- dst_port: Destination port (or “any”)
- flags: TCP flags (S=SYN, F=FIN, A=ACK, P=PSH, R=RST, U=URG)
- threshold: Number of packets required to trigger the signature
After adding custom signatures, restart PSAD:
```bash
sudo systemctl restart psad
```
Active Response Scripts
Create custom response scripts triggered by specific danger levels:
```bash
#!/bin/bash
# /usr/local/bin/psad-response.sh
# Usage: psad-response.sh <IP> <DANGER_LEVEL>
IP="$1"
DL="$2"
# Both values originate from firewall log data and are passed on to other
# commands, so accept only a dotted-quad address and a plain integer level.
if ! [[ "$IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ && "$DL" =~ ^[0-9]+$ ]]; then
    logger -t psad-response "Rejected malformed arguments: ip='$IP' dl='$DL'"
    exit 1
fi
if [ "$DL" -ge 4 ]; then
    # For high danger levels, take additional actions
    logger -t psad-response "High danger attack (level $DL) from $IP - taking additional actions"
    # Example: block at the router level via an API call (router.local is a placeholder)
    curl -s "http://router.local/api/block?ip=$IP&duration=24h"
    # Example: send an SMS/pager alert
    echo "SECURITY ALERT: Attack level $DL from $IP" | mail -s "Critical Security Alert" [email protected]
fi
```
Configure in psad.conf:
```
ENABLE_AUTO_IDS_EXEC Y;
AUTO_BLOCK_EXEC_CMD /usr/local/bin/psad-response.sh $TARGET$ $DANGER_LEVEL$;
```
These custom scripts allow for complex responses beyond simple IP blocking.
Passive OS Fingerprinting
PSAD can identify the operating system of scanning hosts through passive fingerprinting. To enable this feature:
- Ensure your iptables logging rules include the `--log-tcp-options` flag
- Check that the `/etc/psad/posf` (passive OS fingerprinting) file exists
- Verify that `ENABLE_PASSIVE_OS_FINGERPRINTING` is set to `Y` in `/etc/psad/psad.conf`
PSAD will then include OS information in its alerts and status output.
Tuning for High Traffic Environments
For servers with high legitimate traffic, adjust these settings:
```
# Higher thresholds for busy servers
SCAN_THRESHOLD 50;
SCAN_THRESHOLD2 100;
SCAN_THRESHOLD3 200;
SCAN_THRESHOLD4 300;
SCAN_THRESHOLD5 1500;
# Wider tracking windows
PORT_RANGE_SCAN_THRESHOLD 3;
# Limit email alerts to avoid flooding
PSAD_EMAIL_LIMIT 10;
EMAIL_ALERT_DANGER_LEVEL 2; # Only alert on level 2+ scans
```
These adjustments reduce false positives while still catching significant threats.
Using PSAD with UFW
If you’re using UFW (Uncomplicated Firewall) on Ubuntu, you’ll need to modify the UFW configuration to work with PSAD:
- Edit the UFW before rules:
  ```bash
  sudo nano /etc/ufw/before.rules
  ```
- Add logging rules before the COMMIT line:
  ```
  # log all traffic so psad can analyze
  -A INPUT -j LOG --log-tcp-options --log-prefix "[IPTABLES] "
  -A FORWARD -j LOG --log-tcp-options --log-prefix "[IPTABLES] "
  ```
- Restart UFW and PSAD:
  ```bash
  sudo ufw disable && sudo ufw enable
  sudo systemctl restart psad
  ```
This configuration ensures that UFW will log traffic for PSAD to analyze.
Sample Custom Configurations
Basic Security Server Configuration
This configuration is suitable for a standard server that needs protection without extensive tuning:
```
# Basic security server settings
EMAIL_ADDRESSES [email protected];
HOSTNAME webserver1;
HOME_NET 192.168.1.0/24;
EXTERNAL_NET any;
# Standard threshold settings
DANGER_LEVEL1 5;
DANGER_LEVEL2 15;
DANGER_LEVEL3 50;
DANGER_LEVEL4 100;
DANGER_LEVEL5 500;
# Alert on all scans but only auto-block severe ones
EMAIL_ALERT_DANGER_LEVEL 1;
ENABLE_AUTO_IDS Y;
AUTO_BLOCK_DL 4;
AUTO_BLOCK_TIMEOUT 3600;
# Ignore common legitimate services
IGNORE_PORTS tcp/80,tcp/443,udp/53;
```
High Security DMZ Configuration
For servers in a DMZ that need heightened security:
```
# High security DMZ settings
EMAIL_ADDRESSES [email protected],[email protected];
HOSTNAME dmz-server;
HOME_NET 10.0.0.0/24;
EXTERNAL_NET any;
# More aggressive thresholds
DANGER_LEVEL1 3;
DANGER_LEVEL2 10;
DANGER_LEVEL3 30;
DANGER_LEVEL4 60;
DANGER_LEVEL5 200;
# Auto-block even low danger levels
EMAIL_ALERT_DANGER_LEVEL 1;
ENABLE_AUTO_IDS Y;
AUTO_BLOCK_DL 2;
AUTO_BLOCK_TIMEOUT 7200;
# Only whitelist essential services
IGNORE_PORTS tcp/443;
# Enable all detection features
ENABLE_PERSISTENCE Y;
ENABLE_PASSIVE_OS_FINGERPRINTING Y;
```
High Traffic Web Server Configuration
For busy web servers that need protection without excessive alerts:
```
# High traffic web server settings
EMAIL_ADDRESSES [email protected];
HOSTNAME web-prod-01;
HOME_NET 192.168.0.0/16;
EXTERNAL_NET any;
# Higher thresholds to reduce false positives
DANGER_LEVEL1 20;
DANGER_LEVEL2 50;
DANGER_LEVEL3 200;
DANGER_LEVEL4 500;
DANGER_LEVEL5 2000;
# Only alert on serious events
EMAIL_ALERT_DANGER_LEVEL 3;
ENABLE_AUTO_IDS Y;
AUTO_BLOCK_DL 5;
AUTO_BLOCK_TIMEOUT 1800;
# Ignore legitimate web traffic
IGNORE_PORTS tcp/80,tcp/443,tcp/8080;
PORT_RANGE_SCAN_THRESHOLD 5;
PSAD_EMAIL_LIMIT 20;
```
Honeypot Configuration
For a honeypot designed to attract and monitor attackers:
```
# Honeypot settings
EMAIL_ADDRESSES [email protected];
HOSTNAME honeypot;
HOME_NET 172.16.0.0/24;
EXTERNAL_NET any;
# Very low thresholds to catch everything
DANGER_LEVEL1 1;
DANGER_LEVEL2 5;
DANGER_LEVEL3 10;
DANGER_LEVEL4 20;
DANGER_LEVEL5 50;
# Alert but don't block
EMAIL_ALERT_DANGER_LEVEL 1;
ENABLE_AUTO_IDS N;
# Don't ignore any ports
IGNORE_PORTS NONE;
# Maximum tracking of persistent scanners
ENABLE_PERSISTENCE Y;
MAX_SCAN_IP_LIFETIME 86400; # Track for 24 hours
```