Linux Firewalls - Michael Rash [53]
We will cover all of these features in the next two chapters, but for now, we'll concentrate on the installation and configuration of psad.
psad Installation
Before installing psad, you need to download the latest version from http://www.cipherdyne.org/psad/download. All programs released on http://www.cipherdyne.org, including psad, are bundled with an installation program, install.pl, in their respective source trees. Once you download the tarball, it is a good idea to verify both the MD5 sum and the GnuPG signature.[37] You can find my GnuPG public key at http://www.cipherdyne.org/public_key. Here's how to perform these steps for version 2.0.8:
$ cd /usr/local/src
$ wget http://www.cipherdyne.org/psad/download/psad-2.0.8.tar.bz2
$ wget http://www.cipherdyne.org/psad/download/psad-2.0.8.tar.bz2.md5
$ wget http://www.cipherdyne.org/psad/download/psad-2.0.8.tar.bz2.asc
$ md5sum -c psad-2.0.8.tar.bz2.md5
psad-2.0.8.tar.bz2: OK
$ gpg --verify psad-2.0.8.tar.bz2.asc
gpg: Signature made Sun Jul 29 13:18:58 2007 EDT using DSA key ID A742839F
gpg: Good signature from "Michael Rash
gpg: aka "Michael Rash
$ tar xfj psad-2.0.8.tar.bz2
$ su -
Password:
# cd /usr/local/src/psad-2.0.8
# ./install.pl

The install.pl script will prompt you for several pieces of input, including an email address to which email alerts will be sent, the type of syslog daemon currently running on the system (syslogd, syslog-ng, or metalog), whether to have psad analyze only iptables log messages that contain a specific logging prefix, and whether to send log data to the DShield Distributed IDS. You can either manually enter information or use the defaults (just press enter), and soon you will have a functioning installation of psad.

You can also install psad as an RPM for Linux distributions based on the Red Hat Package Manager, as a Debian package for Debian systems,[38] or out of the Portage tree for Gentoo systems. Using one of these installation methods may make better sense for your particular Linux system if you want to maintain a consistent method for software installation.

Note: Because psad is strongly tied to the iptables firewall, it has not yet been ported to operating systems other than Linux. However, if you do not intend to use any of psad's active response capabilities, you can deploy it on a syslog server that is running a different operating system and that is accepting iptables log messages from a separate Linux system.

A successful installation of psad on Linux will result in the creation of several new files and directories within the local filesystem. Perl is the programming language used to develop the main psad daemon (the helper daemons kmsgsd and psadwatchd, discussed later, are written in C), and several Perl modules are used that are not included within the core Perl module set. By installing all such Perl modules within /usr/lib/psad, psad can maintain a strict separation between Perl modules that are already installed in the system Perl library tree (usually located at /usr/lib/perl5) and the modules psad requires. These modules are required:

Date::Calc
Net::IPv4Addr
Unix::Syslog
IPTables::Parse
IPTables::ChainMgr

Three system daemons make up psad: psad, kmsgsd, and psadwatchd. All of these daemons are installed within /usr/sbin, and each references the psad.conf file within /etc/psad. The psad installer also creates the /etc/psad/archive directory and copies any existing psad daemon configuration files there so that old configurations are preserved
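The download-and-verify steps shown earlier in this section, scripted so that the tarball is only unpacked (and install.pl only reachable) after both the MD5 manifest and the detached GnuPG signature check out. This is an added example, not a script from the book or from the psad source tree; it assumes the .md5 and .asc files sit beside the tarball as in the wget commands above, and that the author's public key from http://www.cipherdyne.org/public_key has already been imported into the local keyring.

```shell
#!/bin/sh
# Added example: fail-closed verification of a psad release tarball.
# Usage: verify_and_extract /usr/local/src/psad-2.0.8.tar.bz2

# The .md5 file is in "md5sum -c" format ("<hash>  <filename>"), so the
# check has to run from the tarball's own directory.
check_md5() {
    tarball=$1
    [ -f "$tarball.md5" ] || { echo "missing $tarball.md5" >&2; return 1; }
    ( cd "$(dirname "$tarball")" \
        && md5sum -c "$(basename "$tarball").md5" >/dev/null 2>&1 )
}

# The .asc file is a detached signature over the tarball. gpg --verify only
# returns success for a good signature from a key already in the keyring,
# so this fails if the author's public key was never imported.
check_sig() {
    tarball=$1
    [ -f "$tarball.asc" ] || { echo "missing $tarball.asc" >&2; return 1; }
    gpg --batch --verify "$tarball.asc" "$tarball" >/dev/null 2>&1
}

# Extract only when both checks pass; an MD5 match alone proves the download
# was not corrupted, while the signature ties it to the author's key.
verify_and_extract() {
    tarball=$1
    check_md5 "$tarball" \
        || { echo "MD5 mismatch or missing manifest: refusing to extract" >&2; return 1; }
    check_sig "$tarball" \
        || { echo "bad or missing GnuPG signature: refusing to extract" >&2; return 1; }
    tar xfj "$tarball"
}

# Run only when a tarball path is given on the command line.
[ $# -eq 0 ] || verify_and_extract "$1"
```

After a successful run, cd into the extracted directory and run ./install.pl as root exactly as in the session above.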