Linux Firewalls - Michael Rash [54]
The installer also creates a few files and directories within /var: A named pipe[39] is created at /var/lib/psad/psadfifo, the directory /var/log/psad is created along with the file /var/log/psad/fwdata, and finally, the install.pl script keeps an installation log at /var/log/psad/install.log. When psad runs, its main operational directory (where it keeps track of IP addresses associated with suspicious network traffic) is /var/log/psad.
Note
The directories where psad installs itself are not randomly selected—they are placed within standard directories that are defined within a document called the Filesystem Hierarchy Standard (FHS). This document codifies the purpose that each directory within a Unix filesystem directory structure is supposed to have. Any application that is consistent with this document makes predictable use of a Linux directory structure, helping to maintain some semblance of order in a forest of directories and files. The FHS can be found at http://www.pathname.com/fhs.
* * *
[37] From a security perspective, it is more important to verify the GnuPG signature because it is cryptographically difficult to fake without access to my private key, whereas anyone who can alter the psad tarball can presumably also modify the file that contains the MD5 sum. For reference, the fingerprint of my public key is 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F, and you can verify this fingerprint after importing the key into your GnuPG key ring.
[38] Daniel Gubser creates the psad Debian packages and makes them available at http://www.gutreu.ch/debian.
[39] A named pipe is a special class of file that allows two processes to communicate. The mechanism is similar to connecting the STDOUT of one process to the STDIN of another process with a pipe (|) character (e.g., cat /etc/hosts | grep localhost), but a named pipe exists persistently within the filesystem.
psad Administration
Once you've installed psad, it's time to fire it up. This section gives an overview of basic psad administration and shows you how psad acquires log data from iptables. Run-time activities such as attack detection and passive OS fingerprinting are discussed in the next two chapters.
Starting and Stopping psad
Initialization scripts bundled with psad are suitable for Red Hat, Fedora, Slackware, Debian, Mandrake, and Gentoo Linux systems. As with many system daemons (such as syslog and Apache), psad should normally be started and stopped via the init script:
# /etc/init.d/psad start
* Starting psad ... [ ok ]
# /etc/init.d/psad stop
* Stopping psadwatchd ... [ ok ]
* Stopping kmsgsd ... [ ok ]
* Stopping psad ... [ ok ]
When psad is started via the init script, three daemons are also started: the main psad daemon, kmsgsd, and psadwatchd. The purpose of kmsgsd is to read all iptables log messages out of the /var/lib/psad/psadfifo named pipe and write them to a separate file, /var/log/psad/fwdata, for on-the-fly analysis by psad. In this way, psad is supplied with a pure data stream that exclusively contains iptables log messages.
Note
At install time, psad reconfigures the system syslog daemon to write all kernel messages that have a priority of info (or kern.info messages, in syslog parlance) to the /var/lib/psad/psadfifo named pipe.
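To make the kmsgsd data path concrete, here is an added Python example (not psad's own code) that plays the role of syslog writing kern.info messages into a temporary named pipe and relays only the iptables log messages into an fwdata file. The sample kernel messages are constructed, and the filter assumes that iptables LOG output can be recognised by the IN= and OUT= fields it always carries.

```python
import os
import re
import shutil
import tempfile
import threading

# Constructed sample kern.info lines (test data, not real captures): two
# iptables LOG messages and two unrelated kernel messages.
SAMPLE_KERNEL_MESSAGES = [
    "Jul 11 11:31:52 orthanc kernel: usb 1-1: new high speed USB device",
    "Jul 11 11:31:53 orthanc kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=45678 DPT=22 SYN URGP=0",
    "Jul 11 11:31:54 orthanc kernel: eth0: link up",
    "Jul 11 11:31:55 orthanc kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=28 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
]

# Assumption: iptables LOG output always carries both IN= and OUT= fields,
# so their presence is what marks a kernel message as a firewall log line.
IPTABLES_RE = re.compile(r"\bIN=\S* OUT=\S*")

def is_iptables_log(line):
    return IPTABLES_RE.search(line) is not None

def relay_fifo_to_file(fifo_path, fwdata_path):
    """Read the named pipe until the writer closes it and append only
    iptables log messages to fwdata. Returns the lines that were kept."""
    kept = []
    # Opening a FIFO for reading blocks until some writer opens it too.
    with open(fifo_path) as fifo, open(fwdata_path, "a") as fwdata:
        for line in fifo:
            if is_iptables_log(line):
                fwdata.write(line)
                kept.append(line.rstrip("\n"))
    return kept

def demo(messages=SAMPLE_KERNEL_MESSAGES):
    workdir = tempfile.mkdtemp()
    fifo_path = os.path.join(workdir, "psadfifo")
    fwdata_path = os.path.join(workdir, "fwdata")
    os.mkfifo(fifo_path)
    def syslog_writer():
        # Stands in for syslogd writing kern.info messages into the pipe.
        with open(fifo_path, "w") as fifo:
            fifo.writelines(msg + "\n" for msg in messages)
    writer = threading.Thread(target=syslog_writer)
    writer.start()
    try:
        return relay_fifo_to_file(fifo_path, fwdata_path)
    finally:
        writer.join()
        shutil.rmtree(workdir)
```

Running demo() returns just the two firewall lines; the USB and link messages that syslog also delivers at kern.info never reach fwdata, which is the "pure data stream" the text describes.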
The psadwatchd daemon simply makes sure that both the psad and kmsgsd daemons are running and restarts them if they are not. If psadwatchd must restart either of the other two daemons, it sends a warning email to the email address listed within the /etc/psad/psad.conf file.
Daemon Process Uniqueness
When psad is started, each of the three psad daemons writes its own process ID (PID) to files within /var/run/psad. If any daemon is started manually from the command line, it first checks to see if another instance is running; if so, the new instance exits immediately. This ensures any existing