Linux Firewalls - Michael Rash [57]
descr: CHINANET shandong province network
descr: China Telecom
descr: No.31,jingrong street
descr: Beijing 100032
country: CN
admin-c: CH93-AP
tech-c: WG1-AP
mnt-by: MAINT-CHINANET
mnt-lower: MAINT-CHINATELECOM-sd
changed: hostmaster@ns.chinanet.cn.net 20030820
status: ALLOCATED NON-PORTABLE
source: APNIC
person: Chinanet Hostmaster
nic-hdl: CH93-AP
e-mail: anti-spam@ns.chinanet.cn.net
address: No.31 ,jingrong street,beijing
address: 100032
phone: +86-10-58501724
fax-no: +86-10-58501724
country: CN
changed: lqing@chinatelecom.com.cn 20051212
mnt-by: MAINT-CHINANET
source: APNIC
You can see from this output that the IP address 219.146.161.10 is part of a large network from IP address 219.146.0.0 through 219.147.31.255, and an organization called China Telecom controls this network. Using the whois output to actually contact the administrator of this network may prove ineffective in catching the perpetrator of an attack, since the network contains over 70,000 IP addresses—any one of which could be associated with a real system. However, having accurate whois output provides valuable information that at least makes this step feasible.
psad Configuration
All psad daemons reference the file psad.conf within /etc/psad, and this file follows a simple convention where comment lines begin with a hash (#) mark, and configuration parameters are specified in a key-value format. For example, the HOSTNAME variable in psad.conf defines the hostname of the system where psad is deployed:
### System hostname
HOSTNAME psad.cipherdyne.org;
Each value for a configuration variable must be terminated with a semicolon to denote the end of the value string. This allows comments to be included on the same line after the semicolon to aid in documentation, as in this example:
WHOIS_TIMEOUT 60; ### seconds
Finally, psad variable values may contain subvariables that are expanded as psad parses its configuration. For example, the main logging directory used by psad is defined by the PSAD_DIR variable and is set to /var/log/psad by default. Other configuration variables can reference the PSAD_DIR variable like so:
STATUS_OUTPUT_FILE $PSAD_DIR/status.out;
/etc/psad/psad.conf
The psad.conf file is psad's main configuration file. It contains well over 100 configuration variables to control various aspects of psad's operations. In this section we'll discuss a few of the more important configuration variables and the reasons they are significant.
Note
The minor configuration variables are not covered here, but comprehensive documentation is available at http://www.cipherdyne.org/psad/docs/index.html.
EMAIL_ADDRESSES
The EMAIL_ADDRESSES variable defines the email address(es) to which psad sends scan alerts, informational messages, and other notices. Multiple email addresses are supported as a comma-separated list:
EMAIL_ADDRESSES root@localhost, you@domain.com;
DANGER_LEVEL{n}
All malicious activity is associated with a danger level by psad so that alerts can be prioritized. Danger levels range from one to five (with five being the worst) and are assigned to each IP address from which an attack or scan is detected. The danger level values are assigned based on three factors: characteristics of a scan (number of packets, port range, and time interval), whether a specific packet is associated with a signature defined in the /etc/psad/signatures file, and whether the packet originates from an IP or network listed in the /etc/psad/auto_dl file.
For port scans, the danger level is derived from the packet count: the DANGER_LEVEL{n} variables in the psad.conf file specify the number of packets required to reach each successive danger level:
DANGER_LEVEL1 5;
DANGER_LEVEL2 15;
DANGER_LEVEL3 150;
DANGER_LEVEL4 1500;
DANGER_LEVEL5 10000;
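The following is an added example, not code from the book or from psad itself, that ties together the two preceding passages: it parses a constructed psad.conf fragment using the conventions described above (hash comments, semicolon-terminated values with trailing comments, and $VARIABLE subvariable expansion), splits EMAIL_ADDRESSES, and then maps a packet count onto a danger level using the DANGER_LEVEL1 through DANGER_LEVEL5 thresholds. The sample configuration text, the function names, and the reading that a count equal to a threshold reaches that level are all this example's own assumptions, not psad's documented behaviour.

```python
import re

# Constructed sample psad.conf fragment for this example (not the file
# shipped with psad); it reuses only the variable forms shown in the text.
SAMPLE_CONF = """\
### System hostname
HOSTNAME psad.cipherdyne.org;

WHOIS_TIMEOUT 60; ### seconds

PSAD_DIR /var/log/psad;
STATUS_OUTPUT_FILE $PSAD_DIR/status.out;

EMAIL_ADDRESSES root@localhost, you@domain.com;

DANGER_LEVEL1 5;
DANGER_LEVEL2 15;
DANGER_LEVEL3 150;
DANGER_LEVEL4 1500;
DANGER_LEVEL5 10000;
"""

# KEY, whitespace, value up to the first ';' (anything after ';' is a comment)
LINE_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s+(.*?)\s*;")
# $NAME references to variables defined earlier in the file
SUBVAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def parse_psad_conf(text):
    """Parse psad.conf-style text into a dict of variable -> expanded value.

    Rules, as described in the text: lines starting with '#' are comments,
    each value ends at the first ';', and $NAME inside a value is replaced
    by the value of an already-defined variable.
    """
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: missing ';' terminator: {raw!r}")
        key, value = m.group(1), m.group(2)

        def expand(match):
            name = match.group(1)
            if name not in conf:
                raise ValueError(f"line {lineno}: undefined subvariable ${name}")
            return conf[name]

        conf[key] = SUBVAR_RE.sub(expand, value)
    return conf


def email_addresses(conf):
    """Split the comma-separated EMAIL_ADDRESSES value into a list of addresses."""
    raw = conf.get("EMAIL_ADDRESSES", "")
    return [addr.strip() for addr in raw.split(",") if addr.strip()]


def danger_thresholds(conf):
    """Return the DANGER_LEVEL1..5 packet counts as a list of five ints."""
    return [int(conf[f"DANGER_LEVEL{n}"]) for n in range(1, 6)]


def danger_level(packet_count, thresholds):
    """Highest danger level whose packet threshold the count has reached.

    Returns 0 when the count is below DANGER_LEVEL1. This example assumes a
    count equal to a threshold reaches that level (an assumption, not a
    statement of psad's exact comparison).
    """
    level = 0
    for n, needed in enumerate(thresholds, 1):
        if packet_count >= needed:
            level = n
    return level


if __name__ == "__main__":
    conf = parse_psad_conf(SAMPLE_CONF)
    print("status file:", conf["STATUS_OUTPUT_FILE"])  # /var/log/psad/status.out
    print("alert recipients:", email_addresses(conf))
    thresholds = danger_thresholds(conf)
    for count in (3, 5, 149, 150, 20000):
        print(f"{count} packets -> danger level {danger_level(count, thresholds)}")
```

Running the block prints the expanded STATUS_OUTPUT_FILE path, the two alert recipients, and the level reached for each sample packet count (3 packets stay at level 0, 5 reach level 1, 150 reach level 3, and 20000 reach level 5). The parser raises a ValueError for a value without its semicolon terminator or for a $SUBVARIABLE that has not been defined yet, which is the kind of mistake worth catching before psad is restarted with a broken configuration.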
HOME_NET
Because psad uses modified Snort rules to detect suspicious network traffic (as we'll see in Chapter 7), the variables psad uses in the psad.conf file are similar to the ones Snort uses. The HOME_NET variable defines the local network where the system running psad is deployed.