Linux Firewalls - Michael Rash [58]
HOME_NET 71.157.X.X/24, 192.168.10.0/24;
EXTERNAL_NET
The EXTERNAL_NET variable defines the set of external networks. The default value is any, but it can be set to an arbitrary list of networks, similar to the HOME_NET variable. For most setups, the default is probably best:
EXTERNAL_NET any;
SYSLOG_DAEMON
The SYSLOG_DAEMON variable tells psad which syslog daemon is running on the local system. Possible values for this variable are: syslogd, syslog-ng, ulogd, and metalog. This variable allows psad to verify that the corresponding syslog configuration file is set up properly so that kern.info messages are written to the /var/lib/psad/psadfifo named pipe, with one exception: If psad is configured to acquire iptables log messages via ulogd, no syslog daemon is required to be running, because messages are written to disk directly by ulogd.[40] The kmsgsd daemon is not even started by psad in this situation.
CHECK_INTERVAL
Most of psad's time is spent sleeping; it only wakes up to see if new iptables log messages have appeared in the /var/log/psad/fwdata file. The time interval between successive checks is defined in seconds by the CHECK_INTERVAL variable; the default is five seconds. This interval can be set as low as one second, but it is not usually necessary to do so unless you want alerts to be generated as quickly as possible.
SCAN_TIMEOUT
By default, the SCAN_TIMEOUT variable is set to 3,600 seconds (one hour), and psad uses this value as the time interval over which a scan is tracked. That is, if malicious traffic from a particular IP address does not reach a danger level of one within this time period, psad will not generate an alert. The SCAN_TIMEOUT variable can effectively be ignored by setting ENABLE_PERSISTENCE to Y (see below).
ENABLE_PERSISTENCE
Port scan detection software generally must set two thresholds in order to catch a port scan: the number of ports probed and the time interval. An attacker can attempt to slip beneath these thresholds by either reducing the number of scanned ports or slowing down the scan. The ENABLE_PERSISTENCE variable instructs psad not to use the SCAN_TIMEOUT variable as a factor in scan detection. This is useful to thwart attempts by a scanner to slip beneath the timeout threshold by slowly scanning a target system over days or weeks. As soon as a scan involves at least the number of packets defined by the DANGER_LEVEL1 variable (regardless of how long the scan takes to send this number of packets), an alert is sent by psad.
PORT_RANGE_SCAN_THRESHOLD
This variable allows you to define the minimum range of ports that must be scanned before psad will assign a danger level to a port scan. By default, PORT_RANGE_SCAN_THRESHOLD is set to one, which means that at least two different ports must be scanned before a danger level of one is reached. In other words, an IP address could repeatedly scan a single port and psad would never send an alert. (Alerts are not sent for any activity that does not have at least a danger level of one assigned, and psad can be configured not to send alerts until a minimum danger level from one to five is reached; see "EMAIL_ALERT_DANGER_LEVEL" below.) If you don't want psad to factor in the range of scanned ports at all, then set PORT_RANGE_SCAN_THRESHOLD to zero.
EMAIL_ALERT_DANGER_LEVEL
This variable allows you to set a minimum on the danger level value so that psad will not send any email alerts unless an IP address has been assigned a danger level that is at least equal to this value. The default setting is one.
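To show how SCAN_TIMEOUT, ENABLE_PERSISTENCE, PORT_RANGE_SCAN_THRESHOLD and EMAIL_ALERT_DANGER_LEVEL interact, here is a small simulation added for this page; it is not psad's own code, and it simplifies psad's real tracking. The values for DANGER_LEVEL2 through DANGER_LEVEL5 and the packet-count meaning of DANGER_LEVEL1 are assumptions, as is the log-line shape (constructed to resemble an iptables log entry with an epoch timestamp prepended). The defaults for SCAN_TIMEOUT (3,600), PORT_RANGE_SCAN_THRESHOLD (1) and EMAIL_ALERT_DANGER_LEVEL (1) are the ones the text states.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Config:
    # Packets needed to reach danger level 1..5. These are assumed values
    # for the simulation, not taken from the page.
    danger_levels: tuple = (5, 15, 150, 1500, 10000)
    scan_timeout: int = 3600            # SCAN_TIMEOUT default from the text
    enable_persistence: bool = False    # ENABLE_PERSISTENCE
    port_range_scan_threshold: int = 1  # PORT_RANGE_SCAN_THRESHOLD default
    email_alert_danger_level: int = 1   # EMAIL_ALERT_DANGER_LEVEL default


@dataclass
class SourceState:
    first_seen: int
    packets: int = 0
    ports: set = field(default_factory=set)
    alerted_level: int = 0  # highest level already alerted on for this source


# Parser for the constructed line shape used below:
# "<epoch> ... SRC=a.b.c.d ... DPT=n"
LOG_RE = re.compile(r"^(?P<ts>\d+) .*\bSRC=(?P<src>[\d.]+)\b.*\bDPT=(?P<dpt>\d+)\b")


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return int(m["ts"]), m["src"], int(m["dpt"])


def danger_level(state, cfg):
    # Port-range gate: with threshold 1 at least two distinct ports are needed;
    # threshold 0 disables the gate entirely, as the text describes.
    if cfg.port_range_scan_threshold > 0:
        if max(state.ports) - min(state.ports) < cfg.port_range_scan_threshold:
            return 0
    level = 0
    for i, needed in enumerate(cfg.danger_levels, start=1):
        if state.packets >= needed:
            level = i
    return level


def run_tracker(lines, cfg):
    """Replay log lines and return (src, ts, level) for each alert that would be sent."""
    states = {}
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dpt = parsed
        st = states.get(src)
        # Without persistence, activity older than SCAN_TIMEOUT is forgotten and a
        # fresh window starts, so a slow scan never accumulates enough packets.
        if st is None or (not cfg.enable_persistence and ts - st.first_seen > cfg.scan_timeout):
            st = states[src] = SourceState(first_seen=ts)
        st.packets += 1
        st.ports.add(dpt)
        level = danger_level(st, cfg)
        if level >= cfg.email_alert_danger_level and level > st.alerted_level:
            st.alerted_level = level
            alerts.append((src, ts, level))
    return alerts


# Constructed sample traffic (not real logs): one fast scan, one scan spread
# two hours apart per probe, and one source hammering a single port.
BASE = 1_000_000
PORTS = [21, 22, 23, 25, 80]


def fast_scan():
    return [f"{BASE + i} kernel: IN=eth0 SRC=203.0.113.7 DST=192.168.10.5 PROTO=TCP DPT={p}"
            for i, p in enumerate(PORTS)]


def slow_scan():
    return [f"{BASE + i * 7200} kernel: IN=eth0 SRC=203.0.113.8 DST=192.168.10.5 PROTO=TCP DPT={p}"
            for i, p in enumerate(PORTS)]


def single_port():
    return [f"{BASE + i} kernel: IN=eth0 SRC=203.0.113.9 DST=192.168.10.5 PROTO=TCP DPT=22"
            for i in range(5)]


if __name__ == "__main__":
    print("fast, defaults:        ", run_tracker(fast_scan(), Config()))
    print("slow, defaults:        ", run_tracker(slow_scan(), Config()))
    print("slow, persistence on:  ", run_tracker(slow_scan(), Config(enable_persistence=True)))
    print("one port, defaults:    ", run_tracker(single_port(), Config()))
    print("one port, threshold 0: ", run_tracker(single_port(), Config(port_range_scan_threshold=0)))
```

With the defaults, only the fast scan produces an alert: the slow scan is reset every time the gap exceeds SCAN_TIMEOUT, and the single-port source never passes the port-range gate. Turning on ENABLE_PERSISTENCE catches the slow scan, and setting PORT_RANGE_SCAN_THRESHOLD to 0 makes the single-port activity count. Raising EMAIL_ALERT_DANGER_LEVEL to 2 suppresses all three, since none reaches the assumed level-2 packet count.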
MIN_DANGER_LEVEL
The MIN_DANGER_LEVEL threshold acts as a global threshold for all