cipherdyne.org

Michael Rash, Security Researcher



psad Installation

Quick and easy installation instructions:

If you download psad as a tarball, just uncompress it and run the psad installation script install.pl from the psad sources directory:

# ./install.pl

The installer will prompt you for several pieces of information, and after answering the questions will result in a functional installation of psad on your system. It is safe to run the install.pl script even if you already have psad installed on your system. The configuration can (optionally) be preserved from the previous installation (you will be prompted for this if an existing psad installation is detected). For more information, read on:

IMPORTANT:
psad makes use of log messages that are generated by Netfilter as it logs (and drops) packets. Hence if your firewall is not configured to log packets, then psad will NOT detect port scans or anything else. Usually the best and most secure way to configure your firewall is to first put the minimal rules needed to allow only necessary traffic to and from your machine, and then have default drop-and-log rules toward the end of the firewall ruleset. Some example firewall rulesets that are compatible with psad are contained within the file FW_EXAMPLE_RULES. Note that psad is not compatible with the ipchains or ipfw firewalls that are included within pre-2.4.x Linux kernels.
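The ruleset shape described above, as an added example (not the FW_EXAMPLE_RULES file shipped with psad): only the needed traffic is accepted, and the LOG and DROP rules come last so that everything else produces the Netfilter messages psad reads. The interface name, the allowed TCP ports and the log prefix are assumptions.

```shell
#!/bin/sh
# Added example, not psad's own FW_EXAMPLE_RULES. The external interface,
# the exposed TCP ports and the log prefix below are assumptions.

IFACE="${IFACE:-eth0}"        # assumed external interface
ALLOW_TCP="${ALLOW_TCP:-22}"  # assumed services to expose, space-separated

# Print the ruleset as iptables commands (dry run); apply with: psad_ruleset | sh
psad_ruleset() {
    cat <<EOF
iptables -F INPUT
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # Minimal accept rules first: only the services this host must offer.
    for p in $ALLOW_TCP; do
        echo "iptables -A INPUT -i $IFACE -p tcp --dport $p --syn -m state --state NEW -j ACCEPT"
    done
    # Default drop-and-log rules at the END of the chain: every packet not
    # accepted above is logged (this is what psad parses) and then dropped.
    cat <<EOF
iptables -A INPUT -i $IFACE -j LOG --log-prefix "DROP "
iptables -A INPUT -i $IFACE -j DROP
iptables -A FORWARD -j LOG --log-prefix "DROP "
iptables -A FORWARD -j DROP
EOF
}

# Ordering check to run before applying: in the INPUT chain no ACCEPT may
# follow the LOG rule (legitimate traffic would be logged as scan packets)
# and no DROP may precede it (dropped packets would never reach psad).
check_order() {
    psad_ruleset | grep ' -A INPUT ' | awk '
        /-j ACCEPT/ { if (seen_log) bad = 1 }
        /-j LOG/    { seen_log = 1 }
        /-j DROP/   { if (!seen_log) bad = 1 }
        END { exit (bad ? 1 : 0) }'
}
```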

A note on Netfilter: As of kernel version 2.4.13, there is a bug in the connection tracking code that denies packets that are part of legitimate tcp sessions. Since these packets are denied, psad interprets them as potentially belonging to a scan. The source of the problem is an inappropriately low timeout value, and fortunately this problem is easily fixed by the trivial kernel patch "conntrack_patch" included with the psad source code. If you start noticing lots of ACK/FIN, ACK, and even RST packets being denied by Netfilter from IPs that are part of legitimate sessions, then you may want to apply the patch. This will of course require that the patch be applied and the kernel be recompiled. For more information on how to do this, see the Kernel-HOWTO available at: http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html.

Before executing the install.pl script, edit the config section at the beginning. Sensible defaults are provided, so there should be little to change to get psad to work on your system, but if system binaries are in places the scripts don't know about then you will need to provide the correct paths. After the config section is the way you want it, just run 'install.pl', and then run '/etc/init.d/psad-init start' to start psad, kmsgsd, and psadwatchd, or just run them from the command line. The install.pl script installs psad, kmsgsd, and psadwatchd in /usr/sbin/ by default.

You can install a new version of psad over an existing one; just run install.pl. The installation script will preserve any old configuration parameters when installing the new versions of psad, psadwatchd, and kmsgsd. If you don't need or want any old configurations to be preserved, just execute "./install.pl -n".

Even though it is a good idea to edit the config sections of each of the programs included with psad, both install.pl and psad attempt to use the correct system binaries even if an incorrect path is given. This is accomplished by simply using the path returned by 'which <system binary>' if the binary is not found in the place specified in the config section.

psad can be completely removed from the system by executing install.pl with the --uninstall option.