I was thinking about also using PSAD on my server in conjunction with FWSnort (which converts a bunch of snort rules into IPTables rules).
If using UFW then extra steps need to be taken for the two to play nicely together (https://gist.github.com/netson/c45b2dc4 ... psadandufw).
I'm just wondering if the same applies to CSF? I can find no mention of using the two together either on here or on the PSAD website. Does anyone here use the two and if so, did any extra steps need to be taken?
CSF and PSAD
Re: CSF and PSAD
Further to my original post, the documentation of PSAD states:

The main requirement for an iptables policy to be compatible with psad is simply that iptables logs packets. This is commonly accomplished by adding rules to the INPUT and FORWARD chains like so:

# iptables -A INPUT -j LOG
# iptables -A FORWARD -j LOG

The rules above should be added at the end of the INPUT and FORWARD chains after all ACCEPT rules for legitimate traffic and just before a corresponding DROP rule for traffic that is not to be allowed through the policy.

I can find instructions on getting it to work with UFW (below) but can find no guidance on using it alongside CSF.

To ensure UFW creates the proper logging rules for PSAD, we need to add some lines to the UFW configuration. UFW has 4 files with rules it will always add in a specific order:

/etc/ufw/before.rules
/etc/ufw/before6.rules
/etc/ufw/after.rules
/etc/ufw/after6.rules

The before* rules are added before any other rules are added, and the after* rules are added afterwards. Obviously, the filenames ending with 6 are related to IPv6 and the other ones to IPv4. As of version 2.2, PSAD offers full IPv6 support.

To create the proper logging rules, edit the before*.rules files and add the following lines, at the end, but before the COMMIT line. If you place them after the COMMIT line, the rules will not be added to iptables. These lines will ensure logging of all important traffic on the INPUT and FORWARD chains.

# custom psad logging directives
-A INPUT -j LOG --log-tcp-options --log-prefix "[IPTABLES] "
-A FORWARD -j LOG --log-tcp-options --log-prefix "[IPTABLES] "

So I could do with a bit of guidance on how to implement this with CSF. Is it enough to add those two rules to a script? And if so, do I set them to run before or after CSF's rules have been applied?
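As an added illustration, not part of the post above nor code from the psad, CSF or UFW projects, the following POSIX shell helper puts the psad LOG rule exactly where the quoted psad documentation says it belongs: after the ACCEPT rules and just before the chain's final unconditional DROP/REJECT rule, and only if it is not already there. It works from `iptables -S <chain>` output, so it does not depend on which front end (UFW or CSF) built the chains; the post does not say which CSF hook runs after CSF's rules are loaded, so no hook is assumed here.

```shell
#!/bin/sh
# Added example, not from the original post or from psad/CSF/UFW.
# Places psad's LOG rule where the psad docs say it belongs: after the
# ACCEPT rules and just before the chain's final unconditional DROP or
# REJECT, adding it only once. Works from `iptables -S <chain>` output,
# so it is independent of the firewall front end in use.

# log_rule_position CHAIN: reads `iptables -S CHAIN` on stdin and prints
# the 1-based rule index of the last unconditional "-A CHAIN -j DROP" or
# "-j REJECT" rule (so `iptables -I CHAIN <n>` lands just before it), or
# 0 when the chain has no such terminal rule and LOG can simply be appended.
# Conditional drops such as "-A INPUT -s 192.0.2.0/24 -j DROP" are skipped.
log_rule_position() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            n++
            if ($0 ~ ("^-A " chain " -j (DROP|REJECT)( |$)")) last = n
        }
        END { print last + 0 }'
}

# has_log_rule CHAIN: exit 0 if a "-j LOG" rule is already in CHAIN on stdin.
has_log_rule() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain && $0 ~ / -j LOG( |$)/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# ensure_log_rule CHAIN: idempotently add the psad LOG rule to a live chain.
ensure_log_rule() {
    chain=$1
    rules=$(iptables -S "$chain") || return 1
    if printf '%s\n' "$rules" | has_log_rule "$chain"; then
        echo "$chain: psad LOG rule already present"
        return 0
    fi
    pos=$(printf '%s\n' "$rules" | log_rule_position "$chain")
    if [ "$pos" -eq 0 ]; then
        set -- -A "$chain"
    else
        set -- -I "$chain" "$pos"
    fi
    iptables "$@" -j LOG --log-tcp-options --log-prefix "[IPTABLES] "
}

# Usage (as root, after the firewall's own rules have been loaded):
#   for c in INPUT FORWARD; do ensure_log_rule "$c"; done
```

Running it a second time is harmless because has_log_rule short-circuits, which matters when a firewall reload hook fires repeatedly.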