Anthony Campbell
2004-Apr-02 15:58 UTC
PSAD requesting modifications to shorewall - necessary?
I've just installed Bastille, following a compromise, and this asks for psad as well. Psad has sent the following message:

================================================================
** The INPUT chain in the iptables ruleset on _CHANGEME_ includes a default LOG rule for all protocols, but the rule does not have a log prefix of "DROP". It appears as though the log prefix is set to "Shorewall:INPUT:REJECT:". psad will not be able to detect scans without adding --log-prefix "DROP" to the rule.

** The INPUT chain in the iptables ruleset on _CHANGEME_ does not include a default DROP rule for all protocols.

** The INPUT chain in the iptables ruleset on _CHANGEME_ does not include default rules that will log and drop unwanted packets. You need to include two default rules; one that logs packets that have not been accepted by previous rules (this rule should have a logging prefix of "DROP"), and a final rule that drops any unwanted packets.

FOR EXAMPLE: Assuming you have already setup iptables rules to accept traffic you want to allow, you can probably execute the following two commands to have iptables log and drop unwanted packets in the INPUT chain by default.

    iptables -A INPUT -j LOG --log-prefix "DROP "
    iptables -A INPUT -j DROP

** Psad will not detect in the iptables INPUT chain scans without an iptables ruleset that includes rules similar to the two rules above.

.. NOTE: IPTables::Parse does not yet parse user defined chains and so it is possible your firewall config is compatible with psad anyway.
=========================================================================

Especially in view of the last two lines, should I do anything at all?

Anthony

-- 
ac@acampbell.org.uk     ||  http://www.acampbell.org.uk
using Linux GNU/Debian  ||  for book reviews, electronic
Windows-free zone       ||  books and skeptical articles
Tom Eastep
2004-Apr-02 16:03 UTC
Re: PSAD requesting modifications to shorewall - necessary?
Anthony Campbell wrote:

> Especially in view of the last two lines, should I do anything at all?

I don't understand what you expect us to say. It appears that psad only understands the most rudimentary iptables configurations.

-Tom

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Anthony Campbell
2004-Apr-02 16:16 UTC
Re: PSAD requesting modifications to shorewall- necessary?
On 02 Apr 2004, Tom Eastep wrote:
> Anthony Campbell wrote:
>
> > Especially in view of the last two lines, should I do anything at all?
>
> I don't understand what you expect us to say. It appears that psad only
> understands the most rudimentary iptables configurations.
>
> -Tom

It's in much the same state as me, then. But I assume from what you say that I should ignore this message.

Anthony

-- 
ac@acampbell.org.uk     ||  http://www.acampbell.org.uk
using Linux GNU/Debian  ||  for book reviews, electronic
Windows-free zone       ||  books and skeptical articles
Tom Eastep
2004-Apr-02 16:19 UTC
Re: PSAD requesting modifications to shorewall- necessary?
Anthony Campbell wrote:
> On 02 Apr 2004, Tom Eastep wrote:
>
> > Anthony Campbell wrote:
> >
> > > Especially in view of the last two lines, should I do anything at all?
> >
> > I don't understand what you expect us to say. It appears that psad only
> > understands the most rudimentary iptables configurations.
> >
> > -Tom
>
> It's in much the same state as me, then. But I assume from what you say
> that I should ignore this message.

It appears based on your evidence that psad and Shorewall are not compatible -- if you ignore the message then psad won't work. OTOH, I don't see how you can configure Shorewall to satisfy psad (at least given the messages that you posted).

-Tom

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Anthony Campbell
2004-Apr-02 16:37 UTC
Re: PSAD requesting modifications to shorewall-necessary?
On 02 Apr 2004, Tom Eastep wrote:
> Anthony Campbell wrote:
> > On 02 Apr 2004, Tom Eastep wrote:
> >
> > > Anthony Campbell wrote:
> > >
> > > > Especially in view of the last two lines, should I do anything at all?
> > >
> > > I don't understand what you expect us to say. It appears that psad only
> > > understands the most rudimentary iptables configurations.
> > >
> > > -Tom
> >
> > It's in much the same state as me, then. But I assume from what you say
> > that I should ignore this message.
>
> It appears based on your evidence that psad and Shorewall are not
> compatible -- if you ignore the message then psad won't work. OTOH, I
> don't see how you can configure Shorewall to satisfy psad (at least
> given the messages that you posted).
>
> -Tom
> --

Yes, fair enough. I suppose I'm fairly paranoid at the moment, having spent about 3 days reinstalling my system after it was compromised, so I was trying to install everything in sight to prevent a recurrence. But I'll remove psad.

Anthony

-- 
ac@acampbell.org.uk     ||  http://www.acampbell.org.uk
using Linux GNU/Debian  ||  for book reviews, electronic
Windows-free zone       ||  books and skeptical articles
Horst Graffy
2004-Apr-02 16:53 UTC
Re: PSAD requesting modifications to shorewall-necessary?
On Friday, 2 April 2004 18:37, Anthony Campbell wrote:
> On 02 Apr 2004, Tom Eastep wrote:
> > Anthony Campbell wrote:
> > > On 02 Apr 2004, Tom Eastep wrote:
> > > > Anthony Campbell wrote:
> > > > > Especially in view of the last two lines, should I do anything at all?
> > > >
> > > > I don't understand what you expect us to say. It appears that psad only
> > > > understands the most rudimentary iptables configurations.
> > > >
> > > > -Tom
> > >
> > > It's in much the same state as me, then. But I assume from what you say
> > > that I should ignore this message.
> >
> > It appears based on your evidence that psad and Shorewall are not
> > compatible -- if you ignore the message then psad won't work. OTOH, I
> > don't see how you can configure Shorewall to satisfy psad (at least
> > given the messages that you posted).
> >
> > -Tom
> > --
>
> Yes, fair enough. I suppose I'm fairly paranoid at the moment, having
> spent about 3 days reinstalling my system after it was compromised, so I
> was trying to install everything in sight to prevent a recurrence. But
> I'll remove psad.
>
> Anthony

Hi,

I'm running psad and shorewall on my router without problems (SuSE 8.2).

The only thing to change in the psad configuration (/etc/psad/psad.conf) was
FW_MSG_SEARCH Shorewall:net2all:DROP:;
(here you have to use the prefix from shorewall.conf, key LOGFORMAT=)

Here is my startscript (/etc/init.d/psad). Make sure to start psad AFTER shorewall!

#!/bin/sh
#
# Startup script for psad
#
# chkconfig: 345 99 05
# description: The Port Scan Attack Detector (psad)
# processname: psad
# pidfile: /var/run/psad.pid
# config: /etc/psad/psad.conf
#
# $Id: psad-init.generic,v 1.5 2003/05/10 20:09:10 mbr Exp $

restart() {
    $0 stop
    $0 start
}

# See how we were called.
case "$1" in
  start)
    if grep -q psadfifo /etc/syslog.conf; then
        echo -n "Starting the psad daemons. "
        ### psad enables signature matching and auto
        ### danger level assignment by default, so
        ### command line args are not necessary here.
        /usr/sbin/psad
        echo
    else
        echo "Syslog has not been configured to send kern.info messages to"
        echo "/var/lib/psad/psadfifo. Do you need to run the psad installer?"
    fi
    ;;
  stop)
    /usr/sbin/psad --Kill
    ;;
  status)
    /usr/sbin/psad --Status
    ;;
  restart)
    restart
    ;;
  *)
    echo "Usage: psad {start|stop|status|restart}"
    exit 1
esac

Hope this helps.
The messages from psad at start you can safely ignore ;)

Toni
Anthony Campbell
2004-Apr-02 18:01 UTC
Re: PSAD requesting modificationsto shorewall-necessary?
On 02 Apr 2004, Horst Graffy wrote:

Thanks for this info.

> Hi,
>
> I'm running psad and shorewall on my router without problems (SuSE 8.2)
>
> The only thing to change in the psad configuration (/etc/psad/psad.conf) was
> FW_MSG_SEARCH Shorewall:net2all:DROP:; (here you have to use the
> prefix from shorewall.conf, key LOGFORMAT=)

Sorry, I don't quite follow this. My shorewall.conf has:

LOGFORMAT="Shorewall:%s:%s:"

and psad.conf has:

FW_MSG_SEARCH DROP;

So what should I put here?

> Here is my startscript (etc/init.d/psad). Ensure to start psad AFTER
> shorewall !

How do I arrange this delayed start?

> #!/bin/sh
> #
> # Startup script for psad
> #
> # chkconfig: 345 99 05
> # description: The Port Scan Attack Detector (psad)
> # processname: psad
> # pidfile: /var/run/psad.pid
> # config: /etc/psad/psad.conf
> #
> # $Id: psad-init.generic,v 1.5 2003/05/10 20:09:10 mbr Exp $
>
> restart() {
>     $0 stop
>     $0 start
> }
>
> # See how we were called.
> case "$1" in
>   start)
>     if grep -q psadfifo /etc/syslog.conf; then
>         echo -n "Starting the psad daemons. "
>         ### psad enables signature matching and auto
>         ### danger level assignment by default, so
>         ### command line args are not necessary here.
>         /usr/sbin/psad
>         echo
>     else
>         echo "Syslog has not been configured to send kern.info messages to"
>         echo "/var/lib/psad/psadfifo. Do you need to run the psad installer?"
>     fi
>     ;;
>   stop)
>     /usr/sbin/psad --Kill
>     ;;
>   status)
>     /usr/sbin/psad --Status
>     ;;
>   restart)
>     restart
>     ;;
>   *)
>     echo "Usage: psad {start|stop|status|restart}"
>     exit 1
> esac
>
> Hope this helps.
> The Messages from psad start you can safely ignore ;)
>
> Toni
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>
> ________________________________________________________________________
> This email has been scanned using the CleanPort MEF antivirus
> system. Funded for members by the Doctors.net.uk Bulletin service
> How does this protect me? http://www.Doctors.net.uk/qualityemail
> ________________________________________________________________________

-- 
ac@acampbell.org.uk     ||  http://www.acampbell.org.uk
using Linux GNU/Debian  ||  for book reviews, electronic
Windows-free zone       ||  books and skeptical articles
Horst Graffy
2004-Apr-02 19:11 UTC
Re: PSAD requesting modificationsto shorewall-necessary?
On Friday, 2 April 2004 20:01, Anthony Campbell wrote:
> On 02 Apr 2004, Horst Graffy wrote:
>
> Thanks for this info.
>
> > Hi,
> >
> > I'm running psad and shorewall on my router without problems (SuSE 8.2)
> >
> > The only thing to change in the psad configuration (/etc/psad/psad.conf)
> > was FW_MSG_SEARCH Shorewall:net2all:DROP:; (here you have
> > to use the prefix from shorewall.conf, key LOGFORMAT=)
>
> Sorry, I don't quite follow this. My shorewall.conf has:
> LOGFORMAT="Shorewall:%s:%s:"

That's fine; the %s:%s is replaced by the running shorewall with the chain name and DROP.

You need to change that in psad.conf, because psad is using a FIFO for checking the syslog and all lines starting with that signature are counted (see the psad documentation). E.g. a line from my syslog:

Apr  2 20:53:47 snake kernel: Shorewall:net2all:DROP: IN=ppp0 OUT= MAC= SRC=80.135.120.197 DST=82.83.141.50 LEN=44 TOS=0x00 PREC=0x00 TTL=57 ID=14282 DF PROTO=TCP SPT=50230 DPT=4660 WINDOW=65535 RES=0x00 SYN URGP=0

The net2all chain is the chain where the packets are LOGged and DROPped (look at "shorewall show" for all the chains created by shorewall).

> and psad.conf has:
>
> FW_MSG_SEARCH DROP;
>
> So what should I put here?
>
> > Here is my startscript (etc/init.d/psad). Ensure to start psad AFTER
> > shorewall !
>
> How do I arrange this delayed start?

On a SuSE system you can use insserv. That program does the magic of putting the scripts in the right order. On other systems the order of the rc-scripts depends on the name. So you create symbolic links for each script. (E.g. in /etc/init.d/rc5.d the link for starting shorewall is S09shorewall and the link for psad is S12psad.)

# ls /etc/init.d/rc3.d/S*
lrwxrwxrwx 1 root root  9 May 19  2003 S01random -> ../random
lrwxrwxrwx 1 root root 10 Aug  2  2003 S05network -> ../network
lrwxrwxrwx 1 root root  9 May 19  2003 S06syslog -> ../syslog
lrwxrwxrwx 1 root root 10 May 19  2003 S07hotplug -> ../hotplug
lrwxrwxrwx 1 root root  8 Feb  6 18:23 S09cyrus -> ../cyrus
lrwxrwxrwx 1 root root 12 Feb  6 18:55 S09fetchmail -> ../fetchmail
lrwxrwxrwx 1 root root 10 May 19  2003 S09portmap -> ../portmap
lrwxrwxrwx 1 root root 12 Feb  6 18:23 S09saslauthd -> ../saslauthd
lrwxrwxrwx 1 root root 12 Aug 27  2003 S09shorewall -> ../shorewall
lrwxrwxrwx 1 root root 15 May 19  2003 S09splash_early -> ../splash_early
lrwxrwxrwx 1 root root  9 Sep 18  2003 S09webmin -> ../webmin
lrwxrwxrwx 1 root root  6 May 20  2003 S11nfs -> ../nfs
lrwxrwxrwx 1 root root 12 May 20  2003 S13alsasound -> ../alsasound
lrwxrwxrwx 1 root root  9 Feb 27 21:32 S13amavis -> ../amavis
lrwxrwxrwx 1 root root  8 May 20  2003 S13fbset -> ../fbset
lrwxrwxrwx 1 root root 12 Mar 21 12:54 S13mailgraph -> ../mailgraph
lrwxrwxrwx 1 root root  8 Aug  5  2003 S13named -> ../named
lrwxrwxrwx 1 root root 17 May 20  2003 S13rpmconfigcheck -> ../rpmconfigcheck
lrwxrwxrwx 1 root root  7 Aug  4  2003 S13sshd -> ../sshd
lrwxrwxrwx 1 root root 12 May 20  2003 S13vncserver -> ../vncserver
lrwxrwxrwx 1 root root  9 Oct 31 14:45 S13xinetd -> ../xinetd
lrwxrwxrwx 1 root root  7 Aug  5  2003 S14cups -> ../cups
lrwxrwxrwx 1 root root  6 May 20  2003 S14kbd -> ../kbd
lrwxrwxrwx 1 root root  9 May 20  2003 S14splash -> ../splash
lrwxrwxrwx 1 root root  9 May 20  2003 S15hwscan -> ../hwscan
lrwxrwxrwx 1 root root 10 Aug  5  2003 S15postfix -> ../postfix
lrwxrwxrwx 1 root root  9 Aug  5  2003 S15smpppd -> ../smpppd
lrwxrwxrwx 1 root root  8 Nov  4 18:57 S15xntpd -> ../xntpd
lrwxrwxrwx 1 root root  9 Feb  6 18:23 S17apache -> ../apache
lrwxrwxrwx 1 root root  6 Nov  4 18:57 S17atd -> ../atd
lrwxrwxrwx 1 root root  7 Nov  4 18:57 S17cron -> ../cron
lrwxrwxrwx 1 root root  7 Nov  4 18:57 S17nscd -> ../nscd
lrwxrwxrwx 1 root root  8 Feb  6 18:23 S18squid -> ../squid
lrwxrwxrwx 1 root root  7 Mar 21 12:54 S21psad -> ../psad
lrwxrwxrwx 1 root root 14 Mar 21 12:54 S21splash_late -> ../splash_late

> > #!/bin/sh
> > #
> > # Startup script for psad
> > #
> > # chkconfig: 345 99 05
> > # description: The Port Scan Attack Detector (psad)
> > # processname: psad
> > # pidfile: /var/run/psad.pid
> > # config: /etc/psad/psad.conf
> > #
> > # $Id: psad-init.generic,v 1.5 2003/05/10 20:09:10 mbr Exp $
> >
> > restart() {
> >     $0 stop
> >     $0 start
> > }
> >
> > # See how we were called.
> > case "$1" in
> >   start)
> >     if grep -q psadfifo /etc/syslog.conf; then
> >         echo -n "Starting the psad daemons. "
> >         ### psad enables signature matching and auto
> >         ### danger level assignment by default, so
> >         ### command line args are not necessary here.
> >         /usr/sbin/psad
> >         echo
> >     else
> >         echo "Syslog has not been configured to send kern.info messages to"
> >         echo "/var/lib/psad/psadfifo. Do you need to run the psad installer?"
> >     fi
> >     ;;
> >   stop)
> >     /usr/sbin/psad --Kill
> >     ;;
> >   status)
> >     /usr/sbin/psad --Status
> >     ;;
> >   restart)
> >     restart
> >     ;;
> >   *)
> >     echo "Usage: psad {start|stop|status|restart}"
> >     exit 1
> > esac
> >
> > Hope this helps. The Messages from psad start you can safely ignore ;)
> >
> > Toni

Toni
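To make Horst's point concrete, here is a small added example (not psad's code, and not part of the original thread) that models how a psad-style FW_MSG_SEARCH prefix selects Shorewall kernel log lines, and why the default value "DROP" never matches a prefix built from LOGFORMAT="Shorewall:%s:%s:". The first sample line is the one Horst posted; the remaining lines are constructed (RFC 5737 test addresses), and exact-prefix matching is an assumption modelled on his description, not psad's actual parser.

```python
import re
from collections import defaultdict

# Shorewall fills LOGFORMAT="Shorewall:%s:%s:" with chain name and disposition.
FW_MSG_SEARCH = "Shorewall:net2all:DROP:"

# Kernel log line: a Shorewall prefix followed by iptables KEY=VALUE fields.
LINE_RE = re.compile(r"kernel: (?P<prefix>Shorewall:[^:\s]+:[^:\s]+:) (?P<fields>.*)$")

SAMPLE_LOG = [
    # the line Horst posted from his syslog
    "Apr  2 20:53:47 snake kernel: Shorewall:net2all:DROP: IN=ppp0 OUT= MAC= "
    "SRC=80.135.120.197 DST=82.83.141.50 LEN=44 TOS=0x00 PREC=0x00 TTL=57 ID=14282 DF "
    "PROTO=TCP SPT=50230 DPT=4660 WINDOW=65535 RES=0x00 SYN URGP=0",
    # constructed lines (RFC 5737 test address): one source probing three ports
    "Apr  2 20:54:01 snake kernel: Shorewall:net2all:DROP: IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=82.83.141.50 PROTO=TCP SPT=40000 DPT=22 SYN",
    "Apr  2 20:54:01 snake kernel: Shorewall:net2all:DROP: IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=82.83.141.50 PROTO=TCP SPT=40001 DPT=23 SYN",
    "Apr  2 20:54:02 snake kernel: Shorewall:net2all:DROP: IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=82.83.141.50 PROTO=TCP SPT=40002 DPT=80 SYN",
    # constructed kernel line without a firewall prefix; must be ignored
    "Apr  2 20:54:05 snake kernel: ppp0: link up",
]

def parse_line(line):
    """Return {'prefix': ..., 'SRC': ..., 'DPT': ...} for a Shorewall log line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix")}
    for token in m.group("fields").split():
        if "=" in token:                 # flags such as DF or SYN carry no '='
            key, value = token.split("=", 1)
            rec[key] = value
    return rec

def matching_records(lines, search=FW_MSG_SEARCH):
    """Keep only lines whose log prefix is exactly the configured FW_MSG_SEARCH string."""
    return [r for r in map(parse_line, lines) if r and r["prefix"] == search]

def ports_per_source(records):
    """Map each SRC address to the set of distinct destination ports it was dropped on."""
    seen = defaultdict(set)
    for r in records:
        if "DPT" in r:
            seen[r["SRC"]].add(int(r["DPT"]))
    return seen

def scanning_sources(lines, search=FW_MSG_SEARCH, min_ports=3):
    """Sources that hit at least min_ports distinct ports in the dropped traffic."""
    per_src = ports_per_source(matching_records(lines, search))
    return sorted(src for src, ports in per_src.items() if len(ports) >= min_ports)
```

With search="DROP" no line is selected at all, which is the failure Anthony's unchanged psad.conf would produce; with the full Shorewall prefix the constructed source is flagged.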
Horst Graffy wrote:
>
> The net2all-chain is the chain where the packets are LOGged and DROPped
> (look at "shorewall show" for all the chains created from shorewall)

That is where all packets *originating in the 'net' zone* are logged and dropped.

-Tom

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net