
psad: Intrusion Detection and Log Analysis with iptables
http://www.cipherdyne.org/psad/
GNU General Public License v2.0

psad: could not add iptables block rule for: xxx.xxx.xxx.xxx and IPT_AUTO_CHAIN1 keyword not found #70

Open flaggz opened 4 years ago

flaggz commented 4 years ago

Even after updating to the GitHub version I still get these errors in the log, and I can't auto-block IP addresses. I tried with ENABLE_OVERRIDE_FW_CMD set to Y and to N, but the problem remains.

Excerpt from the messages log:

psad: invalid IPT_AUTO_CHAIN1 keyword, INPUT chain does not exist.
psad: could not add iptables block rule for: 

Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64 GNU/Linux

psad -V

[+] psad v2.4.6 by Michael Rash <mbr@cipherdyne.org>

psad.conf

# psad.conf as posted in the report; e-mail address and hostname are
# redacted as "xxx". Only the entries relevant to the reported
# auto-block failure carry review comments.
EMAIL_ADDRESSES             xxx;
HOSTNAME                    xxx;
# NOTE(review): HTTP_SERVERS / SMTP_SERVERS / DNS_SERVERS / SQL_SERVERS /
# TELNET_SERVERS below all expand $HOME_NET, which is NOT_USED here.
HOME_NET                    NOT_USED;
EXTERNAL_NET                any;
FW_SEARCH_ALL               Y;
FW_MSG_SEARCH               DROP;
IFCFGTYPE                   ifconfig;
DANGER_LEVEL1               5;    
DANGER_LEVEL2               15;
DANGER_LEVEL3               150;
DANGER_LEVEL4               1500;
DANGER_LEVEL5               10000;
DL1_UNIQUE_HOSTS            10;
DL2_UNIQUE_HOSTS            20;
DL3_UNIQUE_HOSTS            50;
DL4_UNIQUE_HOSTS            100;
DL5_UNIQUE_HOSTS            500;
CHECK_INTERVAL              5;
SNORT_SID_STR               SID;
PORT_RANGE_SCAN_THRESHOLD   1;
PORT_RANGE_SWEEP_THRESHOLD  0; 
PROTOCOL_SCAN_THRESHOLD     5;
ENABLE_PERSISTENCE          Y;
SCAN_TIMEOUT                3600;  
PERSISTENCE_CTR_THRESHOLD   5;
MAX_SCAN_IP_PAIRS           0;
SHOW_ALL_SIGNATURES         N;
# Alerts go nowhere by e-mail (noemail), so EMAIL_ADDRESSES is effectively unused.
ALERTING_METHODS            noemail;
# Log source: journalctl auto-detection is on, but the explicit
# FW_MSG_READ_CMD (/bin/journalctl) is disabled, and the syslog file
# read from is /var/log/messages.
AUTO_DETECT_JOURNALCTL      Y;
ENABLE_SYSLOG_FILE          Y;
IPT_WRITE_FWDATA            Y;
IPT_SYSLOG_FILE             /var/log/messages;
SYSLOG_DAEMON               syslogd;
ENABLE_FW_MSG_READ_CMD      N;
FW_MSG_READ_CMD             /bin/journalctl;
FW_MSG_READ_CMD_ARGS        -f -k;
USE_FW_MSG_READ_CMD_ARGS    Y;
FW_MSG_READ_MIN_PKTS        30;
ENABLE_SIG_MSG_SYSLOG       Y;
SIG_MSG_SYSLOG_THRESHOLD    10;
SIG_SID_SYSLOG_THRESHOLD    10;
ENABLE_PSADWATCHD           N;
EXPECT_TCP_OPTIONS          Y;
MAX_HOPS                    20;
IGNORE_KERNEL_TIMESTAMP     Y;
IGNORE_CONNTRACK_BUG_PKTS   Y;
IGNORE_PORTS                NONE;
IGNORE_PROTOCOLS            NONE;
IGNORE_INTERFACES           NONE;
IGNORE_LOG_PREFIXES         NONE;
MIN_DANGER_LEVEL            1;
EMAIL_ALERT_DANGER_LEVEL    3;
ENABLE_IPV6_DETECTION       Y;
ENABLE_INTF_LOCAL_NETS      Y;
ENABLE_MAC_ADDR_REPORTING   N;
ENABLE_FW_LOGGING_CHECK     Y;
EMAIL_LIMIT                 20;
ENABLE_EMAIL_LIMIT_PER_DST  N;
EMAIL_LIMIT_STATUS_MSG      Y;
EMAIL_THROTTLE              0;
EMAIL_APPEND_HEADER         NONE;
ALERT_ALL                   Y;
IMPORT_OLD_SCANS            N;
SYSLOG_IDENTITY             psad;
SYSLOG_FACILITY             LOG_LOCAL7;
SYSLOG_PRIORITY             LOG_INFO;
TOP_PORTS_LOG_THRESHOLD     500;
STATUS_PORTS_THRESHOLD      20;
TOP_SIGS_LOG_THRESHOLD      500;
STATUS_SIGS_THRESHOLD       50;
TOP_IP_LOG_THRESHOLD        500;
STATUS_IP_THRESHOLD         25;
TOP_SCANS_CTR_THRESHOLD     1;
# The override is on and FW_CMD points at /usr/sbin/iptables, while the
# iptablesCmd entry near the end of this file is /sbin/iptables. The
# reporter says the error persists with the override set to Y or N.
# NOTE(review): which of the two binaries actually runs, and whether it
# is the legacy or the nft-backed iptables on this Debian host (kernel
# 4.19 per the report), is worth confirming -- presumably relevant to the
# "INPUT chain does not exist" message.
ENABLE_OVERRIDE_FW_CMD      Y;
FW_CMD                      /usr/sbin/iptables;
FW_CMD_ARGS                 NONE;
ENABLE_DSHIELD_ALERTS       N;
DSHIELD_ALERT_EMAIL         reports@dshield.org;
DSHIELD_ALERT_INTERVAL      6;  
DSHIELD_USER_ID             0;
DSHIELD_USER_EMAIL          NONE;
DSHIELD_DL_THRESHOLD        0;
HTTP_SERVERS                $HOME_NET;
SMTP_SERVERS                $HOME_NET;
DNS_SERVERS                 $HOME_NET;
SQL_SERVERS                 $HOME_NET;
TELNET_SERVERS              $HOME_NET;
AIM_SERVERS                 [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24];
HTTP_PORTS                  80;
SHELLCODE_PORTS             !80;
ORACLE_PORTS                1521;
ENABLE_SNORT_SIG_STRICT     Y;
# Auto-blocking is enabled from danger level 3 (DANGER_LEVEL3 is 150
# above); the per-level timeouts below govern how long a block lasts.
ENABLE_AUTO_IDS             Y;
AUTO_IDS_DANGER_LEVEL       3;
AUTO_BLOCK_TIMEOUT          604800;
AUTO_BLOCK_DL1_TIMEOUT      300;
AUTO_BLOCK_DL2_TIMEOUT      900;
AUTO_BLOCK_DL3_TIMEOUT      1200;
AUTO_BLOCK_DL4_TIMEOUT      $AUTO_BLOCK_TIMEOUT;
# NOTE(review): a DL5 timeout of 0 presumably means the block never
# expires -- confirm against the psad documentation before relying on it.
AUTO_BLOCK_DL5_TIMEOUT      0;   
ENABLE_AUTO_IDS_REGEX       N;
AUTO_BLOCK_REGEX            ESTAB;  
ENABLE_RENEW_BLOCK_EMAILS   N;
ENABLE_AUTO_IDS_EMAILS      Y;
IPTABLES_BLOCK_METHOD       Y;
# The INPUT chain named in IPT_AUTO_CHAIN1 is the one the reported error
# says does not exist ("invalid IPT_AUTO_CHAIN1 keyword, INPUT chain does
# not exist"); CHAIN2 and CHAIN3 reference OUTPUT and FORWARD the same way,
# all in the filter table, jumping to the PSAD_BLOCK_* chains at position 1.
IPT_AUTO_CHAIN1             DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
IPT_AUTO_CHAIN2             DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
IPT_AUTO_CHAIN3             DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
FLUSH_IPT_AT_INIT           Y;
# NOTE(review): the "INPUT chain does not exist" error looks like the
# result of this prerequisite check against the running policy, i.e. the
# iptables binary psad invokes does not see a filter/INPUT chain -- verify
# by running that same binary by hand as the psad user.
IPTABLES_PREREQ_CHECK       1;
TCPWRAPPERS_BLOCK_METHOD    N;
ENABLE_WHOIS_LOOKUPS        Y;
WHOIS_TIMEOUT               60;  
WHOIS_LOOKUP_THRESHOLD      20;
ENABLE_WHOIS_FORCE_ASCII    N;
ENABLE_WHOIS_FORCE_SRC_IP   N;
ENABLE_DNS_LOOKUPS          Y;
DNS_LOOKUP_THRESHOLD        20;
ENABLE_EXT_SCRIPT_EXEC      N;
EXTERNAL_SCRIPT             /bin/true;
EXEC_EXT_SCRIPT_PER_ALERT   N;
ENABLE_EXT_BLOCK_SCRIPT_EXEC      N;
EXTERNAL_BLOCK_SCRIPT             /bin/true;
ENABLE_CUSTOM_SYSLOG_TS_RE      N;
CUSTOM_SYSLOG_TS_RE             ^\s*((?:\S+\s+){2}\S+)\s+(\S+)\s+kernel\:;
DISK_CHECK_INTERVAL         300;  
DISK_MAX_PERCENTAGE         95;
DISK_MAX_RM_RETRIES         10;
ENABLE_SCAN_ARCHIVE         N;
TRUNCATE_FWDATA             Y;
MIN_ARCHIVE_DANGER_LEVEL    1;
MAIL_ALERT_PREFIX           [psad-alert];
MAIL_STATUS_PREFIX          [psad-status];
MAIL_ERROR_PREFIX           [psad-error];
MAIL_FATAL_PREFIX           [psad-fatal];
SIG_UPDATE_URL              http://www.cipherdyne.org/psad/signatures;
PSADWATCHD_CHECK_INTERVAL   5;  
PSADWATCHD_MAX_RETRIES      10;
INSTALL_ROOT                /;
PSAD_DIR                    $INSTALL_ROOT/var/log/psad;
PSAD_RUN_DIR                $INSTALL_ROOT/var/run/psad;
PSAD_FIFO_DIR               $INSTALL_ROOT/var/lib/psad;
PSAD_LIBS_DIR               $INSTALL_ROOT/usr/lib/psad;
PSAD_CONF_DIR               $INSTALL_ROOT/etc/psad;
PSAD_ERR_DIR                $PSAD_DIR/errs;
CONF_ARCHIVE_DIR            $PSAD_CONF_DIR/archive;
SCAN_DATA_ARCHIVE_DIR       $PSAD_DIR/scan_archive;
ANALYSIS_MODE_DIR           $PSAD_DIR/ipt_analysis;
SNORT_RULES_DIR             $PSAD_CONF_DIR/snort_rules;
FWSNORT_RULES_DIR           /etc/fwsnort/snort_rules;  
FW_DATA_FILE                $PSAD_DIR/fwdata;
ULOG_DATA_FILE              $PSAD_DIR/ulogd.log;
FW_CHECK_FILE               $PSAD_DIR/fw_check;
DSHIELD_EMAIL_FILE          $PSAD_DIR/dshield.email;
SIGS_FILE                   $PSAD_CONF_DIR/signatures;
PROTOCOLS_FILE              $PSAD_CONF_DIR/protocols;
ICMP_TYPES_FILE             $PSAD_CONF_DIR/icmp_types;
ICMP6_TYPES_FILE            $PSAD_CONF_DIR/icmp6_types;
AUTO_DL_FILE                $PSAD_CONF_DIR/auto_dl;
SNORT_RULE_DL_FILE          $PSAD_CONF_DIR/snort_rule_dl;
POSF_FILE                   $PSAD_CONF_DIR/posf;
P0F_FILE                    $PSAD_CONF_DIR/pf.os;
IP_OPTS_FILE                $PSAD_CONF_DIR/ip_options;
PSAD_FIFO_FILE              $PSAD_FIFO_DIR/psadfifo;
ETC_HOSTS_DENY_FILE         /etc/hosts.deny;
ETC_SYSLOG_CONF             /etc/syslog.conf;
ETC_RSYSLOG_CONF            /etc/rsyslog.conf;
ETC_SYSLOGNG_CONF           /etc/syslog-ng/syslog-ng.conf;
ETC_METALOG_CONF            /etc/metalog/metalog.conf;
STATUS_OUTPUT_FILE          $PSAD_DIR/status.out;
ANALYSIS_OUTPUT_FILE        $PSAD_DIR/analysis.out;
INSTALL_LOG_FILE            $PSAD_DIR/install.log;
PSAD_PID_FILE               $PSAD_RUN_DIR/psad.pid;
PSAD_FW_READ_PID_FILE       $PSAD_RUN_DIR/psad_fw_read.pid;
PSAD_CMDLINE_FILE           $PSAD_RUN_DIR/psad.cmd;
KMSGSD_PID_FILE             $PSAD_RUN_DIR/kmsgsd.pid;
PSADWATCHD_PID_FILE         $PSAD_RUN_DIR/psadwatchd.pid;
AUTO_BLOCK_IPT_FILE         $PSAD_DIR/auto_blocked_iptables;
AUTO_BLOCK_TCPWR_FILE       $PSAD_DIR/auto_blocked_tcpwr;
AUTO_IPT_SOCK               $PSAD_RUN_DIR/auto_ipt.sock;
FW_ERROR_LOG                $PSAD_ERR_DIR/fwerrorlog;
PRINT_SCAN_HASH             $PSAD_DIR/scan_hash;
PROC_FORWARD_FILE           /proc/sys/net/ipv4/ip_forward;
PACKET_COUNTER_FILE         $PSAD_DIR/packet_ctr;
TOP_SCANNED_PORTS_FILE      $PSAD_DIR/top_ports;
TOP_SIGS_FILE               $PSAD_DIR/top_sigs;
TOP_ATTACKERS_FILE          $PSAD_DIR/top_attackers;
DSHIELD_COUNTER_FILE        $PSAD_DIR/dshield_ctr;
IPT_PREFIX_COUNTER_FILE     $PSAD_DIR/ipt_prefix_ctr;
IPT_OUTPUT_PATTERN          psad_iptout.XXXXXX;
IPT_ERROR_PATTERN           psad_ipterr.XXXXXX;
# iptablesCmd here (/sbin/iptables) differs from FW_CMD above
# (/usr/sbin/iptables); the report does not say which path exists on the
# host, so both are worth checking.
iptablesCmd      /sbin/iptables;
ip6tablesCmd     /sbin/ip6tables;
shCmd            /bin/sh;
wgetCmd          /usr/bin/wget;
gzipCmd          /bin/gzip;
mknodCmd         /bin/mknod;
psCmd            /bin/ps;
mailCmd          /bin/mail;
sendmailCmd      /usr/sbin/sendmail;
ifconfigCmd      /sbin/ifconfig;
ipCmd            /sbin/ip;
killallCmd       /usr/bin/killall;
netstatCmd       /bin/netstat;
unameCmd         /bin/uname;
whoisCmd         $INSTALL_ROOT/usr/bin/whois_psad;
dfCmd            /bin/df;
fwcheck_psadCmd  $INSTALL_ROOT/usr/sbin/fwcheck_psad;
psadwatchdCmd    $INSTALL_ROOT/usr/sbin/psadwatchd;
kmsgsdCmd        $INSTALL_ROOT/usr/sbin/kmsgsd;
psadCmd          $INSTALL_ROOT/usr/sbin/psad;