The fish just haven't been biting here in the Land of Cheese this year. So that has given me tons more time in my lab geekin' and phrackin'. I was playing around in my lab the other day trying to build out a low-to-no-cost SMB security design and hide out from my in-laws. Of course many vendors already offer good solutions to this problem. But as a victim of the IBM and Unisys days of "My way or the highway," I never ever like to turn over control of my network to a vendor. Plus it really helps me to see the value-add of what a vendor is really providing. If it is just an X-Window interface over Linux, then it's "Thanks for lunch, there's the door."
I wanted to see what it would take to build out a full SMB network that would pass audits and be secure enough that hackers would classify it as non-low-hanging fruit and move on to the next target.
I started messin' around with Port Knocking and Single Packet Authentication. I grabbed one of my favorite Linux reference guides, "Linux Firewalls" by Michael Rash. If you have not read this book, you're missin' out on the best thing since cornbread found pinto beans. Super friggen awesome book!
On my way to chapter 12, I happened to stumble across the Port Scan Attack Detector (PSAD). Holy smokes! I had completely overlooked this awesome utility! PSAD, at one time in a galaxy not so far away, was called Bastille Linux NIDS. It is still part of that awesome package but is now called PSAD. If you are looking for a great OS hardening package, look no further than: http://bastille-linux.sourceforge.net/
PSAD is basically an active log-grepping tool that scans the firewall logs and takes action based on already classified information. It works on common sense. Did the firewall (iptables) detect and flag a packet that did not conform to the local security policy? Then let's do something about it!
But it is really more than that. PSAD can detect not only port scans but also (most of the time) the OS of the machine that initiated the scan. It can also detect DDoS attacks and reuse the Snort signature set to generate alerts. PSAD integrates very well into the normal system processes. Heck, each of its three daemons even runs as its own process.
PSAD is written in Perl with some C as well. It's a piece of cake to install, especially if you use Ubuntu/Debian:
sudo apt-get install psad
Make sure you also configure syslogd to pass data to PSAD. I did this by piping kernel info with the append:
Configuring PSAD is nothing out of the ordinary: just edit the /etc/psad/psad.conf file with your favorite editor. Like any good open source prog, it's the options that really add the value. I configured email alerts, danger levels, ENABLE_PERSISTENCE and a few others as the mood struck me. Start to finish, install and config is only around 30 minutes max from a base-level system. Heck fire, it's even easier if you go to:
http://www.cipherdyne.org/LinuxFirewalls/ch05/ and cut, copy and paste the conf file! After editing both the syslog and PSAD configs, restart each process.
A simple psad -S confirmed everything was up and kickin'. Time to test it out! For some baseline testing, I ran Nmap TCP and UDP scans against a couple of servers:
nmap -sT -n 192.168.1.55 and nmap -sU -n 192.168.1.55
Sure enough and true to form, PSAD detected the scan and, once I hit the Danger Level I configured, shot me an email through my Postcast server with the scan info, a reverse DNS lookup on the attacker, and an OS guess on the TCP scans (which means it must be pulling it from the SYN packet).
I love the common sense approach Michael Rash took with not only coding up PSAD but also with writing a great book. Due to the portability of this code and the low overhead involved, I am going to start trying to install/port this onto my DD-WRT image. More on that to be posted later...
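To make concrete what the "active log grep-ing" description above and the Nmap test are getting at, here is an added illustration of the core loop. This is my own toy code, not psad's and not from Michael Rash's book: it parses iptables LOG lines out of syslog, tallies packets and distinct destination ports per source, maps the packet count to a danger level and decides whether to alert or emit a block rule. The danger level thresholds (5/15/150/1500/10000 packets), the auto-block level and the three-port scan threshold are assumptions chosen to mirror the DANGER_LEVEL, AUTO_IDS_DANGER_LEVEL and scan-threshold knobs in psad.conf; the log lines are constructed sample data, not captured traffic. The reverse DNS lookup and the passive OS guess psad also does are left out.

```python
#!/usr/bin/env python3
"""Toy model of what psad does with iptables LOG lines: parse them out of
syslog, tally dropped packets per source, compute a danger level and decide
whether to act. Illustrative only; not psad's own code."""
import re
from collections import defaultdict

# Assumption: these mirror the stock DANGER_LEVEL1..5 packet thresholds in
# psad.conf; tune them exactly as you would in the real config.
DANGER_LEVELS = {1: 5, 2: 15, 3: 150, 4: 1500, 5: 10000}
# Assumption: act (emit a block rule) at this level or higher, the same idea
# as ENABLE_AUTO_IDS / AUTO_IDS_DANGER_LEVEL in psad.conf.
AUTO_IDS_DANGER_LEVEL = 3
# Assumption: a source touching this many distinct ports counts as a scan.
PORT_SCAN_THRESHOLD = 3

# Fields written by iptables -j LOG; psad keys on the same SRC/DST/PROTO/DPT.
IPT_LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)
TCP_FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")


def parse_ipt_line(line):
    """Return the interesting fields of an iptables LOG line, or None for any
    other syslog line (sshd, cron, ...), which psad likewise ignores."""
    m = IPT_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    rec["flags"] = frozenset(TCP_FLAG_RE.findall(line))
    return rec


def danger_level(packet_count):
    """Highest danger level whose packet threshold the count has reached (0 if none)."""
    return max((lvl for lvl, n in DANGER_LEVELS.items() if packet_count >= n), default=0)


def block_rule(src):
    """The rule an auto-blocking IDS would insert; returned as text, never executed here."""
    return f"iptables -I INPUT -s {src} -j DROP"


def analyze(log_text):
    """Group logged packets by (source, protocol) and raise one alert per scanning source."""
    stats = defaultdict(lambda: {"packets": 0, "ports": set(), "syn_only": 0})
    for line in log_text.splitlines():
        rec = parse_ipt_line(line)
        if rec is None:
            continue
        s = stats[(rec["src"], rec["proto"])]
        s["packets"] += 1
        if rec["dpt"] is not None:
            s["ports"].add(rec["dpt"])
        if rec["flags"] == {"SYN"}:   # bare SYN: what the firewall sees from nmap -sT/-sS
            s["syn_only"] += 1
    alerts = []
    for (src, proto), s in stats.items():
        if len(s["ports"]) < PORT_SCAN_THRESHOLD:
            continue                  # a few drops from one host is noise, not a scan
        dl = danger_level(s["packets"])
        alerts.append({
            "src": src, "proto": proto, "packets": s["packets"],
            "ports": sorted(s["ports"]), "danger_level": dl,
            "all_syn": proto == "TCP" and s["syn_only"] == s["packets"],
            "action": block_rule(src) if dl >= AUTO_IDS_DANGER_LEVEL else None,
        })
    return sorted(alerts, key=lambda a: a["src"])


def _ipt_line(src, proto, dpt, flags="SYN"):
    """Construct a sample iptables LOG line as syslog records it (test data, not captured traffic)."""
    l4 = (f"SPT=40000 DPT={dpt} WINDOW=1024 RES=0x00 {flags} URGP=0" if proto == "TCP"
          else f"SPT=40000 DPT={dpt} LEN=8")
    return (f"Jul  4 10:01:02 fw kernel: DROP IN=eth0 OUT= SRC={src} DST=192.168.1.55 "
            f"LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO={proto} {l4}")


# Constructed sample: a TCP sweep of 20 ports, a UDP sweep of 160 ports, one
# stray SSH drop, and an unrelated sshd line that the parser must skip.
SAMPLE_LOG = "\n".join(
    [_ipt_line("192.168.1.77", "TCP", p) for p in range(1, 21)]
    + [_ipt_line("10.0.0.9", "UDP", p) for p in range(1, 161)]
    + [_ipt_line("192.168.1.5", "TCP", 22),
       "Jul  4 10:01:03 fw sshd[4242]: Accepted publickey for admin from 192.168.1.5 port 50022 ssh2"]
)

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a['src']} {a['proto']}: {a['packets']} pkts, {len(a['ports'])} ports, "
              f"DL={a['danger_level']}, all_syn={a['all_syn']}, action={a['action']}")
```

Run it and the 20-port TCP sweep lands at danger level 2 (alert only), while the 160-port UDP sweep crosses level 3 and gets a block rule; the single dropped SSH packet never becomes an alert. Note this only works if iptables is actually logging the drops (a -j LOG rule ahead of the DROP), which is the same reason psad needs the syslog plumbing described above.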
PSAD can be downloaded at: http://www.cipherdyne.org/psad/ as well as install and config guides.
I was thinking about ending with a cheesy used car salesman tag line like; "You won't Be Sad with PSAD" But that is too goober-ific and would never work...
Jimmy Ray Purser
Trivia File Transfer Protocol
James Brown's wife tried to get her traffic tickets dismissed because of "diplomatic immunity" in June of 1988. She claimed her husband was the official "ambassador of soul." She lost the case.
Jimmy Ray Purser is the technical co-host for Cisco's TechWise and BizWise TV. Jimmy Ray also conducts advanced training for engineers across North America and Europe and regularly speaks at industry conferences such as VON, CeBIT, N+I, and Networkers. As a field engineer, Jimmy Ray experiences networking first hand behind the console or in the rack. He is an active member in the IEEE and the Ethernet Alliance and has designed, installed and tested numerous networks for Fortune 500 companies, the United States military and other institutions worldwide. He holds 3 U.S. patents for Ethernet security algorithms with two others pending and one defensive publication, as well as numerous other vendor certifications in networking and security.
Purser holds a Bachelor of Science degree in electrical engineering from Southern Illinois University and is currently pursuing a Master of Science degree in electrical engineering.