Hi,
I manage a network with a LAN and a DMZ and I installed a firewall on a Linux machine (Slackware 12.2) using iptables and it operates correctly.
Now, in an improvement effort, I installed psad (rel. 2.1.7) and configured it following the instructions written in the book "Linux firewalls", and tried to see the effects of psad. In particular, I tried to test psad's ability to detect port scans.
So, from a remote host, I hit the command
nmap -sT -n IP_net_address --max-rtt-timeout 500
obtaining the response
Starting Nmap 4.76 ( http://nmap.org ) at 2011-05-05 10:26 CEST
Interesting ports on zzz.zzz.zzz.zzz:
Not shown: 974 closed ports
PORT STATE SERVICE
23/tcp open telnet
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1080/tcp filtered socks
1151/tcp filtered unknown
1723/tcp filtered pptp
4662/tcp filtered edonkey
6666/tcp filtered irc
6667/tcp filtered irc
6668/tcp filtered irc
6669/tcp filtered irc
6689/tcp filtered unknown
6692/tcp filtered unknown
6699/tcp filtered napster
6779/tcp filtered unknown
6788/tcp filtered unknown
6789/tcp filtered unknown
6792/tcp filtered unknown
6839/tcp filtered unknown
6881/tcp filtered bittorrent-tracker
6901/tcp filtered unknown
6969/tcp filtered acmsoda
7000/tcp filtered afs3-fileserver
9001/tcp filtered unknown
9002/tcp filtered unknown
Nmap done: 8 IP addresses (1 host up) scanned in 3.81 seconds
The problem I encounter is that there is no pertaining line in the file /var/log/messages and that the file /var/log/psad/fwdata is empty.
I have to say that the syslog daemon that I use is syslogd, so in the file /etc/psad/psad.conf the pertaining line is
SYSLOG_DAEMON syslogd;
and I modified the file /etc/syslog.conf introducing the line
kern.info |/var/lib/psad/psadfifo
Certainly I made some error in the configuration, but I don't understand it.
Can somebody help me?
aloisius-a
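psad's scan detection is driven by the iptables log messages the kernel emits (the kern.info messages the poster pipes into /var/lib/psad/psadfifo), so if no such messages are being produced, the fwdata file stays empty no matter how syslog is wired. The following script is an added illustration, not the poster's configuration and not psad's own code: it parses a constructed sample of iptables LOG lines in the standard kernel format and applies a simple per-source distinct-port threshold, which is the basic shape of the check psad performs. The log lines, hostnames, addresses (documentation ranges), the "DROP " log prefix and the threshold of 5 ports are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of kernel log lines, in the format an iptables LOG rule
# with --log-prefix "DROP " produces. Addresses are from documentation ranges.
SAMPLE_LOG = """\
May  5 10:26:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1001 DF PROTO=TCP SPT=43210 DPT=135 WINDOW=5840 RES=0x00 SYN URGP=0
May  5 10:26:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1002 DF PROTO=TCP SPT=43211 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0
May  5 10:26:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1003 DF PROTO=TCP SPT=43212 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
May  5 10:26:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1004 DF PROTO=TCP SPT=43213 DPT=1080 WINDOW=5840 RES=0x00 SYN URGP=0
May  5 10:26:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1005 DF PROTO=TCP SPT=43214 DPT=1723 WINDOW=5840 RES=0x00 SYN URGP=0
May  5 10:26:02 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=2001 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
May  5 10:26:03 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=61 ID=2002 PROTO=UDP SPT=51001 DPT=53 LEN=58
May  5 10:26:03 fw kernel: eth0: link up, 100Mbps, full-duplex
"""

# KEY=VALUE pairs as iptables writes them (OUT= may legitimately be empty).
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_iptables_log_line(line):
    """Return the fields of one iptables LOG message as a dict, or None when the
    line is a kernel message that did not come from an iptables LOG rule."""
    if "kernel:" not in line:
        return None
    payload = line.split("kernel:", 1)[1]
    if " IN=" not in payload:
        return None
    prefix, _, rest = payload.partition(" IN=")
    fields = dict(KV_RE.findall("IN=" + rest))
    fields["PREFIX"] = prefix.strip()          # the --log-prefix text, e.g. "DROP"
    # Bare uppercase tokens (DF, SYN, ACK, ...) are flags that carry no value.
    fields["FLAGS"] = {tok for tok in rest.split() if "=" not in tok and tok.isupper()}
    return fields


def detect_port_scans(lines, threshold=5):
    """Count distinct TCP destination ports per source address in logged SYN
    packets; sources that touched at least `threshold` ports are returned with
    the sorted list of ports they probed."""
    ports_by_src = defaultdict(set)
    for line in lines:
        fields = parse_iptables_log_line(line)
        if fields is None or fields.get("PROTO") != "TCP" or "SYN" not in fields["FLAGS"]:
            continue
        ports_by_src[fields["SRC"]].add(int(fields["DPT"]))
    return {src: sorted(ports) for src, ports in ports_by_src.items() if len(ports) >= threshold}


if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_LOG.splitlines()).items():
        print(f"possible port scan from {src}: {len(ports)} ports {ports}")
```

If lines like the constructed ones never appear in /var/log/messages while a scan is running, the firewall ruleset is dropping the probes without a LOG target, and nothing reaches the FIFO for psad to read; that is the first thing to confirm before debugging the syslog side.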