Re: psad
On Thu, 29 Aug 2013 07:41:41 -0500, Joaquin Moyares Rojas wrote:
> Greetings. If anyone has used psad, I need to find out how to keep the
> list of blocked IPs in the auto_blocked_iptables file from being lost
> when the service is restarted.
Their FAQ says:
***
http://cipherdyne.org/psad/docs/faq.html#auto_block
3.2. Can psad automatically block IP addresses that have scanned my system?
psad has the capability of automatically blocking IP addresses with both
iptables and/or tcpwrappers. Furthermore, psad can be configured to only
block an IP after it has reached a certain danger level which the admin
defines. The two relevant configuration variables in the /etc/psad/
psad.conf file are "ENABLE_AUTO_IDS" and "AUTO_IDS_DANGER_LEVEL". Note
that the auto blocking feature is disabled by default; please see the
next question.
3.3. Is it a good idea to set ENABLE_AUTO_IDS="Y" to automatically block scans?
In general no, and this feature is disabled by default. The reason for
this is that a scan can be spoofed from any IP address (see the -S option
to nmap). If psad is configured to automatically block scans then an
attacker can spoof a scan, say, from www.yahoo.com and then you will be
parsing your firewall ruleset to discover why you can't browse Yahoo's
website, (or you can just execute "psad --Flush" to remove any
auto-generated firewall rules). Also, an advanced scanning technique called
the TCP Idle Scan requires that scan packets are spoofed by the attacker
from a seemingly unrelated IP address from the viewpoint of the target.
Nmap implements the Idle scan with its -sI option, and a good explanation
of the technique can be found here.
***
Regards,
--
Camaleón
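As an added illustration of the two settings the quoted FAQ names (this is not code from the thread, from psad, or from cipherdyne.org): a small Python check that parses psad.conf-style `VARIABLE value;` lines (it also accepts the `VARIABLE="value"` spelling the FAQ uses) and reports when auto-blocking is enabled, which is the configuration FAQ 3.3 warns can be triggered by spoofed scans. The sample configuration text is constructed; the real file is /etc/psad/psad.conf, and the danger-level range of 1 to 5 comes from psad's own documentation.

```python
import re

# Constructed sample in the psad.conf style ("VARIABLE   value;").
# It is NOT the contents of a real /etc/psad/psad.conf.
SAMPLE_CONF = """
### auto-blocking (disabled by default per the psad FAQ)
ENABLE_AUTO_IDS             Y;
AUTO_IDS_DANGER_LEVEL       2;   # psad danger levels run from 1 to 5
"""

# Matches "VAR value;" as well as the FAQ's shorthand VAR="value".
LINE_RE = re.compile(r'^\s*([A-Z_][A-Z0-9_]*)\s*=?\s*(.*?);?\s*$')


def parse_psad_conf(text):
    """Return a dict of VARIABLE -> value from psad.conf-style text.

    Comments (anything after '#') and blank lines are skipped; surrounding
    quotes are removed from values so "Y" and Y compare equal.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2).strip().strip('"')
    return conf


def audit_auto_block(conf):
    """Return a list of findings about the auto-blocking settings.

    Mirrors the FAQ's advice: ENABLE_AUTO_IDS=Y means a spoofed scan can get
    an arbitrary source address blocked, and a low AUTO_IDS_DANGER_LEVEL makes
    that easier to trigger.
    """
    findings = []
    if conf.get('ENABLE_AUTO_IDS', 'N').upper() != 'Y':
        return findings  # disabled, which is the default; nothing to report
    findings.append('ENABLE_AUTO_IDS is Y: spoofed scans can cause blocks of '
                    'arbitrary source IPs (FAQ 3.3); "psad --Flush" removes them')
    level_str = conf.get('AUTO_IDS_DANGER_LEVEL')
    if level_str is None or not level_str.isdigit():
        findings.append('AUTO_IDS_DANGER_LEVEL is missing or not numeric')
    elif int(level_str) <= 2:
        findings.append('AUTO_IDS_DANGER_LEVEL=%s is low: blocks trigger on '
                        'minor activity' % level_str)
    return findings


if __name__ == '__main__':
    for finding in audit_auto_block(parse_psad_conf(SAMPLE_CONF)):
        print('-', finding)
```

Run against the installed file with `parse_psad_conf(open('/etc/psad/psad.conf').read())`; an empty result means auto-blocking is off, which is the state the FAQ recommends.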
- References:
- psad
- From: Joaquin Moyares Rojas <jmrojas@mtpgto.co.cu>