Detecting suspicious network traffic with psad
Source: Newsforge - Posted by Pax Dickinson   
Intrusion Detection Have you ever wondered how many people are scanning your server looking for weaknesses? One way to find out is to install the Port Scan Attack Detector (psad), is a collection of three lightweight system daemons that alert you to suspicious network activity by analyzing iptables log files.

Once you've met the requirements, install psad using the installation script included in the product's download. Just run the script install.pl and answer a few simple questions about your system's configuration. If you need to make future changes to psad's configuration, you can edit its configuration file, /etc/psad/psad.conf.

When you start psad with the command /etc/rc.d/psad start, you actually start psad and its two helper daemons, kmsgsd and psadwatchd. kmsgsd parses out all of the iptables-related messages that the kernel receives and sends them to psad's data file /var/log/psad/fwdata. The psadwatchd daemon runs every five seconds to make sure that both psad and kmsgsd are running. If they are not, it restarts them and sends an email alerting the system administrator to this fact.

Read this full article at Newsforge

Only registered users can write comments.
Please login or register.

Powered by AkoComment!