
This is a discussion on VPS Admins: Anyone use psad ???? in the VPS & Dedicated forum

  1. #1
    who exists not. linickx's Avatar
    Join Date
    Mar 2007
    Posts
    7

    Question VPS Admins: Anyone use psad ????

    psad is an Intrusion Detection/Protection System (yup it can block nastiness) for iptables - see full description here.

    I have at home a PC running the same version / config / etc of CentOS as my VPS, but psad doesn't seem to work on my VPS. I just wondered if anyone else was trying the same thing?

    Thanks in Advance

  2. #2
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Interesting!

    I've never run that proggie, but going by past experience, sometimes these things require that other proggies are available, you know? Like, Shorewall, TCP wrapper, and so forth, and so on.

    Are you sure your home machine and your VPS are configured exactly the same?

    Maybe something is missing in the background.
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010

  3. #3
    who exists not. linickx's Avatar
    Join Date
    Mar 2007
    Posts
    7
    Quote Originally Posted by Vin DSL View Post
    Are you sure your home machine and your VPS are configured exactly the same?
    Well as sure as you can be when you didn't actually install the OS

    I'll keep digging, it'd be nice to see if anyone else has any luck.

  4. #4
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    I was reading the docs, and it says Netfilter is needed for NAT (NAPT) translation.

    Is that available on your VPS?

    They also suggested using Shorewall to build your policies, but that should be neither here nor there, for the moment.

    The basic task of psad is to make use of firewall log messages generated by either ipchains or iptables to detect suspect network traffic. To accomplish this task, psad needs a way of efficiently getting the data it needs from the log messages the firewall writes to syslog. Hence, upon installation psad creates a named pipe called psadfifo in the /var/log/ directory and reconfigures syslogd to write all kern.info messages to the pipe. In syslog parlance both ipchains and iptables log messages are reported via the kern facility at a log level of info. The bulk of the work done by psad is accomplished by two separate dæmons: kmsgsd and psad.
    Interesting, indeed!
    Last edited by Vin DSL; 03-04-2007 at 10:52 AM.

  5. #5
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Heh! Sorry for being rudimentary, but...

    I noticed that this proggie is written in Perl. You have the permissions set correctly, right?

  6. #6
    who exists not. linickx's Avatar
    Join Date
    Mar 2007
    Posts
    7
    Hi, thanks for your posts. I contacted the developer, he thinks there may be something wrong with my syslog setup, but still no joy in getting it to work.

    Looks like psad relies on kern.info messages, but I'm not getting any kern.* messages in /var/log/kern, I'm wondering if the virtuozzo mix is affecting stuff (since the kernel is the main thing that's different between a VPS and any other CentOS install)

    Do you have any kern logs ?

  7. #7
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Quote Originally Posted by linickx View Post
    Do you have any kern logs ?
    No...

    Sorry, I should have explained that I'm not a "VPS Admin".

    I have a semi-dedicated account, so I guess I'm a SDX Admin.

  8. #8
    JPC Dream Team JPC-Veena's Avatar
    Join Date
    Sep 2002
    Posts
    572
    linickx,

    There will be no kernel logs or dmesg on a vps since there is no kernel present on a vps, the kernel is actually installed on the hardware node (the physical server your vps is on). Only the OS and control panel etc are on the vps. In case this software relies on a specific kernel module, please contact support with details of the module so we can check if it is available on the hardware node kernel.
    Veena K John
    Jaguar Technologies, LLC.

  9. #9
    who exists not. linickx's Avatar
    Join Date
    Mar 2007
    Posts
    7
    Quote Originally Posted by Vin DSL View Post
    Sorry, I should have explained that I'm not a "VPS Admin".
    No worries

    This is interesting....

    Quote Originally Posted by JPC-Veena View Post
    There will be no kernel logs or dmesg on a vps since there is no kernel present on a vps
    Perhaps I'll contact support and see if there is anything that can be done from their side.

  10. #10
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Quote Originally Posted by linickx View Post
    This is interesting...
    Yes, very interesting!

    Quote Originally Posted by JPC-Veena View Post
    There will be no kernel logs or dmesg on a vps since there is no kernel present on a vps
    That would certainly explain the 'problem'...

  11. #11
    who exists not. linickx's Avatar
    Join Date
    Mar 2007
    Posts
    7
    A quick update for any future googlers for VPS admins.

    Firstly I would like to publicly thank the JPC support team, I've thrown a couple of odd balls at them, and I've had successful resolutions on both counts - much better than my last host.

    Ok, so the resolution... note I have a CentOS machine, so anyone else's mileage may vary.

    1st up: Check with support that the kernel module for logging iptables traffic is loaded (ipt_LOG.ko)

    Next: You need to edit /etc/rc.d/init.d/syslog, find ...

    Code:
    start() {
            echo -n $"Starting system logger: "
            daemon syslogd $SYSLOGD_OPTIONS
            RETVAL=$?
            echo
            echo -n $"Starting kernel logger: "
            passed klogd skipped #daemon klogd $KLOGD_OPTIONS
            echo
            [ $RETVAL -eq 0 ] && touch /var/lock/subsys/syslog
            return $RETVAL
    }
    Change
    Code:
    passed klogd skipped #daemon klogd $KLOGD_OPTIONS
    to
    Code:
    daemon klogd $KLOGD_OPTIONS
    Then in

    Code:
    stop() {
            echo -n $"Shutting down kernel logger: "
            passed klogd skipped#killproc klogd
            echo
            echo -n $"Shutting down system logger: "
            killproc syslogd
            RETVAL=$?
            echo
            [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/syslog
            return $RETVAL
    }
    Change
    Code:
    passed klogd skipped#killproc klogd
    to
    Code:
    killproc klogd
    finally: restart syslog,
    Code:
    /etc/init.d/syslog restart
    Follow the psad documentation for the rest of the install, step back and watch the e-mails fly in as you suddenly realise how many unsociable people are trying to attack your server!
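
Added example, not part of the thread or of psad itself: a shell pre-flight check for the three things this thread found psad depends on (klogd not stubbed out in the syslog init script, a kern.info rule feeding the psadfifo named pipe, and the pipe itself). The function names, the sample files and the `|/var/log/psadfifo` rule syntax (sysklogd's named-pipe action) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): checks for psad's log path on a VPS.

# 0 if the init script still stubs klogd out ("passed klogd skipped ...").
klogd_stubbed() {
    grep -Eq '^[[:space:]]*passed[[:space:]]+klogd[[:space:]]+skipped' "$1"
}

# 0 if syslog.conf sends kern.info (or kern.*) to the psad FIFO.
# Assumption: sysklogd "|/path" named-pipe action syntax.
kern_routed_to_fifo() {
    grep -Eq '^[[:space:]]*kern\.(info|\*)[[:space:]]+[|]/var/log/psadfifo[[:space:]]*$' "$1"
}

# Print one line per check; return the number of failed checks.
psad_preflight() {
    problems=0
    if klogd_stubbed "$1"; then
        echo "FAIL: klogd skipped in $1, no kern.* messages will be logged"
        problems=$((problems + 1))
    else
        echo "ok: $1 starts klogd"
    fi
    if kern_routed_to_fifo "$2"; then
        echo "ok: $2 routes kern.info to psadfifo"
    else
        echo "FAIL: $2 has no kern.info -> |/var/log/psadfifo rule"
        problems=$((problems + 1))
    fi
    if [ -p "$3" ]; then
        echo "ok: $3 is a named pipe"
    else
        echo "FAIL: $3 is missing or not a named pipe"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample files (hypothetical names) for trying the checks offline.
make_samples() {
    printf '%s\n' 'start() {' '    passed klogd skipped #daemon klogd $KLOGD_OPTIONS' '}' > "$1/syslog.stock"
    printf '%s\n' 'start() {' '    daemon klogd $KLOGD_OPTIONS' '}' > "$1/syslog.fixed"
    printf '%s\n' '*.info;mail.none /var/log/messages' > "$1/conf.stock"
    printf '%s\n' 'kern.info    |/var/log/psadfifo' > "$1/conf.psad"
    mkfifo "$1/psadfifo"
}

# Real use: psad_preflight /etc/rc.d/init.d/syslog /etc/syslog.conf /var/log/psadfifo
if [ "$#" -eq 3 ]; then psad_preflight "$@"; fi
```

All three checks passing still leaves the ipt_LOG module question, which on a container VPS has to be confirmed with the host as described in the post.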
