Harden Debian 7 Server with PSAD

Install Port Scan Attack Detector on Debian 7 Server

sudo apt-get install psad
sudo vi /etc/psad/psad.conf

change these lines
EMAIL_ADDRESSES me@seleads.com;
HOSTNAME my.seleads.com;
HOME_NET NOT_USED;
ALERTING_METHODS noemail;
IPT_SYSLOG_FILE /var/log/syslog;
EMAIL_LIMIT_STATUS_MSG N;
ENABLE_AUTO_IDS Y;
AUTO_IDS_DANGER_LEVEL 2;
AUTO_BLOCK_TIMEOUT 2592000;
ENABLE_AUTO_IDS_EMAILS N;

Restart psad

psad -R
psad --sig-update
psad -H
sudo vi /etc/cron.hourly/save-bad-ips

#!/bin/sh
PATH=/usr/share:/usr/sbin:/usr/bin:/sbin:/bin

/sbin/iptables-save -c > /tmp/iptables-save.txt
#echo "SELECT lockdown_IP FROM wp_lockdowns;" | /usr/bin/mysql --skip-column-names -u -p www_seleads_com >> /tmp/iptables-save.txt
/bin/grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' /tmp/iptables-save.txt | sort | uniq > /home/seleads/bad_ips_$(/bin/date +\%Y\%m\%d\%H\%M\%S).txt
/bin/grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' /tmp/iptables-save.txt | sort | uniq > /home/seleads/new-iptables-save.txt
/usr/sbin/psad --sig-update
/usr/sbin/psad -H

*(EOF leave a blank line)

sudo chmod 755 /etc/cron.hourly/save-bad-ips

You may also like...