For some time now I’ve been searching for some way to integrate firewall log alerts into my desktop.
A few years back (before I started to truly enjoy iptables) I was a firestarter user, I even wrote a handy script for it and really liked the notifications it provided.
Nowadays I crave for iptables scripts and can’t stand firestarter interface, this became a problem. How could I have an elegant way of being notified of potential threats without depending on email alerts or log watching?
Using conky seemed a cool alternative and its scripting capabilities were indeed a solution for my problem. But soon realized I always keep windows maximized and didn’t notice conky on the background, alerts were ignore and the idea buried. Yesterday, as I watched a pop-up notification on my screen another idea just poped (pun intended).
There should be a way to easily parse iptables logs matching them with known attack signatures, and guess what?… There is, it’s called psad, and you probably remember me talking about it a few posts ago. Using psad to parse the log files you can be notified of network attacks in real time, the end of the tiresome log surfing after the attack already taken place.
The only thing we’re missing is the notification, well, that was easier than I thought because psad can execute a script every time an attack is detected. Keeping this in mind, and using notify-send capabilities, we can have a visual notification spawned by psad upon an attack detection.
Here follows the configurations I’ve used to turn the idea into reality. (I’ve tested it on xubuntu, but this would be identical on other distros)
First the software requirements:
For the iptables configuration you may use my template and tailor it to you likings.
Edit the psad configuration file
/etc/psad/psad.conf and change the following variables accordingly, I’ll explain each one of them.
Change USERNAME with your system username.
All done, save the file.
Deploy your iptables rules policy, restart psad daemon, go to another machine on the network and run nmap against your host, for example a simple syn scan without pinging:
You should now be presented with something like this on your host:
Special thanks to Michael Rash for psad and the one of my favorite books Attack Detection and Response with iptables, psad, and fwsnort.