
psad: could not add iptables block rule for: xxx.xxx.xxx.xxx and IPT_AUTO_CHAIN1 keyword not found #70

Open
flaggz opened this issue Feb 6, 2020 · 0 comments

flaggz commented Feb 6, 2020

Even after updating to the GitHub version I still get these errors in the log and I can't auto-block IP addresses.
I tried with ENABLE_OVERRIDE_FW_CMD set to Y and to N, but the problem remains.

messages log:

psad: invalid IPT_AUTO_CHAIN1 keyword, INPUT chain does not exist.
psad: could not add iptables block rule for: 

Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64 GNU/Linux

psad -V

[+] psad v2.4.6 by Michael Rash <[email protected]>

psad.conf

### psad.conf as posted in this issue (psad v2.4.6 on Debian 10, kernel 4.19.67-2+deb10u1).
### Reviewer remarks are marked NOTE(review); values are the reporter's and are left untouched.
### email address and hostname were redacted by the reporter ("xxx").
EMAIL_ADDRESSES             xxx;
HOSTNAME                    xxx;
HOME_NET                    NOT_USED;
EXTERNAL_NET                any;
FW_SEARCH_ALL               Y;
FW_MSG_SEARCH               DROP;
IFCFGTYPE                   ifconfig;
DANGER_LEVEL1               5;    
DANGER_LEVEL2               15;
DANGER_LEVEL3               150;
DANGER_LEVEL4               1500;
DANGER_LEVEL5               10000;
DL1_UNIQUE_HOSTS            10;
DL2_UNIQUE_HOSTS            20;
DL3_UNIQUE_HOSTS            50;
DL4_UNIQUE_HOSTS            100;
DL5_UNIQUE_HOSTS            500;
CHECK_INTERVAL              5;
SNORT_SID_STR               SID;
PORT_RANGE_SCAN_THRESHOLD   1;
PORT_RANGE_SWEEP_THRESHOLD  0; 
PROTOCOL_SCAN_THRESHOLD     5;
ENABLE_PERSISTENCE          Y;
SCAN_TIMEOUT                3600;  
PERSISTENCE_CTR_THRESHOLD   5;
MAX_SCAN_IP_PAIRS           0;
SHOW_ALL_SIGNATURES         N;
ALERTING_METHODS            noemail;
AUTO_DETECT_JOURNALCTL      Y;
ENABLE_SYSLOG_FILE          Y;
IPT_WRITE_FWDATA            Y;
IPT_SYSLOG_FILE             /var/log/messages;
SYSLOG_DAEMON               syslogd;
ENABLE_FW_MSG_READ_CMD      N;
FW_MSG_READ_CMD             /bin/journalctl;
FW_MSG_READ_CMD_ARGS        -f -k;
USE_FW_MSG_READ_CMD_ARGS    Y;
FW_MSG_READ_MIN_PKTS        30;
ENABLE_SIG_MSG_SYSLOG       Y;
SIG_MSG_SYSLOG_THRESHOLD    10;
SIG_SID_SYSLOG_THRESHOLD    10;
ENABLE_PSADWATCHD           N;
EXPECT_TCP_OPTIONS          Y;
MAX_HOPS                    20;
IGNORE_KERNEL_TIMESTAMP     Y;
IGNORE_CONNTRACK_BUG_PKTS   Y;
IGNORE_PORTS                NONE;
IGNORE_PROTOCOLS            NONE;
IGNORE_INTERFACES           NONE;
IGNORE_LOG_PREFIXES         NONE;
MIN_DANGER_LEVEL            1;
EMAIL_ALERT_DANGER_LEVEL    3;
ENABLE_IPV6_DETECTION       Y;
ENABLE_INTF_LOCAL_NETS      Y;
ENABLE_MAC_ADDR_REPORTING   N;
ENABLE_FW_LOGGING_CHECK     Y;
EMAIL_LIMIT                 20;
ENABLE_EMAIL_LIMIT_PER_DST  N;
EMAIL_LIMIT_STATUS_MSG      Y;
EMAIL_THROTTLE              0;
EMAIL_APPEND_HEADER         NONE;
ALERT_ALL                   Y;
IMPORT_OLD_SCANS            N;
SYSLOG_IDENTITY             psad;
SYSLOG_FACILITY             LOG_LOCAL7;
SYSLOG_PRIORITY             LOG_INFO;
TOP_PORTS_LOG_THRESHOLD     500;
STATUS_PORTS_THRESHOLD      20;
TOP_SIGS_LOG_THRESHOLD      500;
STATUS_SIGS_THRESHOLD       50;
TOP_IP_LOG_THRESHOLD        500;
STATUS_IP_THRESHOLD         25;
TOP_SCANS_CTR_THRESHOLD     1;
### NOTE(review): FW_CMD here is /usr/sbin/iptables while iptablesCmd at the bottom of this
### file is /sbin/iptables. With ENABLE_OVERRIDE_FW_CMD Y the override path is presumably the
### one psad runs for the auto-block rules; the reporter says the error occurs with both Y and N.
### The logged "INPUT chain does not exist" means psad's lookup of the filter INPUT chain failed,
### so the first thing to verify by hand is that the binary at this path exists, runs as the
### psad user, and lists the filter table (e.g. the same listing psad would request) -- TODO confirm
### which iptables backend (legacy vs nft) the Debian 10 host is using, since the two can differ in output.
ENABLE_OVERRIDE_FW_CMD      Y;
FW_CMD                      /usr/sbin/iptables;
FW_CMD_ARGS                 NONE;
ENABLE_DSHIELD_ALERTS       N;
DSHIELD_ALERT_EMAIL         [email protected];
DSHIELD_ALERT_INTERVAL      6;  
DSHIELD_USER_ID             0;
DSHIELD_USER_EMAIL          NONE;
DSHIELD_DL_THRESHOLD        0;
HTTP_SERVERS                $HOME_NET;
SMTP_SERVERS                $HOME_NET;
DNS_SERVERS                 $HOME_NET;
SQL_SERVERS                 $HOME_NET;
TELNET_SERVERS              $HOME_NET;
AIM_SERVERS                 [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24];
HTTP_PORTS                  80;
SHELLCODE_PORTS             !80;
ORACLE_PORTS                1521;
ENABLE_SNORT_SIG_STRICT     Y;
### Auto-blocking is enabled from danger level 3 upward. AUTO_BLOCK_TIMEOUT is 604800 s (7 days);
### DL4 inherits it via $AUTO_BLOCK_TIMEOUT. DL5 is 0 -- presumably "no expiry"; verify against the psad docs.
ENABLE_AUTO_IDS             Y;
AUTO_IDS_DANGER_LEVEL       3;
AUTO_BLOCK_TIMEOUT          604800;
AUTO_BLOCK_DL1_TIMEOUT      300;
AUTO_BLOCK_DL2_TIMEOUT      900;
AUTO_BLOCK_DL3_TIMEOUT      1200;
AUTO_BLOCK_DL4_TIMEOUT      $AUTO_BLOCK_TIMEOUT;
AUTO_BLOCK_DL5_TIMEOUT      0;   
ENABLE_AUTO_IDS_REGEX       N;
AUTO_BLOCK_REGEX            ESTAB;  
ENABLE_RENEW_BLOCK_EMAILS   N;
ENABLE_AUTO_IDS_EMAILS      Y;
### NOTE(review): the three IPT_AUTO_CHAIN entries jump from the built-in filter INPUT, OUTPUT and
### FORWARD chains into psad-managed PSAD_BLOCK_* chains. The posted log names only IPT_AUTO_CHAIN1
### (INPUT); whether CHAIN2/CHAIN3 fail the same way is not shown in the issue.
IPTABLES_BLOCK_METHOD       Y;
IPT_AUTO_CHAIN1             DROP, src, filter, INPUT, 1, PSAD_BLOCK_INPUT, 1;
IPT_AUTO_CHAIN2             DROP, dst, filter, OUTPUT, 1, PSAD_BLOCK_OUTPUT, 1;
IPT_AUTO_CHAIN3             DROP, both, filter, FORWARD, 1, PSAD_BLOCK_FORWARD, 1;
FLUSH_IPT_AT_INIT           Y;
IPTABLES_PREREQ_CHECK       1;
TCPWRAPPERS_BLOCK_METHOD    N;
ENABLE_WHOIS_LOOKUPS        Y;
WHOIS_TIMEOUT               60;  
WHOIS_LOOKUP_THRESHOLD      20;
ENABLE_WHOIS_FORCE_ASCII    N;
ENABLE_WHOIS_FORCE_SRC_IP   N;
ENABLE_DNS_LOOKUPS          Y;
DNS_LOOKUP_THRESHOLD        20;
### External script execution is disabled (both hooks point at /bin/true), so it is not a factor here.
ENABLE_EXT_SCRIPT_EXEC      N;
EXTERNAL_SCRIPT             /bin/true;
EXEC_EXT_SCRIPT_PER_ALERT   N;
ENABLE_EXT_BLOCK_SCRIPT_EXEC      N;
EXTERNAL_BLOCK_SCRIPT             /bin/true;
ENABLE_CUSTOM_SYSLOG_TS_RE      N;
CUSTOM_SYSLOG_TS_RE             ^\s*((?:\S+\s+){2}\S+)\s+(\S+)\s+kernel\:;
DISK_CHECK_INTERVAL         300;  
DISK_MAX_PERCENTAGE         95;
DISK_MAX_RM_RETRIES         10;
ENABLE_SCAN_ARCHIVE         N;
TRUNCATE_FWDATA             Y;
MIN_ARCHIVE_DANGER_LEVEL    1;
MAIL_ALERT_PREFIX           [psad-alert];
MAIL_STATUS_PREFIX          [psad-status];
MAIL_ERROR_PREFIX           [psad-error];
MAIL_FATAL_PREFIX           [psad-fatal];
SIG_UPDATE_URL              http://www.cipherdyne.org/psad/signatures;
PSADWATCHD_CHECK_INTERVAL   5;  
PSADWATCHD_MAX_RETRIES      10;
### Directory and file layout, all relative to INSTALL_ROOT (/ here).
INSTALL_ROOT                /;
PSAD_DIR                    $INSTALL_ROOT/var/log/psad;
PSAD_RUN_DIR                $INSTALL_ROOT/var/run/psad;
PSAD_FIFO_DIR               $INSTALL_ROOT/var/lib/psad;
PSAD_LIBS_DIR               $INSTALL_ROOT/usr/lib/psad;
PSAD_CONF_DIR               $INSTALL_ROOT/etc/psad;
PSAD_ERR_DIR                $PSAD_DIR/errs;
CONF_ARCHIVE_DIR            $PSAD_CONF_DIR/archive;
SCAN_DATA_ARCHIVE_DIR       $PSAD_DIR/scan_archive;
ANALYSIS_MODE_DIR           $PSAD_DIR/ipt_analysis;
SNORT_RULES_DIR             $PSAD_CONF_DIR/snort_rules;
FWSNORT_RULES_DIR           /etc/fwsnort/snort_rules;  
FW_DATA_FILE                $PSAD_DIR/fwdata;
ULOG_DATA_FILE              $PSAD_DIR/ulogd.log;
FW_CHECK_FILE               $PSAD_DIR/fw_check;
DSHIELD_EMAIL_FILE          $PSAD_DIR/dshield.email;
SIGS_FILE                   $PSAD_CONF_DIR/signatures;
PROTOCOLS_FILE              $PSAD_CONF_DIR/protocols;
ICMP_TYPES_FILE             $PSAD_CONF_DIR/icmp_types;
ICMP6_TYPES_FILE            $PSAD_CONF_DIR/icmp6_types;
AUTO_DL_FILE                $PSAD_CONF_DIR/auto_dl;
SNORT_RULE_DL_FILE          $PSAD_CONF_DIR/snort_rule_dl;
POSF_FILE                   $PSAD_CONF_DIR/posf;
P0F_FILE                    $PSAD_CONF_DIR/pf.os;
IP_OPTS_FILE                $PSAD_CONF_DIR/ip_options;
PSAD_FIFO_FILE              $PSAD_FIFO_DIR/psadfifo;
ETC_HOSTS_DENY_FILE         /etc/hosts.deny;
ETC_SYSLOG_CONF             /etc/syslog.conf;
ETC_RSYSLOG_CONF            /etc/rsyslog.conf;
ETC_SYSLOGNG_CONF           /etc/syslog-ng/syslog-ng.conf;
ETC_METALOG_CONF            /etc/metalog/metalog.conf;
STATUS_OUTPUT_FILE          $PSAD_DIR/status.out;
ANALYSIS_OUTPUT_FILE        $PSAD_DIR/analysis.out;
INSTALL_LOG_FILE            $PSAD_DIR/install.log;
PSAD_PID_FILE               $PSAD_RUN_DIR/psad.pid;
PSAD_FW_READ_PID_FILE       $PSAD_RUN_DIR/psad_fw_read.pid;
PSAD_CMDLINE_FILE           $PSAD_RUN_DIR/psad.cmd;
KMSGSD_PID_FILE             $PSAD_RUN_DIR/kmsgsd.pid;
PSADWATCHD_PID_FILE         $PSAD_RUN_DIR/psadwatchd.pid;
AUTO_BLOCK_IPT_FILE         $PSAD_DIR/auto_blocked_iptables;
AUTO_BLOCK_TCPWR_FILE       $PSAD_DIR/auto_blocked_tcpwr;
AUTO_IPT_SOCK               $PSAD_RUN_DIR/auto_ipt.sock;
### FW_ERROR_LOG is where failed firewall command output lands; its contents would show the
### exact iptables invocation and error behind the "could not add iptables block rule" message.
FW_ERROR_LOG                $PSAD_ERR_DIR/fwerrorlog;
PRINT_SCAN_HASH             $PSAD_DIR/scan_hash;
PROC_FORWARD_FILE           /proc/sys/net/ipv4/ip_forward;
PACKET_COUNTER_FILE         $PSAD_DIR/packet_ctr;
TOP_SCANNED_PORTS_FILE      $PSAD_DIR/top_ports;
TOP_SIGS_FILE               $PSAD_DIR/top_sigs;
TOP_ATTACKERS_FILE          $PSAD_DIR/top_attackers;
DSHIELD_COUNTER_FILE        $PSAD_DIR/dshield_ctr;
IPT_PREFIX_COUNTER_FILE     $PSAD_DIR/ipt_prefix_ctr;
IPT_OUTPUT_PATTERN          psad_iptout.XXXXXX;
IPT_ERROR_PATTERN           psad_ipterr.XXXXXX;
### External command paths. NOTE(review): iptablesCmd (/sbin/iptables) differs from FW_CMD
### (/usr/sbin/iptables) above -- confirm both resolve to a working binary on this host.
iptablesCmd      /sbin/iptables;
ip6tablesCmd     /sbin/ip6tables;
shCmd            /bin/sh;
wgetCmd          /usr/bin/wget;
gzipCmd          /bin/gzip;
mknodCmd         /bin/mknod;
psCmd            /bin/ps;
mailCmd          /bin/mail;
sendmailCmd      /usr/sbin/sendmail;
ifconfigCmd      /sbin/ifconfig;
ipCmd            /sbin/ip;
killallCmd       /usr/bin/killall;
netstatCmd       /bin/netstat;
unameCmd         /bin/uname;
whoisCmd         $INSTALL_ROOT/usr/bin/whois_psad;
dfCmd            /bin/df;
fwcheck_psadCmd  $INSTALL_ROOT/usr/sbin/fwcheck_psad;
psadwatchdCmd    $INSTALL_ROOT/usr/sbin/psadwatchd;
kmsgsdCmd        $INSTALL_ROOT/usr/sbin/kmsgsd;
psadCmd          $INSTALL_ROOT/usr/sbin/psad;