3

How to enable port scans for a specific address (or range) in psad?

By default I get a lot of logs coming from my own monitoring service. How can I tell psad to treat my addresses or domains as trusted ones?

I'd like to avoid adding them to the /etc/hosts.allow file.

Here's a sample log file message:

   Scanned UDP ports: [36604-53945: 3 packets, Nmap: -sU]
   iptables chain: INPUT, 3 packets

   Source: a.b.c.200
   DNS: ns3-cache.example.com

   Destination: a.b.c.185
   DNS: my.machine.example.com
Sfisioza

1 Answer

3

To whitelist IPs or ranges, use the /etc/psad/auto_dl file.

It has examples that show its functionality:

   #  <IP address>  <danger level>  <optional protocol>/<optional ports>;
   #
   # Examples:
   #
   #  10.111.21.23    5;                # Very bad IP.
   #  127.0.0.1       0;                # Ignore this IP.
   #  10.10.1.0/24    0;                # Ignore traffic from this entire class C.
   #  192.168.10.4    3    tcp;         # Assign danger level 3 if protocol is tcp.
   #  10.10.1.0/24    3    tcp/1-1024;  # Danger level 3 for tcp port range

You want the Ignore type of rule, as it sets the danger level to zero, effectively ignoring that IP/range.

dawud
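
An added example, not part of the answer above or of psad itself: a Python check that parses auto_dl entries in the format quoted in the answer and reports which danger level a given source would receive, so an ignore rule can be confirmed as no wider than intended before it goes live. The function names, the 192.0.2.x/198.51.100.x/203.0.113.x documentation addresses, the tcp/udp/icmp protocol list and the first-matching-rule order are assumptions of this sketch.

```python
import ipaddress
import re

# Entry grammar from the auto_dl header comment quoted in the answer:
#   <IP address> <danger level> <optional protocol>/<optional ports>;
# Assumption: protocol is tcp, udp or icmp; ports are one port or lo-hi.
ENTRY = re.compile(r"^(\S+)\s+(\d)(?:\s+(tcp|udp|icmp)(?:/(\d+)(?:-(\d+))?)?)?\s*;$")

# Constructed sample entries (documentation address ranges, not a real config).
SAMPLE = """
192.0.2.200      0;          # monitoring host: ignore everything
198.51.100.0/24  0    udp;   # ignore only UDP probes from this range
203.0.113.7      5;          # known bad source
"""

def parse_auto_dl(text):
    """Return (network, level, proto, ports) rules; ValueError on a bad line."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f"line {n}: expected '<ip> <level> [proto[/ports]];': {raw!r}")
        net, level, proto, lo, hi = m.groups()
        if int(level) > 5:
            raise ValueError(f"line {n}: danger level {level} is outside 0-5")
        ports = (int(lo), int(hi or lo)) if lo else None
        rules.append((ipaddress.ip_network(net, strict=False), int(level), proto, ports))
    return rules

def danger_level(rules, src, proto, port):
    """Level from the first matching rule (assumed order), or None if none match."""
    addr = ipaddress.ip_address(src)
    for net, level, r_proto, r_ports in rules:
        if addr not in net:
            continue
        if r_proto and r_proto != proto:
            continue  # rule is limited to another protocol
        if r_ports and not (r_ports[0] <= port <= r_ports[1]):
            continue  # rule is limited to another port range
        return level
    return None

if __name__ == "__main__":
    rules = parse_auto_dl(SAMPLE)
    for probe in [("192.0.2.200", "udp", 36604), ("198.51.100.9", "tcp", 22)]:
        print(probe, "->", danger_level(rules, *probe))
```

A result of None means no auto_dl entry applies and the source is scored normally, which is what you want for everything except the monitoring hosts.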