0

I installed PSAD on my Ubuntu server and then set the IPTables accordingly. But I still get this error by email:

You may just need to add a default logging rule to the /sbin/iptables 'filter' 'INPUT' chain (…)

Here are my iptables -S rules:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 678 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A FORWARD -j LOG

And my ip6tables -S rules (IPv6 is not enabled at this time):

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A FORWARD -j LOG

Also, I see in the log that PSAD is actually logging activity.

What do you think could cause the error I receive by email? Do you know how to solve that? Are my IPTables rules correct?

Sinklar

1 Answer

2

I don't have a PSAD installation to hand to check, but it might be smart enough to know that the order in which your rules are presented will allow attacks that are not logged. Try putting the log rules before the ACCEPT rules.

user9517
  • It's actually a little bit more complicated. As soon as I reboot the server, Fail2ban rules are added before everything else and the PSAD error is back. I don't know if it's possible to add rules before Fail2ban ones? – Sinklar Mar 06 '15 at 09:11
  • Configure the start order to ensure e2b starts after your firewall (ufw?). I don't know how to do that on Ubuntu. – user9517 Mar 06 '15 at 09:14
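
The ordering point raised in the answer and the comments can be checked directly from `iptables -S` output. The script below is an added example, not part of the original thread and not PSAD's own check: it lists every INPUT rule that is evaluated before the first unconditional LOG rule. The `fail2ban-ssh` chain and its jump rule are a constructed sample of what the comment describes after a reboot.

```shell
#!/bin/sh
# Added example. Reads `iptables -S` output on stdin and prints every INPUT
# rule that is evaluated before the first unconditional LOG rule, prefixed
# with its target. Traffic that one of those rules accepts or drops never
# reaches the LOG rule.
rules_before_log() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            # Unconditional logging rule: "-A INPUT -j LOG [log options]"
            if ($3 == "-j" && $4 == "LOG") { found = 1; exit }
            target = ""
            for (i = 3; i < NF; i++) if ($i == "-j") target = $(i + 1)
            if (target != "" && target != "LOG") print target ": " $0
        }
        END { if (!found) print "NO-DEFAULT-LOG" }
    '
}

# INPUT chain exactly as posted in the question.
question_rules() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 678 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
EOF
}

# Constructed sample: the same chain after a reboot, with a hypothetical
# fail2ban jump inserted at the top as the comment describes.
after_reboot_rules() {
    echo '-N fail2ban-ssh'
    echo '-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh'
    question_rules
}

echo "== question ruleset ==";  question_rules | rules_before_log
echo "== after reboot ==";      after_reboot_rules | rules_before_log
```

On a live host the same function can be fed with `iptables -S | rules_before_log`; a final line of `NO-DEFAULT-LOG` means the INPUT chain has no unconditional LOG rule at all.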