- 08-26-2012 #1
PSAD is Giving a Firewall Setup Warning. But UFW Logging is enabled.
I have set up PSAD on my server. It asks me to add the following iptables rules:
Code:
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
ip6tables -A INPUT -j LOG
ip6tables -A FORWARD -j LOG
I'm using UFW to manage iptables. So, I simply ran the command sudo ufw logging on. But, whenever I restart PSAD or restart my server, I get an email saying:
message subject : [psad-status] firewall setup warning on server!
HTML Code:
[-] You may just need to add a default logging rule to the /sbin/iptables 'filter' 'INPUT' chain on *server*. For more information, see the file "FW_HELP" in the psad sources directory or visit: cipherdyne.org/psad/docs/fwconfig.html
[-] You may just need to add a default logging rule to the /sbin/ip6tables 'filter' 'INPUT' chain on *server*. For more information, see the file "FW_HELP" in the psad sources directory or visit: cipherdyne.org/psad/docs/fwconfig.html
PS : The machine has Ubuntu 12.04 and the latest PSAD 2.2 (compiled from the source)
- 08-27-2012 #2
iptables -L |grep LOG
I don't know about ufw, but with Shorewall I get:
Code:
LOG all -- anywhere anywhere LOG level info prefix "Shorewall:INPUT:DROP:"
LOG all -- anywhere anywhere LOG level warning
LOG all -- anywhere anywhere LOG level info prefix "Shorewall:FORWARD:DROP:"
LOG all -- anywhere anywhere LOG level info prefix "Shorewall:OUTPUT:DROP:"
LOG all -- anywhere anywhere LOG level info prefix "Shorewall:fw2local:DROP:"
LOG all -- anywhere anywhere LOG level info prefix "Shorewall:fw2net:DROP:"
LOG all -- anywhere anywhere LOG level info prefix "Shorewall:local2fw:DROP:"
LOG all -- anywhere anywhere LOG level info prefix "Shorewall:local2net:DROP:"
LOG all -- anywhere anywhere LOG level info ip-options prefix "Shorewall:logflags:DROP:"
LOG all -- anywhere anywhere LOG level info prefix "Shorewall:net2fw:DROP:"
LOG all -- anywhere anywhere LOG level info prefix "Shorewall:net2local:DROP:"
LOG all -- anywhere anywhere LOG level info prefix "Shorewall:smurfs:DROP:"
I've just installed psad and will test.
- 08-27-2012 #3
My iptables -L |grep LOG output is. I have set the log level to warn... will it be enough for PSAD? :
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
- 08-27-2012 #4
- 08-27-2012 #5
- 08-27-2012 #6
- 08-27-2012 #7
Sorry, there's no info in UFW.... Here are the logging levels of UFW :
Code:
off      disables ufw managed logging
low      logs all blocked packets not matching the default policy (with rate limiting), as well as packets matching logged rules
medium   log level low, plus all allowed packets not matching the default policy, all INVALID packets, and all new connections. All logging is done with rate limiting.
high     log level medium (without rate limiting), plus all packets with rate limiting
full     log level high without rate limiting
Loglevels above medium generate a lot of logging output, and may quickly fill up your disk. Loglevel medium may generate a lot of logging output on a busy system.
Specifying ’on’ simply enables logging at log level ’low’ if logging is currently not enabled.
- 08-28-2012 #8
Oh, as I say I don't know ufw. The end result should be :info when you iptables -L . I could tell you how to do it in Shorewall, but you don't seem to have the needed control in ufw.
- 08-28-2012 #9
Is it better than UFW? Is it easy to configure? Do I need to learn it specifically? In UFW, I don't do much other than blocking the unneeded ports.
- 08-28-2012 #10
Fixed the issue
Just added the rules :
Code:
-A INPUT -j LOG
-A FORWARD -j LOG
to the end of /etc/ufw/after.rules and /etc/ufw/after6.rules (Before COMMIT)
Restarted and no warnings
Thanks for the help
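
The fix from post #10, as an added example that is not part of the original thread: a shell function that inserts the two LOG rules before the COMMIT line of the filter table only when they are missing, so it can be re-run safely. The function names are hypothetical; on a real system it would be run as root against /etc/ufw/after.rules and /etc/ufw/after6.rules.

```shell
#!/bin/sh
# Added example: idempotently place the catch-all LOG rules before COMMIT
# in a ufw rules file. Function names are hypothetical, not part of ufw or psad.

# has_rule FILE RULE: succeeds if RULE is already present as a whole line.
has_rule() {
    grep -qxF -e "$2" "$1"
}

# add_log_rules FILE: insert any missing LOG rule before the COMMIT that
# closes the *filter table. Returns non-zero if no such COMMIT exists.
add_log_rules() {
    file=$1
    missing=""
    for rule in "-A INPUT -j LOG" "-A FORWARD -j LOG"; do
        has_rule "$file" "$rule" || missing="${missing}${rule}
"
    done
    [ -z "$missing" ] && return 0            # both rules already present

    tmp=$(mktemp) || return 1
    rc=0
    # ENVIRON carries the multi-line text; awk exits non-zero if it never
    # found a COMMIT inside *filter, in which case FILE is left untouched.
    if ADD="$missing" awk '
        /^\*filter/ { in_filter = 1 }
        in_filter && /^COMMIT[ \t]*$/ && !inserted {
            printf "%s", ENVIRON["ADD"]; inserted = 1
        }
        { print }
        END { exit !inserted }
    ' "$file" > "$tmp"; then
        # cat keeps the original owner and mode of FILE
        cat "$tmp" > "$file" || rc=1
    else
        echo "add_log_rules: no COMMIT in *filter section of $file" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Demo on a constructed sample (not a real ufw file)
demo=$(mktemp)
printf '%s\n' '*filter' ':ufw-after-input - [0:0]' 'COMMIT' > "$demo"
add_log_rules "$demo" && cat "$demo"
rm -f "$demo"
```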

