Michael Rash, Security Researcher

psad Installation

Quick and easy installation instructions:

If you download psad as a tarball, just uncompress it and run the psad installation script from the psad sources directory:

# ./

The installer will prompt you for several pieces of information, and answering the questions results in a functional installation of psad on your system. It is safe to run the script even if you already have psad installed on your system. The configuration can (optionally) be preserved from the previous installation (you will be prompted for this if an existing psad installation is detected). For more information, read on:

psad makes use of log messages that are generated by iptables/ip6tables as it logs (and drops) packets. Hence if your firewall is not configured to log packets, then psad will NOT detect port scans or anything else. Usually the best and most secure way to configure your firewall is to first put the minimal rules needed to allow only necessary traffic to and from your machine, and then have default drop-and-log rules toward the end of the firewall ruleset. Some example firewall rulesets that are compatible with psad are contained within the file FW_EXAMPLE_RULES. Note that psad is not compatible with the ipchains or ipfw firewalls that are included within pre-2.4.x Linux kernels.
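A minimal ruleset of the shape just described (allow only what is needed, then log-and-drop at the end of each chain), as an added example that is not from the psad project or its FW_EXAMPLE_RULES file; the allowed port, the state-match rules and the log prefixes are assumptions, and the rules are printed rather than applied so they can be reviewed first:

```shell
#!/bin/sh
# Added example, not psad project code. psad only sees packets that
# iptables LOGs, so every default DROP below is preceded by a LOG rule.
# Allowed services (here only SSH on 22/tcp) are an assumption; adjust.

psad_ruleset() {
    echo "iptables -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT DROP"
    # Minimal allow rules: loopback, replies to existing connections, SSH.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    # Default log-and-drop rules at the end of each chain. A bare DROP
    # would be silent and psad would have nothing to read.
    for chain in INPUT FORWARD OUTPUT; do
        echo "iptables -A $chain -j LOG --log-prefix \"${chain}_DROP \""
        echo "iptables -A $chain -j DROP"
    done
}

# Sanity check on a ruleset read from stdin: every appended DROP must be
# immediately preceded by a LOG rule in the same chain. Returns 0 if so.
check_log_before_drop() {
    prev=""
    fail=0
    while IFS= read -r line; do
        case "$line" in
            *"-A "*"-j DROP")
                chain=$(echo "$line" | sed 's/.*-A \([A-Z]*\).*/\1/')
                case "$prev" in
                    *"-A $chain "*"-j LOG"*) ;;
                    *) fail=1 ;;
                esac
                ;;
        esac
        prev=$line
    done
    return $fail
}

psad_ruleset | check_log_before_drop && echo "ruleset logs before dropping"
```

To apply the rules, pipe the output into a root shell only after reviewing it; the check function can also be pointed at any other ruleset dump of the same form.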

Before executing the script, edit the config section at the beginning. Sensible defaults are provided, so there should be little to change to get psad working on your system, but if system binaries live in places the scripts don't know about you will need to provide the correct paths. After the config section is the way you want it, run '' and then '/etc/init.d/psad-init start' to start psad, kmsgsd, and psadwatchd (or start them from the command line). The script installs psad, kmsgsd, and psadwatchd in /usr/sbin/ by default.

You can install a new version of psad over an existing one; just run the installation script again. It will preserve any old configuration parameters when installing the new versions of psad, psadwatchd, and kmsgsd. If you don't need or want the old configuration to be preserved, execute "./ -n".

Even though it is a good idea to edit the config sections of each of the programs included with psad, both the installer and psad attempt to use the correct system binaries even if an incorrect path is given: if a binary is not found at the place specified in the config section, the path returned by 'which <system binary>' is used instead.

psad can be completely removed from the system by running the installation script with the --uninstall option.