Home / server / Questions / 611865
Accepted
Sfisioza
Asked: 2014-07-12 02:20:25 +0800 CST

Allow port scans for specific addresses in psad

  • 772

How to enable port scans for specific address (or range) in psad?

By default I get a lot of logs coming from my own monitoring service. How can I tell psad to treat my addresses or domains as trusted ones?

I'd like to avoid adding them to the /etc/hosts.allow file.

Here's sample log file message:

   Scanned UDP ports: [36604-53945: 3 packets, Nmap: -sU]
   iptables chain: INPUT, 3 packets

   Source: a.b.c.200
   DNS: ns3-cache.example.com

   Destination: a.b.c.185
   DNS: my.machine.example.com
configuration

1 Answers

  1. Best Answer

    To whitelist IPs or ranges use the /etc/psad/auto_dl file:

    It has examples that show its functionality:

    #  <IP address>  <danger level>  <optional protocol>/<optional ports>;
#
# Examples:
#
#  10.111.21.23    5;                # Very bad IP.
#  127.0.0.1       0;                # Ignore this IP.
#  10.10.1.0/24    0;                # Ignore traffic from this entire class C.
#  192.168.10.4    3    tcp;         # Assign danger level 3 if protocol is tcp.
#  10.10.1.0/24    3    tcp/1-1024;  # Danger level 3 for tcp port range

    You want the Ignore type of rule, as it sets the danger level to zero, effectively ignoring that IP/range.

    • 3