This guide for Linux users will show you how to detect the IP addresses that are used in denial of service attacks and block them.
We ran an article on How to block an IP address in iptables in Linux a few days ago. Here’s a complimentary article that shows you how to detect the IP addresses of attackers in case of a a denial of service (or DOS) attack.
To do this we will use free software called psad. psad works in sync with iptables and monitors the iptables logs and checks for port scans and other suspicious traffic which are usually signs of someone trying to break into your Linux server.
To begin, install psad. If you are running a flavor of Linux that has a fancy package management system like Ubuntu or Fedora you should be able to use either of the following commands to get psad on your system:
# sudo apt-get install psad
# yum install psad
If this doesn’t work for you head to the psad download page and download the format that works for you.
As I use an Ubuntu Linux server the rest of this tutorial will be Ubuntu specific. However, with some minor tweaking you should be able to make it work on other flavors of Linux. Open the syslog.conf file with your favorite text editor:
# vim /etc/syslog.conf
Add the following line at the end of the of the file:
You can use the following command to accomplish the same thing:
# echo -e 'kern.info\t|/var/lib/psad/psadfifo' >> /etc/syslog.conf
Now restart the sysklogd and klog daemons:
The way psad works is that it will detect and instruct iptables to block any suspicious IPs. Sometimes this might result in the blocking of an IP which you use. To overcome this issue you should create a file containing a list of safe IP addresses. Create a file like this one:
# vim /home/calvin/safeiplist.cfg
Enter the IP addresses that you need psad to whitelist:
No use a script like following one to configure iptables with the necessary rules. Note that this script will remove all previous settings from your iptables setup. Copy and paste the following script on your Linux server, and replace the variables WORKDIR and SAFEIPLIST with the correct settings from your setup.
if [ -f $SAFEIPLIST ]; then
IPS=$(grep -Ev “^#” $SAFEIPLIST)
for i in $IPS
iptables -A INPUT -s $i -j ACCEPT
iptables -A INPUT -m state –state NEW -m recent –set
iptables -A INPUT -m state –state NEW -m recent –update –seconds $INTERVAL –hitcount $HITCOUNT -j LOG
What the script does is that it logs an IP address if it makes five or more attempts at making a connection in the span of five seconds. I would suggest you use the script as is unless you know what you are doing while modifying it. One you are done, give it executable permissions and run it.
# chmod +x /home/calvin/ipblock.sh
Now back to psad. Open the psad configuration file and edit it. These are the changes I suggest you make. Feel free to go through the psad documentation and make other changes:
Set machine’s hostname:
If you have only one network interface on this server, set HOME_NET to:
You can also need to adjust danger levels for psad, and define a set of ports to ignore, for example to ask psad ignore udp ports 80 and 8080, make the following change:
IGNORE_PORTS udp/80, udp/8080;
Save and close the file. Then restart psad:
# /etc/init.d/psad restart
You are now good to go. To monitor psad’s reports run the following command:
# psad -S
To remove automatically clocked IPs run the following command:
# psad -F
psad is a very versatile and powerful tool. If you know how to use it it can do wonders for you, but if you don’t you can really mess up your computer. So please use psad with caution.