This post will show you how to configure Port Scan Attack Detector (or PSAD) to ignore specific IP ranges.
What is PSAD?
PSAD is a collection of lightweight system daemons that run on Linux. You use PSAD to analyze the ‘
Examples of PSAD Alerts
Here are some examples of PSAD email alerts:
Home Network
[psad-alert] DL3 src: 192.168.1.103 dst: ap-op-mars.local
NetRange: 192.168.0.0 – 192.168.255.255
CIDR: 192.168.0.0/16
Comment: This is a computer on the local network.
Google DNS
[psad-alert] DL2 src: google-public-dns-a.google.com dst: ap-op-mars.local
NetRange: 8.0.0.0 – 8.127.255.255
CIDR: 8.0.0.0/9
Comment: Google DNS services is interacting with the local pc.
Local
[psad-alert] DL5 src: thehost.com dst: thehost.com
NetRange: 127.0.0.0 – 127.255.255.255
CIDR: 127.0.0.0/8
Comment: This is the local pc.
How to Ignore IP Ranges in PSAD
Open the PSAD /etc/psad/auto_dl file and add the following lines:
127.0.0.0/8 0; # Ignore on server calls
192.168.0.0/16 0; # Ignore home network
8.0.0.0/9 0; #ignore goodle dns
Restart PSAD when you updated the auto_dl file:
sudo service psad restart
In Conclusion
Adjusting the IP rules for PSAD is quite easy! Need more help? Then read ‘blocking port scan attack‘ by OpenToDo for some brilliant in-depth information.
I hope you liked this post. If so, please click the like button and you will receive a million years of good Luck! Feel free to read other great posts at https://anto.online/.
