Ubuntu – Why doesn't iptables log?

Tags: 16.04, iptables, log, logging, server

I have a Linux server running on Ubuntu 16.04. Today I installed PSAD, an Intrusion Detection System.

PSAD works by analyzing the logfiles of iptables. So, first thing to do before using PSAD is enabling logging of iptables.

sudo iptables -A INPUT -j LOG
sudo iptables -A FORWARD -j LOG

I ran a port scan and called the PSAD status afterwards. It should display that a port scan occurred, but nothing was displayed. Just that there hasn't been a port scan yet.

After some time I realized, iptables isn't logging. No log-file has iptables logs in it. I looked into

  • /var/log/messages, where they should be in by default, but the file is empty
  • /var/log/kern.log
  • /var/log/syslog

There is nothing. Maybe it is worth noting that I use UFW. I followed a tutorial about PSAD and UFW, but still nothing happens. No logs in the new files, created in the tutorial either.

What could be the reason? I haven't set up the server on my own. The most important securings have been done before me. Maybe they have removed some packages. It would be great if you could help me, the server has to be secure.

Best Answer

Probably kernel logging is disabled in (r)syslog. Add this to the /etc/rsyslog.conf file:

kern.warn /var/log/firewall.log

and reload syslog.

Afterwards, add a rule like:

iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix " ALERT " --log-level=warning

And scan your SSH port.
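A way to tell the two possible failure points apart, as an added example that is not part of the original answer: the packet counters from `iptables-save -c` show whether a LOG rule matched at all, and a scan of the rsyslog configuration shows whether kernel messages at warning priority are stored anywhere. The function names are hypothetical, the sample inputs are constructed, and the check assumes a classic rsyslog setup in which the imklog module supplies kernel messages.

```bash
#!/usr/bin/env bash
# Added diagnostic sketch. All SAMPLE_* inputs are constructed, not from a real host.

# Print "<chain> <packets>" for each LOG rule in `iptables-save -c` output (stdin).
log_rule_hits() {
  awk '/^\[[0-9]+:[0-9]+\] -A / && / -j LOG( |$)/ {
         split(substr($1, 2), c, ":"); print $3, c[1] }'
}

# Succeed if the rsyslog config on stdin loads imklog (kernel message input) and has
# an active selector that catches facility kern at priority warning.
# Heuristic: exclusions such as "kern.none" are not evaluated.
kernel_logging_enabled() {
  awk '/^[ \t]*#/ { next }
       /imklog/ { mod = 1 }
       /^[ \t]*(kern|\*)\.(\*|warn|warning|notice|info|debug)[;, \t]/ { sel = 1 }
       END { exit !(mod && sel) }'
}

# Verdict for one chain. $1 = iptables-save -c text, $2 = rsyslog config, $3 = chain.
diagnose() {
  hits=$(printf '%s\n' "$1" | log_rule_hits |
         awk -v c="$3" '$1 == c { n += $2 } END { print n + 0 }')
  if [ "$hits" -eq 0 ]; then
    echo "no-hits"                         # no LOG rule in this chain saw a packet
  elif printf '%s\n' "$2" | kernel_logging_enabled; then
    echo "ok"                              # rule matched and syslog stores the message
  else
    echo "syslog-drops-kernel-messages"    # rule matched, nothing stores the message
  fi
}

SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
[37:1628] -A INPUT -j LOG
[0:0] -A FORWARD -j LOG
COMMIT'
SAMPLE_BROKEN='#module(load="imklog")
auth,authpriv.* /var/log/auth.log'
SAMPLE_FIXED='module(load="imklog")
kern.warn /var/log/firewall.log'

diagnose "$SAMPLE_RULES" "$SAMPLE_BROKEN" INPUT    # syslog-drops-kernel-messages
diagnose "$SAMPLE_RULES" "$SAMPLE_FIXED" INPUT     # ok
diagnose "$SAMPLE_RULES" "$SAMPLE_FIXED" FORWARD   # no-hits
# Real host (root): diagnose "$(iptables-save -c)" \
#   "$(cat /etc/rsyslog.conf /etc/rsyslog.d/*.conf)" INPUT
```

A non-zero counter with an empty log file points at syslog, as the answer suggests; a counter that stays at zero after a scan means the packets never reached the LOG rule, so the rule order is the place to look.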
