Thread: Do we need PSAD if we already have Fail2Ban?

  1. #1
    Join Date
    Jan 2012
    Beans
    65

    Do we need PSAD if we already have Fail2Ban?

    I already have installed Fail2Ban on my server. I planned to install PSAD on it. Are they equal? Isn't it a good idea to keep them both?

  2. #2
    Join Date
    Jan 2012
    Beans
    65

    Re: Do we need PSAD if we already have Fail2Ban?

    Any idea?

  3. #3
    Join Date
    Aug 2009
    Beans
    Hidden!

    Re: Do we need PSAD if we already have Fail2Ban?

    Quote: Originally Posted by THPubs
    I already have installed Fail2Ban on my server.
    Good choice.


    Quote: Originally Posted by THPubs
    I planned to install PSAD on it. Are they equal?
    They are not. The PSAD web site tells you about its origin, its reason-for-being and how it implements things. Know that and you can determine if they are equal.


    Quote: Originally Posted by THPubs
    Isn't it a good idea to keep them both?
    Since you run a server, look at what services you provide and how you have hardened them. Then look at what and how you audit for anomalies, errors and malicious activity. Then look at what the past and current "threatscape" tells you about how ninety-nine per cent of (say web) servers get compromised. Putting that together should give you an idea of how reconnaissance, exploiting and aftermath should have been detected (and prevented or mitigated) at the network and the application level.

    Then ask yourself if your server would benefit from running a substitute (partial detection based on an approximation of part of the functionality something else provides, requiring three daemon processes, syslog-filling LOG target rules, doing NS and WHOIS requests for each alert sent and the constant "entertainment" of having to figure out what these emails actually try to convey) instead of the functionality the original provides.

  4. #4
    Join Date
    Nov 2009
    Beans
    919
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Do we need PSAD if we already have Fail2Ban?

    Port scans are a part of life for systems open to the web. You don't need to be notified of them (unless you really, really want to). Limiting exposure with iptables is probably a better option than logging every possible port scan with PSAD.

    Of the two, Fail2Ban is more valuable because it deals with access attempts.

  5. #5
    Join Date
    Sep 2012
    Beans
    1

    Re: Do we need PSAD if we already have Fail2Ban?

    Quote: Originally Posted by OpSecShellshock

    Of the two, Fail2Ban is more valuable because it deals with access attempts.
    PSAD can deal with access attempts as well (by blocking the attempts, an option that isn't set as default). You can set this by enabling "ENABLE_AUTO_IDS" within the conf file.
