PSAD Port Scan Detection
PSAD (Port Scan Attack Detector) is a host-based port scan detection tool for Linux that analyzes firewall logs (typically from Netfilter via iptables) to identify, classify, and optionally respond to reconnaissance activity such as port scans. It is commonly deployed on internet-facing servers to detect and alert on scanning behavior that may precede exploitation attempts.
As host firewalls became standard on Linux servers, administrators began using firewall logs not only for troubleshooting but also for security monitoring. PSAD emerged to automate detection of scan patterns and suspicious probing by parsing Netfilter log events and applying signatures and thresholds to generate alerts and risk scores.
PSAD is most often found in environments that still rely on iptables logging, where a lightweight, host-local detection layer is desired without deploying a full IDS/IPS stack.
Maintained by
- Maintained by the PSAD project community.
Best When to Use
- You already use iptables with logging enabled and want automated scan detection from those logs.
- You need host-local alerts for reconnaissance on a small set of servers or VPS instances.
- You want a simple detection layer that complements perimeter controls (cloud security groups, edge firewalls).
- You need an operationally lightweight tool that can run without deep packet inspection.
Not Suitable When
- Your firewall stack is primarily nftables without compatible logging integration for PSAD workflows.
- You require full IDS/IPS capabilities (protocol decoding, payload inspection, signatures across many services).
- You need centralized fleet-scale detection with unified policy and correlation (use SIEM/EDR/IDS platforms).
- You cannot enable firewall logging due to performance constraints or log volume limitations.
Compatibility Notes
- PSAD typically expects Netfilter log formats associated with iptables logging (LOG target) and common syslog locations.
- On modern distributions that default to nftables, you may need additional compatibility layers or alternative tooling.
- Cloud images may log firewall events to the systemd journal; confirm where firewall logs land before configuring PSAD.
- PSAD does not replace network-based IDS sensors; it depends on what the host firewall logs.
Firewall logging can generate high log volume on internet-facing hosts. Start with conservative logging rules and verify log rotation to avoid disk exhaustion.
How PSAD Works
PSAD monitors firewall log events, extracts connection and port activity, correlates patterns over time, and produces alerts and summaries.
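To make the steps in that sentence concrete, here is an added example (not PSAD's own code) of the same loop in miniature: parse the fields an iptables LOG rule writes, drop sources inside a trusted "home network", correlate per source over a time window, and assign a PSAD-style danger level. The window, threshold and level tiers are assumed values chosen for illustration, not PSAD's defaults, and the log lines are constructed.

```python
"""Toy version of the correlation PSAD performs over Netfilter LOG lines.

Added example, not PSAD's own code. It parses the fields an iptables LOG rule
writes (SRC=, DST=, PROTO=, DPT=), suppresses sources inside a "home network",
and flags a source that hits PORT_THRESHOLD or more distinct destination ports
within WINDOW_SECONDS. The thresholds and the danger-level mapping are assumed
values for illustration, not PSAD's defaults.
"""
import ipaddress
import re
from collections import defaultdict

# Syslog timestamp ("Mar  3 10:00:01") followed by the LOG target's key=value fields.
_TS_RE = re.compile(r"^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d)\s")
_KV_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

WINDOW_SECONDS = 60   # assumed correlation window
PORT_THRESHOLD = 5    # assumed: distinct ports one source must touch inside the window
# assumed mapping: distinct ports seen -> PSAD-style danger level 1..5
DANGER_LEVELS = [(5, 1), (15, 2), (50, 3), (250, 4), (1000, 5)]


def parse_log_line(line):
    """Return (seconds since midnight, fields) for a LOG line, or None for anything else."""
    m = _TS_RE.match(line)
    fields = dict(_KV_RE.findall(line))
    if not m or "SRC" not in fields or "DST" not in fields:
        return None
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s, fields


def danger_level(distinct_ports):
    """Highest tier whose port count the source has reached; 0 below the first tier."""
    level = 0
    for ports, lvl in DANGER_LEVELS:
        if distinct_ports >= ports:
            level = lvl
    return level


def detect_scans(lines, home_nets=()):
    """Correlate LOG events per source; return {src: {"ports": n, "level": l}} for flagged sources."""
    home = [ipaddress.ip_network(n) for n in home_nets]
    events = defaultdict(list)  # src -> [(time, dst port), ...]
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        t, f = parsed
        if f.get("PROTO") not in ("TCP", "UDP") or "DPT" not in f:
            continue  # ICMP etc. carry no destination port
        if any(ipaddress.ip_address(f["SRC"]) in n for n in home):
            continue  # trusted range: suppressed the way HOME_NET suppresses it
        events[f["SRC"]].append((t, int(f["DPT"])))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        best = 0
        for i, (t0, _) in enumerate(evs):  # window starting at each event
            ports = {p for t, p in evs[i:] if t - t0 <= WINDOW_SECONDS}
            best = max(best, len(ports))
        if best >= PORT_THRESHOLD:
            flagged[src] = {"ports": best, "level": danger_level(best)}
    return flagged


# Constructed sample: a port sweep from 198.51.100.7, a sweep from an internal host,
# one lone probe, and an unrelated sshd line that the parser must ignore.
_FMT = ("Mar  3 10:{minute:02d}:{sec:02d} host kernel: iptables-deny: IN=eth0 OUT= "
        "SRC={src} DST=192.0.2.10 LEN=40 TTL=52 PROTO=TCP SPT={spt} DPT={dpt} SYN")
SAMPLE_LOG = (
    [_FMT.format(minute=0, sec=s, src="198.51.100.7", spt=40000 + s, dpt=p)
     for s, p in enumerate((21, 22, 23, 25, 80, 443, 8080), start=1)]
    + [_FMT.format(minute=1, sec=s, src="10.0.0.5", spt=50000 + s, dpt=p)
       for s, p in enumerate((22, 80, 443, 3306, 8443), start=1)]
    + [_FMT.format(minute=2, sec=30, src="203.0.113.9", spt=51515, dpt=22),
       "Mar  3 10:02:31 host sshd[4242]: Accepted publickey for admin from 203.0.113.20 port 51200 ssh2"]
)

if __name__ == "__main__":
    for src, info in detect_scans(SAMPLE_LOG, home_nets=["10.0.0.0/8"]).items():
        print(f"{src}: {info['ports']} distinct ports, danger level {info['level']}")
```

Run as-is it reports only 198.51.100.7; run without the home_nets argument it also reports the internal host 10.0.0.5, which is exactly the false positive a correctly defined home network suppresses.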
Prerequisites
- Root or sudo privileges
- A Netfilter firewall configured to log relevant events (commonly iptables)
- A functioning mail transport or alerting path if you want email notifications
- Log rotation configured and verified
Installation
Debian/Ubuntu
sudo apt update
sudo apt install psad
RHEL/CentOS Stream/Fedora
Package availability varies by distribution repositories. If a native package is available:
sudo dnf install psad
If not available, use the distribution’s supported package sources and follow the project’s installation guidance.
PSAD packaging and defaults vary across distributions. After installation, confirm the config paths, log source, and service unit names on your system.
Initial Safe Validation
Before enabling detection or auto-response, validate the environment.
Confirm firewall logging is producing entries
Read-only checks:
sudo journalctl -n 100 --no-pager | grep -i -E 'iptables|netfilter|UFW BLOCK|IN=' || true
If your system logs to a file (common examples):
sudo tail -n 100 /var/log/syslog 2>/dev/null | grep -i -E 'iptables|netfilter|IN=' || true
sudo tail -n 100 /var/log/messages 2>/dev/null | grep -i -E 'iptables|netfilter|IN=' || true
Confirm PSAD can parse logs
sudo psad --Status
sudo psad --Summary
Configuration
PSAD configuration is commonly located at:
- /etc/psad/psad.conf
- /etc/psad/auto_dl (signature auto-download settings, if enabled)
Common settings to review in psad.conf:
| Setting Area | Purpose |
|---|---|
| Log source | Where PSAD reads firewall logs (file path or syslog integration) |
| Alerting | Email destination, threshold levels, notification frequency |
| Scan thresholds | Sensitivity and time windows for classifying scans |
| Auto-response | Whether to take action (block) and how long to block |
| Home network | Defines “local” ranges to reduce false positives |
Automatic blocking can cause accidental lockouts, especially if misconfigured or if a trusted IP triggers thresholds. Enable detection-only first, verify alerts, then consider response actions.
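The settings in the table can be checked mechanically before the service is started. The following is an added example, not part of PSAD: it parses psad.conf-style `KEY value;` lines and flags the combinations that make a first rollout risky, with a constructed "risky" fragment beside a detection-only one. The key names used (ENABLE_AUTO_IDS, HOME_NET, EMAIL_ADDRESSES, IPT_SYSLOG_FILE, AUTO_BLOCK_TIMEOUT) are assumed from the psad.conf format; confirm them against the file shipped on your system.

```python
"""Sanity check for a detection-only PSAD rollout.

Added example, not part of PSAD. It reads psad.conf-style "KEY value;" lines and
reports settings that make a first deployment risky. The keys used here
(ENABLE_AUTO_IDS, HOME_NET, EMAIL_ADDRESSES, IPT_SYSLOG_FILE, AUTO_BLOCK_TIMEOUT)
are assumed from the psad.conf format; confirm names against the file shipped on
your system before relying on this.
"""
import re

_LINE_RE = re.compile(r"^\s*([A-Z][A-Z0-9_]*)\s+(.*?)\s*;\s*$")


def parse_psad_conf(text):
    """Return {KEY: value} from KEY value; lines, ignoring comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        m = _LINE_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def review_detection_only(conf):
    """Return a list of findings; empty means the config fits a detection-only first run."""
    findings = []
    if conf.get("ENABLE_AUTO_IDS", "N").upper() == "Y":
        findings.append("ENABLE_AUTO_IDS is Y: auto-blocking is on before alerts have been verified")
    if conf.get("HOME_NET", "any").lower() == "any":
        findings.append("HOME_NET is 'any': local scanners and admin hosts will not be excluded")
    if not conf.get("EMAIL_ADDRESSES"):
        findings.append("EMAIL_ADDRESSES is empty: alerts have nowhere to go")
    if not conf.get("IPT_SYSLOG_FILE", "").startswith("/"):
        findings.append("IPT_SYSLOG_FILE is not an absolute path: PSAD may read the wrong log source")
    return findings


# Constructed fragment: settings that are risky for a first rollout.
RISKY_CONF = """
EMAIL_ADDRESSES             ;
HOME_NET                    any;
ENABLE_AUTO_IDS             Y;
AUTO_BLOCK_TIMEOUT          3600;
IPT_SYSLOG_FILE             messages;
"""

# Constructed fragment: the same keys set for a detection-only first run.
DETECTION_ONLY_CONF = """
EMAIL_ADDRESSES             secops@example.com;   # constructed address
HOME_NET                    192.0.2.0/24, 203.0.113.0/24;
ENABLE_AUTO_IDS             N;                   # detect first, respond later
AUTO_BLOCK_TIMEOUT          3600;
IPT_SYSLOG_FILE             /var/log/syslog;
"""

if __name__ == "__main__":
    for name, text in (("risky", RISKY_CONF), ("detection-only", DETECTION_ONLY_CONF)):
        print(name, review_detection_only(parse_psad_conf(text)) or ["ok"])
```

Point the parser at the real file (`open("/etc/psad/psad.conf").read()`) and the same four checks apply; AUTO_BLOCK_TIMEOUT only matters once ENABLE_AUTO_IDS is turned on, which is why the check ignores it.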
Firewall Logging Setup (iptables)
PSAD relies on firewall logs. A minimal and controlled approach is to log denied inbound packets rather than everything.
If you change firewall rules on a remote system, you can lose SSH access. Always confirm SSH allow rules before applying deny rules, and keep a recovery path (console/serial access).
Safe approach (conceptual)
- Ensure SSH is allowed from your admin network.
- Log and drop unsolicited inbound packets at a controlled rate.
Example (illustrative; adjust interface, ports, and source ranges):
# Allow SSH first (example: allow from a trusted IP range)
sudo iptables -A INPUT -p tcp --dport 22 -s 203.0.113.0/24 -j ACCEPT
# Log dropped inbound packets with rate limiting
sudo iptables -A INPUT -m limit --limit 6/min --limit-burst 10 -j LOG --log-prefix "iptables-deny: " --log-level 4
# Drop unsolicited inbound traffic (ensure established traffic is allowed elsewhere in your ruleset)
sudo iptables -A INPUT -j DROP
In production, manage firewall rules using your distribution’s preferred framework (UFW, firewalld, nftables) or configuration management rather than ad-hoc commands. The key requirement for PSAD is reliable Netfilter logging that it can parse.
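Whichever framework manages the rules, the properties this section depends on can be verified from `iptables-save` output before the ruleset is trusted on a remote host. The following is an added example, not part of PSAD or iptables: it checks that the SSH ACCEPT and a RELATED,ESTABLISHED ACCEPT sit ahead of the catch-all DROP, and that a rate-limited LOG rule precedes that DROP so PSAD actually receives log lines. Both rulesets in the block are constructed; the "good" one is the example above as iptables-save renders it.

```python
"""Order and logging audit for an iptables INPUT chain, run on iptables-save output.

Added example, not part of PSAD or iptables. It checks the properties the
firewall logging section relies on: an SSH ACCEPT and a RELATED,ESTABLISHED
ACCEPT ahead of the catch-all DROP, and a rate-limited LOG rule placed before
that DROP so PSAD actually gets log lines. The rulesets below are constructed;
on a real host feed it the output of `sudo iptables-save`.
"""
import shlex


def _target(rule):
    """Jump target of a rule (the token after -j), or None."""
    return rule[rule.index("-j") + 1] if "-j" in rule else None


def _opt(rule, flag):
    """Value following an option flag such as --dport, or None."""
    return rule[rule.index(flag) + 1] if flag in rule else None


def audit_input_chain(save_text):
    """Return a list of findings about the INPUT chain; empty means the checks passed."""
    rules = [shlex.split(line) for line in save_text.splitlines() if line.startswith("-A INPUT ")]

    def first(pred):
        return next((i for i, r in enumerate(rules) if pred(r)), None)

    ssh = first(lambda r: _opt(r, "--dport") == "22" and _target(r) == "ACCEPT")
    est = first(lambda r: "ESTABLISHED" in (_opt(r, "--ctstate") or _opt(r, "--state") or "")
                and _target(r) == "ACCEPT")
    log = first(lambda r: _target(r) == "LOG")
    drop = first(lambda r: _target(r) == "DROP" and len(r) == 4)  # bare "-A INPUT -j DROP"

    findings = []
    if ssh is None:
        findings.append("no ACCEPT rule for tcp/22: remote administration is not guaranteed")
    elif drop is not None and ssh > drop:
        findings.append("SSH ACCEPT is placed after the catch-all DROP: lockout risk")
    if est is None:
        findings.append("no RELATED,ESTABLISHED ACCEPT: replies to outbound connections will be dropped")
    if log is None:
        findings.append("no LOG rule: PSAD has nothing to read")
    else:
        if "limit" not in rules[log]:
            findings.append("LOG rule has no -m limit: unbounded log volume under a scan")
        if drop is not None and log > drop:
            findings.append("LOG rule is placed after the DROP: dropped packets are never logged")
    if drop is None:
        findings.append("no catch-all DROP: unsolicited inbound traffic is accepted")
    return findings


# Constructed: the ruleset from the section above as iptables-save renders it.
GOOD_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m limit --limit 6/min --limit-burst 10 -j LOG --log-prefix "iptables-deny: " --log-level 4
-A INPUT -j DROP
COMMIT
"""

# Constructed: the same rules typed in the wrong order and without rate limiting.
BAD_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "iptables-deny: " --log-level 4
COMMIT
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_RULESET), ("bad", BAD_RULESET)):
        print(name, audit_input_chain(text) or ["ok"])
```

The "bad" ruleset produces four findings: the SSH rule is shadowed by the DROP (the lockout the warning above describes), established traffic is not accepted, the LOG rule is unlimited, and it sits after the DROP so nothing is ever logged for PSAD to parse.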
Common Commands
Status and summaries
sudo psad --Status
sudo psad --Summary
sudo psad --Top
Update signatures (if enabled)
sudo psad --sig-update
Reload / restart
Service names vary by distribution; common options include psad.
sudo systemctl restart psad
sudo systemctl status psad
Practical Use Cases
Detection-only deployment on an internet-facing server
- Enable controlled firewall logging.
- Configure PSAD to read the correct logs.
- Enable email or local alerting.
- Run for a period to tune thresholds and reduce false positives.
Validation:
sudo psad --Status
sudo psad --Summary
Identify repeated scanning sources
sudo psad --Top
sudo psad --Summary
Use results to:
- Add IPs/subnets to upstream blocks (cloud security groups, edge firewalls)
- Tune rate limits and default deny policies
- Inform SIEM correlation rules
Troubleshooting
| Symptom | Likely Cause | Safe Checks | Fix |
|---|---|---|---|
| PSAD shows no activity | Firewall logging not enabled or wrong log source | journalctl/tail on log locations, psad --Status | Enable Netfilter logging; set correct log file in psad.conf |
| High false positives | Sensitivity too high, local scans, monitoring tools | psad --Summary, review scanner IPs | Define home networks, tune thresholds, whitelist known scanners |
| Disk usage grows quickly | Excessive firewall logging | Check log size/rotation | Add rate limiting, reduce logged rules, ensure logrotate/journal limits |
| No email alerts | Mail not configured or blocked | Check local mail logs/queue | Configure MTA or route alerts to a supported channel |
| Auto-blocking breaks access | Response enabled too early | psad --Status, firewall rules | Disable auto-response, remove blocks via console access, tune first |
Security Notes
- Treat PSAD as a detection layer, not a replacement for:
  - Proper firewall policy (deny-by-default inbound)
  - Upstream filtering (cloud security groups, edge firewalls)
  - Patch management and service hardening
- Keep logging rate-limited to avoid DoS-by-logging.
- If enabling auto-response, scope it to trusted operational requirements and test in controlled conditions.
Quick Reference
| Goal | Command |
|---|---|
| Show status | sudo psad --Status |
| Show summary | sudo psad --Summary |
| Show top offenders | sudo psad --Top |
| Update signatures | sudo psad --sig-update |
| Restart service | sudo systemctl restart psad |
| View recent system logs | sudo journalctl -n 200 --no-pager |