Installing psad on Raspberry Pi Running Arch Linux


I've been fooling around with IDS and specifically psad and I thought it would be fun to try installing psad on my raspberry pi. Little did I know, installing psad on an ARM processor running Arch Linux with systemd is not a simple process. It took me great effort to get psad running correctly, so I thought I'd take the time to document my struggles in the hopes that this will be useful to someone else.

What is psad?

psad is an intrusion detection system (IDS) which works by monitoring logs generated by iptables (a network firewall common to most Linux distros). You can find more information on psad here.

Scope of this document

The focus of this document is the problems I ran into while trying to install and run psad on a Raspberry Pi, and my solutions. It does not cover how to configure or use psad. It does cover the things I had to take into account because the Raspberry Pi's CPU is an ARM processor and because my OS is Arch Linux with systemd.

Contact

Many of my solutions are hacks and probably suboptimal hacks at that. If you see anything wrong with this guide or have better solutions to the problems I covered here, feel free to contact me at cmyagema@syr.edu.

Other Useful Resources

Installing psad for ARM from AUR

Since psad is not included in the main Arch Linux repositories, it (and the Perl modules it depends on) has to be downloaded, built, and installed from the AUR.

First, create a file (I will name it "list.txt") and write in it the following URLs:

https://aur.archlinux.org/packages/pe/perl-unix-syslog/perl-unix-syslog.tar.gz
https://aur.archlinux.org/packages/pe/perl-iptables-parse/perl-iptables-parse.tar.gz
https://aur.archlinux.org/packages/pe/perl-iptables-chainmgr/perl-iptables-chainmgr.tar.gz
https://aur.archlinux.org/packages/ps/psad/psad.tar.gz

These are the tarballs which we will need from AUR.

Next, run the following commands to untar the tarballs, build them, and install them:

cat list.txt | xargs wget
tar xzvf perl-iptables-parse.tar.gz
cd perl-iptables-parse
makepkg -Acs
sudo pacman -U perl-iptables-parse-1.1-2-any.pkg.tar.xz
cd ..
tar xzvf perl-unix-syslog.tar.gz
cd perl-unix-syslog
makepkg -Acs
sudo pacman -U perl-unix-syslog-1.1-4-any.pkg.tar.xz
cd ..
tar xzvf perl-iptables-chainmgr.tar.gz
cd perl-iptables-chainmgr
makepkg -Acs
sudo pacman -U perl-iptables-chainmgr-1.2-2-any.pkg.tar.xz
cd ..
tar xzvf psad.tar.gz
cd psad
makepkg -Acs
sudo pacman -U --force psad-2.2.3-1-armv6h.pkg.tar.xz
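The same download/untar/makepkg/pacman sequence as a loop over list.txt, added here as an example (it is not from the original post or the psad project). The package directory is derived from each URL and the built package is found by glob, so the version numbers hard-coded above do not go stale. It assumes list.txt is ordered so that dependencies come before the packages that need them (psad last), as the list above already is, and that you run it as a normal user, since makepkg refuses to run as root.

```shell
#!/bin/sh
# Added example, not from the original post: build and install the AUR
# tarballs listed in list.txt in list order. Assumptions: list.txt has one
# URL per line with dependencies first; makepkg is run as a non-root user.
set -eu

# https://aur.archlinux.org/packages/ps/psad/psad.tar.gz -> psad
pkg_dir_from_url() {
    base=${1##*/}
    printf '%s\n' "${base%.tar.gz}"
}

# Print the one package file makepkg left in directory $1; fail if there are
# none (the build failed) or several (ambiguous, pick one by hand).
find_built_pkg() {
    dir=$1
    set -- "$dir"/*.pkg.tar.*
    if [ ! -e "$1" ]; then
        echo "no package built in $dir" >&2
        return 1
    elif [ $# -ne 1 ]; then
        echo "several packages built in $dir, choose one: $*" >&2
        return 1
    fi
    printf '%s\n' "$1"
}

# Untar one AUR tarball, build it and install it. makepkg -A ignores the
# PKGBUILD arch list (needed on armv6h), -c cleans up, -s pulls in build
# dependencies from the repositories. The post adds --force to pacman for
# psad; add it only if pacman reports a file conflict.
install_one() {
    dir=$(pkg_dir_from_url "$1")
    tar xzf "${dir}.tar.gz"
    (cd "$dir" && makepkg -Acs)
    pkg=$(find_built_pkg "$dir")
    sudo pacman -U "$pkg"
}

# Download every tarball in $1 (certificate checks left on), then build and
# install them in list order. The list is read on fd 3 so that pacman's
# "Proceed with installation?" prompt reads from the terminal, not the list.
install_from_list() {
    list=${1:-list.txt}
    xargs -n 1 wget < "$list"
    while read -r url <&3; do
        [ -n "$url" ] || continue
        install_one "$url"
    done 3< "$list"
}

# Only do the real work when asked: sh install-aur.sh run [list.txt]
if [ "${1:-}" = run ]; then
    install_from_list "${2:-list.txt}"
fi
```

Run it from the directory containing list.txt with `sh install-aur.sh run`; the helper functions can be exercised on their own without makepkg or pacman installed.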

Now, if you are luckier than I was, this should be all you have to do. I, however, ran into several additional problems, which are covered in the sections below.

Configuration

As I mentioned earlier, I am not going to cover how to configure psad. There is, however, one setting I will mention because it differs from other systems: syslog is in an unusual location because of how systemd logs.

To fix this setting, list the contents of your /var/log/journal/ directory. You should see a directory whose name is a string of hex digits (the machine ID), and inside it a file called system.journal. I found that this is the file psad has to be pointed at.

Once you have identified this path, open /etc/psad/psad.conf and point IPT_SYSLOG_FILE to this file. In my case, this means:

IPT_SYSLOG_FILE /var/log/journal/37ed4fd73b0c416886710f1c8ffa083b/system.journal;
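The lookup and edit just described, as an added example (not from the original post or from psad): find the system.journal under /var/log/journal and rewrite the IPT_SYSLOG_FILE line in psad.conf. It assumes the "KEY value;" line format shown above, journal paths without whitespace or backslashes, and takes the paths as parameters so it can be tried on a scratch copy first. It also refuses to guess when more than one system.journal exists (for instance after the machine ID changed), rather than silently picking one.

```shell
#!/bin/sh
# Added example, not from the original post: point psad's IPT_SYSLOG_FILE at
# the systemd journal file. Assumes paths contain no whitespace or backslashes
# and that psad.conf uses "KEY value;" lines as in the post.
set -eu

# Print the single system.journal below $1; fail if there are none or several.
find_system_journal() {
    root=$1
    # word-splitting on purpose; assumes no whitespace in journal paths
    set -- $(find "$root" -type f -name system.journal)
    case $# in
        0) echo "no system.journal under $root" >&2; return 1 ;;
        1) printf '%s\n' "$1" ;;
        *) echo "several journal files under $root, choose one: $*" >&2; return 1 ;;
    esac
}

# Print the current IPT_SYSLOG_FILE value from config file $1 (no trailing ';').
current_ipt_syslog_file() {
    awk '/^[[:space:]]*IPT_SYSLOG_FILE[[:space:]]/ {
             sub(/;[[:space:]]*$/, "", $2); print $2; exit
         }' "$1"
}

# Rewrite the IPT_SYSLOG_FILE line in config file $1 to point at $2, keeping
# every other line as is; append the line if the file has none.
set_ipt_syslog_file() {
    conf=$1
    journal=$2
    tmp="${conf}.tmp"
    awk -v path="$journal" '
        /^[[:space:]]*IPT_SYSLOG_FILE[[:space:]]/ { print "IPT_SYSLOG_FILE " path ";"; seen = 1; next }
        { print }
        END { if (!seen) print "IPT_SYSLOG_FILE " path ";" }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Real edit (needs root for /etc/psad/psad.conf): sudo sh set-journal.sh apply
if [ "${1:-}" = apply ]; then
    journal=$(find_system_journal /var/log/journal)
    set_ipt_syslog_file /etc/psad/psad.conf "$journal"
    echo "IPT_SYSLOG_FILE is now $(current_ipt_syslog_file /etc/psad/psad.conf); restart psad to pick it up"
fi
```

The temporary file is written next to psad.conf and moved into place so a failed awk run never leaves a half-written configuration behind.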

If you want to try port scanning yourself or otherwise test your psad installation, keep in mind that the Raspberry Pi has very limited computing resources, so it may take a while for your test to show up in psad's status.

Troubleshooting

wget fails due to certificates

This one is easy: just replace cat list.txt | xargs wget with cat list.txt | xargs wget --no-check-certificate. Be aware that this flag turns off TLS certificate verification for the download; the failure is often just a wrong system clock (the Raspberry Pi has no battery-backed clock) or an outdated ca-certificates package, both of which are worth fixing first.

makepkg fails and returns a build error

Try rebooting the Raspberry Pi. Sometimes the build fails simply because the Pi runs out of memory.

psad is installed, but when I run sudo psad -S I get the message pid file [...]/psadwatchd.pid does not exist

If you're seeing this towards the top of the output for sudo psad -S:

[-] psad: pid file /var/run/psad/psadwatchd.pid does not exist for psadwatchd on HOSTNAME

Then you probably have the same problem I had.

This was the most painful of the problems I ran into, and it was the one that convinced me to write this document; if I hadn't run into it (and the systemd logging issue), I wouldn't have bothered writing any of this. The problem in my case was that psadwatchd was not being started when psad started. To confirm that this is the source of your problem, run:

ps -A | grep "psad"

If you only see one process called "psad" and no "psadwatchd", then you're having the same problem as me.

The solution I came up with for this is very much a hack, but it works decently: I got around the problem by making a separate systemd service for psadwatchd.

First, create a new file: /etc/systemd/system/psadwatchd.service

In this file, write:

[Unit]
Description=Port scan attack detector daemon
After=psad.service
[Service]
ExecStart=/usr/sbin/psadwatchd
Type=oneshot
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target

Next, confirm that you wrote the service file correctly by starting it with systemctl:

sudo systemctl start psadwatchd

If all went as it should, you should be able to execute the following two commands:

ps -A | grep "psad"
sudo psad -S

The first command should return both a psad process and a psadwatchd process. The second command should now show information on psadwatchd and no longer show an error about missing PID files.
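The two checks above as a script, added here as an example that is not from the original post or from psad. It parses the `ps -A` listing for both process names and then verifies that /var/run/psad/psadwatchd.pid exists and names a PID that really is a running psadwatchd, which also catches a stale pid file left behind by a previous boot. The listing and the pid directory are parameters so the logic can be run against constructed input; the real values are used under "run".

```shell
#!/bin/sh
# Added example, not from the original post: check that psad and psadwatchd
# are both running and that the psadwatchd pid file is present and current.
# Assumes `ps -A` output in the usual PID TTY TIME CMD column layout.
set -eu

# $1: text in `ps -A` format. Reports whether psad and psadwatchd both appear
# in the CMD column; returns 1 if either is missing.
check_daemons() {
    missing=0
    for name in psad psadwatchd; do
        if printf '%s\n' "$1" | awk -v n="$name" '$4 == n { found = 1 } END { exit !found }'; then
            echo "[+] $name is running"
        else
            echo "[-] $name is not running" >&2
            missing=1
        fi
    done
    return $missing
}

# $1: ps listing as above; $2: directory holding psadwatchd.pid. The file must
# exist and the PID in it must belong to a running psadwatchd.
check_pidfile() {
    pidfile=$2/psadwatchd.pid
    if [ ! -f "$pidfile" ]; then
        echo "[-] $pidfile does not exist (psadwatchd never started?)" >&2
        return 1
    fi
    pid=$(tr -d '[:space:]' < "$pidfile")
    if ! printf '%s\n' "$1" | awk -v pid="$pid" '$1 == pid && $4 == "psadwatchd" { ok = 1 } END { exit !ok }'; then
        echo "[-] $pidfile names PID $pid but no psadwatchd has that PID (stale file?)" >&2
        return 1
    fi
    echo "[+] psadwatchd is running as PID $pid"
}

# Real check: sudo sh psad-check.sh run  (the first failing check ends the script)
if [ "${1:-}" = run ]; then
    listing=$(ps -A)
    check_daemons "$listing"
    check_pidfile "$listing" /var/run/psad
fi
```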

Now that you have a working psadwatchd service file, add the new service to the units systemd starts at boot:

sudo systemctl enable psadwatchd

And that should be it (hopefully).