I've been fooling around with IDS and specifically psad and I thought it would be fun to try installing psad on my raspberry pi. Little did I know, installing psad on an ARM processor running Arch Linux with systemd is not a simple process. It took me great effort to get psad running correctly, so I thought I'd take the time to document my struggles in the hopes that this will be useful to someone else.
What is psad?
psad is an intrusion detection system (IDS) which works by monitoring logs generated by iptables (a network firewall common to most Linux distros). You can find more information on psad here.
Scope of this document
The focus of this document is on challenges I ran into while trying to get psad to install and run on a raspberry pi and my solutions. This document does not cover how to configure or use psad. It does cover things which I had to taken into consideration due to the raspberry pi CPU being an ARM processor and due to my OS being Arch Linux with systemd.
Many of my solutions are hacks and probably suboptimal hacks at that. If you see anything wrong with this guide or have better solutions to the problems I covered here, feel free to contact me at email@example.com.
Other Useful Resources
- psad homepage
- An installation guide that helped me (Edit: This blog no longer exists)
- A guide on configuring psad
Installing psad for ARM from AUR
Since psad is not included in the main Arch Linux repositories, it has to be downloaded, compiled, and built from the AUR repository.
First, create a file (I will name it "list.txt") and write in it the following URLs:
https://aur.archlinux.org/packages/pe/perl-unix-syslog/perl-unix-syslog.tar.gz https://aur.archlinux.org/packages/pe/perl-iptables-parse/perl-iptables-parse.tar.gz https://aur.archlinux.org/packages/pe/perl-iptables-chainmgr/perl-iptables-chainmgr.tar.gz https://aur.archlinux.org/packages/ps/psad/psad.tar.gz
These are the tarballs which we will need from AUR.
Next, run the following commands to untar the tarballs, build them, and install them:
cat list.txt | xargs wget tar xzvf perl-iptables-parse.tar.gz cd perl-iptables-parse makepkg -Acs sudo pacman -U perl-iptables-parse-1.1-2-any.pkg.tar.xz cd .. tar xzvf perl-unix-syslog.tar.gz cd perl-unix-syslog makepkg -Acs sudo pacman -U perl-unix-syslog-1.1-4-any.pkg.tar.xz cd .. tar xzvf perl-iptables-chainmgr.tar.gz cd perl-iptables-chainmgr makepkg -Acs sudo pacman -U perl-iptables-chainmgr-1.2-2-any.pkg.tar.xz cd .. tar xzvf psad.tar.gz cd psad makepkg -Acs sudo pacman -U --force psad-2.2.3-1-armv6h.pkg.tar.xz
Now if you are lucky, unlike me, this should be all you have to do. However, I ran into many additional problems which is what I will focus on in the next section.
As I mentioned earlier, I am not going to cover how to configure psad. There is, however, one configuration which I will mention because it's different from other systems. Namely, the location for syslog is in an usual location because of how systemd logs.
To fix this setting, list the contents of your
/var/log/journal/ directory. You should see a directory containing a bunch of letters and numbers and inside that directory should be a file called
system.journal. I found that this is the file which psad has to be pointed to.
Once you have identified this path, open
/etc/psad/psad.conf and point
IPT_SYSLOG_FILE to this file. In my case, this means:
If you want to try port scanning yourself or in general test your psad installation, be mindful that the raspberry pi has very limited computing resources so it might take awhile for your test to reflect in psad's status.
wget fails due to certificates
This one is easy, just replace the
cat link | xargs wget with
cat link | xargs wget --no-check-certificate.
makepkg fails and returns a build error
Try rebooting the raspberry pi. Sometimes not having enough memory can cause the build to fail.
psad is installed, but when I run
sudo psad -S I get the message
pid file [...]/psadwatchd.pid does not exist
If you're seeing this towards the top of the output for
sudo psad -S:
[-] psad: pid file /var/run/psad/psadwatchd.pid does not exist for psadwatchd on HOSTNAME
Then you probably have the same problem I had.
This was the most painful of the problems I ran into and this was the problem which was big enough to convince me to write this document. If I hadn't ran into this issue (and the systemd logging issue), I wouldn't have bothered writing any of this. The problem in my case was "psadwatchd" wasn't starting for some reason when "psad" started. To confirm this as the source of the problem, run:
ps -A | grep "psad"
If you only see one process called "psad" and no "psadwatchd", then you're having the same problem as me.
The solution I came up for this is very much a hack, but it works decently. Basically, I got around this by making a separate service for psadwatchd.
First, create a new file:
In this file, write:
[Unit] Description=Port scan attack detector daemon After=psad.service [Service] ExecStart=/usr/sbin/psadwatchd Type=oneshot RemainAfterExit=yes [Install] WantedBy=multi-user.target
Next, confirm that you wrote this service file correctly by starting it in systemctl:
sudo systemctl start psadwatchd
If all went as it should, you should be able to execute the following two commands:
ps -A | grep "psad" sudo psad -S
The first command should return both a
psad process and a
psadwatchd process. The second command should now show information on psadwatchd and no longer show an error about missing PID files.
Now that you've made a working psadwatchd service file, add this new service to systemd's startup list:
sudo systemctl enable psadwatchd
And that should be it (hopefully).