psad is an iptables log analysis and intrusion detection (IDS) tool. This guide shows how to install it and do a basic configuration on a CentOS 6 box.
Install psad from the EPEL repo (Extra Packages for Enterprise Linux, provided by the Fedora project).
Add the EPEL repo and install the package:
yum install epel-release
yum install psad
Change some settings in psad.conf:
nano -w /etc/psad/psad.conf
Optional setting. This sets psad to auto enforce (I personally never use it in this mode so have no experience with any false positives, but use at your own risk!). The official documentation for auto IDS is here: http://cipherdyne.org/psad/docs/config.html#ENABLE_AUTO_IDS
### If "Y", enable automated IDS response (auto manages
### firewall rulesets).
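For reference, the keys in psad.conf that govern the auto-response mode, shown together. This fragment is added here and is not from the original guide; the key names come from the psad configuration documentation linked above, and the values are illustrative, not a recommendation:

```conf
### If "Y", enable automated IDS response (auto manages
### firewall rulesets).
ENABLE_AUTO_IDS             Y;

### Only sources whose danger level reaches this value get blocked
### (illustrative value).
AUTO_IDS_DANGER_LEVEL       5;

### Seconds a block stays in place before psad removes it
### (illustrative value).
AUTO_BLOCK_TIMEOUT          3600;
```

Raising the danger level and keeping the timeout finite limits how much damage a false positive can do when a block is applied automatically.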
Add the logging rules to iptables:
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
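psad works by reading the lines that these LOG rules write to /var/log/messages and counting, per source address, how many distinct destination ports were hit. Because iptables evaluates rules in order, the LOG rule only sees packets that reach it, so it has to sit before any final REJECT or DROP rule in the chain. The script below is an added example, not part of the original guide or of psad itself: a toy version of that port-scan detection run over constructed sample LOG lines, using the default syslog layout on CentOS 6 (an assumption) and a hypothetical `port_scan_sources` helper.

```shell
#!/bin/sh
# Added example (not part of the original guide): a toy version of the
# per-source distinct-port counting psad performs over iptables LOG lines.

# Constructed sample log lines in the layout the iptables LOG target emits
# (assumption: default rsyslog formatting on CentOS 6). 203.0.113.5 probes
# six distinct TCP ports (port 22 twice), 198.51.100.7 only retries SSH,
# and one ICMP line carries no DPT field at all.
SAMPLE_LOG='Jan 10 12:00:01 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=40000 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:01 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=2 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:01 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=3 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:02 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=4 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:02 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=5 PROTO=TCP SPT=40000 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:02 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=6 PROTO=TCP SPT=40000 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:03 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=7 PROTO=TCP SPT=40000 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:05 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=8 PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 12:00:06 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=9 PROTO=TCP SPT=51001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 12:00:07 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=10 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1'

# port_scan_sources THRESHOLD
# Reads LOG lines on stdin and prints "SRC N" (sorted) for every source that
# hit at least THRESHOLD distinct TCP/UDP destination ports.
port_scan_sources() {
    awk -v thr="$1" '
        /kernel:/ && /PROTO=(TCP|UDP)/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # Count each (source, port) pair once, however often it repeats.
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= thr) print s, ports[s] }
    ' | sort
}

# Stand-alone run: report sources that touched five or more ports.
printf '%s\n' "$SAMPLE_LOG" | port_scan_sources 5
```

Run against the sample data it reports only 203.0.113.5 with six ports; the repeated SSH attempts from 198.51.100.7 stay below the threshold because repeats of the same port are counted once, which is why a brute-force attempt and a port sweep need different signatures.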
Now restart psad, update the signature file and load in the new signatures (the command below is shown prettified because the blog otherwise obfuscates the double dash, --).
Add a cron job to update the signatures.
And add the following line:
0 0 * * 7 /usr/sbin/psad --sig-update && /usr/sbin/psad -H
The official documentation for psad can be found here: http://cipherdyne.org/psad/docs/