I installed PSAD, but it gave an error and didn't run. I had to do several things to get it working. Those should be done by the ebuild or at least shown after emerge IMHO. 1) PSAD installs Mailx, but let's it misconfigured. You must edit /etc/ssmtp/ssmtp.conf and put a correct HOSTNAME or mailx won't be able to send a mail with a domain name without a dot. 2) Googling I found in Sourceforge the config changes to make PSAD and Shorewall to work (don't know if not using Shorewall, this is evitable: "Howto use psad (1.2.1) and shorewall (1.4.5) changes: file: /etc/shorewall/shorewall.conf ------------------------------------------- LOGFORMAT="DROP " ------------------------------------------- file: /etc/psad/psad.conf ------------------------------------------- FW_MSG_SEARCH DROP; ------------------------------------------- file: /etc/init.d/psad ------------------------------------------- /usr/sbin/psad --no-fwcheck ###(--no-fwcheck: Disable firewall rules verification) ------------------------------------------- restart services #/etc/init.d/shorewall restart #/etc/init.d/psad restart" This is the page: http://sourceforge.net/mailarchive/forum.php?forum_id=12850&max_rows=25&style=nested&viewmonth=200307 In conclusion: 1) Is always needed and 2) perhaps is only needed when using Shorewall.
psad installs upstream starter configs. It's seperate from shorewall so I won't make the ebuild worry about shorewall at all. That's a program-to-program interaction. The shorewall config changes are listed in the psad README, which is installed to /usr/share/doc/psad-${PV}. They are readily available on a live system. As for the mailx thing, that's a limitation of ssmtp, not mailx or psad. ssmtp is a simple smtp relay layer, which sends mail through a predetermined external smtp server. It's intended to provide mail transfer facilities to systems with no mail transfer agent. That means you need to tell it your own external relay server, which can't be assigned a default.
Sounds reasonable. Thanks a lot.
