It might be worth mentioning this in the guide that the default configuration will spam you with a lot of e-mails. Almost immediately after running the Ansible playbook, I got SMTP-blocked by my provider, because it sent like 50 e-mails about an ongoing port-scan that was happening on the Vultr instance I was testing out this guide on.
For me, I opted to tweak the e-mail and block thresholds; but I'm not sure what the best general solution is:
```yaml
- name: Tweak psad config to be less e-mail noisy
  become: true
  ansible.builtin.lineinfile:
    dest: /etc/psad/psad.conf          # lineinfile replaces the last line matching regexp, or appends
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
  loop:
    # Give back to the community
    - { regexp: '^ENABLE_DSHIELD_ALERTS', line: 'ENABLE_DSHIELD_ALERTS Y;' }
    # Don't e-mail for trivial alerts (danger levels 1 and 2 are logged but not mailed)
    - { regexp: '^EMAIL_ALERT_DANGER_LEVEL', line: 'EMAIL_ALERT_DANGER_LEVEL 3;' }
    # And use an increasing scale of auto-blocks for more severe alerts (seconds)
    - { regexp: '^AUTO_BLOCK_DL4_TIMEOUT', line: 'AUTO_BLOCK_DL4_TIMEOUT 86400;' }   # 24 h
    - { regexp: '^AUTO_BLOCK_DL3_TIMEOUT', line: 'AUTO_BLOCK_DL3_TIMEOUT 21600;' }   # 6 h
    - { regexp: '^AUTO_BLOCK_DL2_TIMEOUT', line: 'AUTO_BLOCK_DL2_TIMEOUT 300;' }     # 5 min
  notify: "firewall : restart psad service"
```
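Added example, not code from the guide, the issue author or psad: a small Python script that parses a constructed psad.conf excerpt, applies the loop above the way `ansible.builtin.lineinfile` does (replace the last line matching the regexp, otherwise append), and then audits the settings that drive e-mail volume. It also checks psad's `EMAIL_LIMIT` (per-source e-mail cap, where 0 means unlimited), which the task above leaves untouched; the minimum danger level of 3 and the cap of 50 e-mails per source are this example's assumptions, not psad defaults or recommendations.

```python
"""Audit the psad.conf settings that control how many e-mails psad sends.

Added example; not part of the guide or of psad. The sample config is
constructed, and the "quiet" thresholds are assumptions for this script.
"""
import re

# Constructed excerpt modelled on the stock "KEY   value;" layout of psad.conf.
# Values are chosen to look like a noisy default, not copied from a real host.
SAMPLE_PSAD_CONF = """\
### constructed psad.conf excerpt (not a real host's file)
EMAIL_ADDRESSES             root@localhost;
# mail on every alert, however trivial
EMAIL_ALERT_DANGER_LEVEL    1;
# 0 = no per-source cap on e-mails
EMAIL_LIMIT                 0;
ENABLE_DSHIELD_ALERTS       N;
ENABLE_AUTO_IDS             Y;
AUTO_BLOCK_DL2_TIMEOUT      3600;
AUTO_BLOCK_DL3_TIMEOUT      3600;
AUTO_BLOCK_DL4_TIMEOUT      3600;
"""

# The issue's lineinfile loop, as (regexp, replacement line) pairs.
ISSUE_TWEAKS = [
    (r'^ENABLE_DSHIELD_ALERTS', 'ENABLE_DSHIELD_ALERTS Y;'),
    (r'^EMAIL_ALERT_DANGER_LEVEL', 'EMAIL_ALERT_DANGER_LEVEL 3;'),
    (r'^AUTO_BLOCK_DL4_TIMEOUT', 'AUTO_BLOCK_DL4_TIMEOUT 86400;'),
    (r'^AUTO_BLOCK_DL3_TIMEOUT', 'AUTO_BLOCK_DL3_TIMEOUT 21600;'),
    (r'^AUTO_BLOCK_DL2_TIMEOUT', 'AUTO_BLOCK_DL2_TIMEOUT 300;'),
]

# "KEY   value;" with an optional trailing "# comment".
_KV_RE = re.compile(r'^([A-Z][A-Z0-9_]*)\s+(.*?)\s*;(?:\s*#.*)?$')


def parse_psad_conf(text):
    """Return {KEY: value} for every 'KEY value;' line; blanks and comments skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _KV_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def apply_lineinfile(text, tweaks):
    """Mimic ansible.builtin.lineinfile with regexp + line: replace the last line
    matching the regexp, or append the line when nothing matches."""
    lines = text.splitlines()
    for regexp, new_line in tweaks:
        pat = re.compile(regexp)
        hits = [i for i, l in enumerate(lines) if pat.search(l)]
        if hits:
            lines[hits[-1]] = new_line
        else:
            lines.append(new_line)
    return '\n'.join(lines) + '\n'


def audit_email_noise(conf, min_danger_level=3, max_emails_per_source=50):
    """Return (setting, current, wanted) for each setting still likely to flood
    the mailbox. Thresholds are this example's assumptions, not psad defaults."""
    findings = []
    dl = int(conf.get('EMAIL_ALERT_DANGER_LEVEL', 1))
    if dl < min_danger_level:
        findings.append(('EMAIL_ALERT_DANGER_LEVEL', dl, min_danger_level))
    # EMAIL_LIMIT 0 means unlimited; a large cap still lets one scanner flood you.
    limit = int(conf.get('EMAIL_LIMIT', 0))
    if limit == 0 or limit > max_emails_per_source:
        findings.append(('EMAIL_LIMIT', limit, max_emails_per_source))
    # Block durations should grow with danger level, or the escalation is pointless.
    timeouts = [int(conf.get(f'AUTO_BLOCK_DL{n}_TIMEOUT', 0)) for n in (2, 3, 4)]
    if timeouts != sorted(timeouts):
        findings.append(('AUTO_BLOCK_DL2..DL4_TIMEOUT', tuple(timeouts), 'non-decreasing'))
    return findings


if __name__ == '__main__':
    before = audit_email_noise(parse_psad_conf(SAMPLE_PSAD_CONF))
    tuned = apply_lineinfile(SAMPLE_PSAD_CONF, ISSUE_TWEAKS)
    after = audit_email_noise(parse_psad_conf(tuned))
    print('before:', before)
    print('after :', after)
```

Run against the sample, the audit flags the danger level and the unlimited `EMAIL_LIMIT` before the tweaks; after them only `EMAIL_LIMIT` remains, which is the gap the task above does not close: a single scanning source can still generate one e-mail per alert above the danger threshold until psad caps it.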