I'm a firm believer in hosting my own email and other services, and after running some updates to deal with Shellshock I realized it was time to replace my provisioning scripts and bring my personal systems under proper configuration management. It was while doing this that I found out there isn't a PSAD module for Puppet! This is something I just couldn't allow, so I've spent some time over the last few days fixing that problem.
PSAD is one of my favorite security tools for services. It works with the existing firewall to detect port scans and actively block them. It can persist data, meaning it can catch scans that occur over long periods of time, and it has a variety of configuration options to suit all needs. Further, because it uses the firewall logs themselves, you can add and remove firewall rules without needing to change any of the PSAD configuration: whitelisting an IP address is a simple matter of adding that change to your firewall.
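The point about persisted data catching slow scans, shown as an added sketch that is not from the original post and is not PSAD's own code: it counts distinct destination ports per source over constructed iptables-style log lines, with and without a forgetting window. The threshold, window, log lines and function names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified iptables LOG format (assumed ISO timestamps).
# 203.0.113.7 probes one new port per hour (slow scan); 198.51.100.9 only retries 443.
SAMPLE_LOG = "\n".join(
    [f"2014-10-01T{h:02d}:00:00 host kernel: IN=eth0 OUT= SRC=203.0.113.7 "
     f"DST=192.0.2.10 PROTO=TCP SPT=40000 DPT={20 + h} SYN" for h in range(8)]
    + [f"2014-10-01T00:0{m}:00 host kernel: IN=eth0 OUT= SRC=198.51.100.9 "
       f"DST=192.0.2.10 PROTO=TCP SPT=5{m}000 DPT=443 SYN" for m in range(8)]
)

LINE_RE = re.compile(r"^(\S+) .*?\bSRC=(\S+) .*?\bDPT=(\d+)")

def parse(log):
    """Yield (timestamp, source IP, destination port) for each logged packet."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))

def scanners(log, threshold=5, window_hours=None):
    """Return the sources that touched at least `threshold` distinct ports.

    window_hours=None keeps per-source state forever (persisted data);
    a number makes the detector forget ports last seen longer ago than that.
    """
    window = None if window_hours is None else timedelta(hours=window_hours)
    seen = defaultdict(dict)  # source IP -> {port: time last seen}
    flagged = set()
    for ts, src, port in sorted(parse(log)):
        ports = seen[src]
        ports[port] = ts
        if window is not None:
            # Drop ports that fell out of the window before counting.
            for stale in [p for p, t in ports.items() if ts - t > window]:
                del ports[stale]
        if len(ports) >= threshold:
            flagged.add(src)
    return flagged
```

With no window the hourly prober is flagged once it has touched five ports; with a two-hour window it never holds more than three at a time and goes unnoticed, while the host that keeps retrying port 443 is not flagged in either mode.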
The PSAD module handles everything you need to get PSAD up and running.
- It can be used to control the entire configuration of PSAD.
- It adds the firewall logging rules that are needed.
- It adds a cronjob to keep PSAD's signatures up to date.
- Of course, it also installs PSAD and keeps the service running.