[Snort-users] Remote location

shawn . moyer shawn at ...1184...
Tue May 15 13:46:49 EDT 2001


Dan Fiorito wrote:

> I have a remote location that has for some reason gained the attention
> of some undesirable entity via the Net. Does anyone have a suggestion on
> how to securely manage Snort/Acid remotely?

Need more details... Are ACID and the DB on the same box as Snort? Is it
possible to firewall off access to all three? 

The short answer is ssh and stunnel (http://www.openssh.com and
http://www.stunnel.org, respectively), plus some firewalling, either via
an actual separate firewall box or ipchains / iptables, or (my fave)
ipfilter. 

Also, any NIDS box should contain as bare an install of whatever OS as
possible, with additional host security measures like
AIDE/Osiris/Tripwire and Swatch / Logcheck, and all of the latest
patches, plus minimal network services.

Like I said, we need more details: 

What OS?
Where's Snort? 
Where's ACID?
Where's the DB?
What's the network look like?
How are you currently accessing the box?
What protections are currently in place?
What leads you to conclude someone is targeting the box and/or you? Did
you piss somebody off on EffNet? :)





--shawn

-- 

s h a w n   m o y e r
shawn at ...1184...

"May the forces of evil become 
confused on the way to your house."

                    --George Carlin
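
One way to apply the ssh-plus-firewalling advice in the reply above, as an added example that is not part of the original message. It assumes a Linux sensor using iptables, an ACID web server bound to 127.0.0.1:80, and a constructed management address; the function names and `admin@sensor.example` are hypothetical.

```shell
#!/bin/sh
# Added example: default-deny inbound policy for a NIDS box that admits
# SSH from one management host only. ACID is reached through an SSH port
# forward instead of an exposed web port.

valid_ipv4() {
    # Accept only four dot-separated decimal octets in the range 0-255.
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|"") return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

nids_ruleset() {
    # $1 = management host IP. Emits iptables-restore input on stdout.
    # Snort still sees traffic: libpcap captures before the INPUT chain.
    mgmt_ip=$1
    valid_ipv4 "$mgmt_ip" || { echo "invalid management IP: $mgmt_ip" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $mgmt_ip/32 -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

acid_tunnel_cmd() {
    # $1 = user@sensor. Prints the client-side command; ACID is then
    # browsed at http://127.0.0.1:8080/ on the management workstation.
    printf 'ssh -N -L 8080:127.0.0.1:80 %s\n' "$1"
}

nids_ruleset 192.0.2.10          # constructed address (TEST-NET-1)
acid_tunnel_cmd admin@sensor.example
```

Review the generated ruleset before loading it with `iptables-restore`, and keep a console session open while testing so a wrong management address does not lock you out.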



