[Snort-users] Securing a Snort machine

Semerjian, Ohanes ohanes.semerjian at ...8907...
Thu Apr 17 07:26:23 EDT 2003


I run Snort sensors on Solaris boxes (on Solaris I use the "ifconfig" command
and enter the IP address as 0.0.0.0; I also use an rc script to make sure the
interface will be up when the box gets booted), so I don't know how it is done
on RH (not much help on that, sorry).
 
 
If you don't absolutely need to run Webmin then you are better off not running
it, because then you'll have ports open which could be used to compromise the
sensor. IDS sensors always perform a crucial task, and using them for multiple
purposes means more ports are required to be open, so keep the sensor build
very simple, with only the core applications/libs required for the sensor to
function.
 
If you want to run the ACID web interface then use another machine to run the
web server and the database on it.

Also you could harden the box further by:

1. Removing packages not required for the sensor to operate
2. Using TCP wrappers to accept ssh connections only from a fixed and known IP
(most likely the machine that you are using to access the box)
 

Best Regards 

Ohanes Semerjian 
Security Engineer, AsiaPac 
International Security Group  (Central Services) 
WorldCom International 

Ph:(02) 9434 5636 
Mob: 0410 657 249 

PGP Key 
75DF 2980 5663 2DC1 12CD  E43E 94D6 7A9A 222D 3449 
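
As an added example (not from the thread or from the Snort project), the shell helpers below cover the hardening steps listed above: bringing the sniffing interface up with no IP address (the Linux `ifconfig ... 0.0.0.0` form is assumed as the RedHat counterpart of the Solaris command), the TCP wrappers rules that admit ssh from one known host only, and a check that flags any listener other than ssh. The interface name, the admin IP and the netstat sample are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Interface name, admin IP and the
# netstat sample below are constructed; adjust for your own sensor.

# Bring a sniffing interface up without an IP address (assumed Linux
# counterpart of the Solaris "ifconfig ... 0.0.0.0" step; needs root and
# net-tools ifconfig). Promiscuous mode lets Snort see all traffic on
# the span port while the interface itself has nothing to connect to.
bring_up_ipless() {            # usage: bring_up_ipless eth1
    ifconfig "$1" 0.0.0.0 up promisc
}

# TCP wrappers rules: ssh only from one known management host, everything
# else denied. Assumes sshd is built with libwrap (as on RedHat). Write the
# output to /etc/hosts.allow and /etc/hosts.deny respectively.
tcpwrap_allow() {              # usage: tcpwrap_allow 10.0.0.5
    printf 'sshd: %s\n' "$1"
}
tcpwrap_deny() {
    printf 'ALL: ALL\n'
}

# Audit listeners: reads "netstat -tln"-style lines on stdin, prints every
# TCP listener whose local port is not 22 and returns 1 if any was found,
# so it can gate a deployment script (the "scan the box" step, done from
# the box itself rather than with a remote scan).
audit_listeners() {
    found=0
    while read -r proto recvq sendq laddr faddr state; do
        [ "$state" = "LISTEN" ] || continue
        port=${laddr##*:}          # works for 0.0.0.0:22 and :::22
        if [ "$port" != "22" ]; then
            echo "unexpected listener: $laddr"
            found=1
        fi
    done
    return $found
}

# Constructed sample (not a real box): sshd plus a leftover Webmin listener.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN'

printf '%s\n' "$SAMPLE" | audit_listeners || echo "close the extra ports before deploying"
```

On a live box feed `netstat -tln` into `audit_listeners` instead of the sample; a clean sensor produces no output and exit status 0.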

-----Original Message-----
From: Elvira_Byrnes at ...8560...
[mailto:Elvira_Byrnes at ...8560...]
Sent: Thursday, 17 April 2003 3:36 PM
To: Semerjian, Ohanes; Elvira_Byrnes at ...8560...;
snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Securing a Snort machine


Thanks a lot for your suggestions. What is the proper way to configure an
IP-less interface on RedHat? Is it safe to run Webmin on that box?
 
Thanks a lot.
 
Regards
 
Elvira

-----Original Message-----
From: Semerjian, Ohanes [mailto:ohanes.semerjian at ...8907...]
Sent: Thursday, 17 April 2003 3:06 PM
To: 'Elvira_Byrnes at ...8560...';
snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Securing a Snort machine


The best way is to:
 
1. Use IP-less interfaces (especially the one on the Internet) except the one
that you will use to connect to the box (which is best located internally).
2. Use ssh to connect to the box via the internal interface on the LAN.
3. Close all ports (by shutting down ports and stopping scripts that do not
need to run on the box) except for ssh.
4. Scan the box to find out if you have any ports open other than ssh.
 

Best Regards 

Ohanes Semerjian 
Security Engineer, AsiaPac 
International Security Group  (Central Services) 
WorldCom International 

Ph:(02) 9434 5636 
Mob: 0410 657 249 

PGP Key 
75DF 2980 5663 2DC1 12CD  E43E 94D6 7A9A 222D 3449 

-----Original Message-----
From: Elvira_Byrnes at ...8560...
[mailto:Elvira_Byrnes at ...8560...]
Sent: Thursday, 17 April 2003 2:08 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Securing a Snort machine


Hi Everybody
 
I have installed Snort and now want to make the machine secure. Snort will
be listening for border attacks (outside the network), on the DMZ, and inside
the LAN.
 
What is the best way of doing it on RedHat 8.0 and 9.0?
 
Thanks a lot.
 
Elvira
 



******************** Confidentiality Statement *************************** 


This message contains privileged and confidential information intended only
for the use of the addressee named above. If you are not the intended
recipient of this message, you must not disseminate, copy or take any action
in reliance on it. If you have received this message in error, please delete
it from your system and notify the sender immediately. Any views expressed
in this message are those of the individual sender, except where the sender
specifically states them to be the view of the company.


