[Snort-users] Snort on RH 9 question

Bennett Todd bet at ...6163...
Fri Jul 25 10:17:06 EDT 2003


2003-07-25T11:58:30 Richard Roy:
> I have a snort on RH9 [...] need to [...] secure the box.

Start with a design decision.

Is the box going to be remote managed, or is it going to be solely
accessible via the console? If it's going to be remote managed, it's
a good idea to have a separate NIC for attaching to the mgmt lan,
and let snort run on an unnumbered interface.

In this setup, snort's config doesn't necessarily need changing when
you relocate the box; snort's not interacting with the one network
port that has an IP addr assigned to it.

So on to securing Red Hat Linux.

Run "lsof -Pni" to list all the daemons that are currently running
listening on network interfaces. You want to turn them all off, with
the possible sole exception of sshd --- only leave that active if
you're going to keep it patched up to date. The one that ships w/
RH9 isn't the most current, but AFAIK they've back-ported all
critical security fixes. Alternatively you could use the very nice
rpmming of the very latest, available from openssh.com; it builds
great on RH9.

Back to the daemons, for all the rest of them, turn the daemon off.
With the exception of rpc.lockd and rpc.statd (which are a service
called "nfslock"), the rest of the daemons are named the same as the
service. So run a command, built with the list of network-listening
daemons from the lsof command, something like

	# Service names, not process names: on RH9 the portmapper's init
	# script (and thus its chkconfig name) is "portmap". Replace the
	# "..." with the rest of the listeners found by lsof.
	for service in sendmail xinetd portmap nfslock ...; do
		/sbin/service "$service" stop
		/sbin/chkconfig "$service" off
	done

There you go, all secured.

-Bennett
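An added example (not part of Bennett's post) that scripts the procedure above: parse "lsof -Pni" output for listening TCP and UDP sockets, map each daemon to its chkconfig service name (only rpc.lockd/rpc.statd -> nfslock, as the post notes; everything else is assumed to match its service), drop whatever is on a keep-list (sshd by default) and stop/disable the rest. The lsof output is a constructed sample; it defaults to a dry run so you can eyeball the list before touching anything. It assumes awk, sort and the RH9 /sbin/service and /sbin/chkconfig tools.

```shell
#!/bin/sh
# Added example, not from the original post. The sample lsof output and
# the daemon->service mapping are constructed assumptions for illustration.

# Constructed sample of "lsof -Pni" output. -P/-n suppress port and host
# name lookups; -i restricts the listing to Internet sockets.
SAMPLE_LSOF='COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
portmap    612  rpc    3u  IPv4   1234      0t0  UDP *:111
portmap    612  rpc    4u  IPv4   1235      0t0  TCP *:111 (LISTEN)
rpc.statd  640 root    4u  IPv4   1301      0t0  UDP *:1024
rpc.statd  640 root    6u  IPv4   1303      0t0  TCP *:1025 (LISTEN)
sshd       700 root    3u  IPv4   1400      0t0  TCP *:22 (LISTEN)
sshd       710 root    4u  IPv4   1401      0t0  TCP 192.0.2.10:22->192.0.2.5:51234 (ESTABLISHED)
sendmail   812 root    4u  IPv4   1500      0t0  TCP 127.0.0.1:25 (LISTEN)
xinetd     820 root    5u  IPv4   1600      0t0  TCP *:23 (LISTEN)'

# Print the COMMAND name of every process with a TCP socket in LISTEN
# state or any UDP socket. Established TCP connections are ignored: they
# are outbound/accepted sessions, not exposed services.
listening_daemons() {
    awk '$NF == "(LISTEN)" || / UDP / { print $1 }' | sort -u
}

# Map a daemon name to the chkconfig service that starts it. Per the post,
# rpc.lockd and rpc.statd belong to "nfslock"; every other daemon is
# assumed to carry the same name as its service (an assumption).
daemon_to_service() {
    case "$1" in
        rpc.lockd|rpc.statd) echo nfslock ;;
        *) echo "$1" ;;
    esac
}

# Read lsof output on stdin and print the services to disable, one per
# line, skipping the space-separated keep-list in $1 (default: sshd,
# which only earns its place if you keep it patched).
services_to_disable() {
    keep=" ${1:-sshd} "
    listening_daemons | while read -r daemon; do
        svc=$(daemon_to_service "$daemon")
        case "$keep" in
            *" $svc "*) ;;          # on the keep-list, leave it running
            *) echo "$svc" ;;
        esac
    done | sort -u
}

# Stop and disable each service named on stdin. Prints the commands
# instead of running them unless DRYRUN=0, so a typo in the keep-list
# cannot take down the management sshd by accident.
disable_services() {
    while read -r svc; do
        if [ "${DRYRUN:-1}" = 0 ]; then
            /sbin/service "$svc" stop
            /sbin/chkconfig "$svc" off
        else
            echo "would run: /sbin/service $svc stop && /sbin/chkconfig $svc off"
        fi
    done
}

# Dry run over the constructed sample; no real services are touched.
printf '%s\n' "$SAMPLE_LSOF" | services_to_disable | disable_services
```

On the sensor itself, as root, once the dry-run list looks right: export DRYRUN=0; lsof -Pni | services_to_disable | disable_services. Re-run "lsof -Pni" afterwards and confirm that sshd on the management interface is the only thing left listening.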