[Snort-users] Snort on RH 9 question
bet at ...6163...
Fri Jul 25 10:17:06 EDT 2003
2003-07-25T11:58:30 Richard Roy:
> I have a snort on RH9 [...] need to [...] secure the box.
Start with a design decision.
Is the box going to be remote managed, or is it going to be solely
accessible via the console? If it's going to be remote managed, it's
a good idea to have a separate NIC for attaching to the mgmt lan,
and let snort run on an unnumbered interface.
In this setup, snort's config doesn't necessarily need changing when
you relocate the box; snort's not interacting with the one network
port that has an IP addr assigned to it.
So on to securing Red Hat Linux.
Run "lsof -Pni" to list all the daemons that are currently running and
listening on network interfaces. You want to turn them all off, with
the possible sole exception of sshd --- only leave that active if
you're going to keep it patched up to date. The one that ships w/
RH9 isn't the most current, but AFAIK they've back-ported all
critical security fixes. Alternatively you could use the very nice
rpmming of the very latest, available from openssh.com; it builds
great on RH9.
Back to the daemons, for all the rest of them, turn the daemon off.
With the exception of rpc.lockd and rpc.statd (which are a service
called "nfslock"), the rest of the daemons are named the same as the
service. So run a command, built with the list of network-listening
daemons from the lsof command, something like
    # stop each service now and keep it from starting at boot
    for service in sendmail xinetd portmapper nfslock ...; do
        /sbin/service "$service" stop
        /sbin/chkconfig "$service" off
    done
There you go, all secured.
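The procedure in the message above, as an added example that is not part of the original post: it parses `lsof -Pni` output, keeps only sockets that accept traffic, maps rpc.statd/rpc.lockd to nfslock, and prints the stop/disable commands for review. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive the stop/disable list from `lsof -Pni` output.
# Real use (as root):  lsof -Pni | plan sshd
# Constructed sample output, not captured from a real host.
sample_lsof() {
cat <<'EOF'
COMMAND    PID USER    FD  TYPE DEVICE NODE NAME
portmap    612 rpc     3u  IPv4   1042 UDP  *:111
portmap    612 rpc     4u  IPv4   1045 TCP  *:111 (LISTEN)
rpc.statd  631 rpcuser 4u  IPv4   1101 UDP  *:32768
rpc.statd  631 rpcuser 6u  IPv4   1104 TCP  *:32768 (LISTEN)
sshd       745 root    3u  IPv4   1300 TCP  *:22 (LISTEN)
sshd      1892 root    4u  IPv4   5120 TCP  192.0.2.10:22->192.0.2.50:40112 (ESTABLISHED)
ssh       2001 admin   3u  IPv4   6001 TCP  192.0.2.10:40200->192.0.2.77:22 (ESTABLISHED)
xinetd     760 root    5u  IPv4   1330 TCP  *:113 (LISTEN)
sendmail   790 root    4u  IPv4   1402 TCP  127.0.0.1:25 (LISTEN)
EOF
}

# Commands owning a TCP listener or an unconnected UDP socket.
listening_daemons() {
    awk 'NR > 1 {
        hit = ($NF == "(LISTEN)")
        for (i = 1; i <= NF; i++)
            if ($i == "UDP" && $NF !~ /->/) hit = 1
        if (hit) print $1
    }' | sort -u
}

# $1: space-separated services to leave running (e.g. "sshd").
services_to_disable() {
    keep=" $1 "
    listening_daemons | while read -r d; do
        # rpc.statd and rpc.lockd belong to the "nfslock" service
        case "$d" in rpc.statd|rpc.lockd) d=nfslock ;; esac
        case "$keep" in *" $d "*) continue ;; esac
        echo "$d"
    done | sort -u
}

# Print the commands for review instead of running them.
plan() {
    services_to_disable "$1" | while read -r s; do
        echo "/sbin/service $s stop"
        echo "/sbin/chkconfig $s off"
    done
}

sample_lsof | plan sshd
```

lsof truncates the COMMAND column to nine characters by default, so check each printed name against `chkconfig --list` before running the commands.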