[Snort-users] System hardening

James R. Hendrick hendrick at ...1997...
Wed Sep 3 11:47:07 EDT 2003


Have to jump in here..

Stop-A or EEPROM passwords are important only to guard against people with physical access.

If your system is in a restricted access area, they might not help much.

I would suggest following the advice of "Google for it" and find several references on hardening UNIX in general and Solaris in particular. 

The system needs to be looked at in terms of required services vs. risk. 

Think about what needs to be running on the system:
- snort and its related programs
- a way to access the system (local terminal)
- a way to access the system remotely ?
- time service (so that the timestamps in the sensor logs actually mean something)

Other than that, you should look at disabling as much as possible. The inetd is a good place to start. The startup scripts are another good place to look.

Learn to check the output from "netstat" to see what network services your computer is providing.
Look at the output from "ps" to see what programs are running.

Think small. If you don't know what it is, find out. If you don't need it, find out how to disable it.

Please take a bit of time and research this before you start implementing. 

Make backups or be prepared to re-install from media (not a bad thing to do anyway). You can often get a more secure system by installing a minimal set of packages. You may need to do this a few times to get to the "right" set. For example, you may not need any development tools if you can build software on another compatible system. If a system does not have libraries or compilers, it is less useful for many attackers. If you don't need a graphical environment, even better. X-windows and display managers are often too eager to allow remote connections. If you can do without them for your snort box, great.


Good luck.

Jim



> -----Original Message-----
> From: Slighter, Tim [mailto:tslighter at ...5174...]
> Sent: Wednesday, September 03, 2003 11:18 AM
> To: 'John Creegan'; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] System hardening
> 
> 
> There are many hardening techniques that can be implemented aside from Yassp.  This of course all depends upon one's definition of a secure system as well as any mandated security requirements or criteria as specified by a security policy or practice within their organization.  If you are attempting this more along the lines of ad hoc, then just run a Google search on how to secure a Solaris system.  Primarily the first items that should be done are to disable the STOP-A capability.  Locate the /etc/default/kbd file and make sure that the KEYBOARD_ABORT is set to disable.  Then set yourself up with EEPROM security and password to prevent unauthorized booting or EEPROM changes to the system.  Do this as follows from a C shell:
> 
> setenv security-mode full
> setenv security-password *******
> 
> Make sure that you never forget this EEPROM password or you will have to call SUN to have them come out and replace the EEPROM.
> 
> My next recommendations would be to eliminate any unnecessary packages such as TFTP, FTP, etc. using "pkgrm" and then move on to the services in /etc/rc2.d and /etc/rc3.d, especially NFS.  Assuming that no remote connection access will be required to this system, use an empty /etc/inetd.conf file, chmod 400 this file, and kill -HUP inetd.  Check your /etc/default/login file and disallow root console login by changing the line CONSOLE=/dev/console to CONSOLE= whereby only normal users can log onto the system and either must SU or issue commands via SUDO (providing that package has been installed and configured).  Essentially, your netstat -a should yield no listening ports.  That would be a decent starting point but there are many more security steps that can be implemented.
> 
> -----Original Message-----
> From: John Creegan [mailto:jcreegan at ...9729...]
> Sent: Wednesday, September 03, 2003 8:28 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] System hardening
> 
> 
> I've got the basic snort and reporting systems up and running (snort, ACID, MySQL) and I'm ready to turn my attention to protecting/hardening my system (Solaris 8 on SPARC) before I do any more with snort (barnyard, oinkmaster, etc.)
> 
> I'm looking at a tool (yassp) for going beyond the system hardening described in the docs.  I can't find any mention of it (so far) in the archives, FAQ or the recommended three books.  Yassp seems a bit old.  It may work well for Solaris 8, but it appears there's been no recent support for it.
> 
> Does anyone think it's worth hardening a system so much?  I've already got tripwire running but that, to me, is a reactive approach.  I'd rather prevent someone from changing my system files than to know they already did it.
> 
> I'm aware that unless I proceed carefully I can make the system useless for its intended purpose, running snort.
> 
> 
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 