[Snort-users] System hardening

twig les twigles at ...131...
Wed Sep 3 12:26:24 EDT 2003


Have you checked out the Solaris hardening guide from SANS?
https://store.sans.org//store_category.php?category=consguides

I have it and it helps me out.  I know BSD pretty well but I am
a royal moron when it comes to Solaris.  Doesn't cover Solaris 9
though.

--- "James R. Hendrick" <hendrick at ...1997...> wrote:
> Have to jump in here..
> 
> Stop-A or EEPROM passwords are important only to guard against
> people with physical access.
> 
> If your system is in a restricted access area, they might not
> help much.
> 
> I would suggest following the advice of "Google for it" and
> find several references on hardening UNIX in general and
> Solaris in particular. 
> 
> The system needs to be looked at in terms of required services
> vs. risk. 
> 
> Think about what needs to be running on the system:
> - snort and its related programs
> - a way to access the system (local terminal)
> - a way to access the system remotely ?
> - time service (so that the timestamps in the sensor logs
> actually mean something)
> 
> Other than that, you should look at disabling as much as
> possible. The inetd is a good place to start. The startup
> scripts are another good place to look.
> 
> Learn to check the output from "netstat" to see what network
> services your computer is providing.
> Look at the output from "ps" to see what programs are running.
> 
> Think small. If you don't know what it is, find out. If you
> don't need it, find out how to disable it.
> 
> Please take a bit of time and research this before you start
> implementing. 
> 
> Make backups or be prepared to re-install from media. (not a
> bad thing to do anyway. You can often get a more secure system
> by installing a minimal set of packages. You may need to do
> this a few times to get to the "right" set. For example, you
> may not need any development tools if you can build software
> on another compatible system. If a system does not have
> libraries or compilers, it is less useful for many attackers.
> If you don't need a graphical environment, even better.
> X-windows and display managers are often too eager to allow
> remote connections. If you can do without them for your snort
> box, great.
> 
> 
> Good luck.
> 
> Jim
> 
> 
> 
> > -----Original Message-----
> > From: Slighter, Tim [mailto:tslighter at ...5174...]
> > Sent: Wednesday, September 03, 2003 11:18 AM
> > To: 'John Creegan'; snort-users at lists.sourceforge.net
> > Subject: RE: [Snort-users] System hardening
> > 
> > 
> > There are many hardening techniques that can be implemented aside
> > from Yassp.  This of course all depends upon one's definition of a
> > secure system as well as any mandated security requirements or
> > criteria as specified by a security policy or practice within their
> > organization.  If you are attempting this more along the lines of
> > ad hoc, then just run a google search on how to secure a Solaris
> > system.  Primarily the first items that should be done are to
> > disable the STOP-A capability.  Locate the /etc/default/kbd file and
> > make sure that the KEYBOARD_ABORT is set to disable.  Then set
> > yourself up with EEPROM security and password to prevent
> > unauthorized booting or EEPROM changes to the system.  Do this as
> > follows from a C shell:
> > 
> > setenv security-mode full
> > setenv security-password *******
> > 
> > Make sure that you never forget this EEPROM password or you will
> > have to call SUN to have them come out and replace the EEPROM.
> > 
> > My next recommendations would be to eliminate any unnecessary
> > packages such as TFTP, FTP, etc. using "pkgrm" and then onto the
> > services in /etc/rc2.d and /etc/rc3.d...especially NFS.  Assuming
> > that no remote connection access will be required to this system,
> > use an empty /etc/inetd.conf file and chmod 400 this file and
> > kill -HUP inetd.  Check your /etc/default/login file and disallow
> > root console login by changing the line CONSOLE=/dev/console to
> > CONSOLE= whereby only normal users can log onto the system and
> > either must SU or issue commands via SUDO (providing that package
> > has been installed and configured).  Essentially, your netstat -a
> > should yield no listening ports.  That would be a decent starting
> > point but there are many more security steps that can be
> > implemented.
> > 
> > -----Original Message-----
> > From: John Creegan [mailto:jcreegan at ...9729...]
> > Sent: Wednesday, September 03, 2003 8:28 AM
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] System hardening
> > 
> > 
> > I've got the basic snort and reporting systems up and running (snort,
> > ACID, MySQL) and I'm ready to turn my attention to
> > protecting/hardening my system (Solaris 8 on SPARC) before I do any
> > more with snort (barnyard, oinkmaster, etc.)
> > 
> > I'm looking at a tool (yassp) for going beyond the system hardening
> > described in the docs.  I can't find any mention of it (so far) in
> > the archives, FAQ or the recommended three books.  Yassp seems a bit
> > old.  It may work well for Solaris 8, but it appears there's been no
> > recent support for it.
> > 
> > Does anyone think it's worth hardening a system so much?  I've
> > already got tripwire running but that, to me, is a reactive approach.
> > I'd rather prevent someone from changing my system files than to know
> > they already did it.
> > 
> > I'm aware that unless I proceed carefully I can make the system
> > useless for its intended purpose, running snort.
> > 
> > 
> > -------------------------------------------------------
> > This sf.net email is sponsored by:ThinkGeek
> > Welcome to geek heaven.
> > http://thinkgeek.com/sf
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > 
> > 
> 
=== message truncated ===


=====
-----------------------------------------------------------
Emo is what happens when the glee club goes punk.       
-----------------------------------------------------------
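The settings the posters above describe (KEYBOARD_ABORT=disable in /etc/default/kbd, an empty CONSOLE= line in /etc/default/login, an emptied mode-400 /etc/inetd.conf, and a netstat listing with no LISTEN entries) can be turned into a read-only audit so the "did I actually get it all" question has an answer. The script below is an added example, not code from this thread or from any of its authors. It assumes an alternate root directory as its first argument (so it can be exercised against constructed sample files) and a saved "netstat -an" listing as an optional second argument; the sample configuration contents at the bottom are constructed.

```shell
#!/bin/sh
# Added example: read-only audit of the Solaris hardening settings discussed
# in the thread. Usage: sh audit.sh [ROOT] [NETSTAT_LISTING]
#   ROOT             alternate root ("/" on a live host; default /)
#   NETSTAT_LISTING  file holding saved "netstat -an" output
#                    (default ROOT/netstat.txt). Nothing is modified.

# Print the non-comment, non-blank lines of a config file (empty if missing).
active_lines() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep '[^[:space:]]' || true
}

# 0 if /etc/default/kbd disables the Stop-A break sequence.
keyboard_abort_disabled() {
    active_lines "$1/etc/default/kbd" |
        grep -q '^[[:space:]]*KEYBOARD_ABORT=disable[[:space:]]*$'
}

# 0 if /etc/default/login carries CONSOLE= with an empty value, so root
# cannot log in directly and must come in as a normal user and su/sudo.
root_console_login_blocked() {
    active_lines "$1/etc/default/login" |
        grep -q '^[[:space:]]*CONSOLE=[[:space:]]*$'
}

# Number of service entries still enabled in /etc/inetd.conf (goal: 0).
inetd_service_count() {
    active_lines "$1/etc/inetd.conf" | wc -l | tr -d ' '
}

# 0 if /etc/inetd.conf is mode 400 (owner read-only), as recommended above.
inetd_conf_mode_ok() {
    mode=$(ls -l "$1/etc/inetd.conf" 2>/dev/null | cut -c1-10)
    [ "$mode" = "-r--------" ]
}

# Number of LISTEN sockets in a saved "netstat -an" listing (goal: 0).
listening_socket_count() {
    grep -c 'LISTEN[[:space:]]*$' "$1" || true
}

# Record one finding; audit_root counts them in the global "findings".
fail() {
    echo "FAIL: $1"
    findings=$((findings + 1))
}

# Run every check against ROOT and return the number of findings.
audit_root() {
    root="${1:-/}"
    listing="${2:-$root/netstat.txt}"
    findings=0
    keyboard_abort_disabled "$root" ||
        fail "KEYBOARD_ABORT is not 'disable' in /etc/default/kbd (Stop-A still works)"
    root_console_login_blocked "$root" ||
        fail "CONSOLE= in /etc/default/login is not empty (root can log in directly)"
    n=$(inetd_service_count "$root")
    [ "$n" -eq 0 ] || fail "$n service(s) still enabled in /etc/inetd.conf"
    inetd_conf_mode_ok "$root" || fail "/etc/inetd.conf is not mode 400"
    if [ -r "$listing" ]; then
        l=$(listening_socket_count "$listing")
        [ "$l" -eq 0 ] || fail "$l listening socket(s) in $listing"
    else
        fail "no saved netstat -an listing at $listing"
    fi
    echo "$findings finding(s) under $root"
    return "$findings"
}

# Constructed sample: a freshly installed sensor nobody has hardened yet.
demo=$(mktemp -d)
mkdir -p "$demo/etc/default"
printf 'KEYBOARD_ABORT=enable\n' > "$demo/etc/default/kbd"
printf 'CONSOLE=/dev/console\n' > "$demo/etc/default/login"
printf '# inetd.conf\nftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd\n' \
    > "$demo/etc/inetd.conf"
chmod 644 "$demo/etc/inetd.conf"
printf '      *.21   *.*   0  0 49152  0 LISTEN\n' > "$demo/netstat.txt"
audit_root "$demo" || true    # the constructed sample yields five findings
rm -rf "$demo"
```

On a live sensor, save the listing first (for example "netstat -an > /tmp/netstat.txt") and run "sh audit.sh / /tmp/netstat.txt"; a non-zero exit status is the count of remaining findings, so the script can gate a build step. The checks only read files, which keeps the audit safe to repeat after every change while narrowing the package and service set the way the posters suggest.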
