[Snort-users] System hardening

Erek Adams erek at ...950...
Wed Sep 3 23:50:06 EDT 2003


On Wed, 3 Sep 2003, John Creegan wrote:

> I've got the basic snort and reporting systems up and running (snort,
> ACID, MySQL) and I'm ready to turn my attention to protecting/hardening
> my system (Solaris 8 on SPARC) before I do any more with snort
> (barnyard, oinkmaster, etc.)

[...snip...]

Skipping the other good suggestions you already have....

Edit /etc/inetd.conf.  Comment out _EVERYTHING_.  That's a good start.  :)

Make sure you have a good source of entropy for SSH.  I tend to go back
and wipe the Sun version and install my own OpenSSH version.  (Note the
Sun version has some stuff specific to Solaris...  Make sure you don't
need it before you whack it.)  Solaris 9 has /dev/random, but you don't
have it on 8.  Check out SUNrand [0] (works quite well!) or the official
Sun patch to add it [1].

Kill everything in the /etc/rc?.d/ directories that you don't need.

Enable Strong Sequence numbers for TCP [2].

Install IPF [3].  Configure it to disallow all connections except for your
management boxes.

Remove/Don't install _any_ packages you don't need.

Since you're going to be building on a development server and building
packages there that you will install on your box you don't need a
compiler--You are doing this aren't you? ;-)

Do you have remote access via a term server?  If so, don't disable your
STOP-A, you might need it.  Only worry about that if the box has a
keyboard/monitor connected and other people have access.

And no, I haven't done this for 10 years.  ;-)

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]	http://www.cosy.sbg.ac.at/~andi/SUNrand/
[1]	http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=112438&rev=01
[2] 	add to /etc/default/inetinit :

		TCP_STRONG_ISS=2
[3]	http://coombs.anu.edu.au/~avalon/
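The inetd.conf and TCP_STRONG_ISS steps above lend themselves to a quick audit, so here is an added example (not part of the original post, and not Sun's or the snort project's code): a small POSIX sh script that reports which inetd services are still enabled and what TCP_STRONG_ISS value /etc/default/inetinit would yield. The function names (enabled_inetd_services, count_enabled_inetd, tcp_strong_iss, hardening_ok) are this example's own, and the sample inetd.conf and inetinit files it writes to a temporary directory are constructed so that it runs stand-alone; on a real Solaris 8 host you would point the functions at /etc/inetd.conf and /etc/default/inetinit instead.

```shell
#!/bin/sh
# Added example (not from the original post). Audit helpers for two of the
# hardening steps: "comment out everything in /etc/inetd.conf" and
# "TCP_STRONG_ISS=2 in /etc/default/inetinit". File paths are arguments so the
# same functions work on the constructed samples below or on the real files.

# List the service names of every inetd.conf entry that is still enabled
# (i.e. non-blank lines that are not commented out).
enabled_inetd_services() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | awk '{print $1}'
}

# Number of enabled inetd entries; the target after the hardening step is 0.
count_enabled_inetd() {
    enabled_inetd_services "$1" | wc -l | tr -d ' '
}

# Effective TCP_STRONG_ISS value in an inetinit file. The file is sourced by
# the init scripts, so the last uncommented assignment wins; prints nothing
# when the variable is not set at all.
tcp_strong_iss() {
    grep '^[[:space:]]*TCP_STRONG_ISS=' "$1" | tail -1 | sed 's/.*=//' | tr -d ' "'
}

# Exit status 0 only when no inetd service is enabled AND TCP_STRONG_ISS=2
# (RFC 1948 style initial sequence numbers) is configured.
hardening_ok() {
    [ "$(count_enabled_inetd "$1")" -eq 0 ] && [ "$(tcp_strong_iss "$2")" = "2" ]
}

# --- constructed sample files so the script runs without a Solaris box ---
TMPDIR_=$(mktemp -d)
trap 'rm -rf "$TMPDIR_"' EXIT

# Constructed: a typical-looking Solaris 8 /etc/inetd.conf excerpt, before hardening.
cat > "$TMPDIR_/inetd.conf.before" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
EOF
# "Comment out _EVERYTHING_": prefix every line that is not already a comment.
sed 's/^\([^#]\)/#\1/' "$TMPDIR_/inetd.conf.before" > "$TMPDIR_/inetd.conf.after"

# Constructed: inetinit with the weak default (1) and with the recommended value (2).
printf 'TCP_STRONG_ISS=1\n' > "$TMPDIR_/inetinit.before"
printf 'TCP_STRONG_ISS=2\n' > "$TMPDIR_/inetinit.after"

echo "before: $(count_enabled_inetd "$TMPDIR_/inetd.conf.before") inetd services enabled ($(enabled_inetd_services "$TMPDIR_/inetd.conf.before" | tr '\n' ' ')), TCP_STRONG_ISS=$(tcp_strong_iss "$TMPDIR_/inetinit.before")"
echo "after:  $(count_enabled_inetd "$TMPDIR_/inetd.conf.after") inetd services enabled, TCP_STRONG_ISS=$(tcp_strong_iss "$TMPDIR_/inetinit.after")"
if hardening_ok "$TMPDIR_/inetd.conf.after" "$TMPDIR_/inetinit.after"; then
    echo "hardening checks pass on the 'after' files"
fi
```

The sed one-liner is the mechanical version of "comment out everything"; after applying it (or editing by hand), remember that inetd only re-reads its configuration on a HUP, and the TCP_STRONG_ISS change takes effect at the next boot when the init scripts source /etc/default/inetinit.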



