Snort mailing list archives

Re: Snort on RH 9 question


From: Bennett Todd <bet () rahul net>
Date: Fri, 25 Jul 2003 13:16:52 -0400

2003-07-25T11:58:30 Richard Roy:
I have a snort on RH9 [...] need to [...] secure the box.

Start with a design decision.

Is the box going to be remote managed, or is it going to be solely
accessible via the console? If it's going to be remote managed, it's
a good idea to have a separate NIC for attaching to the mgmt lan,
and let snort run on an unnumbered interface.

In this setup, snort's config doesn't necessarily need changing when
you relocate the box; snort's not interacting with the one network
port that has an IP addr assigned to it.

So on to securing Red Hat Linux.

Run "lsof -Pni" to list all the daemons that are currently running
listening on network interfaces. You want to turn them all off, with
the possible sole exception of sshd --- only leave that active if
you're going to keep it patched up to date. The one that ships w/
RH9 isn't the most current, but AFAIK they've back-ported all
critical security fixes. Alternatively you could use the very nice
rpmming of the very latest, available from openssh.com; it builds
great on RH9.

Back to the daemons, for all the rest of them, turn the daemon off.
With the exception of rpc.lockd and rpc.statd (which are a service
called "nfslock"), the rest of the daemons are named the same as the
service. So run a command, built with the list of network-listening
daemons from the lsof command, something like

        # one name per network-listening daemon found by "lsof -Pni"
        for service in sendmail xinetd portmapper nfslock ...; do
                /sbin/service $service stop      # stop it now
                /sbin/chkconfig $service off     # keep it from starting at boot
        done

There you go, all secured.

-Bennett
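The stop/disable procedure above, as an added example that is not part of Bennett's message: a small POSIX shell script that turns an lsof -Pni listing (a constructed sample, not captured from a real sensor) into the list of init-script services to shut down, folding rpc.lockd/rpc.statd into "nfslock", keeping sshd, and printing the commands for review instead of running them. The sample daemon names, the assumption that the other daemons share their service's name, and the function names are assumptions, not from the original.

```shell
#!/bin/sh
# Constructed sample of "lsof -Pni" output (not from a real box):
# one line per listening socket, daemon name in the COMMAND column.
SAMPLE_LSOF='COMMAND    PID   USER    FD   TYPE DEVICE SIZE NODE NAME
sshd       612   root     3u  IPv4   1234       TCP *:22 (LISTEN)
sendmail   700   root     4u  IPv4   1300       TCP 127.0.0.1:25 (LISTEN)
xinetd     650   root     5u  IPv4   1250       TCP *:23 (LISTEN)
portmap    560   rpc      3u  IPv4   1100       UDP *:111
portmap    560   rpc      4u  IPv4   1101       TCP *:111 (LISTEN)
rpc.statd  580   rpcuser  4u  IPv4   1150       UDP *:1024
rpc.statd  580   rpcuser  6u  IPv4   1151       TCP *:1024 (LISTEN)'

# Read lsof output on stdin and print the service name for each listening
# daemon: sshd is kept (assumed to stay patched), rpc.lockd/rpc.statd map to
# "nfslock", and every other daemon is assumed to be named like its service.
# Output is de-duplicated and sorted, one service per line.
services_from_lsof() {
    awk 'NR > 1 {
            cmd = $1
            if (cmd == "sshd") next
            if (cmd == "rpc.lockd" || cmd == "rpc.statd") cmd = "nfslock"
            print cmd
         }' | sort -u
}

# Emit the stop/disable commands as text so the plan can be reviewed
# before it is executed (pipe the result into sh on the sensor itself).
shutdown_plan() {
    services_from_lsof | while read -r service; do
        printf '/sbin/service %s stop\n/sbin/chkconfig %s off\n' \
            "$service" "$service"
    done
}

# Demo on the constructed sample; on the real box: lsof -Pni | shutdown_plan
printf '%s\n' "$SAMPLE_LSOF" | shutdown_plan
```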
