Snort mailing list archives
Re: Snort on RH 9 question
From: Bennett Todd <bet () rahul net>
Date: Fri, 25 Jul 2003 13:16:52 -0400
2003-07-25T11:58:30 Richard Roy:
> I have a snort on RH9 [...] need to [...] secure the box.

Start with a design decision. Is the box going to be remote managed, or is it going to be solely accessible via the console? If it's going to be remote managed, it's a good idea to have a separate NIC for attaching to the mgmt lan, and let snort run on an unnumbered interface. In this setup, snort's config doesn't necessarily need changing when you relocate the box; snort's not interacting with the one network port that has an IP addr assigned to it.

So on to securing Red Hat Linux. Run "lsof -Pni" to list all the daemons that are currently running listening on network interfaces. You want to turn them all off, with the possible sole exception of sshd --- only leave that active if you're going to keep it patched up to date. The one that ships w/ RH9 isn't the most current, but AFAIK they've back-ported all critical security fixes. Alternatively you could use the very nice rpmming of the very latest, available from openssh.com; it builds great on RH9.

Back to the daemons, for all the rest of them, turn the daemon off. With the exception of rpc.lockd and rpc.statd (which are a service called "nfslock"), the rest of the daemons are named the same as the service. So run a command, built with the list of network-listening daemons from the lsof command, something like

	for service in sendmail xinetd portmapper nfslock ...;do
		/sbin/service $service stop
		/sbin/chkconfig $service off
	done

There you go, all secured.

-Bennett
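The steps described in the message above, written out as an added example (not part of the original post or of Snort): it reads `lsof -Pni` output, keeps TCP listeners and bound UDP sockets, maps rpc.statd/rpc.lockd to nfslock, and prints the stop/disable commands for review instead of running them. The function names and the sample lsof output are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn `lsof -Pni` output into the stop/disable commands
# from the message. Function names and sample data are constructed.

# Constructed sample of `lsof -Pni` output (not captured from a real host).
sample_lsof() {
    cat <<'EOF'
COMMAND    PID USER    FD  TYPE DEVICE SIZE NODE NAME
portmap    512 rpc     3u  IPv4   1021       UDP *:111
portmap    512 rpc     4u  IPv4   1024       TCP *:111 (LISTEN)
rpc.statd  531 rpcuser 4u  IPv4   1077       UDP *:32768
rpc.statd  531 rpcuser 6u  IPv4   1080       TCP *:32768 (LISTEN)
sshd       642 root    3u  IPv4   1301       TCP *:22 (LISTEN)
sshd      2210 root    4u  IPv4   5120       TCP 10.0.0.5:22->10.0.0.9:40112 (ESTABLISHED)
xinetd     655 root    5u  IPv4   1340       TCP 127.0.0.1:32769 (LISTEN)
sendmail   689 root    4u  IPv4   1422       TCP 127.0.0.1:25 (LISTEN)
EOF
}

# Read lsof output on stdin; print one service name per listening daemon.
# $1 = daemon to leave running (default sshd, as in the message).
listening_services() {
    awk -v keep="${1:-sshd}" '
        NF < 2 || (NR == 1 && $1 == "COMMAND") { next }
        {
            tcp_listen = ($NF == "(LISTEN)")
            udp_bound  = ($(NF-1) == "UDP" && $NF !~ /->/)
            if (!tcp_listen && !udp_bound) next   # skip established sessions
            svc = $1
            # rpc.lockd and rpc.statd belong to the "nfslock" service
            if (svc == "rpc.statd" || svc == "rpc.lockd") svc = "nfslock"
            if (svc != keep) print svc
        }' | LC_ALL=C sort -u
}

# Print (do not run) the commands so the list can be reviewed first.
disable_commands() {
    while read -r svc; do
        printf '/sbin/service %s stop\n/sbin/chkconfig %s off\n' "$svc" "$svc"
    done
}

# Dry run on the sample; on a real host use: lsof -Pni | listening_services
sample_lsof | listening_services sshd | disable_commands
```

Re-running `lsof -Pni` after the services are stopped confirms that only the daemon you chose to keep is still listening.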