Re: Locking Down a Linux Box

From: José Luis Domingo López (jdomingo@internautas.org)
Date: 12/21/01


Date: Fri, 21 Dec 2001 23:23:16 +0100
From: José Luis Domingo López <jdomingo@internautas.org>
To: focus-linux@securityfocus.com

On Friday, 21 December 2001, at 13:30:45 -0000,
Kevin Robitaille wrote:

> Any one out there know good reference for securing a
> Linux 7.2 Server OS. I'm new to using Linux and need
> to lock down a system for use as an IDS Sensor. Any
> help would be appreciated.
>
By "use as an IDS Sensor" I understand a machine plugged into the
network, capturing all the traffic that travels along it, and passing it
to a user-space program that implements some sort of network IDS (for
example, snort).

I have been told that you can configure a Linux box to sniff packets
without even giving the card a valid IP address: just put the interface
in promiscuous mode, and use TUN/TAP kernel module to pass Ethernet
frames to snort (maybe I am completely wrong, but something like this is
what I remember from a lecture someone gave some time ago: building a
stealth Linux-based network sensor using TUN/TAP and snort). Don't know
the details, but /usr/src/linux/Documentation/networking/tuntap.txt and
a search in www.google.com can give you additional information.

As the card attached to the network being monitored doesn't have an IP
address, if you want remote access to this machine, you will need an
additional network card, and maybe (just to be safer), disable
ip_forward and reject (via ipchains/iptables) everything trying to enter
the machine from the card used for monitoring.

Once the above is done, or maybe before, uninstall unneeded software,
apply all relevant vendor patches, configure essential services, etc.
and finally, verify your sensor's strength against vulnerabilities using
software such as nessus.

Hope this helps.

-- 
José Luis Domingo López
Linux Registered User #189436     Debian Linux Woody (P166 64 MB RAM)
 
jdomingo EN internautas PUNTO org  => Spam? Face the consequences
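The sensor setup the reply describes (a monitoring card with no IP address in promiscuous mode, ip_forward disabled, everything arriving on that card rejected) as one script, added here as an example and not part of the original post. It uses the current ip/sysctl/iptables tools rather than ipchains, assumes the monitoring card is eth1, and by default only prints the commands it would run (set DRY_RUN=0 as root to apply them).

```shell
#!/bin/sh
# Added example, not from the original message: harden a two-card Linux IDS
# sensor. MON_IF is an assumed name for the card on the monitored segment.
MON_IF="${MON_IF:-eth1}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only, 0 = execute (needs root)

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Sniffing card: no address, no ARP replies, no IPv6 autoconf, promiscuous.
# With no address and ARP off the host never answers on this segment.
setup_monitor_if() {
    run ip addr flush dev "$MON_IF"
    run ip link set dev "$MON_IF" arp off promisc on up
    run sysctl -w "net.ipv6.conf.$MON_IF.disable_ipv6=1"
}

# Never route between the monitored segment and the management card.
disable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=0
}

# Belt and braces: even if someone later gives the card an address,
# nothing gets in, through, or out via the monitoring interface.
block_monitor_if() {
    run iptables -A INPUT   -i "$MON_IF" -j DROP
    run iptables -A FORWARD -i "$MON_IF" -j DROP
    run iptables -A OUTPUT  -o "$MON_IF" -j DROP
}

harden_sensor() {
    setup_monitor_if
    disable_forwarding
    block_monitor_if
}

harden_sensor
```

Run it once with DRY_RUN=1 to review the exact commands, then again with DRY_RUN=0 as root; the iptables rules are not persistent, so add them to whatever your distribution uses to restore rules at boot.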
