Re: Linux hardening

From: Daniel Margolis (dmargoli_at_seas.upenn.edu)
Date: 08/30/05

    Date: Mon, 29 Aug 2005 19:13:17 -0400
    To: AragonX <aragonx@dcsnow.com>
    
    

    On Aug 21, 2005, at 8:13 AM, AragonX wrote:

    > Installed Smoothwall on a separate box.
    > Installed & configured AIDE, Snort and chkrootkit
    > Ran Bastille

    I'm not sure I'd run Snort on the server itself. Given that Snort has
    itself had remote code execution vulnerabilities in the past, it's at
    best a trade-off, and it seems unlikely that the information you get
    will be useful in any case but after the fact (unless you're reading
    logs religiously). You might gain something by putting Snort on some
    other box on the same hub, just for logging purposes, but if I were
    you I'd make it a box I didn't care about (i.e. one without anything
    important running on it).

    Feel free to disagree, of course.

    Dan

