Probes

Keith Mastin kmastin-PzQIwG9Jn9VAFePFGvp55w at public.gmane.org
Tue Nov 18 17:37:31 UTC 2003


> I got the idea. a box that has zero services and only a few utilities
> like snort, tcpdump and a few other diagnostic tools before the
> firewall.

Even that's almost too general. Snort requires that your NIC is set in
promiscuous mode, so it's not a good idea to run anything on the same box.

> Is there already distros that do this? Are these things called "pawns" or
> "sacrificial hosts" TNG "probes" or something? I got Smoothwall, maybe
> I'll just disable all the services of Smoothwall and use that.

AFAIK there are no distros ready to roll for this. What I would suggest
for you is to just put portsentry, hostsentry and logwatch on the firewall
system and let them do their stuff. Together they do pretty good as
tattle-tales, and you get to keep your extra boxen for other toys. Button
down the box with tripwire just to keep an eye on the executables, and you
should be reasonably safe and secure (without running things like
netmeeting or kazaa, that is). Basically all you're doing here is
hardening and adding some monitoring capability to your firewall.

If you really want some good ideas on security do yourself a favor and get
a copy of Hacking Linux Exposed. It will give you a lot of information on
hardening your systems against common backdoors and vulnerabilities and
tightening your machine(s) against the more common garden variety of
intruder attacks. It's not the 'end-all, be-all' of Linux-based security,
but it's a great start.

Sacrificial hosts are generally set up within the internal network as bait.
They're a completely different story. All we're looking at so far is a
network traffic monitor, and if, like I suggested, it is set up outside
the network, it will be a very busy little box just on that task alone. You
will see everything that hits your EXT_IFACE with snort, including
everything not addressed to you. It is a LOT of traffic.

HTH,

Good luck with it.

> Otherwise I'll have to make one up.
> Make it so!
>
>
> Keith says...
>> If 1) security is a consideration; and 2) you want to see the traffic
>> your firewall is battered with; and 3) you don't want to disable your
>> packet filter; then put a machine running snort outside the firewall.
>>
>> > if  iptables rules drop that packet, will they be displayed in
>> > tcpdump?
>> > I'm guessing no, since the packets don't even get in the front door.
>> >
>> > I guess my alternatives are to disable the rules and then use tcpdump,
>> > or use the LOG functions in iptables...Probably easier to just
>> > temporarily disable the offending iptables rules.
>> >
>> > I'm really wary of security now. Like paranoid.
>>
>> If 1) security is a consideration; and 2) you want to see the traffic
>> your firewall is battered with; and 3) you don't want to disable your
>> packet filter; then put a machine running snort outside the firewall.

-- 
Keith
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
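The quoted reply mentions "the LOG functions in iptables" as the alternative to disabling rules and watching with tcpdump, and Keith's own suggestion is logwatch-style monitoring on the firewall. The following is an added example, not code from this thread or from any of the tools named in it: a small summarizer for the kernel log lines that the iptables LOG target writes. The rule shape in the comment (`-j LOG --log-prefix`, `-m limit`) and the `KEY=VALUE` line format are what iptables actually produces; the `FW-DROP` prefix, the sample log lines and the addresses in them are constructed for the example, and the three-port scan threshold is an arbitrary choice.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of what the iptables LOG target writes to the kernel log.
# A rule pair such as
#   iptables -A INPUT -i eth0 -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
#   iptables -A INPUT -i eth0 -j DROP
# logs (rate-limited, so a busy external interface cannot flood syslog) and then
# drops the same traffic, so dropped packets still leave a record even though
# the packet filter keeps them out. The "FW-DROP" prefix and all addresses
# below are made up; the last line is a non-firewall entry to be ignored.
SAMPLE_LOG = """\
Nov 18 17:37:31 fw kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12345 DF PROTO=TCP SPT=4321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 18 17:37:32 fw kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12346 DF PROTO=TCP SPT=4322 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 18 17:37:33 fw kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12347 DF PROTO=TCP SPT=4323 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 18 17:37:40 fw kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=78 TOS=0x00 PREC=0x00 TTL=113 ID=9 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 18 17:37:41 fw kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=113 ID=10 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Nov 18 17:37:45 fw sshd[812]: Accepted publickey for keith from 10.0.0.2 port 50022 ssh2
"""

# "kernel: <prefix>: <fields>"; the prefix cannot contain a colon, so the
# match stops before the MAC address.
LINE_RE = re.compile(r"kernel: (?P<prefix>[^:]+): (?P<fields>.*)$")
# KEY=VALUE tokens; bare flags such as DF or SYN carry no "=" and are skipped.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line, prefix="FW-DROP"):
    """Return the KEY=VALUE fields of one LOG-target line, or None for other lines."""
    m = LINE_RE.search(line)
    if m is None or m.group("prefix") != prefix:
        return None
    # dict() keeps the last value when a key repeats (IP LEN vs UDP LEN,
    # IP ID vs ICMP ID); neither is needed for the summary below.
    return dict(FIELD_RE.findall(m.group("fields")))


def summarize(log_text, prefix="FW-DROP"):
    """Count dropped packets per source, the distinct ports each source hit,
    and the protocol mix, over a block of syslog text."""
    hits = Counter()
    ports = defaultdict(set)
    protos = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line, prefix)
        if fields is None:
            continue
        src = fields.get("SRC", "?")
        hits[src] += 1
        protos[fields.get("PROTO", "?")] += 1
        if "DPT" in fields:
            ports[src].add(int(fields["DPT"]))
    return hits, ports, protos


def suspected_scanners(ports, threshold=3):
    """Sources that probed at least `threshold` distinct destination ports."""
    return sorted(src for src, seen in ports.items() if len(seen) >= threshold)


def report(log_text):
    """Plain-text summary in the spirit of a logwatch section."""
    hits, ports, protos = summarize(log_text)
    lines = ["Dropped packets by source:"]
    for src, n in hits.most_common():
        plist = ", ".join(str(p) for p in sorted(ports[src])) or "-"
        lines.append(f"  {src:<16} {n:>4}  ports: {plist}")
    lines.append("Protocols: " + ", ".join(f"{p}={n}" for p, n in sorted(protos.items())))
    scanners = suspected_scanners(ports)
    if scanners:
        lines.append("Possible port scans from: " + ", ".join(scanners))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Pointing this at the real log (`/var/log/messages` or `/var/log/kern.log`, depending on the syslog setup) is a matter of reading the file instead of `SAMPLE_LOG`. The rate limit in the rule comment is the caveat worth keeping: without `-m limit`, the volume Keith describes hitting the external interface would go straight into syslog.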