Probes

GDHough mr6re9-mI4xJ4qlgtBiLUuM0BA3LQ at public.gmane.org
Wed Nov 19 00:56:58 UTC 2003


On Tuesday 18 November 2003 12:37, Teddy and Keith were discussing:
> > I got the idea. a box that has zero services and only a few utilities
> > like snort, tcpdump and a few other diagnostic tools before the
> > firewall.
>
> Even that's almost too general. Snort requires that your NIC is set in
> promiscuous mode, so it's not a good idea to run anything on the same box.

Snort does not sniff in promiscuous mode with the option -p. As for running 
other services on the same box, I know you're right but I do it anyway.
>
> > Is there already distros that do this? Are these things called "pawns" or
> > "sacrificial hosts" TNG "probes" or something? I got Smoothwall, maybe
> > I'll just disable all the services of Smoothwall and use that.
>
> AFAIK there are no distros ready to roll for this. What I would suggest
> for you is to just put portsentry, hostsentry and logwatch on the firewall
> system and let them do their stuff. Together they do pretty good as
> tattle-tales, and you get to keep your extra boxen for other toys. Button
> down the box with tripwire just to keep an eye on the executables, and you
> should be reasonably safe and secure (without running things like
> netmeeting or kazaa, that is). Basically all you're doing here is
> hardening and adding some monitoring capability to your firewall.
>
Be sure to disable portsentry's interactive mode and its cron cycle if you're 
not familiar with it. You may be left with no iptables running if you have 
some custom targets in your startup scripts.

> If you really want some good ideas on security do yourself a favor and get
> a copy of Hacking Linux Exposed. It will give you a lot of information on
> hardening your systems against common backdoors and vulnerabilities and
> tightening your machine(s) against the more common garden variety of
> intruder attacks. It's not the 'end-all,be-all' of linux-based security,
> but it's a great start.
>
> Sacrificial hosts are generally set up within the internal network as bait.

Our Win98 box does that by default.

> They're a completely different story. All we're looking at so far is a
> network traffic monitor, and if, like I suggested, if it is set up outside
> the network, will be a very busy little box just on that task alone. You
> will see everything that hits your EXT_IFACE with snort, including
> everything not addressed for you. It is a LOT of traffic.

No doubt about that. I run snort strictly on the internal gateway IF. I am not 
overly concerned with what's being dropped outside. I am more interested in 
what the traffic within smells like. Activate all of Snort's rules (policy, 
info, virus, chat and porn disabled by default) and you'll have plenty of 
alerts to analyze.

Now about the sacrificial lamb, any box on the net is vulnerable. If all you 
got is a Linux NAT box with an IP and one WinBox behind it for the kids to 
browse, how are you going to learn anything about the power of Linux without 
loading it up into a fully fledged multitasking environment? That was me 
three years ago. That box still holds the IP and the gateway for the network.

I ran two snort daemons (INT & EXT) for a long time without any troubles. The 
stuff that gets through and flagged will generate double alerts though. The 
latest Snort-ACID-MySQL combo is neat. The rulesets have matured. There are 
many to choose from above and beyond the defaults and you can write your own.

My personal record for my first Linux NAT firewall box is:

1) Load, update and config all services
    (installation disc choose >> install everything)
2) Bastille
3) Tripwire
4) Snort/ACID/MySQL
5) Fire up all the services
6) Add more and run them too
7) Keep doing this until the machine reaches its limit then back off 1/4 
turn.
8) Attempt to maintain that level of service with regular monitoring and 
updates.
9) Go for 180 days without a reboot
10) Start from scratch if you can no longer compile and patch your installed 
packages or RedHat throws a wrench in your werks.

farmer6re9


>
> HTH,
>
> Good luck with it.
>
> > Otherwise I'll have to make one up.
> > Make it so!
> >
> >
> > Keith says...
> >
> >> If 1) security is a consideration; and 2) you want to see the traffic
> >> your firewall is battered with; and 3) you don't want to disable your
> >> packet filter; then put a machine running snort outside the firewall.
> >>
> >> > if iptables rules drop that packet, will they be displayed in
> >> > tcpdump?
> >> > I'm guessing no, since the packets don't even get in the front door.
> >> >
> >> > I guess my alternatives are to disable the rules and then use tcpdump,
> >> > or use the LOG functions in iptables...Probably easier to just
> >> > temporarily disable the offending iptables rules.
> >> >
> >> > I'm really wary of security now. Like paranoid.
> >>
> >> If 1) security is a consideration; and 2) you want to see the traffic
> >> your firewall is battered with; and 3) you don't want to disable your
> >> packet filter; then put a machine running snort outside the firewall.

-- 
Eating Crow is better with MyCrowSauce
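The iptables LOG alternative raised in the quoted thread (log what the packet filter drops instead of disabling rules or hoping tcpdump sees them) produces kernel log lines that pile up fast on a busy external interface. As an added example that is not part of this post or thread, here is a small Python summarizer for such lines; the "FW-DROP" log prefix, hostname, MAC and addresses in the sample are constructed.

```python
import re
from collections import Counter

# Constructed sample of syslog lines as produced by a rule pair such as
#   iptables -A INPUT -i eth0 -j LOG --log-prefix "FW-DROP "
#   iptables -A INPUT -i eth0 -j DROP
SAMPLE_LOG = """\
Nov 19 00:50:01 gw kernel: FW-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=4567 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 19 00:50:09 gw kernel: FW-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=UDP SPT=53 DPT=1026 LEN=40
Nov 19 00:50:11 gw kernel: FW-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54323 PROTO=TCP SPT=4569 DPT=135 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 19 00:50:12 gw kernel: ip_conntrack: table full, dropping packet.
"""

KV = re.compile(r"\b([A-Z]+)=(\S*)")  # iptables LOG emits KEY=value tokens

def parse_log_line(line, prefix="FW-DROP"):
    """Return the LOG fields of one line, or None for unrelated kernel messages."""
    marker = f"kernel: {prefix} "
    idx = line.find(marker)
    if idx < 0:
        return None
    fields = dict(KV.findall(line[idx + len(marker):]))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    return fields

def summarize(log_text, prefix="FW-DROP"):
    """Count dropped packets per (source, protocol, destination port); also count skipped lines."""
    counts = Counter()
    skipped = 0
    for line in log_text.splitlines():
        fields = parse_log_line(line, prefix)
        if fields is None:
            skipped += 1
            continue
        counts[(fields["SRC"], fields["PROTO"], fields.get("DPT", "-"))] += 1
    return counts, skipped

def ports_per_source(counts):
    """Distinct destination ports each source was dropped on; many ports from one source is a sweep."""
    ports = {}
    for (src, _proto, dpt), _n in counts.items():
        if dpt.isdigit():
            ports.setdefault(src, set()).add(int(dpt))
    return {src: sorted(p) for src, p in ports.items()}

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG)[0].most_common():
        print(n, *key)
```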
