On Friday, 21 December 2001, at 13:30:45 -0000, Kevin Robitaille wrote:

> Anyone out there know a good reference for securing a
> Linux 7.2 Server OS? I'm new to using Linux and need
> to lock down a system for use as an IDS Sensor. Any
> help would be appreciated.

By "use as an IDS Sensor" I understand a machine plugged into the network, capturing all the traffic that travels along it, and passing it to a user-space program that implements some sort of network IDS (for example, snort).

I have been told that you can configure a Linux box to sniff packets without even giving the card a valid IP address: just put the interface in promiscuous mode, and use the TUN/TAP kernel module to pass Ethernet frames to snort (maybe I am completely wrong, but something like this is what I remember from a lecture someone gave some time ago: building a stealth Linux-based network sensor using TUN/TAP and snort). I don't know the details, but /usr/src/linux/Documentation/networking/tuntap.txt and a search on www.google.com can give you additional information.

As the card attached to the network being monitored doesn't have an IP address, if you want remote access to this machine you will need an additional network card, and maybe (just to be safer) disable ip_forward and reject (via ipchains/iptables) everything trying to enter the machine from the card used for monitoring.

Once the above is done, or maybe before, uninstall unneeded software, apply all relevant vendor patches, configure essential services, etc., and finally verify your sensor's strength against vulnerabilities using software such as nessus.

Hope this helps.

--
José Luis Domingo López
Linux Registered User #189436
Debian Linux Woody (P166 64 MB RAM)
jdomingo EN internautas PUNTO org => Spam? Face the consequences.
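The two-card sensor layout described in the reply (IP-less promiscuous monitoring card, separate management card, ip_forward off, everything from the monitoring card rejected), written up as an added example script; it is not code from the original message or its author. It uses iproute2 and iptables rather than ipchains; eth1 as the monitoring card, eth0 as the management card and 192.0.2.10 as the admin host are assumptions, and with DRY_RUN=1 (the default) it only prints the commands it would run.

```shell
#!/bin/sh
# Added example: lock down a two-NIC Linux IDS sensor. Not from the original message.
# Assumed names: eth1 = monitoring NIC, eth0 = management NIC, 192.0.2.10 = admin host.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (requires root).
MON_IF="${MON_IF:-eth1}"
MGMT_IF="${MGMT_IF:-eth0}"
ADMIN_HOST="${ADMIN_HOST:-192.0.2.10}"   # constructed documentation address
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Monitoring NIC: no address, promiscuous so every frame reaches the sniffer,
# ARP off so the sensor never answers and gives itself away on the monitored segment.
configure_monitor_if() {
    run ip addr flush dev "$MON_IF"
    run ip link set dev "$MON_IF" arp off
    run ip link set dev "$MON_IF" promisc on
    run ip link set dev "$MON_IF" up
}

# Kernel: the sensor must never route between the monitored and management networks.
configure_kernel() {
    run sysctl -w net.ipv4.ip_forward=0
}

# Firewall: default deny; nothing in or out through the monitoring NIC; on the
# management NIC only SSH from the admin host plus replies to the sensor's own traffic.
configure_firewall() {
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i "$MON_IF" -j DROP
    run iptables -A OUTPUT -o "$MON_IF" -j DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -i "$MGMT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$MGMT_IF" -p tcp -s "$ADMIN_HOST" --dport 22 \
        -m state --state NEW -j ACCEPT
}

lockdown() {
    configure_monitor_if
    configure_kernel
    configure_firewall
}

# "sh sensor.sh apply" runs for real; anything else is a dry run.
[ "${1:-}" = "apply" ] && DRY_RUN=0
lockdown
```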