I hesitate to write this 'cause I *really* don't want to start a religious war... but in my experience if you want it critically secured, build a headless OpenBSD box that only listens for ssh (and, hence, sftp). Patch every 3 months or whenever OpenSSH gets hacked again, problem solved for the most part...

--- "Bezalel, Yaakov" <[EMAIL PROTECTED]> wrote:
> Hi Darren,
>
> Suse has the encrypted file system, you could store output on such a
> file system (haven't tried it...).
> You could pgp it... don't know if nessus has a place you could interfere
> in the report file creation process.
>
> Jack.
>
> On Mon, 2002-06-24 at 21:00, Darren Young wrote:
> > That's kind of what I thought. Are there any protections outside normal
> > system hardening I should take on the public scanning machine? I was
> > planning on Linux, probably RedHat 7.x, for this host. I guess TCP wrappers
> > around nessusd would be out of the question. Is there any way to operate the
> > scanner on a 'stealth' interface? It probably won't work as well.
> >
> > I'd hate to do scans for someone that have the resulting data being
> > compromised. Perhaps the results should be stored on an internal / protected
> > machine?
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]]On Behalf Of Hugo van der Kooij
> > > Sent: Monday, June 24, 2002 12:50 PM
> > > To: Nessus Nessus Mailing List
> > > Subject: Re: Nessus Location
> > >
> > > On Mon, 24 Jun 2002, Darren Young wrote:
> > >
> > > > Where is the "best" logical/physical position for a Nessus scanning machine?
> > > > In front of, behind or beside (DMZ) the firewall? When it's behind the
> > > > firewall it generates quite a bit of noise with default "passthrough" DENY
> > > > and LOG rules. That's fine, I just want to be sure the firewall isn't
> > > > dropping something that the scanner needs. Perhaps in a DMZ with an "allow
> > > > everything out and established"?
> > >
> > > Anything filtering in its path will distort your measurement and
> > > invalidate your findings.
> > >
> > > IMO the only allowed place would be outside your firewall if you want to
> > > perform tests outside your own network.
> > >
> > > Hugo.
> > >
> > > --
> > > All email sent to me is bound to the rules described on my homepage.
> > > [EMAIL PROTECTED] http://hvdkooij.xs4all.nl/
> > > Don't meddle in the affairs of sysadmins,
> > > for they are subtle and quick to anger.

=====
-----------------------------------------------------------
Only fools have all the answers.
-----------------------------------------------------------
