Yea, opinions are like .... well, you know. Everyone has one. I think you're right, at least for my application, OpenBSD would be my preferred choice. I've done headless Linux machines, never tried that on OpenBSD. I've been using the Windows client so I can store the session data into a MySQL database until I can find a way to have the client do it. I think I'd rather just have the data off the public machine completely and PGP the reports when they are sent out.
> -----Original Message-----
> From: twig les [mailto:[EMAIL PROTECTED]]
> Sent: Monday, June 24, 2002 1:58 PM
> To: Bezalel, Yaakov; Darren Young
> Cc: Nessus Nessus Mailing List
> Subject: RE: Nessus Location
>
> I hesitate to write this cause I *really* don't want to start a religious
> war...but in my experience if you want it critically secured, build a
> headless OpenBSD box that only listens for ssh (and, hence, sftp). Patch
> every 3 months or whenever OpenSSH gets hacked again, problem solved for
> the most part...
>
> --- "Bezalel, Yaakov" <[EMAIL PROTECTED]> wrote:
> > Hi Darren,
> >
> > Suse has the encrypted file system, you could store output on such a
> > file system (haven't tried it...).
> > You could pgp it...don't know if nessus has a place you could interfere
> > in the report file creation process.
> >
> > Jack.
> >
> > On Mon, 2002-06-24 at 21:00, Darren Young wrote:
> > > That's kind of what I thought. Are there any protections outside normal
> > > system hardening I should take on the public scanning machine? I was
> > > planning on Linux, probably RedHat 7.x, for this host. I guess TCP
> > > wrappers around nessusd would be out of the question. Is there any way
> > > to operate the scanner on a 'stealth' interface? It probably won't work
> > > as well.
> > >
> > > I'd hate to do scans for someone and have the resulting data
> > > compromised. Perhaps the results should be stored on an internal /
> > > protected machine?
> > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Hugo van der Kooij
> > > > Sent: Monday, June 24, 2002 12:50 PM
> > > > To: Nessus Nessus Mailing List
> > > > Subject: Re: Nessus Location
> > > >
> > > > On Mon, 24 Jun 2002, Darren Young wrote:
> > > >
> > > > > Where is the "best" logical/physical position for a Nessus scanning
> > > > > machine? In front of, behind or beside (DMZ) the firewall? When it's
> > > > > behind the firewall it generates quite a bit of noise with default
> > > > > "passthrough" DENY and LOG rules. That's fine, I just want to be sure
> > > > > the firewall isn't dropping something that the scanner needs. Perhaps
> > > > > in a DMZ with an "allow everything out and established"?
> > > >
> > > > Anything filtering in its path will distort your measurement and
> > > > invalidate your findings.
> > > >
> > > > IMO the only allowed place would be outside your firewall if you want
> > > > to perform tests outside your own network.
> > > >
> > > > Hugo.
> > > >
> > > > --
> > > > All email sent to me is bound to the rules described on my homepage.
> > > > [EMAIL PROTECTED] http://hvdkooij.xs4all.nl/
> > > > Don't meddle in the affairs of sysadmins,
> > > > for they are subtle and quick to anger.
>
> =====
> -----------------------------------------------------------
> Only fools have all the answers.
> -----------------------------------------------------------
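The thread's suggestion of keeping results off the public scanning box and PGP-encrypting reports before they leave it can be automated. The script below is an added example for this page, not code from the thread or from the Nessus project: it encrypts each finished report to the analyst's PGP key with gpg, copies the ciphertext to the protected internal host with scp, and only then overwrites and removes the plaintext, so a failed encryption or copy never leaves the scanner without its data or the analyst without a copy. The report directory, report suffixes, recipient key id and destination host are assumptions; `run` is injectable so the control flow can be exercised without a keyring.

```python
#!/usr/bin/env python3
"""Ship finished Nessus reports off the public scanning host.

Each report is encrypted to the analyst's PGP key with gpg, copied to
the protected internal machine with scp, and the plaintext is then
overwritten and removed so the scanner keeps no readable results.
The paths, key id and destination below are assumptions for this
example, not values taken from the list thread.
"""
import os
import subprocess
import sys
from pathlib import Path

REPORT_DIR = Path("/var/nessus/reports")                      # assumed report directory
RECIPIENT = "analyst@example.org"                             # assumed PGP key uid of the analyst
DEST = "reports@internal.example.org:/srv/nessus-incoming/"   # assumed internal drop box
REPORT_SUFFIXES = (".nbe", ".html", ".txt")                   # assumed report formats to pick up


def build_encrypt_cmd(src, recipient):
    """gpg argv: public-key encrypt src to recipient only, ASCII-armoured, no prompts."""
    return ["gpg", "--batch", "--yes", "--armor", "--recipient", recipient,
            "--output", str(src) + ".asc", "--encrypt", str(src)]


def build_copy_cmd(enc, dest):
    """scp argv for the ciphertext; the ssh-only internal host receives it."""
    return ["scp", "-q", str(enc), dest]


def wipe(path):
    """Overwrite the plaintext with zeros, sync, then unlink.
    Best effort: only filesystems that rewrite blocks in place benefit."""
    size = path.stat().st_size
    with open(path, "r+b") as fh:
        fh.write(b"\0" * size)
        fh.flush()
        os.fsync(fh.fileno())
    path.unlink()


def ship_report(src, recipient=RECIPIENT, dest=DEST, run=subprocess.run):
    """Encrypt, copy, wipe.  `run` is injectable so the logic can be exercised
    without a gpg keyring; returns the ciphertext file name that was shipped."""
    src = Path(src)
    enc = Path(str(src) + ".asc")
    run(build_encrypt_cmd(src, recipient), check=True)
    # Refuse to go on if gpg produced nothing: plaintext stays, nothing is copied.
    if not enc.is_file() or enc.stat().st_size == 0:
        raise RuntimeError("encryption produced no output for %s" % src)
    run(build_copy_cmd(enc, dest), check=True)   # CalledProcessError leaves both files in place
    wipe(src)          # plaintext leaves the public box only after a successful copy
    enc.unlink()       # ciphertext is harmless but there is no reason to keep it here
    return enc.name


def pending_reports(report_dir):
    """Finished reports not yet shipped, oldest first."""
    files = [p for p in Path(report_dir).iterdir()
             if p.is_file() and p.suffix in REPORT_SUFFIXES]
    return sorted(files, key=lambda p: p.stat().st_mtime)


def main(argv):
    report_dir = Path(argv[1]) if len(argv) > 1 else REPORT_DIR
    for report in pending_reports(report_dir):
        try:
            print("shipped", ship_report(report))
        except (RuntimeError, subprocess.CalledProcessError) as exc:
            print("left in place:", report, exc, file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from cron on the scanner after each scan window (`python3 ship_reports.py /var/nessus/reports`). The analyst's secret key never exists on the public box, only the public key used for encryption, so a compromise of the scanner yields at most ciphertext that has not yet been shipped.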
