[NTLUG:Discuss] If you were using an intrusion detection system...
Kyle Davenport
Kyle_Davenport at compusa.com
Mon May 8 10:16:05 CDT 2006
From: Leroy Tennison
> What would you use?
snort.
OK, so I would rather stop them before they intrude. I have perhaps gone
overboard in applying security to my internet gateway, but I consider it a
learning opportunity. Does the gang here see anything I've missed? I
know I could have started with a more secure distribution, like Trustix,
but I'm used to Redhat, so I started with Fedora Core 3.
0. Restrict accounts, strengthen id/passwds, test crackers
1. configure firestarter firewall, default deny.
2. default deny in tcpwrappers
3. blockhosts.py (tcpwrappers)
4. denyhosts.sf.net (blacklist)
5. PeerGuardian (blacklist)
6. iptables repeated new connections timeout (/etc/firestarter/user-post)
7. tripwire (used AIDE instead)
8. rpm -V
9. strict sudo
10. disable remote root logins
11. restrict hosts in ssh
12. squidGuard blacklist for squid proxy
13. blackholes.mail-abuse.org for sendmail
14. make http://localhost/robots.txt a bot-only php script
15. snort + snort-mysql + acid + base
16. nessus + metasploit + chkrootkit
17. grsecurity + PaX (patch kernel!)
18. analyse webserver security - verify auth
I actually haven't been able to do the official grsecurity yet, because
they are falling way behind kernel releases.
Kyle
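Items 2 through 4 of the list above (tcpwrappers default deny plus blockhosts.py / denyhosts) all rest on one mechanism: watch the sshd log for repeated failed logins, and when a source address crosses a threshold, append a `sshd: <ip>` line to /etc/hosts.deny so tcpwrappers refuses it. The following is an added illustration of that mechanism, written for this page and not taken from Kyle's post or from the blockhosts/denyhosts projects. The log lines are constructed samples in the classic /var/log/secure format, the threshold of 3 and the allowlist are arbitrary choices, and the code only returns the hosts.deny text rather than writing to /etc (the original tools do write it, after taking a lock).

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure lines (not from the original post).
# Uses RFC 5737 documentation addresses only.
SAMPLE_LOG = """\
May  8 10:01:12 gateway sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
May  8 10:01:15 gateway sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 51235 ssh2
May  8 10:01:19 gateway sshd[2103]: Failed password for root from 192.0.2.10 port 51240 ssh2
May  8 10:02:03 gateway sshd[2110]: Accepted publickey for kyle from 198.51.100.7 port 40022 ssh2
May  8 10:02:44 gateway sshd[2115]: Failed password for kyle from 198.51.100.7 port 40030 ssh2
May  8 10:03:01 gateway sshd[2120]: Failed password for invalid user test from 203.0.113.9 port 33001 ssh2
May  8 10:03:02 gateway sshd[2120]: Failed password for invalid user test from 203.0.113.9 port 33002 ssh2
May  8 10:03:04 gateway sshd[2121]: Failed password for invalid user oracle from 203.0.113.9 port 33010 ssh2
May  8 10:03:05 gateway sshd[2121]: Failed password for invalid user oracle from 203.0.113.9 port 33011 ssh2
"""

# Matches both "Failed password for <user> from <ip>" and the
# "invalid user" variant that sshd logs for unknown account names.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failures(log_text):
    """Return a Counter of failed-password attempts keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def hosts_deny_entries(counts, threshold=3, allowlist=()):
    """Produce tcpwrappers hosts.deny lines for IPs at or above the threshold.

    Addresses in `allowlist` (e.g. the admin's own workstation) are never
    blocked, which is how the real tools avoid locking the operator out.
    """
    return [
        "sshd: %s" % ip
        for ip, n in sorted(counts.items())
        if n >= threshold and ip not in allowlist
    ]


def merge_hosts_deny(existing_text, new_entries):
    """Return the updated hosts.deny content, adding only entries not already present.

    Idempotent: running it twice over the same log adds nothing the second time.
    """
    present = {line.strip() for line in existing_text.splitlines()}
    additions = [e for e in new_entries if e not in present]
    body = existing_text if existing_text.endswith("\n") or not existing_text else existing_text + "\n"
    return body + "".join(e + "\n" for e in additions)


if __name__ == "__main__":
    counts = count_failures(SAMPLE_LOG)
    entries = hosts_deny_entries(counts, threshold=3, allowlist=("198.51.100.7",))
    # Assumes an existing hosts.deny that already blocks one of the offenders.
    print(merge_hosts_deny("sshd: 203.0.113.9\n", entries), end="")
```

With the sample above, 192.0.2.10 and 203.0.113.9 each cross the threshold while 198.51.100.7 (one failure, and on the allowlist anyway) does not; merging against a hosts.deny that already lists 203.0.113.9 adds only the 192.0.2.10 line. A real deployment would also age entries out after some interval and should keep the allowlist populated, since the same log-driven blocking that stops a brute-force attempt will just as happily lock out an operator who mistypes a password three times.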