
Re: 'mirror' with iptables



On 14 Nov 2001, Tim Haynes wrote:

> Personally, I go for
> a) DROP-by-default firewall with stateful filtering in iptables;
> b) such ports that are wide open (22, 80, 53/udp... whatever) are still
>    behind the protection of `INVALID';
> c) such services that listen on the open ports are as secured as possible -
>    latest versions, no extra apache modules, the whole 9 yards of BIND
>    security, libsafe, etc;
> d) fwlogwatch to mail me firewall alerts every night;
> e) snort to keep an eye on what tricks people are playing with those few
>    services that are open;
> f) AIDE to mail me filesystem changes every night.
>
> It's pretty rarely that I see any abuse that gets as far down the chain as
> to deserve human intervention.

That looks pretty practical.  Have you considered looking at something
like 'guardian' http://www.chaotic.org/guardian/ to do automated
response to selected snort rules?  It's clever enough to maintain a
rolling window of blocking, so you don't end up with a huge packetfilter
and stale dynamic addresses over time...

Anyway, I believe we are on close to the same page.

-thomas

>
> ~Tim
>

-- 
 Do what thou wilt shall be the whole of the Law.
                -- Aleister Crowley
gpg: pub 1024D/81FD4B43 sub 4096g/BB6D2B11=>p.nu/d
2B72 53DB 8104 2041 BDB4  F053 4AE5 01DF 81FD 4B43



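As an added illustration of points a) and b) in Tim's list (not code from the thread or from either poster): a small POSIX sh script that builds the DROP-by-default, stateful ruleset with the INVALID check placed ahead of the port-specific ACCEPTs. The open-port lists, the `ipt` wrapper, the dry-run mode and the self-check helpers are all assumptions of this example; the rule syntax uses the iptables `state` match of that era (`-m state --state ...`).

```shell
#!/bin/sh
# Added example, not from the thread. Emits (or, with --apply, loads) an
# iptables INPUT ruleset implementing: a) DROP-by-default with stateful
# filtering, b) open ports still sitting behind an INVALID drop.
# Assumed values: the port lists below; DRY_RUN defaults to printing rules.

OPEN_TCP="22 80"   # TCP services to expose (the "22, 80" from the thread)
OPEN_UDP="53"      # UDP services to expose ("53/udp")
: "${DRY_RUN:=1}"  # 1 = print the commands, 0 = run iptables for real

# Wrapper: print the command in dry-run mode, execute it otherwise.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_ruleset() {
    # a) DROP-by-default on INPUT and FORWARD; outbound left open.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F INPUT
    # Loopback is trusted.
    ipt -A INPUT -i lo -j ACCEPT
    # b) INVALID comes first, so packets conntrack cannot classify are dropped
    #    before any port-specific ACCEPT below can see them.
    ipt -A INPUT -m state --state INVALID -j DROP
    # Stateful filtering: replies to flows we started, plus related flows.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only new connections to the listed ports are admitted.
    for p in $OPEN_TCP; do
        ipt -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    for p in $OPEN_UDP; do
        ipt -A INPUT -p udp --dport "$p" -j ACCEPT
    done
    # Rate-limited log of what falls through to the DROP policy, which is
    # the material a tool like fwlogwatch (point d) summarises.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP:"
}

# Self-check helpers (assumed names): how many INPUT rules were generated,
# and whether the INVALID drop really precedes the first port ACCEPT.
rule_count() {
    (DRY_RUN=1; build_ruleset) | grep -c -- '-A INPUT'
}

invalid_before_accept() {
    (DRY_RUN=1; build_ruleset) | awk '
        /--state INVALID -j DROP/ && !inv { inv = NR }
        /--dport/ && !acc { acc = NR }
        END { exit !(inv && acc && inv < acc) }'
}

case "${1:-}" in
    --show)  DRY_RUN=1; build_ruleset ;;
    --apply) DRY_RUN=0; build_ruleset ;;
esac
```

Run it with `--show` to review the generated commands before ever touching the live filter; `--apply` requires root and a kernel with the state match. The ordering matters more than the port list: if the INVALID rule were placed after the ACCEPTs, the "behind INVALID" property from point b) would silently disappear, which is exactly what `invalid_before_accept` guards against.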