Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I wanted to know if IPCop did anything other than log suspicious activity when detected. In particular, I would like to know if IPCop would block the activity if triggered to do so. Thank you!
I have no idea whether Snort in IPCop is an IDS or IPS.
As far as I know, Endian Firewall provides the interface for you to download the rules from the Snort official website based on the permission/packages you register.
I don't know whether IPCop allows you to do the above task. If you know, please let me know.
I do not believe IPCop has IPS capability out-of-the-box. I do not know the latest capabilities of IPCop (I ran it maybe a year ago, doing a bake-off between IPCop, Smoothwall, and ClarkConnect), but I don't believe it has the capability you speak of.
Perusing the IPCop site and reading the FAQ and docs, I didn't see any mention of autoblocking capability. When I was using it, I had to manually block any questionable activity I observed. The other two gateway OSs I used were the same way.
I'd check the ruleset to be sure. The rules should hint at what is done with malicious activity (as an IPS, Snort blocks based on what is indicated in the rules).
Do we need to edit the default iptables rules and Snort rules?
Thanks for your help.
I believe it requires more than just editing the default rules of Snort and iptables. I believe you also need to utilize Snort-inline, which, from my understanding, turns your gateway device into more of a router (with the capability of blocking)...dunno if that is what you want to pursue. If you want to go that route, I'd suggest a separate box with Snort-inline installed, placing it before your IPCop box (on the network).
Please take what I say with somewhat of a grain of salt, as I've never installed an IPS before. The setup is quite different than an IDS (which I do have experience with), from what I've read. They may appear similar and Snort-inline may be based off of Snort but setting up Snort-inline doesn't seem to be a trivial install. I don't know the hardware specs of your IPCop machine, but a box that inspects packets at the level of an IDS PLUS performs routing and firewalling duties would definitely have to be beefy, especially if you're using it in an environment that will track lots of traffic.
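As an added example (not code from this thread, from IPCop, or from the Snort project) of the point made in the two replies above: a stock Snort ruleset only ever logs because every rule's action word is "alert", and Snort as normally run reads a libpcap copy of the traffic, so it has nothing to discard. snort_inline adds the actions drop, sdrop and reject and takes packets from the iptables QUEUE target instead, which is what lets it block. The script below converts selected rules from alert to an inline action and prints the iptables hook an inline box needs. The three rules, their SIDs, the config/log paths and the snort_inline command-line flags are assumptions made for illustration, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from IPCop/Snort.
# Shows the difference between an IDS rule ("alert": log only) and a
# snort_inline rule ("drop": log and discard, "sdrop": discard silently,
# "reject": discard and send TCP RST / ICMP unreachable), and the iptables
# hook that gives snort_inline the packets to drop.
# SIDs 1000001-1000003 are constructed local rules, not real VRT rules.

# Constructed sample ruleset as an IDS ships it: every rule only alerts.
SAMPLE_RULES='alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH SYN probe"; flags:S; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL Nikto scan"; content:"Nikto"; nocase; sid:1000002; rev:1;)
# comments and blank lines must pass through untouched

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL ICMP sweep"; itype:8; sid:1000003; rev:1;)'

# to_inline ACTION "SID SID ..." < rules.in > rules.out
# Rewrites only the listed SIDs from "alert" to ACTION; everything else keeps
# IDS behaviour. A blanket s/alert/drop/ over a whole ruleset is how an inline
# box ends up dropping legitimate traffic on one noisy rule.
to_inline() {
    action=$1
    sids=" $2 "
    case "$action" in
        drop|sdrop|reject) ;;
        *) echo "to_inline: unknown inline action '$action'" >&2; return 1 ;;
    esac
    while IFS= read -r line; do
        case "$line" in
            "alert "*)
                # pull the sid:NNN; option out of the rule body
                sid=$(printf '%s\n' "$line" | sed -n 's/.*sid:\([0-9][0-9]*\);.*/\1/p')
                case "$sids" in
                    *" $sid "*) line="$action ${line#alert }" ;;
                esac
                ;;
        esac
        printf '%s\n' "$line"
    done
}

# Commands an inline box needs before snort_inline can drop anything.
# Printed rather than executed: once ip_queue/QUEUE is in place every
# forwarded packet goes to userspace, and if snort_inline is not running the
# kernel drops all of them, so this belongs on a dedicated box, not on the
# IPCop host. Flags and paths follow the snort_inline docs of that era and
# are an assumption here.
inline_hook_cmds() {
    printf '%s\n' \
        'modprobe ip_queue' \
        'iptables -I FORWARD -j QUEUE' \
        'snort_inline -Q -c /etc/snort_inline/snort_inline.conf -l /var/log/snort_inline'
}

# Demo: drop the SSH probe and the ICMP sweep, leave the Nikto rule as alert.
printf '%s\n' "$SAMPLE_RULES" | to_inline drop "1000001 1000003"
inline_hook_cmds
```

The rule text before and after conversion is identical apart from the first word, which is the whole IDS-versus-IPS difference at the ruleset level; the rest of the work (the QUEUE hook, and sizing the box so inspection plus forwarding keeps up) is what the reply above is warning about.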
I ask because I have been running SmoothWall Express (SWE) 2.0 for about 3 years, but last weekend I did a public demonstration of SWE 3.0 side-by-side w/ IPCop 1.4.16. As a result I am convinced that I want to upgrade my SWE 2.0, but I'm undecided between SWE 3.0 & IPCop. I would appreciate your input.