LinuxQuestions.org
Old 08-08-2005, 10:52 PM   #1
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Security Logging Thoughts


I have a rather unusual network setup, that is unfortunately not easy to change. I have a LAN behind a Debian firewalling box, which is unfortunately behind a Linksys VOIP router. The Linksys VOIP router has the Debian box in a DMZ (for port forwarding reasons).

I run snort and acid on there (though acid generates LOTS of php warnings) and don't see much of interest except "Double Decoding Attack"s and similar. So, what can I do to step up logging and give me more to feel assured by?
 
Old 08-09-2005, 04:49 PM   #2
gd2shoe
Member
 
Registered: Jun 2004
Location: Northern CA
Distribution: Debian
Posts: 835

Re: Security Logging Thoughts

Quote:
Originally posted by Matir
The Linksys VOIP router has the Debian box in a DMZ (for port forwarding reasons).

So, what can I do to step up logging and give me more to feel assured by?
I really would change that DMZ setting if you can at all help it. If you need individual ports open, you can almost always forward individual ports. There are very few routers that cannot do this, and very few protocols that need special consideration when doing so (some ftp, usually this is also handled fine by the router).

I realize that I may be preaching to the choir on this, but it would be almost essential to my sanity if it were my box. (tried to look up your situation, but there are 6 Linksys VoIP products, and the site annoyed me too much to continue)
 
Old 08-09-2005, 04:52 PM   #3
gd2shoe
Member
 
Registered: Jun 2004
Location: Northern CA
Distribution: Debian
Posts: 835

P.S. I threw in my two cents, not because I wanted to ignore your original question, but because I wanted to make a recommendation (and because I don't have good knowledge to contribute on that angle). Security logging will only go so far. Once a hacker gets in, he will undoubtedly mess with the log files. Detection is important, but prevention is key.
 
Old 08-09-2005, 05:47 PM   #4
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

What is the "Debian firewalling box"? Totally hand rolled, or built from a script?

I take it from your thread title that this is about changing your security through more useful logging, rather than by changing the basic firewalling packet decisions.
 
Old 08-09-2005, 05:51 PM   #5
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Original Poster
I feel my firewall is pretty strong (and yes, hand rolled), I just want to know how I can more effectively analyze WHAT I'm getting hit with.

As far as switching off the DMZ: I'll consider it, I'm just not sure how well I can port-forward a VPN service through the Linksys router. I also use another half-dozen or so open ports. It's just easier to DMZ the Debian box and then port-forward from it.

The Debian box used to be the only NAT until we got VoIP, so it was exposed directly to the internet for quite a while.
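As an added example (not from any post in this thread) of getting a quick picture of what is hitting the box, here is a small shell script that summarises iptables LOG lines from syslog by source address, destination port and protocol, optionally per --log-prefix tag. The log lines and the prefixes FW-DROP-IN: and DMZ-TO-LAN: are constructed for the example and assume the firewall logs with those prefixes.

```shell
#!/bin/sh
# Summarise iptables LOG entries (kernel lines in /var/log/kern.log or syslog)
# by one KEY= field, optionally restricted to one --log-prefix tag.
# The sample log below is constructed for this example; the prefixes
# FW-DROP-IN: and DMZ-TO-LAN: are assumed --log-prefix values.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Aug  9 22:10:01 fw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.2 LEN=48 TTL=112 ID=1 PROTO=TCP SPT=3189 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Aug  9 22:10:02 fw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.2 LEN=48 TTL=112 ID=2 PROTO=TCP SPT=3190 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
Aug  9 22:10:05 fw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=198.51.100.23 DST=192.168.1.2 LEN=60 TTL=51 ID=9 PROTO=TCP SPT=44210 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  9 22:11:17 fw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.2 LEN=404 TTL=112 ID=3 PROTO=UDP SPT=1026 DPT=1434 LEN=384
Aug  9 22:12:40 fw kernel: DMZ-TO-LAN: IN=eth2 OUT=eth1 SRC=192.168.3.110 DST=192.168.2.10 LEN=60 TTL=63 ID=7 PROTO=TCP SPT=5060 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
EOF

# field_counts LOGFILE KEY [PREFIX]
# Prints "count value" lines for one KEY= field (SRC, DST, DPT, PROTO, ...),
# most frequent first. With PREFIX, only lines carrying that --log-prefix count.
# The leading space in the pattern keeps DPT= from matching inside SPT=.
field_counts() {
    logfile=$1; key=$2; prefix=${3:-}
    grep -F "kernel: ${prefix}" "$logfile" \
      | sed -n "s/.*[[:space:]]${key}=\([^[:space:]]*\).*/\1/p" \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# hits LOGFILE PREFIX : number of logged packets carrying one prefix
hits() {
    grep -c -F "kernel: $2" "$1"
}

# report LOGFILE : one section per prefix with the top talkers and ports
report() {
    for p in FW-DROP-IN DMZ-TO-LAN; do
        echo "== $p: $(hits "$1" "$p:") packets"
        echo "-- top sources";   field_counts "$1" SRC "$p:" | head -n 5
        echo "-- top dst ports"; field_counts "$1" DPT "$p:" | head -n 5
        echo "-- protocols";     field_counts "$1" PROTO "$p:"
    done
}

report "$SAMPLE_LOG"
```

Point it at the real file with `report /var/log/kern.log` once the firewall's LOG rules use the same prefixes.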
 
Old 08-09-2005, 11:12 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

So are you more concerned about seeing all traffic going to the Linksys VoIP router or maximizing logging of what is currently being forwarded to the Debian box in the DMZ?
 
Old 08-09-2005, 11:28 PM   #7
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Original Poster
Well, there's not much I can do about what's going to the VOIP router, but I'd like to see more about what gets to the Debian box. I wish I could make the router act like an ethernet bridge so the 192.168.1.1 (Linksys router) IP doesn't appear everywhere. But that's later.
 
Old 08-10-2005, 09:21 AM   #8
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

How about the Linksys VOIP router mod.#, w/ link if poss.?

What is your bb connection? Esp. your IP addr. status?
 
Old 08-10-2005, 10:47 AM   #9
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Original Poster
I have PPPoE FTTH DSL (FTTH=fiber to the home, for those who aren't aware) from BellSouth. I'm not sure what the VoIP router's model is, I'll check it when I go home tonight. I'm sitting at work right now, and am unable to check. I *THINK* it's an RT41P2, but I'm not sure.
 
Old 09-17-2005, 10:28 AM   #10
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Yes Matir it is I, the true pain in your behind. My network is the same as yours somewhat. Listen, I just purchased a Lingo VOIP modem and I set up my network as follows:

Cable modem
#
#
#
(eth0 - 192.168.1.0)
|
|
Linux-Firewall-Router-DMZ-(eth2-192.168.3.0)----(192.168.3.110-VOIPModem)
|
|
(eth1- 192.168.2.0)
|
|
Dlink wireless router
|
|
Windows 2k wireless clients

Please help, sensei!

Question:

I am having trouble once again with my firewall rules. What rules do I need in my IPTABLES to properly set up my VOIP modem on its own DMZ? I already added a third NIC (DMZ) and gave it 192.168.3.1. Lingo said to put it on its own DMZ and have no restriction to the VOIP modem to and from. Can you please direct me in the right direction? I am truly stumped. I want unrestricted traffic to and from my VOIP modem and I want to be able to analyze traffic like you. I do have one suggestion for better tracking; check this link out for H323 tracking:

http://max.kellermann.name/projects/netfilter/h323.html

Last edited by metallica1973; 09-17-2005 at 10:31 AM.
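An added example for the three-NIC layout drawn above (my rules, not Lingo's or anyone's from the thread): it assumes eth0 faces the cable modem, eth1 the LAN (192.168.2.0/24) and eth2 the DMZ (192.168.3.0/24) with the VoIP modem at 192.168.3.110, gives the modem unrestricted forwarding to and from the Internet, keeps the DMZ from opening connections into the LAN, and adds LOG rules with prefixes so the traffic can be analysed as asked. It defaults to a dry run that only prints the rules; run it with IPT=/sbin/iptables as root to apply them.

```shell
#!/bin/sh
# Three-NIC firewall rules for the layout in the post above. Interface and
# address assignments are assumptions taken from that diagram; the policy
# (DMZ may not open connections into the LAN) is mine, not Lingo's.
# Dry run by default: prints the rules. Apply with IPT=/sbin/iptables as root.
IPT=${IPT:-echo iptables}
WAN=eth0; LAN=eth1; DMZ=eth2
LAN_NET=192.168.2.0/24; DMZ_NET=192.168.3.0/24; VOIP=192.168.3.110

apply_dmz_rules() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # LOGDROP: rate-limited log line, then drop, so every denied packet is attributable
    $IPT -N LOGDROP 2>/dev/null
    $IPT -F LOGDROP
    $IPT -A LOGDROP -m limit --limit 10/min -j LOG --log-prefix "FW-DROP-FWD: "
    $IPT -A LOGDROP -j DROP
    # replies to connections already allowed in either direction
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN clients may reach the Internet and the DMZ
    $IPT -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
    $IPT -A FORWARD -i $LAN -o $DMZ -s $LAN_NET -d $DMZ_NET -j ACCEPT
    # VoIP modem: unrestricted to and from the Internet (the provider's requirement);
    # new outbound connections are logged at a low rate so they can be analysed later
    $IPT -A FORWARD -i $DMZ -o $WAN -s $VOIP -m state --state NEW \
         -m limit --limit 5/min -j LOG --log-prefix "VOIP-OUT: "
    $IPT -A FORWARD -i $DMZ -o $WAN -s $VOIP -j ACCEPT
    $IPT -A FORWARD -i $WAN -o $DMZ -d $VOIP -j ACCEPT
    # If the cable modem NATs eth0, unsolicited inbound traffic for the modem also
    # needs a PREROUTING DNAT to $VOIP; the ports depend on the provider (not shown).
    # The DMZ must never start connections into the LAN: log, then drop
    $IPT -A FORWARD -i $DMZ -o $LAN -j LOGDROP
    # everything not matched above is logged and dropped as well
    $IPT -A FORWARD -j LOGDROP
    # hide both private networks behind the eth0 address
    $IPT -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
    $IPT -t nat -A POSTROUTING -o $WAN -s $DMZ_NET -j MASQUERADE
}

apply_dmz_rules
```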
 
Old 09-17-2005, 11:40 AM   #11
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Re: Security Logging Thoughts

Quote:
Originally posted by Matir

I run snort and acid on there (though acid generates LOTS of php warnings)
Not to sidetrack the main discussion, but BASE is based on the Acid code and is actually maintained as opposed to Acid, which I believe hasn't been maintained for a few years now.
 
Old 09-17-2005, 08:43 PM   #12
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Original Poster
Re: Re: Security Logging Thoughts

Quote:
Originally posted by Hangdog42
Not to sidetrack the main discussion, but BASE is based on the Acid code and is actually maintained as opposed to Acid, which I believe hasn't been maintained for a few years now.
I appreciate the remark. I just wish Debian would get themselves a nice Base package. I could go from source, but do like packages.
 
Old 09-18-2005, 08:47 AM   #13
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

I know packages are nice, but Base is PHP, so all that you really need to do is untar the archive into somewhere your web server can access, and you're good to go. No compiling required and no files scattered around the hard drive.
 
  

