LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 01-16-2006, 10:32 PM   #1
nitro001
LQ Newbie
 
Registered: Mar 2004
Posts: 5

Rep: Reputation: 0
Securing SuSE Linux 10.0


All,

I have recently upgraded my IDS database server to SuSE 10. It is a good distribution that I have been running on my desktop since it was released. My existing configuration has a Snort box that is listening on my cable modem on 1 subnet (192.168.1.x), a hub (not a switch), then a firewall/router and my desktop is behind that on another subnet (192.168.2.x). Attached to the hub are two machines, a honeypot and snort box, and the honeypot is in front of the DMZ on the 192.168.x network. On another network card in each of these machines is a direct connection to my IDS database server. The 3rd network card in the IDS server is connected to the internal network (192.168.2.x). If the Snort/Honeypot boxes get compromised, I want to make sure the IDS database server doesn't so that my internal network is safe.

I figured the Bastille Linux Scripts would work, however, it seems not to support SuSE 10.

Any ideas?

Thanks,
Nathan
 
Old 01-19-2006, 06:49 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3608
Quote: My existing configuration (...)
...if you could draw a network diagram that will be less prone to misunderstanding.


Quote: If the Snort/Honeypot boxes get compromised, I want to make sure the IDS database server doesn't so that my internal network is safe.
First of all if you have one Snort box (you really need two?) as a bridge chances of it getting cracked would be distinctly lower. The Honeypot is an accident waiting to happen, but then deliberately. IMHO it should be in a separate subnet, as much isolated from the rest of your setup as you can. BTW I saw an article on SF's RSS about the new Honeypot/Sebek-3/Roo stuff, check it out.


Quote: I figured the Bastille Linux Scripts would work, however, it seems not to support SuSE 10.
Two choices: either rip the goodies from Bastille Linux and apply manually, or send patches to get it working on SuSE 10. While it's an investment of knowledge and time it'll help a lot of people.
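The "rip the goodies from Bastille and apply manually" route, as an added example that is not from the thread or from Bastille itself: a POSIX shell script that writes and audits the kernel network settings a three-NIC database host should carry. File paths, the service list and the `chkconfig` invocation are assumptions; the setting that matters most for this layout is `net.ipv4.ip_forward = 0`, since a multi-homed host with forwarding enabled would itself route packets from the sensor/honeypot links into the internal 192.168.2.x LAN.

```shell
#!/bin/sh
# Added example (not from the thread or from Bastille): a hand-applied subset
# of the kernel network hardening Bastille would do, aimed at a host with three
# NICs that must never route between them. File paths are assumptions.

# Settings a multi-homed database host should carry. ip_forward=0 is the one
# that matters most here: with forwarding on, the DB box itself would route
# packets from the honeypot/sensor links into the internal 192.168.2.x LAN.
required_sysctl() {
    cat <<'EOF'
net.ipv4.ip_forward=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.log_martians=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1
EOF
}

# Write the settings in "key = value" form (default target: /etc/sysctl.conf,
# which SuSE reads at boot; run `sysctl -p` afterwards to load them).
write_sysctl_conf() {
    target="${1:-/etc/sysctl.conf}"
    {
        echo "# network hardening for a multi-homed sensor/database host"
        for kv in $(required_sysctl); do
            echo "${kv%%=*} = ${kv#*=}"
        done
    } > "$target"
}

# Audit an existing sysctl file: print one DEVIATION line per required key
# that is missing or carries a different value; exit status 1 if any deviate.
audit_sysctl_conf() {
    file="$1"
    rc=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    for kv in $(required_sysctl); do
        key=${kv%%=*}
        want=${kv#*=}
        # escape the dots so they match literally in the sed pattern
        key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
        have=$(sed -n "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*//p" "$file" \
               | sed 's/[[:space:]]*$//' | tail -n 1)
        if [ "$have" != "$want" ]; then
            echo "DEVIATION: $key is '${have:-unset}', want '$want'"
            rc=1
        fi
    done
    return $rc
}

# Services a dedicated database host has no business running (assumed list;
# trim to taste). Uses chkconfig, which SuSE 10 ships.
disable_unneeded_services() {
    for svc in portmap nfs nfsserver cups xinetd smb nmb; do
        if chkconfig --list "$svc" >/dev/null 2>&1; then
            chkconfig "$svc" off
        fi
    done
}

case "${1:-}" in
    --write)    write_sysctl_conf "${2:-/etc/sysctl.conf}" ;;
    --audit)    audit_sysctl_conf "${2:-/etc/sysctl.conf}" ;;
    --services) disable_unneeded_services ;;
esac
```

Run it as `sh harden.sh --audit /etc/sysctl.conf` to see what deviates before touching anything, then `--write` and `sysctl -p` to apply; the audit is the part worth keeping in cron, since a later YaST run or package update can silently turn forwarding back on.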
 
Old 01-20-2006, 12:51 PM   #3
nitro001
LQ Newbie
 
Registered: Mar 2004
Posts: 5

Original Poster
Rep: Reputation: 0
Network Logon

Here is a link to the network diagram I am building.

http //www registrars kent edu/home/Network.jpg
Replace the spaces with dots. It would not let me post a link to another site since I haven't posted 5 messages yet.

I have it hosted at work, but building network at home.

The Honeypot is in the DMZ on the outer network, but plugged into the Hub.
Therefore any traffic that is going to the Honeypot will be broadcast on the hub to all PCs on the hub. Then the snort box sits on there listening to all traffic.

I see that Bastille has support for Fedora Core 4, but fedora doesn't have a nice Text/GUI configuration tool like YaST as far as I know. If it did I would switch to that especially since I am using ext3 file system anyway.

I am trying to secure the Database system first since it is directly connected to the internal 192.168.2.x network, which is where all my internal/home use PCs are behind the built-in firewall on the Linksys router. The firewall is turned off on the 192.168.1.x Linksys Router.
 
Old 01-23-2006, 06:43 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3608
Only thing I could come up with is using virtualization: if the main host isn't visible (you better not be running VMWare then) then hiding snort and eth1 from the vhost and using eth1 as main host connection to the database adds one layer more to penetrate. Still I think that if database security must be maintained at all times you'll have to sever the link between honeypot and database by confining the honeypot to a DMZ segment, putting snort on a bridge in front of the DMZ and using a 3rd eth on the bridge to feed the database.
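The packet-filter side of the layout unSpawn describes (honeypot confined to its own DMZ segment, Snort on a bridge, a dedicated third interface on the bridge feeding the database), as an added example that is not the thread's own configuration: an iptables-restore ruleset for the three-NIC database host. Interface names, the point-to-point feed subnet and the database port are assumptions; 192.168.2.0/24 is the internal LAN from the thread. The honeypot-side NIC gets no ACCEPT rule at all, only its own log prefix, so that if the link is not yet physically severed a compromised honeypot probing inward shows up in the log rather than silently disappearing.

```shell
#!/bin/sh
# Added example (not the thread's own configuration): the packet-filter policy
# a three-NIC database host would carry when the only thing reaching it is the
# Snort bridge's dedicated feed. Interface names, the feed subnet and the
# database port are assumptions; 192.168.2.0/24 is the thread's internal LAN.
: "${FEED_IF:=eth0}"           # assumed: NIC wired to the Snort bridge's 3rd eth
: "${SENSOR_IP:=10.0.0.2}"     # assumed: sensor's address on that point-to-point link
: "${HONEYPOT_IF:=eth1}"       # assumed: the old honeypot link; should be unplugged
: "${LAN_IF:=eth2}"            # assumed: NIC on the internal LAN
: "${LAN_NET:=192.168.2.0/24}"
: "${DB_PORT:=3306}"           # assumed: MySQL; use 5432 for PostgreSQL

# Emit an iptables-restore ruleset. INPUT and FORWARD default to DROP, so the
# host cannot act as a router between its segments, and only two inbound
# flows are opened: the sensor's DB connection on the feed NIC and ssh from
# the internal LAN on the LAN NIC.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# collector feed: only the sensor, only the DB port, only on the feed NIC
-A INPUT -i $FEED_IF -s $SENSOR_IP -p tcp --dport $DB_PORT -m state --state NEW -j ACCEPT
# administration: ssh only from the internal LAN on the LAN NIC
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
# anything arriving on the honeypot-side NIC is evidence of a compromised
# honeypot probing inward: log it under its own prefix, then let policy drop it
-A INPUT -i $HONEYPOT_IF -m limit --limit 5/min -j LOG --log-prefix "HONEYPOT->DB: "
# everything else is logged (rate-limited) and dropped by policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "DB-HOST DROP: "
COMMIT
EOF
}

# Load the ruleset atomically (needs root and iptables-restore).
apply_rules() {
    gen_rules | iptables-restore
}

# Count the ACCEPT rules that open a NEW inbound flow: a quick sanity check
# that the policy exposes exactly the two intended services and nothing else.
count_open_flows() {
    gen_rules | grep -c -- '--state NEW -j ACCEPT'
}

case "${1:-}" in
    --show)  gen_rules ;;
    --apply) apply_rules ;;
esac
```

`sh dbfilter.sh --show` prints the ruleset for review; `--apply` loads it. Because FORWARD is DROP and the sysctl side keeps `ip_forward` at 0, the database host cannot be used as a bridge between the sensor/honeypot links and the internal LAN even if the database service itself is compromised; the `HONEYPOT->DB:` log prefix is the line to alert on.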
 
  

