LinuxQuestions.org > Linux - Security > Security Logging Thoughts (https://www.linuxquestions.org/questions/linux-security-4/security-logging-thoughts-351364/)

Matir 08-08-2005 10:52 PM

Security Logging Thoughts
 
I have a rather unusual network setup, that is unfortunately not easy to change. I have a LAN behind a Debian firewalling box, which is unfortunately behind a Linksys VOIP router. The Linksys VOIP router has the Debian box in a DMZ (for port forwarding reasons).

I run snort and acid on there (though acid generates LOTS of php warnings) and don't see much of interest except "Double Decoding Attack"s and similar. So, what can I do to step up logging and give me more to feel assured by? :)

gd2shoe 08-09-2005 04:49 PM

Re: Security Logging Thoughts
 
Quote:

Originally posted by Matir
The Linksys VOIP router has the Debian box in a DMZ (for port forwarding reasons).

So, what can I do to step up logging and give me more to feel assured by? :)

I really would change that DMZ setting if you can at all help it. If you need individual ports open, you can almost always forward individual ports. There are very few routers that cannot do this, and very few protocols that need special consideration when doing so (some FTP; usually this is also handled fine by the router).

I realize that I may be preaching to the choir on this, but it would be almost essential to my sanity if it were my box. (Tried to look up your situation, but there are 6 Linksys VoIP products, and the site annoyed me too much to continue.)

gd2shoe 08-09-2005 04:52 PM

P.S. I threw in my two cents, not because I wanted to ignore your original question, but because I wanted to make a recommendation (and because I don't have good knowledge to contribute on that angle). Security logging will only go so far. Once a hacker gets in, he will undoubtedly mess with the log files. Detection is important, but prevention is key.

archtoad6 08-09-2005 05:47 PM

What is the "Debian firewalling box"? Totally hand rolled, or built from a script?

I take it from your thread title that this is about changing your security through more useful logging, rather than by changing the basic firewalling packet decisions.

Matir 08-09-2005 05:51 PM

I feel my firewall is pretty strong (and yes, hand rolled), I just want to know how I can more effectively analyze WHAT I'm getting hit with.

As far as switching off the DMZ: I'll consider it, I'm just not sure how well I can portforward a VPN service through the Linksys router. I also use another half-dozen or so open ports. It's just easier to DMZ the Debian box and then portforward from it.

The Debian box used to be the only NAT until we got VoIP, so it was exposed directly to the internet for quite a while. :)

Capt_Caveman 08-09-2005 11:12 PM

So are you more concerned about seeing all traffic going to the Linksys VoIP router or maximizing logging of what is currently being forwarded to the Debian box in the DMZ?

Matir 08-09-2005 11:28 PM

Well, there's not much I can do about what's going to the VOIP router, but I'd like to see more about what gets to the Debian box. I wish I could make the router act like an Ethernet bridge so the 192.168.1.1 (Linksys router) IP doesn't appear everywhere. But that's later.
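One way to see "more about what gets to the Debian box" with nothing beyond iptables and awk: the kernel's LOG target already records source, protocol and destination port for every packet it sees, so a short pass over kern.log answers "what am I getting hit with". This is an added example, not code from the thread; the log lines are constructed, and the prefix `FW-DMZ-DROP:` is an assumed one that a LOG rule would set with `--log-prefix`.

```shell
#!/bin/sh
# Added example (not from the thread): summarise iptables LOG lines from the kernel log.
# Assumes the LOG rules on the firewall use a recognisable prefix such as "FW-DMZ-DROP: ".

# Constructed sample lines standing in for /var/log/kern.log; addresses are documentation ranges.
SAMPLE_LOG='Aug 10 02:11:09 fw kernel: FW-DMZ-DROP: IN=eth0 OUT=eth2 SRC=203.0.113.7 DST=192.168.3.110 LEN=48 PROTO=TCP SPT=4567 DPT=445 SYN
Aug 10 02:11:12 fw kernel: FW-DMZ-DROP: IN=eth0 OUT=eth2 SRC=203.0.113.7 DST=192.168.3.110 LEN=48 PROTO=TCP SPT=4570 DPT=135 SYN
Aug 10 02:13:40 fw kernel: FW-DMZ-DROP: IN=eth0 OUT=eth2 SRC=198.51.100.23 DST=192.168.3.110 LEN=60 PROTO=UDP SPT=5060 DPT=5060
Aug 10 02:14:02 fw kernel: FW-DMZ-DROP: IN=eth0 OUT=eth2 SRC=203.0.113.7 DST=192.168.3.110 LEN=48 PROTO=TCP SPT=4580 DPT=445 SYN
Aug 10 02:15:33 fw kernel: FW-IN-DROP: IN=eth0 OUT= SRC=192.0.2.200 DST=192.168.1.2 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Aug 10 02:16:00 fw sshd[123]: Accepted publickey for matir from 192.168.2.5'

# fw_summary PREFIX < logfile
# Prints "count source proto dport" for every LOG line carrying PREFIX, busiest first.
fw_summary() {
    awk -v pfx="$1" '
        index($0, pfx) == 0 { next }          # not one of our firewall lines
        {
            src = proto = dpt = "-"
            for (i = 1; i <= NF; i++) {       # fields look like KEY=VALUE
                split($i, kv, "=")
                if (kv[1] == "SRC")        src   = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT")   dpt   = kv[2]
            }
            hits[src " " proto " " dpt]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -rn
}

# fw_top_sources PREFIX < logfile
# Hits per source address regardless of port: shows hosts sweeping the box.
fw_top_sources() {
    awk -v pfx="$1" 'index($0, pfx) && match($0, /SRC=[^ ]+/) {
        print substr($0, RSTART + 4, RLENGTH - 4)
    }' | sort | uniq -c | sort -rn
}

# Real use: fw_summary "FW-DMZ-DROP:" < /var/log/kern.log
printf '%s\n' "$SAMPLE_LOG" | fw_summary "FW-DMZ-DROP:"
printf '%s\n' "$SAMPLE_LOG" | fw_top_sources "FW-DMZ-DROP:"
```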

archtoad6 08-10-2005 09:21 AM

How about the Linksys VOIP router mod.#, w/ link if poss.?

What is your bb connection? Esp. your IP addr. status?

Matir 08-10-2005 10:47 AM

I have PPPoE FTTH DSL (FTTH=fiber to the home, for those who aren't aware) from BellSouth. I'm not sure what the VoIP router's model is, I'll check it when I go home tonight. I'm sitting at work right now, and am unable to check. I *THINK* it's an RT41P2, but I'm not sure.

metallica1973 09-17-2005 10:28 AM

Yes Matir it is I, the true pain in your behind. My network is the same as yours somewhat. Listen, I just purchased a Lingo VOIP modem and I set up my network as follows:

Cable modem
#
#
#
(eth0 - 192.168.1.0)
|
|
Linux-Firewall-Router-DMZ-(eth2-192.168.3.0)----(192.168.3.110-VOIPModem)
|
|
(eth1- 192.168.2.0)
|
|
Dlink wireless router
|
|
Windows 2k wireless clients

Please help sensei!

Question:

I am having trouble once again with my firewall rules. What rules do I need in my IPTABLES to properly set up my VOIP modem on its own DMZ? I already added a third NIC (DMZ) and gave it 192.168.3.1. Lingo said to put it on its own DMZ and have no restriction to and from the VOIP modem. Can you please direct me in the right direction? I am truly stumped. I want unrestricted traffic to and from my VOIP modem and I want to be able to analyze traffic like you. I do have one suggestion for better tracking; check this link out for H323 tracking:

http://max.kellermann.name/projects/netfilter/h323.html
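The rules asked for above, as an added example rather than anything posted in the thread: a dedicated DMZ chain on the three-NIC Debian box that passes the VoIP modem's traffic unrestricted in both directions and logs, then drops, everything else that touches the DMZ interface, which is also what gives you something to analyze. It assumes the layout in the diagram (eth0 towards the cable modem, eth1 LAN, eth2 DMZ, modem at 192.168.3.110), that outbound NAT on eth0 already exists, and an `IPT` variable so the commands can be previewed with `IPT=echo`.

```shell
#!/bin/sh
# Added example (not from the thread). DMZ rules for the three-NIC Debian firewall above.
# Assumed layout from the diagram: eth0 = cable modem side, eth1 = LAN, eth2 = DMZ with the
# VoIP modem at 192.168.3.110. Outbound NAT (MASQUERADE) on eth0 is assumed to exist already.
IPT=${IPT:-iptables}        # IPT=echo previews the commands without applying them
WAN=eth0; LAN=eth1; DMZ=eth2
VOIP=192.168.3.110

dmz_rules() {
    # Own chain, so the DMZ policy can be inspected with: iptables -L DMZ -v -n
    $IPT -N DMZ 2>/dev/null || $IPT -F DMZ
    $IPT -A DMZ -m state --state ESTABLISHED,RELATED -j ACCEPT
    # "No restriction to and from the VoIP modem", but for the modem address only,
    # not for anything else that may later get plugged into the 192.168.3.0/24 segment.
    $IPT -A DMZ -i $DMZ -o $WAN -s $VOIP -j ACCEPT
    $IPT -A DMZ -i $WAN -o $DMZ -d $VOIP -j ACCEPT
    # LAN may open connections to the modem (its admin page); the DMZ never initiates into the LAN.
    $IPT -A DMZ -i $LAN -o $DMZ -d $VOIP -j ACCEPT
    # Anything else touching the DMZ is logged (rate-limited) and dropped. The prefix is what
    # you grep for later in /var/log/kern.log to see what is actually arriving.
    $IPT -A DMZ -m limit --limit 5/min --limit-burst 10 \
         -j LOG --log-prefix "FW-DMZ-DROP: " --log-level 4
    $IPT -A DMZ -j DROP
    # Send every forwarded packet entering or leaving the DMZ interface through the chain.
    $IPT -A FORWARD -i $DMZ -j DMZ
    $IPT -A FORWARD -o $DMZ -j DMZ
    # Packets aimed at the firewall itself from the DMZ: only the modem, everything else logged.
    $IPT -A INPUT -i $DMZ -s $VOIP -j ACCEPT
    $IPT -A INPUT -i $DMZ -m limit --limit 5/min -j LOG --log-prefix "FW-DMZ-IN-DROP: "
    $IPT -A INPUT -i $DMZ -j DROP
}

# Optional: the H.323 connection-tracking helper from the link above, so call media streams
# are matched as RELATED instead of showing up as drops. Module names are assumptions;
# check modinfo on your kernel.
load_h323_helper() {
    modprobe nf_conntrack_h323 2>/dev/null || modprobe ip_conntrack_h323
}

# Run with --apply to install the rules; without it, only print what would be done.
if [ "${1:-}" = "--apply" ]; then
    dmz_rules
else
    (IPT=echo; dmz_rules)
fi
```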

Hangdog42 09-17-2005 11:40 AM

Re: Security Logging Thoughts
 
Quote:

Originally posted by Matir

I run snort and acid on there (though acid generates LOTS of php warnings)

Not to sidetrack the main discussion, but BASE is based on the Acid code and is actually maintained as opposed to Acid, which I believe hasn't been maintained for a few years now.

Matir 09-17-2005 08:43 PM

Re: Re: Security Logging Thoughts
 
Quote:

Originally posted by Hangdog42
Not to sidetrack the main discussion, but BASE is based on the Acid code and is actually maintained as opposed to Acid, which I believe hasn't been maintained for a few years now.

I appreciate the remark. I just wish Debian would get themselves a nice Base package. I could go from source, but do like packages. :)

Hangdog42 09-18-2005 08:47 AM

I know packages are nice, but Base is PHP, so all that you really need to do is untar the archive into somewhere your web server can access, and you're good to go. No compiling required and no files scattered around the hard drive.