Re: [Bastille-linux-discuss] [Fwd: ** psad: firewall setup warning!]
From: Albert E. W. C. <aewhale@ABS-CompTech.com> - 2003-04-24 13:45:47
Michael, the formatting on my previous email was horrible (to say the least). Here is the information in a text file to eliminate the formatting issue.

Michael Rash wrote:
> I have made the firewall parsing code in psad-1.1 much more strict and complete. Can you send the output of "iptables -nL" on your firewall (you can sanitize all ip addresses with "xxx.xxx.xxx.xxx" if you like)?
>
> Thanks,
>
> --Mike
> http://www.cipherdyne.com
>
> --- "Albert E. Whale, CISSP" <aewhale@ABS-CompTech.com> wrote:
>
>> OK, I just got this in. After upgrading from psad-1.0 to psad-1.1.
>> What do I need to do to the bastille-firewall script(s) to compensate for this warning?
>>
>> -------- Original Message --------
>> Subject: ** psad: firewall setup warning!
>> Date: Wed, 23 Apr 2003 16:37:53 -0400
>>
>> ** The INPUT chain in the iptables ruleset on ns.ABS-CompTech.com includes
>>    a default LOG rule for all protocols, but the rule does not have a log
>>    prefix of "DROP" psad will not be able to detect scans without adding
>>    --log-prefix "DROP" to the rule.
>>
>> ** The FORWARD chain in the iptables ruleset on ns.ABS-CompTech.com does
>>    not include default rules that will log and drop unwanted packets. You
>>    need to include two default rules; one that logs packets that have not
>>    been accepted by previous rules (this rule should have a logging prefix
>>    of "DROP"), and a final rule that drops any unwanted packets.
>>
>>    FOR EXAMPLE: Assuming you have already setup iptables rules to accept
>>    traffic you want to accept, you can probably execute the following two
>>    commands to have iptables log and drop unwanted packets in the FORWARD
>>    chain by default.
>>
>>      iptables -A FORWARD -j LOG --log-prefix " DROP"
>>      iptables -A FORWARD -j DROP
>>
>> ** Psad will not detect in the iptables FORWARD chain scans without an
>>    iptables ruleset that includes rules similar to the two rules above.
>>
>> NOTE: IPTables::Parse does not yet parse user defined chains and so it
>>    is possible your firewall config is compatible with psad anyway.
>>
>> --
>> Albert E. Whale, CISSP
>> http://www.abs-comptech.com
>> ABS Computer Technology, Inc. - ESM, Computer & Networking Specialists
>> Sr. Security, Network, and Systems Consultant
>> Founding Board of Directors of Pittsburgh FBI - InfraGard

--
Albert E. Whale, CISSP
http://www.abs-comptech.com
ABS Computer Technology, Inc. - ESM, Computer & Networking Specialists
Sr. Security, Network, and Systems Consultant
Founding Board of Directors of Pittsburgh FBI - InfraGard
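An added illustration, not part of this thread and not psad's own IPTables::Parse code: a small Python checker that applies the two conditions in the psad warning above (a default LOG rule for all protocols carrying a "DROP" prefix, followed by a final DROP rule) to a constructed "iptables -nL" listing, so a firewall script can be checked before psad complains.

```python
import re

# Constructed "iptables -nL" listing (not from the posting): INPUT logs
# without a "DROP" prefix, FORWARD has no default log/drop pair, OUTPUT is fine.
SAMPLE_OUTPUT = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "DROP "
DROP       all  --  0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
PREFIX_RE = re.compile(r'prefix "([^"]*)"')

def parse_chains(listing: str) -> dict:
    """Map each chain name to its rules as {target, prot, prefix} dicts."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        fields = line.split()
        if current is None or len(fields) < 2 or fields[0] == "target":
            continue  # blank line or column header
        pm = PREFIX_RE.search(line)
        chains[current].append({"target": fields[0], "prot": fields[1],
                                "prefix": pm.group(1) if pm else None})
    return chains

def check_chain(rules: list) -> list:
    """Return psad-style complaints for one chain (empty list means OK)."""
    problems = []
    tail = [(r["target"], r["prot"]) for r in rules[-2:]]
    if tail != [("LOG", "all"), ("DROP", "all")]:
        problems.append("no default LOG-then-DROP rule pair for all protocols")
    logs = [r for r in rules if r["target"] == "LOG" and r["prot"] == "all"]
    if logs and not any(r["prefix"] and "DROP" in r["prefix"] for r in logs):
        problems.append('default LOG rule lacks --log-prefix "DROP"')
    return problems
```

Like IPTables::Parse at the time of the posting, this only inspects the chains listed by name; rules that jump to user-defined chains are not followed.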