[WBEL-users] Re: OT: best IDS / Securesystem with / for WBEL
Ed
ekg@tricity.wsu.edu
Wed, 21 Jul 2004 14:32:10 -0700
Jason Becker wrote:
> From: Stefan Sabolowitsch <Stefan.Sabolowitsch@feltengmbh.de>
> To: whitebox-users@beau.org
> Date: Wed, 21 Jul 2004 12:22:35 +0200
> Subject: [WBEL-users] OT: best IDS / Securesystem with / for WBEL
>
> A question to the experts :-) .
> How do I make my server(s) secure?
Don't install anything you don't use, especially servers.
Get rid of suid-root executables when possible.
Close ports you don't use with a firewall: iptables.
Install security patches: yum.
But first you must know your threat model: who are you trying to protect
against? Most of those IDS systems only tell you *after* you've been
broken into, and they can be defeated by a skilled adversary. If you're
really fighting people like that, you might be better served by a system
like OpenBSD which will take you less time to "harden". (On the other
hand, IDS are helpful to know that you *have* been broken into, so you
can respond.)
Ed
> What is the best combination?
> For example with samhain + snare + snort (possibly with a central log server
> for that).
>
> ***
>
> I'm no security expert so take my comments with a grain of salt but...
> IDS are notorious for producing false positives and in general are
> difficult to use in practice.
>
> My suggestion would be to run Nessus against your server and follow the
> advice/suggestions it offers. Bastille Linux also provides a hardening
> "script" which may work with WBEL (Can anyone else confirm? I haven't
> tried it...)
>
> Cheers
>
> Jason
>
> P.S.
>
> Nessus will report a "Security Hole" on the version of openssh server
> used in WBEL but that is not the case. Red Hat backports security fixes.
> Check the mailing list archives for coverage of this concern.
>
> _______________________________________________
> Whitebox-users mailing list
> Whitebox-users@beau.org
> http://beau.org/mailman/listinfo/whitebox-users
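Ed's advice above to get rid of suid-root executables you don't need, as an added example that is not from the thread: a small POSIX shell audit that lists setuid executables owned by a given user under a directory tree, reports those not on an allowlist, and can clear the setuid bit on the rest. The allowlist contents and the function names (list_suid, is_allowed, audit_suid) are my own constructed choices, not anything from WBEL or the list.

```shell
#!/bin/sh
# Added example (not from the thread): inventory setuid executables under a
# directory tree owned by a given user, report the ones that are not on an
# allowlist, and optionally clear the setuid bit on them.
# Assumptions: POSIX sh with find(1), chmod(1) and basename(1) available.

# Constructed sample allowlist: basenames of setuid binaries you decide to
# keep. Adjust it to what your own server actually needs.
SUID_ALLOWLIST="passwd su sudo"

# Print each setuid regular file under $1 owned by $2, one path per line,
# staying on the same filesystem (-xdev) so NFS and /proc are not walked.
list_suid() {
    find "$1" -xdev -type f -user "$2" -perm -4000 2>/dev/null | sort
}

# Return 0 if basename $1 is in SUID_ALLOWLIST, 1 otherwise.
is_allowed() {
    for name in $SUID_ALLOWLIST; do
        [ "$name" = "$1" ] && return 0
    done
    return 1
}

# Print setuid executables under $1 owned by $2 that are NOT allowlisted.
# With $3 = "fix", also clear the setuid bit (chmod u-s) on each of them;
# the default mode "report" only prints, so you can review before acting.
audit_suid() {
    dir=$1; owner=$2; mode=${3:-report}
    list_suid "$dir" "$owner" | while IFS= read -r path; do
        if ! is_allowed "$(basename "$path")"; then
            printf '%s\n' "$path"
            if [ "$mode" = "fix" ]; then chmod u-s "$path"; fi
        fi
    done
}

# Typical use on a real host (run as root): audit_suid / root, review the
# output, then audit_suid / root fix once you are sure nothing needed is listed.
```

Run it in report mode first; anything it lists that is part of a package you rely on belongs in the allowlist, not stripped of its setuid bit.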