[Bro] Is there a quickstart method?
jp.luiggi at free.fr
Wed Nov 29 16:27:07 PST 2006
On Wed, Nov 29, 2006 at 02:10:03PM -0600, David Caldwell wrote:
> be outside the firewall. I will have to ssh to it from wherever. If I
> am thinking correctly it really does not matter what ip address I
> assign to the bro listening interface because in promiscuous mode the
> interface will not really have an ip address anyway.....it just
Whether an interface has an IP address and whether it runs in promiscuous
mode are unrelated.
You can listen (promiscuous or not) to the traffic on an interface, with an
IP or without one.
> listens on this interface (please correct me if I am wrong). The
> second interface I can set up a quick iptables ruleset to deny all
> and allow only internal (to the box) requests.
Yes, it's a possible workaround.
> So while I am not too terribly concerned about this box being used to
> circumvent my security inside the firewall, I am concerned about the
> box being taken over. Any of you have a suggestion as to how to keep
> this from happening, or is my logic sound on my thinking here?
As I said before, Bro doesn't run as a network service.
And some ideas:
- use a firewall (iptables) to block offending traffic.
- use ssh on a port other than 22.
- use complex passwords, disable direct root login (example of conf
- You may also want to use a HIDS such as "ossec"
More information about the Bro
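The sensor layout discussed in this thread (a sniffing interface with no IP address, a separate management interface that only accepts ssh on a non-default port, and root login disabled) can be expressed as one short script. The following is an added example, not code from the thread or from the Bro project; the interface names `eth0`/`eth1`, the port `2222`, the use of `ip` and `iptables`, and the `DRY_RUN` switch are assumptions made here. It prints the commands by default so the ruleset can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example: harden a Bro sensor with a sniffing interface and a
# management interface, following the advice given in the thread.
# Assumptions (hypothetical values, change to match the host):
SNIFF_IF="${SNIFF_IF:-eth1}"   # capture interface: promiscuous, no address
MGMT_IF="${MGMT_IF:-eth0}"     # management interface: ssh only
SSH_PORT="${SSH_PORT:-2222}"   # non-default ssh port
DRY_RUN="${DRY_RUN:-1}"        # 1 = print commands, 0 = execute (needs root)

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Bring the capture interface up in promiscuous mode with no IP address.
# An address is not required to sniff, and leaving it off removes a
# reachable target on the outside segment.
sniff_if_up() {
    run ip addr flush dev "$SNIFF_IF"
    run ip link set dev "$SNIFF_IF" up promisc on
}

# Default-deny inbound firewall: allow loopback, replies to connections the
# box started, and new ssh sessions on SSH_PORT via the management interface.
# Anything arriving on the capture interface is dropped explicitly.
mgmt_firewall() {
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -F INPUT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$MGMT_IF" -p tcp --dport "$SSH_PORT" \
        -m state --state NEW -j ACCEPT
    run iptables -A INPUT -i "$SNIFF_IF" -j DROP
    run iptables -A INPUT -j LOG --log-prefix "bro-mgmt-drop: "
}

# Audit an sshd_config file for the settings recommended in the thread.
# Returns 0 when root login is disabled and only SSH_PORT is configured,
# 1 otherwise, printing each missing item.
check_sshd_config() {
    f="$1"; ok=0
    grep -Eq "^[[:space:]]*PermitRootLogin[[:space:]]+no" "$f" \
        || { echo "missing: PermitRootLogin no"; ok=1; }
    grep -Eq "^[[:space:]]*Port[[:space:]]+$SSH_PORT[[:space:]]*\$" "$f" \
        || { echo "missing: Port $SSH_PORT"; ok=1; }
    grep -Eq "^[[:space:]]*Port[[:space:]]+22[[:space:]]*\$" "$f" \
        && { echo "still listening on port 22"; ok=1; }
    return $ok
}

# Self-contained demonstration of the audit on a constructed sshd_config:
# writes a sample file, checks it, and returns the check's result.
demo_check() {
    tmp=$(mktemp) || return 2
    printf 'Port %s\nPermitRootLogin no\nPasswordAuthentication yes\n' \
        "$SSH_PORT" > "$tmp"           # constructed sample, not a real host's config
    check_sshd_config "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: sh harden-sensor.sh /etc/ssh/sshd_config        (review, DRY_RUN=1)
#        DRY_RUN=0 sh harden-sensor.sh /etc/ssh/sshd_config  (apply, as root)
if [ -n "$1" ]; then
    sniff_if_up
    mgmt_firewall
    check_sshd_config "$1"
fi
```

The HIDS suggestion ("ossec") is deliberately left out of the script: it is a separate install, and the point of the firewall part is that the management interface exposes nothing but the one ssh port.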