[Bro] Is there a quickstart method?

Jean-Philippe Luiggi jp.luiggi at free.fr
Wed Nov 29 16:27:07 PST 2006


Hello,


On Wed, Nov 29, 2006 at 02:10:03PM -0600, David Caldwell wrote:
> be outside the firewall. I will have to ssh to it from wherever. If I  
> am thinking correctly it really does not matter what ip address I  
> assign to the bro listening interface because in promiscuous mode the  
> interface will not really have an ip address anyway.....it just

  There is no relation between having an IP address or not and running in
  promiscuous mode.
  You can listen (promiscuous or not) to the traffic on an interface, with an
  IP or without one.
  
> listens on this interface (please correct me if I am wrong). the  
> second interface I can set up a quick iptables ruleset to deny all  
> and allow only internal (to the box) requests.
  
  Yes, it's a possible workaround.

> So while I am not too terribly concerned about this box being used to  
> circumvent my security inside the firewall, I am concerned about the  
> box being taken over. Any of you have a suggestion as to how to keep  
> this from happening, or is my logic sound on my thinking here?

  As I said before, Bro doesn't run as a network service.
  And some ideas:
  - use a firewall (iptables) to block offending traffic.
  - use ssh on a different port than 22.
  - use complex passwords, disable direct root login (example config
  follows):
  
  ====
  Port 22101
  Protocol 2
  ListenAddress x.y.z.t
    
  LoginGraceTime 30s
  PermitRootLogin no
  StrictModes yes
  MaxAuthTries 2
  ====
  
  - You may also want to use a HIDS such as "ossec".
  
  Best regards.
  
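Added here as a worked example, not code from the mail or from Bro: a small POSIX shell audit that reads an sshd_config and reports which of the directives in the snippet above are not in effect, honouring sshd's first-match rule for repeated keywords. The sample configs and temp files are constructed for the demonstration.

```shell
# Added example, not from the original mail: audit an sshd_config against the
# directives suggested above. sshd uses the FIRST occurrence of a keyword, so
# the parser does too; keywords are case-insensitive and '#' lines are comments.
# Assumed simplifications: whitespace-separated "Keyword value" only (no "Keyword=value"),
# and parsing stops at the first Match block, whose conditional settings are not evaluated.
# sshd_effective FILE KEYWORD -> prints the effective (first-match) value, nothing if unset
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2   { next }        # comments and bare keywords
        tolower($1) == "match" { exit }        # stop before conditional blocks
        tolower($1) == key     { print $2; exit }
    ' "$1"
}
# sshd_check FILE -> returns 0 when every expected directive is in effect, else 1,
# printing one "keyword: expected X, got Y" line per deviation
sshd_check() {
    rc=0
    for pair in Protocol=2 PermitRootLogin=no StrictModes=yes MaxAuthTries=2 LoginGraceTime=30s; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: expected $want, got ${got:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs. The weak one sets PermitRootLogin twice: sshd keeps
# the first ("yes"), and it also leaves MaxAuthTries and LoginGraceTime at defaults.
sample_weak=$(mktemp)
cat >"$sample_weak" <<'EOF'
Port 22101
Protocol 2
permitrootlogin yes
PermitRootLogin no
StrictModes yes
EOF
sample_hard=$(mktemp)
cat >"$sample_hard" <<'EOF'
Port 22101
Protocol 2
LoginGraceTime 30s
PermitRootLogin no
StrictModes yes
MaxAuthTries 2
EOF
echo "== hardened sample"; sshd_check "$sample_hard" && echo "OK"
echo "== weak sample";     sshd_check "$sample_weak" || echo "needs attention"
```

Point it at a real /etc/ssh/sshd_config (read access needed) to see which of the mail's directives a host is missing.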