On 14 Nov 2001, Tim Haynes wrote:

> Personally, I go for
> a) DROP-by-default firewall with stateful filtering in iptables;
> b) such ports that are wide open (22, 80, 53/udp... whatever) are still
>    behind the protection of `INVALID';
> c) such services that listen on the open ports are as secured as possible -
>    latest versions, no extra apache modules, the whole 9 yards of BIND
>    security, libsafe, etc;
> d) fwlogwatch to mail me firewall alerts every night;
> e) snort to keep an eye on what tricks people are playing with those few
>    services that are open;
> f) AIDE to mail me filesystem changes every night.
>
> It's pretty rarely that I see any abuse that gets as far down the chain as
> to deserve human intervention.
That looks pretty practical. Have you considered looking at something like
'guardian' <http://www.chaotic.org/guardian/> to do automated response to
selected snort rules? It's clever enough to maintain a rolling window of
blocking, so you don't end up with a huge packetfilter and stale dynamic
addresses over time...

Anyway, I believe we are on close to the same page.

-thomas

>
> ~Tim
>

--
Do what thou wilt shall be the whole of the Law. -- Aleister Crowley
gpg: pub 1024D/81FD4B43 sub 4096g/BB6D2B11=>p.nu/d
     2B72 53DB 8104 2041 BDB4 F053 4AE5 01DF 81FD 4B43
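The two ideas in this exchange, Tim's DROP-by-default stateful ruleset with INVALID dropped ahead of the open ports, and Thomas's point that automated blocking needs a rolling window so the packet filter does not fill up with stale addresses, are sketched together below. This is an added example, not code from the thread, from guardian, or from the fwlogwatch/snort/AIDE projects, and it makes no claim about how guardian itself is implemented. It is a dry run: it only builds the iptables command strings and never executes them. The alert lines are constructed in snort's one-line alert layout with made-up SIDs and documentation-range addresses; the `never_block` list is an assumption added so that an alert carrying a forged or local source address can never cause the box to drop its own gateway or DNS server.

```python
import re
import ipaddress

# Ports the thread leaves open (22, 80, 53/udp); INVALID is dropped ahead of them.
OPEN_TCP = (22, 80)
OPEN_UDP = (53,)


def baseline_rules(open_tcp=OPEN_TCP, open_udp=OPEN_UDP):
    """Commands for a DROP-by-default INPUT chain with stateful filtering.
    Returned as strings (dry run); nothing here is executed."""
    rules = [
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        # INVALID comes first, so packets aimed at the open ports never reach an ACCEPT
        "iptables -A INPUT -m state --state INVALID -j DROP",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for port in open_tcp:
        rules.append(
            f"iptables -A INPUT -p tcp --dport {port} -m state --state NEW -j ACCEPT")
    for port in open_udp:
        rules.append(f"iptables -A INPUT -p udp --dport {port} -j ACCEPT")
    return rules


# Constructed sample alerts (snort one-line layout); SIDs in the local range and
# RFC 5737 documentation addresses, not real traffic. 192.0.2.0/24 plays the
# host's own LAN here, 192.0.2.10 the host itself.
SAMPLE_ALERTS = [
    "11/14-02:13:07.000001  [**] [1:1000001:1] CONSTRUCTED ssh probe [**] "
    "[Priority: 2] {TCP} 198.51.100.7:40000 -> 192.0.2.10:22",
    "11/14-02:13:09.000001  [**] [1:1000001:1] CONSTRUCTED ssh probe [**] "
    "[Priority: 2] {TCP} 198.51.100.7:40001 -> 192.0.2.10:22",
    "11/14-02:13:10.000001  [**] [1:1000002:1] CONSTRUCTED dns oddity [**] "
    "[Priority: 3] {UDP} 192.0.2.1:5353 -> 192.0.2.10:53",
    "11/14-02:14:30.000001  [**] [1:1000001:1] CONSTRUCTED ssh probe [**] "
    "[Priority: 2] {TCP} 203.0.113.9:50000 -> 192.0.2.10:22",
]

_TS = re.compile(r"^\d+/\d+-(\d+):(\d+):(\d+)")
_SRC = re.compile(r"\{(?:TCP|UDP|ICMP)\} (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? -> ")


def parse_alert(line):
    """Return (seconds since midnight, source IP), or None if the line does not parse.
    The sample spans a single day, so the date part is ignored."""
    ts, src = _TS.search(line), _SRC.search(line)
    if not ts or not src:
        return None
    h, m, s = (int(x) for x in ts.groups())
    return h * 3600 + m * 60 + s, src.group(1)


class RollingBlocklist:
    """Block an alert's source for `window` seconds; a repeat alert extends the
    block; expire() removes stale entries so the chain stops growing."""

    def __init__(self, window, never_block):
        self.window = window
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.active = {}  # source ip -> expiry (seconds since midnight)

    def protected(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.never_block)

    def alert(self, ip, now):
        """Return an insert command for a newly blocked source, None otherwise."""
        if self.protected(ip):
            return None
        is_new = ip not in self.active
        self.active[ip] = now + self.window  # new block or sliding extension
        return f"iptables -I INPUT -s {ip} -j DROP" if is_new else None

    def expire(self, now):
        """Return delete commands for every block whose window has passed."""
        stale = [ip for ip, until in self.active.items() if until <= now]
        for ip in stale:
            del self.active[ip]
        return [f"iptables -D INPUT -s {ip} -j DROP" for ip in stale]


def simulate(lines, window, never_block):
    """Replay alert lines in order and return the iptables commands that would run."""
    blocklist = RollingBlocklist(window, never_block)
    cmds = []
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue
        now, src = parsed
        cmds.extend(blocklist.expire(now))   # housekeeping before acting on the new alert
        cmd = blocklist.alert(src, now)
        if cmd:
            cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    for rule in baseline_rules():
        print(rule)
    for cmd in simulate(SAMPLE_ALERTS, window=60, never_block=["192.0.2.0/24", "127.0.0.0/8"]):
        print(cmd)
```

With a 60-second window the replay inserts a block for 198.51.100.7, extends it silently on the second alert, ignores the alert from the protected LAN address, and deletes the first block before inserting one for 203.0.113.9, so at no point does the chain hold an entry older than its window. A real deployment would call expire() from a timer rather than only on the next alert, and would want the IDS rule selection to be narrow, since every rule you wire to automatic blocking is one more way for a noisy or forged alert to cut off legitimate traffic.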