On 11/15/2015 12:16 PM, 70tas wrote:
>
> I’ve been running a 13.2 system with the OSS Firewall as my router. I
> am very satisfied, but I see that someone is trying to connect as ‘root’
> from different IP addresses. So I thought an IDPS would be the perfect
> solution. Unfortunately, I’ve looked at both Snort and Suricata; I
> think I prefer Suricata, but there is no official package.
Before doing that, run nmap on your machine's IP and check the ports it
shows. If there are any services that are running on their default port
but can still work if you change them, change them! (ssh for example)
Also, while not a full IDS/IPS, iptables is very flexible and you can
use it to do a lot of fancy traffic management. This includes “port
knocking” as well as dropping packets from IPs after a certain amount of
bad traffic. Look into some fancy ssh iptables config files people have
posted online, they should give you a good start.
> Reading further, I see references that AppArmor is an IPDS. But I can’t
> find any information on how to use AppArmor as such; I see profiles
> for programs on a server, but they appear to be all local. I need a
> network IPDS that will help prevent sneak attacks or attempts to login.
>
> I may be misunderstanding how AppArmor works, if it is indeed a network
> IPDS. Can someone help explain please?
AppArmor blocks or allows programs access to resources (not just files);
it is basically a very granular control over permissions. To create an
apparmor profile for a program you run “aa-genprof /path/to/program”,
then once you finish with the generator, try to run the program. It will
likely fail because AppArmor is blocking a lot of things it needs. At
this point run “aa-logprof” and follow the prompts. Then try to run the
program again and if it fails, repeat logprof step.
The issue with making your own profiles is that it's hard to know what a
program actually needs access to.
> Also, if you are using OSS as your firewall/router, how are you handling
> IPDS?
>
> Tas
>
>
As I mentioned above, iptables is pretty good.
Another program I encourage you to use is Wireshark. It will show you
just what type of traffic you are receiving on an interface so you can
see how people are trying to access.
–
openSUSE Leap (42.1) 64 bit
Plasma 5
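As an added example (not part of the original thread, and not code from either poster), here is one way to do the two iptables tricks mentioned in the reply: dropping a source address after a burst of new SSH connections, and gating SSH behind a port-knock sequence, both built on the iptables "recent" match. The script only generates rules in iptables-restore syntax; the port numbers (22, 7000/8000/9000), list names (SSHLIMIT, KNOCK1..3) and thresholds are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: generate iptables rules that
#  (a) drop a source IP that opens too many NEW SSH connections in a window, and
#  (b) only allow SSH from a source that has knocked on three ports in order.
# Nothing is applied here; the script prints iptables-restore syntax. To load:
#   sh ssh_guard.sh | iptables-restore -n      # -n (--noflush) appends to INPUT
# All ports, list names and thresholds below are illustrative assumptions.
set -eu

# (a) Brute-force throttle. The first rule records every NEW connection to $port
# in the "SSHLIMIT" list; the second drops the packet when the same source has
# been seen $hits or more times within $seconds (so attempt number $hits and
# every later one in the window is dropped, and --update keeps extending it).
ssh_rate_limit_rules() {
  port="$1"; hits="$2"; seconds="$3"
  cat <<EOF
-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name SSHLIMIT --set
-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name SSHLIMIT --update --seconds $seconds --hitcount $hits -j DROP
EOF
}

# (b) Port knocking. A client must hit $k1, then $k2, then $k3, each within
# $window seconds of the previous knock. Completing the sequence puts the
# source in KNOCK3, which opens $port to it for $open seconds; everything else
# to $port is dropped. Knock packets themselves are always dropped, so a port
# scanner sees nothing open.
ssh_knock_rules() {
  port="$1"; k1="$2"; k2="$3"; k3="$4"; window="${5:-10}"; open="${6:-30}"
  cat <<EOF
-A INPUT -p tcp --dport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport $port -m recent --name KNOCK3 --rcheck --seconds $open -j ACCEPT
-A INPUT -p tcp --dport $k1 -m recent --name KNOCK1 --set -j DROP
-A INPUT -p tcp --dport $k2 -m recent --name KNOCK1 --rcheck --seconds $window -m recent --name KNOCK2 --set -j DROP
-A INPUT -p tcp --dport $k3 -m recent --name KNOCK2 --rcheck --seconds $window -m recent --name KNOCK3 --set -j DROP
-A INPUT -p tcp --dport $port -j DROP
EOF
}

# Assemble a complete "filter" table fragment. The throttle rules go first so
# that even a source which knows the knock cannot hammer the SSH port.
ssh_guard_rules() {
  printf '%s\n' '*filter'
  ssh_rate_limit_rules 22 4 60
  ssh_knock_rules 22 7000 8000 9000
  printf '%s\n' 'COMMIT'
}

ssh_guard_rules
```

Two caveats worth knowing before relying on this: the knock sequence above does not reset on an out-of-order knock (add `-m recent --name KNOCK1 --remove` style rules if you want that), and the `recent` lists are per source address, so an attacker behind the same NAT as you shares your entry. Check the live state with `cat /proc/net/xt_recent/SSHLIMIT` after a few test connections.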