There isn't an easy and automated way to monitor open ports in Red Hat Enterprise Linux 5 (RHEL 5), says the author of Hardening Linux, James Turnbull. However, you can scan with some handy open source tools. Turnbull recommends using hardscan, a Netstat-based tool, if you think you have been compromised.
In this tip, SearchEnterpriseLinux.com's security expert describes how to configure Nagios with BMC Patrol, non-platform-specific tips for using Secure Shell (SSH) and more.
How can you secure a Linux proxy, Fedora Core 5, from hackers, viruses and attackers?
Turnbull: Generally speaking, a proxy is a little more vulnerable than some other kinds of hosts, and they are often targets of internal users trying to bypass corporate policies and controls. I recommend the following general steps:
More specifically for proxying, I recommend ensuring you scan incoming and outgoing content for viruses and malicious code. There are a number of open source or commercial virus scanners that can work in conjunction with Squid. If you use Squid, you can also make use of blacklisting with a tool like SquidGuard, and you can find a number of other Squid-related tools.
Lastly, make sure you use some kind of authentication for your proxy users. You will want to make certain that appropriate access control lists (ACLs) are configured in Squid to ensure that only your users can make use of your proxy and, preferably, that users must authenticate against a directory such as LDAP with a username and password.
When using Red Hat Enterprise Linux 5 (RHEL 5), how can you monitor which ports are open on different servers to make sure someone hasn't compromised ports for other uses?
Turnbull: There isn't an easy and automated way to do this from a monitoring environment. Perhaps the best method is regular Nmap or Nessus scans of your hosts (though this has some risks and you will have to ensure that you set up both to scan in a non-intrusive manner) with the output compared against a pre-defined baseline. Both tools will also generate a lot of network 'chatter', and if you have an IDS/IPS installed, then this will potentially look like an attack and generate false positives.
If in the event your host may have been compromised, there is also hardscan, a netstat replacement for scanning local ports, attempting a handshake and outputting the results. This can often help in identifying a host infected with a rootkit that has compromised ports open.
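The scan-and-compare approach Turnbull describes needs a baseline and something to diff the latest scan against it. The script below is an added example, not code from the column or from the Nmap project: it parses Nmap's grepable output (the `-oG` format), keeps only ports reported as open, and reports per host which listeners appeared or disappeared relative to an approved baseline. The two scan outputs embedded in it are constructed sample data, and the host addresses and the 31337/tcp listener are invented for the illustration; in practice you would feed it the files written by a scheduled, low-intensity scan such as `nmap -sT -T2 -oG current.gnmap <hosts>` and alert on any non-empty result.

```python
"""Compare an Nmap grepable-output (-oG) scan against a saved baseline.

Added example, not from the original column. Assumes a scheduled scan
writes -oG output to a file and that an approved baseline in the same
format is kept alongside it. All sample data below is constructed.
"""
import re
import sys

# Constructed sample: the approved baseline for two hosts.
BASELINE_GNMAP = """\
# Nmap scan initiated (constructed sample, not a real scan)
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)
# Nmap done
"""

# Constructed sample: today's scan. Host .10 lost its web server,
# host .11 has an unexpected new listener on 31337/tcp.
CURRENT_GNMAP = """\
# Nmap scan initiated (constructed sample, not a real scan)
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 23/filtered/tcp//telnet///\tIgnored State: closed (998)
Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh///, 31337/open/tcp//unknown///\tIgnored State: closed (998)
# Nmap done
"""

# Matches only entries whose state is "open"; filtered/closed ports in the
# Ports field are deliberately ignored so they do not generate noise.
OPEN_PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)/")


def parse_gnmap(text):
    """Return {host: {(port, proto), ...}} for every open port in -oG output.

    Hosts that appear with no open ports are still recorded with an empty
    set, so a host dropping off the scan entirely is visible as a change.
    """
    result = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        ports = result.setdefault(host, set())
        match = re.search(r"Ports: (.*?)(?:\t|$)", line)
        if match:
            for port, proto in OPEN_PORT_RE.findall(match.group(1)):
                ports.add((int(port), proto))
    return result


def diff_scans(baseline, current):
    """Return {host: {"new": set, "missing": set}} for hosts whose open
    ports differ from the baseline. Hosts with no change are omitted."""
    changes = {}
    for host in sorted(set(baseline) | set(current)):
        new = current.get(host, set()) - baseline.get(host, set())
        missing = baseline.get(host, set()) - current.get(host, set())
        if new or missing:
            changes[host] = {"new": new, "missing": missing}
    return changes


def format_report(changes):
    """Render the diff as one line per changed port, suitable for an alert."""
    lines = []
    for host, delta in changes.items():
        for port, proto in sorted(delta["new"]):
            lines.append(f"{host}: NEW open port {port}/{proto} (not in baseline)")
        for port, proto in sorted(delta["missing"]):
            lines.append(f"{host}: MISSING port {port}/{proto} (was in baseline)")
    return lines


def compare_files(baseline_path, current_path):
    """Convenience wrapper for the scheduled job: compare two -oG files."""
    with open(baseline_path) as f_base, open(current_path) as f_cur:
        return diff_scans(parse_gnmap(f_base.read()), parse_gnmap(f_cur.read()))


if __name__ == "__main__":
    # With two file arguments compare real scan files; otherwise run the
    # constructed sample so the script demonstrates itself.
    if len(sys.argv) == 3:
        report = format_report(compare_files(sys.argv[1], sys.argv[2]))
    else:
        report = format_report(
            diff_scans(parse_gnmap(BASELINE_GNMAP), parse_gnmap(CURRENT_GNMAP))
        )
    print("\n".join(report) or "no change from baseline")
    # A non-zero exit lets cron or a monitoring wrapper raise the alert.
    sys.exit(1 if report else 0)
```

Run it with no arguments to see the sample diff, or as `compare_ports.py baseline.gnmap current.gnmap` from cron. Keeping only ports in the open state is deliberate: a filtered response is usually a firewall artefact rather than a new listener, and treating it as a change would produce exactly the kind of false positives the answer warns about. When a reported change is legitimate, update the baseline file rather than loosening the comparison.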
In a past question, "Is it possible to integrate Nagios with BMC Patrol," you mentioned that you could do such a thing. What is the process for configuring Nagios to send the information that Nagios gathers from our Linux servers, and have it reported to BMC Patrol?
Turnbull: Here are the instructions:
What is the difference between the "log" log and the alert logs that show up in the /var/log/snort directory that you refer to in your article, "Improving Snort with Barnyard"?
Turnbull: This is an interesting question. The difference between alert and log comes down to how you write your rules. Rules can have actions associated with them when they trigger. The possible actions are, to quote the Snort manual:
If a rule is configured to alert, then an alert will be generated and outputted to whatever alert method you have configured, like a file in /var/log/snort. The packet is then logged to your log output method; for example, the snort*.log files. So by processing the log files, you will get all of the entries. The best and clearest answer to this question, however, comes from Marty Roesch himself in this 2002 mailing list post.
Can you offer some tips for setting up an SSH service for secure, remote access to servers?
Turnbull: It would help to know what platform you'd like to set up SSH on, but I can provide some general tips.
I hope that helps.