On Wed, Jan 16, 2002 at 05:46:19PM -0800, Ben Barrett wrote:
> I agree in that it helps to bring "more advanced" network security tools
> to common users. However, for anyone really having a handle on network
> security OR trying to (!), I think it does impede understanding.
Then it only creates confusion, and opens ports and makes people feel safe ???

Of course, knowing how to shut down services that there's no need for is really the first step in security. REALLY. You should also learn how to bind services to specific IPs (ESPECIALLY if you're running services on a NAT box, which can be a bad idea to begin with). This is also good for, say, a database/webserver box: bind the database to localhost. (You can bind mysql with 'safe_mysqld --bind-address=127.0.0.1'.)

The next step should be packet filtering and tcpwrappers. These are basic tools. The added benefit is that now logs become interesting, and you will want to investigate them (or find out what's stopping something from working :)

Then, if you haven't already, you should learn basic network reporting tools: netstat, lsof (or fstat on *BSD), tcpdump; and user access/usage tools: ps, w, who, last, ac.

I think then, and only then, will things like snort and portsentry really be useful. If you know the above well, you may actually find little use for "more advanced" network security tools.

As far as dumping info into a database, why not just write a script to parse logfiles and insert the important info?

--
<[EMAIL PROTECTED]>
<[EMAIL PROTECTED]>
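The closing suggestion, a script that parses logfiles and inserts the important info into a database, can be done in a few dozen lines. The following is an added example, not code from the original post or its author: it takes syslog-style lines of the kind tcpwrappers and sshd write (the sample lines below are constructed, with RFC 5737 documentation addresses as sources), keeps only the events worth keeping (wrapper refusals, failed and accepted SSH logins), stores them in SQLite, and answers the first question you would ask of such logs, which source addresses show up most. The regexes, table layout and the year passed to the parser (syslog lines carry none) are assumptions for the example.

```python
import re
import sqlite3
from datetime import datetime

# Constructed sample syslog lines (not from the original post).
SAMPLE_LINES = [
    "Jan 16 17:46:19 gw sshd[1234]: refused connect from 192.0.2.10",
    "Jan 16 17:47:02 gw in.telnetd[1240]: refused connect from 198.51.100.7",
    "Jan 16 17:48:11 gw sshd[1250]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2",
    "Jan 16 17:49:00 gw sshd[1251]: Failed password for root from 192.0.2.10 port 40000 ssh2",
    "Jan 16 17:49:30 gw sshd[1252]: Failed password for admin from 192.0.2.10 port 40002 ssh2",
    "Jan 16 17:50:00 gw cron[1260]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Classic syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message" (pid optional).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w.\-/]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Message patterns we consider "the important info" (assumed set; extend as needed).
EVENT_PATTERNS = [
    ("wrapper_refused", re.compile(r"^refused connect from (?P<src>\S+)")),
    ("ssh_failed", re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("ssh_accepted", re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")),
]


def parse_line(line, year=2002):
    """Return an event dict for an interesting line, or None for noise/unparseable lines."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    for kind, rx in EVENT_PATTERNS:
        em = rx.match(msg)
        if em:
            fields = em.groupdict()
            # syslog has no year, so the caller supplies one.
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            return {
                "ts": ts.isoformat(),
                "host": m.group("host"),
                "prog": m.group("prog"),
                "kind": kind,
                "src": fields.get("src"),
                "username": fields.get("user"),
                "msg": msg,
            }
    return None


def open_db(path=":memory:"):
    """Create the events table (in memory by default; pass a filename to persist)."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS events ("
        "ts TEXT, host TEXT, prog TEXT, kind TEXT, src TEXT, username TEXT, msg TEXT)"
    )
    return conn


def load_events(conn, lines, year=2002):
    """Parse each line and insert the interesting ones; return the number inserted."""
    rows = [parse_line(ln.rstrip("\n"), year) for ln in lines]
    rows = [r for r in rows if r is not None]
    conn.executemany(
        "INSERT INTO events VALUES (:ts, :host, :prog, :kind, :src, :username, :msg)", rows
    )
    conn.commit()
    return len(rows)


def top_sources(conn, limit=5):
    """Source addresses ordered by how many events they generated."""
    cur = conn.execute(
        "SELECT src, COUNT(*) AS n FROM events WHERE src IS NOT NULL "
        "GROUP BY src ORDER BY n DESC, src LIMIT ?",
        (limit,),
    )
    return cur.fetchall()


if __name__ == "__main__":
    db = open_db()
    print("inserted", load_events(db, SAMPLE_LINES))
    for src, n in top_sources(db):
        print(f"{src:16} {n}")
```

To run it against a real file, replace SAMPLE_LINES with `open("/var/log/auth.log")` (or whatever your syslog.conf sends authpriv to) and pass a filename to open_db so the table persists between runs; adding a new pattern to EVENT_PATTERNS is all it takes to start keeping another class of message.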
