Can you provide a little more information on this in case it comes up again in the future? What's it called, how do you set it, where can I find it in the NSA RHEL hardening guide? Thanks in advance!
On Fri, Apr 13, 2012 at 11:54 AM, Alisha Kloc <[email protected]> wrote:
> All right, we *finally* found the problem - not OSSEC, but a new
> system hardening step.
>
> The NSA security guidelines recommend setting Linux systems to
> validate the source IP address of received packets. With eth3 up, this
> validation fails because the IP stack sees packets sourced from the
> network on eth3 coming in on eth0, which is a violation, and the
> packets are dropped.
>
> So it's not that OSSEC is listening on the wrong port, local_ip option
> or not; it's that the IP stack is dropping the packets before they get
> to OSSEC.
>
> Thanks so much for all your help!
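
Added example, not part of the thread: a check for the source validation described above, assuming the hardening step is Linux reverse-path filtering (the `net.ipv4.conf.*.rp_filter` sysctls, which the thread does not name). The function names are hypothetical; the script reports the effective mode per interface so a strict setting on a multi-homed host is visible before packets start disappearing.

```shell
#!/bin/sh
# Report the effective reverse-path filter mode for each interface.
# Assumption: the sysctl tree lives under /proc/sys/net/ipv4/conf; the root
# is a parameter so the same check can run against a saved copy of the tree.

# effective_rp_filter ROOT IFACE -> prints 0, 1 or 2
effective_rp_filter() {
    local root="$1" iface="$2" all_v if_v
    all_v=$(cat "$root/all/rp_filter" 2>/dev/null || echo 0)
    if_v=$(cat "$root/$iface/rp_filter" 2>/dev/null || echo 0)
    # The kernel applies the higher of conf/all and conf/<iface>, so a
    # per-interface 0 does not disable filtering while "all" is still 1.
    if [ "$all_v" -gt "$if_v" ]; then echo "$all_v"; else echo "$if_v"; fi
}

# rp_filter_report [ROOT] -> one "<iface> <mode>" line per interface
rp_filter_report() {
    local root="${1:-/proc/sys/net/ipv4/conf}" dir iface mode
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        # "all" and "default" are templates, not real interfaces.
        case $iface in all|default) continue ;; esac
        mode=$(effective_rp_filter "$root" "$iface")
        case $mode in
            0) echo "$iface off" ;;
            # strict: drop if the route back to the source uses another interface
            1) echo "$iface strict" ;;
            # loose: drop only if the source is unreachable via any interface
            2) echo "$iface loose" ;;
        esac
    done
}

# Run against the live system when the sysctl tree is present.
if [ -d /proc/sys/net/ipv4/conf ]; then
    rp_filter_report
fi
```

An interface reported as `strict` drops traffic whose return route points out a different interface, which matches the eth0/eth3 symptom in the quoted message.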
