> OK. I plan to wipe/reinstall this weekend and will try and get SELinux 
> set up.
Forgot to add something in my previous post, which was pretty obvious 
(at least to me anyway) - along with the SELinux kernel support, you 
need to have a functional SELinux policy installed - selinux-policy + 
selinux-policy-XXX where XXX is the name of the policy packages. I use 
(very-heavily modified) selinux-policy-targeted, but for your needs you 
should be OK with the standard targeted policy supplied by your distro.
 
> My main concern though is an unforeseen threat. This time it's port 
> 3333, but next time it might be 2738, or God knows what, so I can't 
> manually target anything. Tom recommends fwlogwatch, but the 'current' 
> version in Debian Testing is non-functional, and I haven't had time to 
> figure out how to set up and troubleshoot the latest source. Point is 
> I need some kind of IDS or alarm monitor, which can either alert me 
> real-time, or if there's a high degree of reliability to take 
> automated measures. I've tried to set up Prelude, but do not have the 
> days to figure out and troubleshoot all the things that are wrong with it.
Having a properly installed and functional SELinux policy, auditd daemon 
and Shorewall will be perfect for that. If you wish to make your life a 
bit easier, then add the selinux-tools package to that as well.

You don't need anything else, provided these are all configured 
properly. From the top of my head, change all DROP targets in shorewall.conf 
to A_DROP to activate the audit logging. Also, if SELinux is in 
Enforce mode (check with "getenforce"), then monitor your audit logs, 
because SELinux will not only log dropped packets or connection 
attempts, but also applications/rogue code misbehaving (a web browser 
requesting SSH access, for example), and you will be able to catch these 
instantly.

If you are running a GUI (i.e. you have a proper desktop) at least in 
Fedora's distro there is SELinux GUI tool (the name of which escapes me 
right now), which runs together with X and alerts you as soon as 
something misbehaves and you get an audit log. This is usually shown in 
the status line of the screen where you can just click on an icon and 
see what has been going on.

That is, of course, in addition to all the other stuff you have at your 
disposal.
 
> I just can't believe there aren't more 'canned' or more refined 
> solutions by now. We all still have to do everything ad hoc.
Define "refined". The system I described in this and my previous posts 
is pretty oiled-up and functional even if you don't make any changes to 
it - i.e. install it out of the box. For your individual needs, you have 
to get your hands dirty a bit and do a bit of tweaking.
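
An added example (not code from the post, Shorewall or SELinux) of what "monitor your audit logs" can look like in practice: it parses a constructed audit.log excerpt containing the NETFILTER_PKT records an A_DROP rule produces plus one AVC denial, and aggregates drops per destination port and denials per SELinux domain. The NETFILTER_PKT field names and the meaning of action=1 are assumed from the classic iptables AUDIT target format and differ between kernel versions.

```python
import re
from collections import Counter

# Constructed sample audit.log excerpt (not from the post). NETFILTER_PKT
# layout assumed from the classic AUDIT target (action=1 taken as DROP);
# the AVC line uses the standard SELinux denial format.
SAMPLE_AUDIT_LOG = """\
type=NETFILTER_PKT msg=audit(1349091200.100:101): action=1 hook=1 len=60 inif=eth0 outif=? saddr=203.0.113.9 daddr=192.0.2.10 proto=6 sport=51234 dport=3333
type=NETFILTER_PKT msg=audit(1349091201.200:102): action=1 hook=1 len=60 inif=eth0 outif=? saddr=203.0.113.9 daddr=192.0.2.10 proto=6 sport=51235 dport=3333
type=NETFILTER_PKT msg=audit(1349091202.300:103): action=1 hook=1 len=60 inif=eth0 outif=? saddr=198.51.100.7 daddr=192.0.2.10 proto=6 sport=40000 dport=2738
type=AVC msg=audit(1349091203.400:104): avc:  denied  { name_connect } for  pid=2211 comm="firefox" dest=22 scontext=unconfined_u:unconfined_r:mozilla_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1349091203.400:104): arch=c000003e syscall=42 success=no exit=-13 comm="firefox"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r"\{ ([^}]*) \}")

def parse_record(line):
    """Split one audit line into a dict of key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def summarise(log_text):
    """Count audited packet drops by (proto, dport, saddr) and SELinux
    denials by (source domain, permission, target type)."""
    drops, denials = Counter(), Counter()
    for line in log_text.splitlines():
        f = parse_record(line)
        if f.get("type") == "NETFILTER_PKT" and f.get("action") == "1":
            drops[(f["proto"], f["dport"], f["saddr"])] += 1
        elif f.get("type") == "AVC" and " denied " in line:
            perm = PERM_RE.search(line).group(1).strip()
            src_domain = f["scontext"].split(":")[2]  # e.g. mozilla_t
            tgt_type = f["tcontext"].split(":")[2]    # e.g. ssh_port_t
            denials[(src_domain, perm, tgt_type)] += 1
    return drops, denials

def new_ports(drops, expected_ports):
    """Dropped-to ports outside the known set: the 'unforeseen' ports."""
    return sorted({dport for (_, dport, _) in drops} - set(expected_ports))

if __name__ == "__main__":
    drops, denials = summarise(SAMPLE_AUDIT_LOG)
    for key, n in drops.most_common():
        print("DROP proto=%s dport=%s from %s x%d" % (key + (n,)))
    for key, n in denials.most_common():
        print("AVC %s denied %s on %s x%d" % (key + (n,)))
    print("unexpected ports:", new_ports(drops, {"22", "80"}))
```

On a live box the same functions can be fed the output of `ausearch` or `tail -f /var/log/audit/log`, with an alert raised when a counter crosses a threshold.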


_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users