This is all for my fw machine (MDK 8.1 running Bastille scripts).
Fair enough, I am worrying needlessly about promiscuous mode once I
shut it off. According to nmap I'm in pretty good shape in terms of
overall exposure. One thing I am not happy with (though I don't know
if it can be improved) is the reporting on intrusion attempts. Pretty
much all that I get from the log is a timestamp, the alleged source IP
and port info on what is being probed. Looking at prelude, it doesn't
seem like much of an improvement if reverse DNS is blocked. I am
running chkrootkit regularly to hopefully catch a successful
intrusion, but wish there were something I could give sysops that
would better assist those inclined to nail the miscreant customer (or
find the errant machine to harden up). Is snort any better? Any
other packages well reputed, or is it time to read all the hits on
freshmeat and sourceforge?
I am loath to poke holes in the firewall for ssh, Apache, etc. until
I am comfortable with the reporting, I guess. Even being as diligent
in applying security patches as possible, one is by definition behind
the cracker curve.
<sigh> Now to read the chroot docs. Are there recipes out there for
postfix, qpopper, Apache, VNC server and OpenSSH? Never mind, I'll
browse the how-to lists.
> Sometimes ntop won't release the promisc mode which can be a problem, but Hal
> is right. Taking your network card off promisc mode won't stop probes, it
> will only stop your network card from processing and passing up packets which
> are not destined for your machine.
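As an added example, not part of the original post and not code from Bastille, prelude or snort: the "timestamp, alleged source IP, port" lines the poster describes are enough to build the kind of per-source summary a sysop or abuse desk can act on. The script below assumes the firewall logs dropped packets with the iptables LOG target under a fixed prefix (here "Bastille-IN:", an assumption); the sample syslog lines are constructed for the example, as is the five-distinct-ports threshold for calling something a port scan. It deliberately does no reverse DNS, since the poster's firewall blocks it.

```python
import re

# Constructed sample syslog lines in the iptables LOG-target format.
# Assumption: the firewall logs dropped packets with that target and the
# prefix "Bastille-IN:". These lines are made up for the example; they
# are not taken from the original post. The sshd line stands in for the
# unrelated traffic that shares /var/log/messages.
SAMPLE_LOG = """\
Mar  3 01:12:07 fw kernel: Bastille-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=48 TTL=113 ID=4321 DF PROTO=TCP SPT=3412 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  3 01:12:08 fw kernel: Bastille-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=48 TTL=113 ID=4322 DF PROTO=TCP SPT=3413 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  3 01:12:09 fw kernel: Bastille-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=48 TTL=113 ID=4323 DF PROTO=TCP SPT=3414 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  3 01:12:10 fw kernel: Bastille-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=48 TTL=113 ID=4324 DF PROTO=TCP SPT=3415 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  3 01:12:11 fw kernel: Bastille-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=48 TTL=113 ID=4325 DF PROTO=TCP SPT=3416 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  3 02:40:33 fw kernel: Bastille-IN: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=78 TTL=64 ID=0 DF PROTO=UDP SPT=1027 DPT=137 LEN=58
Mar  3 02:40:34 fw kernel: Bastille-IN: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=78 TTL=64 ID=0 DF PROTO=UDP SPT=1027 DPT=137 LEN=58
Mar  3 03:15:00 fw sshd[812]: Accepted publickey for bob from 10.0.0.5 port 51234 ssh2
"""

# Syslog timestamp ("Mar  3 01:12:07") and the KEY=VALUE fields the LOG
# target writes. DPT is absent for ICMP, so it is optional.
_TS_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})")
_KV_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S*)")


def parse_log_lines(text):
    """Return one dict per firewall log line; other log lines are skipped."""
    events = []
    for line in text.splitlines():
        if "SRC=" not in line or "DST=" not in line:
            continue  # sshd, cron, etc. are not firewall hits
        ts = _TS_RE.match(line)
        fields = dict(_KV_RE.findall(line))
        events.append({
            "time": ts.group(1) if ts else "?",
            "src": fields.get("SRC", "?"),
            "dst": fields.get("DST", "?"),
            "proto": fields.get("PROTO", "?"),
            "dport": fields.get("DPT", "-"),  # "-" when there is no port (ICMP)
        })
    return events


def summarize(events):
    """Group events by source: first/last seen, hit count, distinct targets."""
    by_src = {}
    for ev in events:
        entry = by_src.setdefault(ev["src"], {
            "first": ev["time"], "last": ev["time"], "count": 0, "targets": set(),
        })
        entry["last"] = ev["time"]          # lines arrive in time order
        entry["count"] += 1
        entry["targets"].add((ev["proto"], ev["dport"]))
    return by_src


def scanning_sources(summary, threshold=5):
    """Sources that hit at least `threshold` distinct (proto, port) pairs.

    The threshold is an arbitrary choice for the example; tune it to the
    noise level of the link.
    """
    return sorted(src for src, e in summary.items() if len(e["targets"]) >= threshold)


def format_report(summary, threshold=5):
    """Plain-text summary, busiest source first, for mailing to an abuse desk."""
    scans = set(scanning_sources(summary, threshold))
    lines = []
    for src, e in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        ports = ", ".join(f"{p}/{d}" for p, d in sorted(e["targets"]))
        tag = "  <- probable port scan" if src in scans else ""
        lines.append(f"{src}: {e['count']} packets, {e['first']} .. {e['last']}{tag}")
        lines.append(f"    targets: {ports}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Real use: python3 fwsummary.py < /var/log/messages
    print(format_report(summarize(parse_log_lines(SAMPLE_LOG))))
```

Two caveats a practitioner would attach to the output: the source address in a single SYN or UDP probe can be spoofed, which is why the poster rightly calls it the "alleged" source, so a report is only evidence of a pattern, not proof of who sent it; and the script skips anything without SRC=/DST= fields, so probes logged by some other tool in a different format will not be counted until a second parser is added for them.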