Tightening the firewall on a master server
By default, a master server allows connections to the following ports from any IP address:
22 - SSH
443 - Squert/CapMe
444 - Snorby
514 - Syslog
1514/udp - OSSEC
3154 - ELSA
7734 - Sguil client
7736 - sensor connection to sguild
You may want to restrict those ports to only accepting connections from a subset of IP addresses.
NOTE! Before attempting any firewall changes, you should always ensure you have a backup plan should you accidentally block your own connection. So make sure that you have DRAC/KVM/physical or some other form of access.
Firewall rules to allow sensors to connect to master
First, add a rule like the following for each of your sensors (replacing a.b.c.d with the actual IP address of the sensor) to connect to ports 22 (SSH) and 7736 (sguild):
sudo ufw allow proto tcp from a.b.c.d to any port 22,7736
-OR-
If you're running Salt, then sensors need to connect to ports 4505/tcp and 4506/tcp:
sudo ufw allow proto tcp from a.b.c.d to any port 22,4505,4506,7736
Firewall rules to allow syslog devices
Next add a rule like the following for the IP addresses that will be sending syslog (port 514 tcp and udp):
sudo ufw allow from a.b.c.d to any port 514
Firewall rules to allow OSSEC agents
Next add a rule like the following for the IP addresses that will be running the OSSEC agent (port 1514 udp):
sudo ufw allow proto udp from a.b.c.d to any port 1514
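The three rule groups above, as an added example that is not from the Security Onion wiki or the original post: a small POSIX shell helper that generates the ufw commands from lists of source addresses so the complete rule set can be reviewed before anything is applied. The addresses used are constructed placeholders from the RFC 5737 documentation ranges, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: build the master-server ufw rules described above from
# address lists, printing them for review instead of running them.

# Return 0 if $1 looks like a dotted-quad IPv4 address with an optional
# /prefix, else 1. Rejects anything that would be pasted into a rule blindly.
valid_src() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print the ufw commands for one master. Arguments (space-separated lists):
#   $1  "yes" if the master is also a Salt master (opens 4505/4506 too)
#   $2  sensors        -> 22/tcp and 7736/tcp (plus 4505/4506 with Salt)
#   $3  syslog senders -> 514 tcp and udp
#   $4  OSSEC agents   -> 1514/udp
# Returns 1 and prints nothing to stdout if any address fails validation,
# so a typo never produces a partial rule set.
gen_rules() {
  salt=$1; sensors=$2; syslog=$3; ossec=$4
  for ip in $sensors $syslog $ossec; do
    valid_src "$ip" || { echo "invalid source address: $ip" >&2; return 1; }
  done
  ports="22,7736"
  [ "$salt" = "yes" ] && ports="22,4505,4506,7736"
  for ip in $sensors; do
    echo "sudo ufw allow proto tcp from $ip to any port $ports"
  done
  for ip in $syslog; do
    echo "sudo ufw allow from $ip to any port 514"
  done
  for ip in $ossec; do
    echo "sudo ufw allow proto udp from $ip to any port 1514"
  done
}

# Constructed sample input: one Salt-managed sensor, one syslog source,
# one OSSEC agent. Review the output, then pipe it to sh to apply.
gen_rules yes "192.0.2.10 192.0.2.11" "198.51.100.5" "203.0.113.7"
```

Keep the out-of-band access mentioned in the note above available while applying the output, since the rules take effect as soon as each command runs.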
After this I upgraded Security Onion with the instructions given below:
sudo soup
But why are my network sensors not monitored? The wireless LAN sensor and the eth sensor are just kept in unmonitored status after I have logged in to the Sguil application, checked both sensors to be monitored and clicked "start monitoring"; after I close the Sguil application and log in again, I notice that these sensors are still in the unmonitored state. How do I configure the sensor monitoring to be continuous, without always having to activate them in the Sguil application?
I appreciate any help given in solving this issue.