Difference between revisions of "Cyber Security: Security Onion setelah Instalasi"
Onnowpurbo (talk | contribs) |
Onnowpurbo (talk | contribs) |
||
| Line 1: | Line 1: | ||
| − | After Installation | + | ==After Installation== |
| + | |||
SSH Key Change | SSH Key Change | ||
Depending on what kind of installation you did, you may have seen a warning at the end of Setup about SSH key changes. | Depending on what kind of installation you did, you may have seen a warning at the end of Setup about SSH key changes. | ||
| Line 6: | Line 7: | ||
For more information, see the SSH section. | For more information, see the SSH section. | ||
| − | Adjust firewall rules using so-allow | + | ==Adjust firewall rules using so-allow== |
| + | |||
Depending on what kind of installation you did, the Setup wizard may have already walked you through adding firewall rules to allow your analyst IP address(es). If you need to allow other IP addresses, you can manually run so-allow. | Depending on what kind of installation you did, the Setup wizard may have already walked you through adding firewall rules to allow your analyst IP address(es). If you need to allow other IP addresses, you can manually run so-allow. | ||
| − | Services | + | ==Services== |
Verify services are running with the so-status command: | Verify services are running with the so-status command: | ||
| − | sudo so-status | + | sudo so-status |
| − | Data Retention | + | |
| + | ==Data Retention== | ||
Review the Curator and Elasticsearch sections to see if you need to change any of the default index retention settings. | Review the Curator and Elasticsearch sections to see if you need to change any of the default index retention settings. | ||
Other | Other | ||
| Line 22: | Line 25: | ||
| − | so-allow | + | ==so-allow== |
Security Onion locks down the Firewall by default. Depending on what kind of installation you do, Setup may walk you through allowing your analyst IP address(es). If you need to add other analyst IP addresses or open firewall ports for agents or syslog devices, you can run sudo so-allow and it will walk you through this process. | Security Onion locks down the Firewall by default. Depending on what kind of installation you do, Setup may walk you through allowing your analyst IP address(es). If you need to add other analyst IP addresses or open firewall ports for agents or syslog devices, you can run sudo so-allow and it will walk you through this process. | ||
| − | This program allows you to add a firewall rule to allow connections from a new IP address. | + | This program allows you to add a firewall rule to allow connections from a new IP address. |
| − | + | ||
| − | Choose the role for the IP or Range you would like to add | + | Choose the role for the IP or Range you would like to add |
| + | |||
| + | [a] - Analyst - ports 80/tcp and 443/tcp | ||
| + | [b] - Logstash Beat - port 5044/tcp | ||
| + | [e] - Elasticsearch REST API - port 9200/tcp | ||
| + | [f] - Strelka frontend - port 57314/tcp | ||
| + | [o] - Osquery endpoint - port 8090/tcp | ||
| + | [s] - Syslog device - 514/tcp/udp | ||
| + | [w] - Wazuh agent - port 1514/tcp/udp | ||
| + | [p] - Wazuh API - port 55000/tcp | ||
| + | [r] - Wazuh registration service - 1515/tcp | ||
| + | |||
| + | Please enter your selection: | ||
| − | + | ==Wazuh== | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | Wazuh | ||
If you choose the analyst option, so-allow will also add the analyst IP address to the Wazuh safe list. This will prevent Wazuh Active Response from blocking the analyst IP address. | If you choose the analyst option, so-allow will also add the analyst IP address to the Wazuh safe list. This will prevent Wazuh Active Response from blocking the analyst IP address. | ||
| − | Automation | + | ==Automation== |
In addition to the interactive menu shown above, you can pass desired options as command line arguments: | In addition to the interactive menu shown above, you can pass desired options as command line arguments: | ||
| − | so-allow -h | + | so-allow -h |
| − | + | ||
| − | Usage: /usr/sbin/so-allow [-abefhoprsw] [ -i IP ] | + | Usage: /usr/sbin/so-allow [-abefhoprsw] [ -i IP ] |
This program allows you to add a firewall rule to allow connections from a new IP address or CIDR range. | This program allows you to add a firewall rule to allow connections from a new IP address or CIDR range. | ||
| Line 59: | Line 63: | ||
To add 10.1.2.3 to the analyst role: | To add 10.1.2.3 to the analyst role: | ||
| − | so-allow -a -i 10.1.2.3 | + | so-allow -a -i 10.1.2.3 |
To add 10.1.2.0/24 to the osquery role: | To add 10.1.2.0/24 to the osquery role: | ||
| − | so-allow -o -i 10.1.2.0/24 | + | so-allow -o -i 10.1.2.0/24 |
Revision as of 17:20, 10 July 2023
After Installation
SSH Key Change Depending on what kind of installation you did, you may have seen a warning at the end of Setup about SSH key changes.
_images/so-ssh-harden.png For more information, see the SSH section.
Adjust firewall rules using so-allow
Depending on what kind of installation you did, the Setup wizard may have already walked you through adding firewall rules to allow your analyst IP address(es). If you need to allow other IP addresses, you can manually run so-allow.
Services
Verify services are running with the so-status command:
sudo so-status
Data Retention
Review the Curator and Elasticsearch sections to see if you need to change any of the default index retention settings. Other Full-time analysts may want to connect using a dedicated Analyst VM. Any IDS/NSM system needs to be tuned for the network it’s monitoring. Please see the Tuning section. Configure the OS to use your preferred NTP server.
so-allow
Security Onion locks down the Firewall by default. Depending on what kind of installation you do, Setup may walk you through allowing your analyst IP address(es). If you need to add other analyst IP addresses or open firewall ports for agents or syslog devices, you can run sudo so-allow and it will walk you through this process.
This program allows you to add a firewall rule to allow connections from a new IP address. Choose the role for the IP or Range you would like to add [a] - Analyst - ports 80/tcp and 443/tcp [b] - Logstash Beat - port 5044/tcp [e] - Elasticsearch REST API - port 9200/tcp [f] - Strelka frontend - port 57314/tcp [o] - Osquery endpoint - port 8090/tcp [s] - Syslog device - 514/tcp/udp [w] - Wazuh agent - port 1514/tcp/udp [p] - Wazuh API - port 55000/tcp [r] - Wazuh registration service - 1515/tcp Please enter your selection:
Wazuh
If you choose the analyst option, so-allow will also add the analyst IP address to the Wazuh safe list. This will prevent Wazuh Active Response from blocking the analyst IP address.
Automation
In addition to the interactive menu shown above, you can pass desired options as command line arguments:
so-allow -h Usage: /usr/sbin/so-allow [-abefhoprsw] [ -i IP ]
This program allows you to add a firewall rule to allow connections from a new IP address or CIDR range.
If you run this program with no arguments, it will present a menu for you to choose your options.
If you want to automate and skip the menu, you can pass the desired options as command line arguments.
EXAMPLES
To add 10.1.2.3 to the analyst role:
so-allow -a -i 10.1.2.3
To add 10.1.2.0/24 to the osquery role:
so-allow -o -i 10.1.2.0/24
Referensi
- https://docs.securityonion.net/en/2.3/post-installation.html#post-installation
- https://docs.securityonion.net/en/2.3/so-allow.html#so-allow