Cyber Security: Security Onion after Installation

From OnnoWiki
Revision as of 11:15, 11 July 2023

Adjust firewall rules using so-allow

Depending on what kind of installation you did, the Setup wizard may have already walked you through adding firewall rules to allow your analyst IP address(es). If you need to allow other IP addresses, you can manually run so-allow.

Services

Verify services are running with the so-status command:

sudo so-status

Data Retention

Review the Curator and Elasticsearch sections to see if you need to change any of the default index retention settings.

Other

Full-time analysts may want to connect using a dedicated Analyst VM.

Any IDS/NSM system needs to be tuned for the network it's monitoring. Please see the Tuning section.

Configure the OS to use your preferred NTP server.



so-allow

Security Onion locks down the Firewall by default. Depending on what kind of installation you do, Setup may walk you through allowing your analyst IP address(es). If you need to add other analyst IP addresses or open firewall ports for agents or syslog devices, you can run sudo so-allow and it will walk you through this process.

This program allows you to add a firewall rule to allow connections from a new IP address.

Choose the role for the IP or Range you would like to add

[a] - Analyst - ports 80/tcp and 443/tcp
[b] - Logstash Beat - port 5044/tcp
[e] - Elasticsearch REST API - port 9200/tcp
[f] - Strelka frontend - port 57314/tcp
[o] - Osquery endpoint - port 8090/tcp
[s] - Syslog device - 514/tcp/udp
[w] - Wazuh agent - port 1514/tcp/udp
[p] - Wazuh API - port 55000/tcp
[r] - Wazuh registration service - 1515/tcp

Please enter your selection:

Wazuh

If you choose the analyst option, so-allow will also add the analyst IP address to the Wazuh safe list. This will prevent Wazuh Active Response from blocking the analyst IP address.

Automation

In addition to the interactive menu shown above, you can pass desired options as command line arguments:

so-allow -h

Usage: /usr/sbin/so-allow [-abefhoprsw] [ -i IP ]

This program allows you to add a firewall rule to allow connections from a new IP address or CIDR range.

If you run this program with no arguments, it will present a menu for you to choose your options.

If you want to automate and skip the menu, you can pass the desired options as command line arguments.

EXAMPLES

To add 10.1.2.3 to the analyst role:

so-allow -a -i 10.1.2.3

To add 10.1.2.0/24 to the osquery role:

so-allow -o -i 10.1.2.0/24
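Because so-allow accepts one role flag and one -i argument per invocation, a deployment with several analyst hosts, agent subnets and syslog sources means many separate runs. The script below is an added example (not part of this page or of Security Onion itself) that drives so-allow from a "role ip-or-cidr" list, validates every entry before anything reaches the firewall, and maps human-readable role names to the single-letter flags from the help text above. The role names, the build_cmd/apply_rules functions and the SO_ALLOW_DRYRUN variable are this script's own conventions; the only thing assumed about so-allow is the flag set shown in its usage line.

```shell
#!/bin/sh
# Added example, not Security Onion's own code.
# Assumes so-allow is on PATH and accepts -<role-flag> -i <IP|CIDR> as shown in its help.
# SO_ALLOW_DRYRUN=1 (a variable invented for this script) prints the commands instead of running them.

# valid_cidr: accept a dotted-quad IPv4 address with an optional /0-32 prefix; reject everything else.
valid_cidr() {
  entry="$1"
  case "$entry" in
    */*) ip="${entry%%/*}"; prefix="${entry#*/}" ;;
    *)   ip="$entry"; prefix=32 ;;
  esac
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  oldifs=$IFS; IFS=.
  set -- $ip
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# role_flag: map a role name used in this script to the so-allow flag from the menu/help text.
role_flag() {
  case "$1" in
    analyst)            echo a ;;   # 80/tcp, 443/tcp
    beats)              echo b ;;   # Logstash Beat 5044/tcp
    elasticsearch)      echo e ;;   # Elasticsearch REST API 9200/tcp
    strelka)            echo f ;;   # Strelka frontend 57314/tcp
    osquery)            echo o ;;   # Osquery endpoint 8090/tcp
    syslog)             echo s ;;   # 514/tcp/udp
    wazuh-agent)        echo w ;;   # 1514/tcp/udp
    wazuh-api)          echo p ;;   # 55000/tcp
    wazuh-registration) echo r ;;   # 1515/tcp
    *) return 1 ;;
  esac
}

# build_cmd: print the so-allow command for one "role cidr" pair, or fail with a reason on stderr.
build_cmd() {
  flag=$(role_flag "$1") || { echo "unknown role: $1" >&2; return 1; }
  valid_cidr "$2"        || { echo "invalid IP/CIDR: $2" >&2; return 1; }
  echo "sudo so-allow -$flag -i $2"
}

# apply_rules: read "role ip-or-cidr" lines from stdin (blank lines and # comments skipped).
# Bad entries are reported and skipped; the function returns 1 if any entry was rejected.
apply_rules() {
  rc=0
  while read -r role cidr rest; do
    case "$role" in ''|'#'*) continue ;; esac
    if cmd=$(build_cmd "$role" "$cidr"); then
      if [ "${SO_ALLOW_DRYRUN:-0}" = 1 ]; then echo "$cmd"; else $cmd; fi
    else
      rc=1
    fi
  done
  return $rc
}

# Usage with a constructed rule list (dry run):
#   SO_ALLOW_DRYRUN=1 apply_rules <<'EOF'
#   analyst      10.1.2.3
#   osquery      10.1.2.0/24
#   wazuh-agent  10.1.3.0/24
#   syslog       10.1.4.10
#   EOF
```

Run it once with SO_ALLOW_DRYRUN=1 to review the exact so-allow invocations, then again without the variable to apply them. Keeping the rule list in a file that is reviewed and version-controlled gives an audit trail for every host or range that has been opened through the Security Onion firewall, which the interactive menu does not provide.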

References


Interesting Links