Cyber Security: Security Onion setelah Instalasi

From OnnoWiki
Revision as of 17:20, 10 July 2023 by Onnowpurbo (talk | contribs)
Jump to navigation Jump to search

After Installation

SSH Key Change Depending on what kind of installation you did, you may have seen a warning at the end of Setup about SSH key changes.

_images/so-ssh-harden.png For more information, see the SSH section.

Adjust firewall rules using so-allow

Depending on what kind of installation you did, the Setup wizard may have already walked you through adding firewall rules to allow your analyst IP address(es). If you need to allow other IP addresses, you can manually run so-allow.

Services

Verify services are running with the so-status command:

sudo so-status

Data Retention

Review the Curator and Elasticsearch sections to see if you need to change any of the default index retention settings. Other Full-time analysts may want to connect using a dedicated Analyst VM. Any IDS/NSM system needs to be tuned for the network it’s monitoring. Please see the Tuning section. Configure the OS to use your preferred NTP server.



so-allow

Security Onion locks down the Firewall by default. Depending on what kind of installation you do, Setup may walk you through allowing your analyst IP address(es). If you need to add other analyst IP addresses or open firewall ports for agents or syslog devices, you can run sudo so-allow and it will walk you through this process.

This program allows you to add a firewall rule to allow connections from a new IP address.

Choose the role for the IP or Range you would like to add

[a] - Analyst - ports 80/tcp and 443/tcp
[b] - Logstash Beat - port 5044/tcp
[e] - Elasticsearch REST API - port 9200/tcp
[f] - Strelka frontend - port 57314/tcp
[o] - Osquery endpoint - port 8090/tcp
[s] - Syslog device - 514/tcp/udp
[w] - Wazuh agent - port 1514/tcp/udp
[p] - Wazuh API - port 55000/tcp
[r] - Wazuh registration service - 1515/tcp

Please enter your selection:

Wazuh

If you choose the analyst option, so-allow will also add the analyst IP address to the Wazuh safe list. This will prevent Wazuh Active Response from blocking the analyst IP address.

Automation

In addition to the interactive menu shown above, you can pass desired options as command line arguments:

so-allow -h

Usage: /usr/sbin/so-allow [-abefhoprsw] [ -i IP ]

This program allows you to add a firewall rule to allow connections from a new IP address or CIDR range.

If you run this program with no arguments, it will present a menu for you to choose your options.

If you want to automate and skip the menu, you can pass the desired options as command line arguments.

EXAMPLES

To add 10.1.2.3 to the analyst role:

so-allow -a -i 10.1.2.3

To add 10.1.2.0/24 to the osquery role:

so-allow -o -i 10.1.2.0/24




Referensi


Pranala Menarik