Juan Davel
Resolved
0 votes
Have added the external IP address to Gateway/ Intrusion Prevention System/ White List with no success.

Which file needs modification to allow outgoing ssh access to specific public ip address of ssh server.

Log File: snort/syslog

Feb 25 12:52:02 spsstudentproxy snort[5158]: [1:2003068:6] ET SCAN Potential SSH Scan OUTBOUND [Classification: Attempted Information Leak] [Priority: 2] [TCP] 10.0.0.3:47160 -> 139.232.191.247:22


Can I use IPTABLES to allow outgoing? If so, where can I place the rule for permanent use once I have tested it from a command line?

Thank you!!!!
Tuesday, February 25 2020, 12:26 PM

Accepted Answer

Monday, March 02 2020, 08:16 AM - #Permalink
Resolved
1 votes
I did try to PM you that your thread was blocked, so I could not answer earlier.

The whitelisting rule is created automatically and put into /etc/snort.conf and you can't easily override this. The normal place to put rules like that is the custom firewall, but in this case, it won't work as the IDS rules fire after the custom firewall.

You need to put the rules into a separate file in /etc/clearos/firewall.d/. Its name needs to begin with a number greater than 10 so it fires after 10-snortsam. Use a copy of "local" as your template and put the rules in the ipv4 section, changing "iptables" to "$IPTABLES".

Also note your rules are open to all tcp traffic and you may want something like:
$IPTABLES -I INPUT -p tcp --dport 22 -s XXX.XXX.XXX.XXX -j ACCEPT
$IPTABLES -I OUTPUT -p tcp --sport 22 -d XXX.XXX.XXX.XXX -j ACCEPT
This is assuming you are wanting the external server to access your server with SSH.
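As an added example (not code from this thread or from ClearOS), the script below parses the snort alert quoted in the question and emits rules scoped to TCP/22 in the convention the answer describes: $IPTABLES, pasted into the ipv4 section of a copy of "local" in /etc/clearos/firewall.d/ under a name numbered above 10. The "lan" mode (FORWARD chain for a client behind the gateway), the address validation and the file name 20-ssh-allow are assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example, not code from the thread or from ClearOS: turn the snort alert
# into TCP/22-scoped rules written the way the answer describes ($IPTABLES).
# Alert line from the question; syslog keeps it on one line.
ALERT='Feb 25 12:52:02 spsstudentproxy snort[5158]: [1:2003068:6] ET SCAN Potential SSH Scan OUTBOUND [Classification: Attempted Information Leak] [Priority: 2] [TCP] 10.0.0.3:47160 -> 139.232.191.247:22'

# Print "src sport dst dport" parsed from the "[TCP] a.b.c.d:p -> e.f.g.h:q" tail.
endpoints_from_alert() {
    printf '%s\n' "$1" |
        sed -n 's/.*\[TCP\] *\([0-9.]*\):\([0-9]*\) -> \([0-9.]*\):\([0-9]*\).*/\1 \2 \3 \4/p'
}

# Accept only a dotted quad with octets 0-255, so a placeholder such as
# XXX.XXX.XXX.XXX is never written into a rule (helper assumed, not from the thread).
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Emit the two rules that let $2 (client) reach $3 (server) on TCP/22 only.
# $1 is "gateway" when the ClearOS box itself is the SSH client, which uses
# OUTPUT/INPUT like the rules tested in the thread; "lan" when the client is
# a host behind the gateway, whose traffic traverses FORWARD instead (assumption).
ssh_client_rules() {
    valid_ipv4 "$2" && valid_ipv4 "$3" || return 1
    case $1 in
        gateway)
            printf '$IPTABLES -I OUTPUT -p tcp -s %s -d %s --dport 22 -j ACCEPT\n' "$2" "$3"
            printf '$IPTABLES -I INPUT -p tcp -s %s --sport 22 -d %s -j ACCEPT\n' "$3" "$2" ;;
        lan)
            printf '$IPTABLES -I FORWARD -p tcp -s %s -d %s --dport 22 -j ACCEPT\n' "$2" "$3"
            printf '$IPTABLES -I FORWARD -p tcp -s %s --sport 22 -d %s -j ACCEPT\n' "$3" "$2" ;;
        *)  return 1 ;;
    esac
}

# Rules for one alert: $1 is the mode above, $2 the alert line. Fails unless
# the alert carries a TCP endpoint pair whose destination port is 22.
rules_for_alert() {
    mode=$1
    set -- $(endpoints_from_alert "$2")    # now: src sport dst dport
    [ $# -eq 4 ] && [ "$4" = 22 ] || return 1
    ssh_client_rules "$mode" "$1" "$3"
}

# Paste this output into the ipv4 section of e.g. /etc/clearos/firewall.d/20-ssh-allow.
rules_for_alert gateway "$ALERT"
```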
Responses (1)
    Juan Davel
    Monday, March 02 2020, 07:25 AM - #Permalink
    Resolved
    0 votes
    Update: I have tested the following two iptables commands and access to the external server is working.

    iptables -I INPUT -p tcp -s XXX.XXX.XXX.XXX -j ACCEPT
    iptables -I OUTPUT -p tcp -d XXX.XXX.XXX.XXX -j ACCEPT


    Which file do I edit to make the changes permanent after a reboot?

    Thank you!!!