Linux - Security
It depends
Snort is a signature-based IDS (Intrusion Detection System), while iptables is a firewall.
An IDS alerts you in case there is an attack (it has some limited blocking, like TCP reset or so), and a firewall is used to permit or block access to some IPs, ports, protocols, etc.
As a rule of thumb, you need a cascaded security solution with a firewall as the first layer of defence, followed by an IDS (IDP).
Also see the following link for more information: http://www.juniper.net/solutions/lit.../fw_idp_wp.pdf
Snort is only an IDS (intrusion DETECTION system),
as opposed to iptables, which is a firewall - meant to keep out people.
I personally would install iptables as I am a very mistrusting person
and also use iptables to add a second layer of security on my applications
On client installations I often use 2 net taps, before and behind the firewall, to have Snort show me how well the firewall is working and what has been stopped.
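The layered setup the two posts above describe (firewall as the first layer, Snort watching what gets through), as an added example that is not from this thread or from the Snort or iptables projects: a default-deny iptables ruleset in iptables-restore format that logs what it drops, with Snort run in plain IDS mode next to it. The interface name, the management network 192.0.2.0/24, the open ports and the log prefix are assumptions; adjust them before loading.

```shell
#!/bin/sh
# Added example, not code from the thread. Load the ruleset with:
#   sh layered_fw.sh | iptables-restore
# Check the policy lines before loading with:
#   sh layered_fw.sh check
# Snort then runs in IDS mode on the same interface; it needs no firewall hooks
# (interface and paths are assumptions):
#   snort -i eth0 -c /etc/snort/snort.conf -A fast -l /var/log/snort

MGMT_NET="${MGMT_NET:-192.0.2.0/24}"   # assumed admin network allowed to reach SSH

# Emits an iptables-restore file: default DROP on INPUT and FORWARD, stateful
# accept for replies, a short explicit allow list, and a rate-limited LOG before
# the final drop so what the firewall stopped lands in syslog next to Snort's alerts.
firewall_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -s $MGMT_NET -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "FW-DROP: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}

# Sanity check: the built-in chains must default to DROP, never ACCEPT.
# A ruleset with ":INPUT ACCEPT" would make the allow list above meaningless.
check_default_deny() {
    firewall_rules | grep -q '^:INPUT DROP' && firewall_rules | grep -q '^:FORWARD DROP'
}

case "${1:-}" in
    check) check_default_deny && echo "default-deny ok" ;;
    *) firewall_rules ;;
esac
```

The LOG rule is rate-limited on purpose: an attacker who can make the firewall log without limit can fill the disk the Snort logs live on.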
Actually, Snort is not just an IDS. It also does tcpdump-style packet logging, packet sniffing, IDS, and iptables-inline packet checking. My understanding is that it doesn't interfere with a firewall, if one is running on the system, though not all modes may be friendly with a firewall. I don't know for certain on that point.
Dogit:
If you want to use inline mode, you'll need iptables set up and running, and also ip_queue, which is how iptables passes packets on to Snort. I think the most common way to use it is IDS mode, which doesn't require iptables or any other firewall.
Are you putting iptables on the same machine as Snort, or are you planning on using Snort behind a firewall to view attacks that made it through the firewall?
Also, just to point it out: you can use Snort to create firewall rules dynamically via iptables when being attacked. However, this can lead to a DoS attack if the attacker knows what's going on and uses it to his advantage. Care must also be taken because false positives could lead you to block legitimate traffic.
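The dynamic blocking the post above warns about, as an added example that is not from this thread or from the Snort project: a small Python script that reads Snort alerts in fast format and turns repeat offenders into iptables DROP rules, with the guard rails the post calls for (an allowlist so a spoofed gateway or DNS server can never be blocked, an alert threshold so one false positive does not block anyone, and a hard cap on the number of blocks). The chain name SNORT_BLOCK, the sample alert lines, their SIDs and addresses are all constructed for the example.

```python
"""Added example (not from the thread): Snort fast alerts -> temporary iptables blocks.

Assumed operating model (not from the page): Snort writes alerts with -A fast; all
automatic blocks go into a dedicated chain SNORT_BLOCK that is created once by hand
    iptables -N SNORT_BLOCK; iptables -I INPUT -j SNORT_BLOCK
and flushed on a timer (iptables -F SNORT_BLOCK) so that every automatic block
expires instead of piling up.
"""
import ipaddress
import re
import subprocess
from collections import Counter

CHAIN = "SNORT_BLOCK"  # assumed chain name; keeps automatic blocks apart from hand-written rules

# Constructed sample alerts in Snort's fast alert format. SIDs, messages and
# addresses (documentation ranges) are made up; they are not real rules or hosts.
# 192.0.2.1 plays the gateway: an attacker spoofs it as the source of a flood in
# the hope that the auto-blocker cuts the host off from its own gateway.
SAMPLE_ALERTS = """\
01/15-10:00:01.000001  [**] [1:1000001:1] LOCAL example scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.10:54321 -> 192.0.2.5:22
01/15-10:00:02.000002  [**] [1:1000001:1] LOCAL example scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.10:54322 -> 192.0.2.5:23
01/15-10:00:03.000003  [**] [1:1000001:1] LOCAL example scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.10:54323 -> 192.0.2.5:25
01/15-10:00:04.000004  [**] [1:1000001:1] LOCAL example scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.77:4444 -> 192.0.2.5:22
01/15-10:00:05.000005  [**] [1:1000002:1] LOCAL example probe [**] [Classification: Misc activity] [Priority: 3] {UDP} 198.51.100.7:5353 -> 192.0.2.5:5353
01/15-10:00:06.000006  [**] [1:1000003:1] LOCAL example ping flood [**] [Classification: Attempted DoS] [Priority: 1] {ICMP} 192.0.2.1 -> 192.0.2.5
01/15-10:00:07.000007  [**] [1:1000003:1] LOCAL example ping flood [**] [Classification: Attempted DoS] [Priority: 1] {ICMP} 192.0.2.1 -> 192.0.2.5
01/15-10:00:08.000008  [**] [1:1000003:1] LOCAL example ping flood [**] [Classification: Attempted DoS] [Priority: 1] {ICMP} 192.0.2.1 -> 192.0.2.5
"""

# Tail of a fast-format line: "[Priority: N] {PROTO} src[:port] -> dst[:port]".
# IPv4 only, so the optional ":port" cannot be confused with an address.
ALERT_RE = re.compile(
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s*$"
)


def parse_alert(line):
    """Return (priority, proto, src_ip, dst_ip) for one fast-format line, or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return int(m["prio"]), m["proto"], m["src"], m["dst"]


def plan_blocks(lines, allow_nets, threshold=3, max_priority=2, max_blocks=50):
    """Decide which source addresses earn a DROP rule; returns a sorted list of IPs.

    allow_nets:   networks that are never blocked whatever the alerts say (gateway,
                  DNS, monitoring). Spoofing these as a packet source is the obvious
                  way to turn an auto-blocker into a DoS tool.
    threshold:    one alert is not enough; false positives happen.
    max_priority: act only on Snort priorities 1..max_priority.
    max_blocks:   hard cap, so a scan from many spoofed sources cannot fill the chain;
                  the noisiest sources are kept.
    """
    allowed = [ipaddress.ip_network(n) for n in allow_nets]
    hits = Counter()
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue
        prio, _proto, src, _dst = parsed
        if prio > max_priority:
            continue
        if any(ipaddress.ip_address(src) in net for net in allowed):
            continue
        hits[src] += 1
    chosen = [ip for ip, n in hits.most_common() if n >= threshold]
    return sorted(chosen[:max_blocks])


def iptables_commands(block_ips, chain=CHAIN):
    """One DROP rule per source, inserted into the dedicated chain."""
    return [["iptables", "-I", chain, "-s", ip, "-j", "DROP"] for ip in block_ips]


def apply_commands(cmds, dry_run=True):
    """Run the commands (needs root) unless dry_run; returns them as shell strings."""
    rendered = [" ".join(c) for c in cmds]
    if not dry_run:
        for c in cmds:
            subprocess.run(c, check=True)
    return rendered


if __name__ == "__main__":
    # Dry run over the constructed alerts: only 203.0.113.10 gets blocked. The
    # spoofed gateway is protected by the allowlist, 203.0.113.77 is below the
    # threshold, and the priority-3 probe is ignored.
    ips = plan_blocks(SAMPLE_ALERTS.splitlines(), ["192.0.2.0/24", "127.0.0.0/8"])
    for cmd in apply_commands(iptables_commands(ips)):
        print(cmd)
```

Run it against a real alert file with `plan_blocks(open("/var/log/snort/alert").readlines(), [...])` and `dry_run=False` only after the allowlist covers every address the host cannot afford to lose; the flush timer on the chain is what bounds the damage when a false positive slips through anyway.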