Firewall old
Please note! This wiki is no longer maintained. Our documentation has moved to https://securityonion.net/docs/. Please update your bookmarks. You can find the latest version of this page at: https://securityonion.net/docs/Firewall-old.
This page contains legacy information for versions of Setup older than securityonion-setup - 20120912-0ubuntu0securityonion201.
If you're running securityonion-setup - 20120912-0ubuntu0securityonion201 or newer, please see the current firewall documentation.
The default firewall configuration tool for Ubuntu is ufw. ufw is enabled by default on Security Onion.
sudo ufw enable
sudo ufw disable
example: allow port 9876 for Xplico
sudo ufw allow 9876/tcp
example: allow irc port range 6667 - 7000
sudo ufw allow 6667:7000
example: deny https
sudo ufw deny 443
example
sudo ufw status
example output
Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
7734/tcp ALLOW Anywhere
7736/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
For more info you can visit the UFW documentation site
Note: Gufw is a GUI front end for the ufw.
By default, older versions of Setup configure a master server to allow connections to the following ports from any IP address:
- 22 - SSH
- 443 - Squert/ELSA/CapMe
- 514 - Syslog
- 1514/udp - OSSEC
- 7734 - Sguil client
- 7736 - sensor connection to sguild
You may want to restrict those ports to only accepting connections from a subset of IP addresses.
NOTE! Before attempting any firewall changes, you should always ensure you have a backup plan should you accidentally block your own connection. So make sure that you have DRAC/KVM/physical or some other form of access.
First, add a rule like the following for each of your sensors (replacing a.b.c.d with the actual IP address of the sensor) to connect to ports 22 (SSH) and 7736 (sguild):
sudo ufw allow proto tcp from a.b.c.d to any port 22,7736
-OR-
If you're running Salt, then sensors need to connect to ports 4505/tcp and 4506/tcp:
sudo ufw allow proto tcp from a.b.c.d to any port 22,4505,4506,7736
Next add a rule like the following for the IP addresses that will be sending syslog (port 514 tcp and udp):
sudo ufw allow from a.b.c.d to any port 514
Next add a rule like the following for the IP addresses that will be running the OSSEC agent (port 1514 udp):
sudo ufw allow proto udp from a.b.c.d to any port 1514
Then add a rule like the following for the IP addresses or subnet that you'll be using to connect to the master as an analyst/administrator to ports 22 (SSH), 443 (Squert/ELSA/CapMe), 7734 (Sguil client):
sudo ufw allow proto tcp from a.b.c.d to any port 22,443,7734
Once you've added these new rules, then you can remove the default "allow from Anywhere" rules.
sudo ufw delete allow 22/tcp
sudo ufw delete allow 443/tcp
sudo ufw delete allow 444/tcp
sudo ufw delete allow 514
sudo ufw delete allow 1514/udp
sudo ufw delete allow 3154/tcp
sudo ufw delete allow 7734/tcp
sudo ufw delete allow 7736/tcp
By default, a sensor allows connections to the following ports from any IP address:
- 22 - SSH
- 514 - Syslog
- 1514/udp - OSSEC
You may want to restrict those ports to only accepting connections from a subset of IP addresses.
NOTE! Before attempting any firewall changes, you should always ensure you have a backup plan should you accidentally block your own connection. So make sure that you have DRAC/KVM/physical or some other form of access.
First, add a rule like the following for the IP addresses that will be sending syslog (port 514 tcp and udp):
sudo ufw allow from a.b.c.d to any port 514
Next add a rule like the following for the IP addresses that will be running the OSSEC agent (port 1514 udp):
sudo ufw allow proto udp from a.b.c.d to any port 1514
Then add a rule like the following for the IP addresses or subnet that you'll be using to connect to the sensor as an analyst/administrator to ports 22:
sudo ufw allow proto tcp from a.b.c.d to any port 22
Once you've added these new rules, then you can remove the default "allow from Anywhere" rules.
sudo ufw delete allow 22/tcp
sudo ufw delete allow 514
sudo ufw delete allow 1514/udp
- Introduction
- Use Cases
- Hardware Requirements
- Release Notes
- Download/Install
- Booting Issues
- After Installation
- UTC and Time Zones
- Services
- VirtualBox Walkthrough
- VMWare Walkthrough
- Videos
- Architecture
- Cheat Sheet
- Conference
- Elastic Stack
- Elastic Architecture
- Elasticsearch
- Logstash
- Kibana
- ElastAlert
- Curator
- FreqServer
- DomainStats
- Docker
- Redis
- Data Fields
- Beats
- Pre-Releases
- ELSA to Elastic
- Network Configuration
- Proxy Configuration
- Firewall/Hardening
- Email Configuration
- Integrating with other systems
- Changing IP Addresses
- NTP
- Managing Alerts
- Managing Rules
- Adding Local Rules
- Disabling Processes
- Filtering with BPF
- Adjusting PF_RING for traffic
- MySQL Tuning
- Adding a new disk
- High Performance Tuning
- Trimming PCAPs