Vuln ossec-hids whitelist-critical

From Atomicorp Wiki
Revision as of 15:23, 7 May 2021 by Mshinn


This vulnerability is designed to alert you if you have a large number of IP addresses whitelisted. Whitelisting tells ASL to absolutely trust a host: it will never block any attacks from that host, nor alert you about attacks from it. In short, it extends the security boundary to those hosts and makes them "invisible" to ASL. Because ASL has no visibility into those hosts, it doesn't know whether they can be trusted, and it is alerting you to this fact.

A large number of whitelisted hosts, such as a whitelisted large network, means that a large number of systems need to be trusted. This is a fairly risky condition for the system to be in: a large number of hosts is very difficult to secure, and the probability that one of them is compromised is much higher with a large whitelist than with a small number of whitelisted systems or none at all.
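The following script, added here as an illustration and not part of ASL or its built-in check, shows the kind of audit this alert performs: it expands every whitelist entry, collapses overlapping ranges so nested entries are not double-counted, totals the trusted address space, and flags broad networks. The one-entry-per-line file format, the sample entries and the thresholds are all assumptions for the example, not ASL settings.

```python
"""Audit a whitelist of IP addresses and networks for an oversized trust boundary.

Added example, not ASL's own code. It assumes a plain text whitelist with one
IP address or CIDR per line ('#' starts a comment) and uses arbitrary
thresholds chosen for the demonstration.
"""
import ipaddress

# Constructed sample whitelist: two narrow entries plus one whole /8.
SAMPLE_WHITELIST = """\
# monitoring host (constructed sample)
203.0.113.10
198.51.100.0/24
# entire private block added to silence false positives (constructed, risky)
10.0.0.0/8
"""

MAX_TRUSTED_ADDRESSES = 256          # assumed threshold, not an ASL setting
BROAD_PREFIX = {4: 24, 6: 64}        # anything wider than these is flagged (assumed)


def parse_whitelist(text):
    """Return the whitelist as ip_network objects, skipping blanks and comments.

    A malformed line raises ValueError on purpose: a typo should fail the
    audit loudly rather than silently shrink the set of trusted addresses.
    """
    networks = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=False accepts host bits set in a CIDR (e.g. 10.1.2.3/8).
        networks.append(ipaddress.ip_network(line, strict=False))
    return networks


def audit_whitelist(networks, max_addresses=MAX_TRUSTED_ADDRESSES):
    """Summarise how much address space the whitelist trusts.

    Overlapping entries are collapsed per IP version first, so a host that is
    already inside a whitelisted network does not count twice.
    """
    collapsed = []
    for version in (4, 6):
        same_version = [n for n in networks if n.version == version]
        collapsed.extend(ipaddress.collapse_addresses(same_version))

    total = sum(net.num_addresses for net in collapsed)
    broad = [str(net) for net in networks
             if net.prefixlen < BROAD_PREFIX[net.version]]
    return {
        "entries": len(networks),
        "trusted_addresses": total,
        "broad_entries": broad,
        "too_large": total > max_addresses,
    }


if __name__ == "__main__":
    report = audit_whitelist(parse_whitelist(SAMPLE_WHITELIST))
    print(f"{report['entries']} entries trust {report['trusted_addresses']} addresses")
    for entry in report["broad_entries"]:
        print(f"  broad network on whitelist: {entry}")
    if report["too_large"]:
        print("WARNING: whitelist extends the trust boundary to a large address space")
```

Run against the constructed sample, the report shows three entries trusting over sixteen million addresses, with the /8 named as the broad entry; replacing that line with individual hosts drops the total to a handful and clears the warning.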

You should not whitelist CDNs, such as Cloudflare for example. If you use a CDN, you should configure your system to treat it as a proxy, not as a whitelisted host. This will prevent ASL from blocking the CDN while still stopping attacks that come through it. Otherwise, any attack that comes through the CDN will be allowed and not logged.

It's important to remember that CDNs may still allow attacks to reach your system, and ASL will neither stop nor alert you to those attacks if you whitelist the CDN.

Please see the proxy article for information about how to configure your webserver to work properly with CDNs and other proxies.

We recommend you only whitelist hosts that you know are extremely secure and that will not allow attacks against your system. If ASL is blocking a host due to a false positive, please report it to us; we would be happy to fix it for you.
