There are several ways to secure access to the sensor. This page discusses two of them.
The first method is configuring the hosts.allow file. This lets us restrict access to the sensor by listing the allowed IP addresses in hosts.allow. To enable your sensor to use this method, some steps have to be taken when remastering your Knoppix image for the sensor.
The first step is setting up the hosts.allow file so that we can change its contents without the changes being lost after a reboot of the sensor.
    rm /etc/hosts.allow
    ln -s /cdrom/scripts/hosts.allow /etc/hosts.allow
/etc/hosts.allow is now a symbolic link, and the actual hosts.allow file is placed in the /cdrom/scripts/ directory (just like we did with the wgetrc file).
Now we are ready to set up the allowed hosts that can use the SSH service on the sensor. Open the /cdrom/scripts/hosts.allow file with your favorite editor.
We will add the following lines:
    ALL : 127.0.0.1 LOCAL : ALLOW
    ssh sshd : 192.168.10.10 : ALLOW
    ALL : ALL@ALL : DENY
Replace the 192.168.10.10 address with the address you want to allow to have access to the sensors. It might be a good idea to use the server IP address here so that you always have access to the sensor via the server.
Thanks to Mr. Hiroshi Suzuki of NTT-CERT for pointing this method out.
Another way of setting up the SSH access for your sensors is through the use of iptables. This can be done by adding a few iptables lines at the start of the startclient script.
    iptables -I INPUT -p tcp --dport 22 --source 192.168.10.10 -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j DROP
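Just make sure the DROP line is always the last iptables line for port 22, as in the example above. Rules are evaluated in order, so an ACCEPT rule that ends up after the DROP is never reached.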
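To verify that ordering on a running sensor, the following check is an added example, not part of the original page or the sensor scripts. It assumes the rules are listed in `iptables -S INPUT` format; the function name check_ssh_rules, the sample listings and the address 192.168.10.20 are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `iptables -S INPUT` style lines on stdin and checks
# the ordering of the port 22 rules. Prints a verdict; returns 0 only if OK.
check_ssh_rules() {
    accepts=0     # source-restricted ACCEPT rules seen before the DROP
    drop_seen=0   # set to 1 once the catch-all port 22 DROP is seen
    while IFS= read -r rule; do
        case "$rule" in
            "-A INPUT "*"--dport 22 "*) ;;  # only port 22 rules matter
            *) continue ;;
        esac
        case "$rule" in
            *"! -s "*)
                echo "FAIL: negated source not handled: $rule"; return 1 ;;
            *" -s "*"-j ACCEPT")
                if [ "$drop_seen" -eq 1 ]; then
                    echo "FAIL: ACCEPT after DROP is never reached: $rule"
                    return 1
                fi
                accepts=$((accepts + 1)) ;;
            *"-j ACCEPT")
                echo "FAIL: ACCEPT without a source address: $rule"; return 1 ;;
            *" -s "*"-j DROP") ;;           # source-specific DROP, ignored
            *"-j DROP") drop_seen=1 ;;
        esac
    done
    if [ "$drop_seen" -ne 1 ]; then
        echo "FAIL: no catch-all DROP for port 22"; return 1
    fi
    if [ "$accepts" -eq 0 ]; then
        echo "FAIL: DROP without any allowed source locks everyone out"; return 1
    fi
    echo "OK: $accepts allowed source(s), then DROP"
}

# Constructed sample: the rule order the page's two commands produce.
SAMPLE_OK='-P INPUT ACCEPT
-A INPUT -s 192.168.10.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP'

# Constructed sample: a second address (made up) appended after the DROP.
SAMPLE_BAD="$SAMPLE_OK
-A INPUT -s 192.168.10.20/32 -p tcp -m tcp --dport 22 -j ACCEPT"

printf '%s\n' "$SAMPLE_OK"  | check_ssh_rules
printf '%s\n' "$SAMPLE_BAD" | check_ssh_rules || true
```

On the sensor itself the live rules can be piped in with `iptables -S INPUT | check_ssh_rules`. Rules that match port 22 through other means, such as multiport matches, are not covered by this check.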