Dhound changes to the operating system
Installing dhound-agent makes some changes to the system automatically. These changes do not affect the server's security.
Iptables changes
The security event OUT tcp connection (sid: 10011) is based on log information produced by the Linux firewall (iptables). By default, iptables does not log information about any established output connections.
On its first start, dhound-agent adds a new rule to iptables that logs information about each established TCP connection to the system logs:
Adding the rule in /etc/init.d/dhoundagent file
iptables -I OUTPUT -m state -p tcp --state NEW --syn -j LOG --log-prefix "OUT TCP: " --log-level 4 -m hashlimit --hashlimit-upto 1/hour --hashlimit-burst 1 --hashlimit-mode dstip --hashlimit-name dhoundtcpout --hashlimit-htable-expire 3600000 --hashlimit-htable-size 1000 -m comment --comment "dhound: Log OUT Tcp Connections to syslog"
You can see this rule by running the following command:
Check current iptables rules
sudo iptables --list
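The following is an added example, not Dhound's own code: it reads the DST and DPT fields from syslog lines carrying the "OUT TCP: " prefix set by the rule above and lists destinations outside an expected network. The sample lines (in the usual iptables LOG target layout), the host name and the allowlist are constructed for illustration.

```python
import ipaddress
import re

PREFIX = "OUT TCP: "  # --log-prefix value from the rule on this page
FIELD = re.compile(r"(\w+)=(\S*)")

# Constructed sample syslog lines; the last kernel entry is deliberately truncated.
SAMPLE_LOG = """\
Mar  4 09:12:01 web01 kernel: [1201.5] OUT TCP: IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4211 DF PROTO=TCP SPT=40112 DPT=5432 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  4 09:12:07 web01 kernel: [1207.9] OUT TCP: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.77 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9120 DF PROTO=TCP SPT=51544 DPT=8443 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  4 09:12:09 web01 sshd[812]: Accepted publickey for deploy from 10.0.0.9 port 50022 ssh2
Mar  4 09:13:30 web01 kernel: [1290.2] OUT TCP: IN= OUT=eth0 SRC=10.0.0.5 DST= LEN=60 PROTO=TCP
"""


def parse_out_tcp(line):
    """Return {'dst': ip_address, 'dpt': int} for a rule-generated line, else None."""
    _, found, rest = line.partition(PREFIX)
    if not found:
        return None  # not produced by the LOG rule
    fields = dict(FIELD.findall(rest))
    try:
        return {"dst": ipaddress.ip_address(fields["DST"]), "dpt": int(fields["DPT"])}
    except (KeyError, ValueError):
        return None  # truncated or malformed entry


def unexpected_destinations(log_text, allowed_networks):
    """List (dst, dpt) pairs whose destination is outside every allowed network."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    hits = []
    for line in log_text.splitlines():
        rec = parse_out_tcp(line)
        if rec and not any(rec["dst"] in net for net in nets):
            hits.append((str(rec["dst"]), rec["dpt"]))
    return hits


if __name__ == "__main__":
    # Hypothetical allowlist: this server is expected to talk only to its own subnet.
    for dst, dpt in unexpected_destinations(SAMPLE_LOG, ["10.0.0.0/24"]):
        print(f"unexpected outbound TCP connection to {dst}:{dpt}")
```

Because the rule uses --hashlimit-upto 1/hour with --hashlimit-mode dstip and a burst of 1, the log holds at most one entry per destination IP per hour, so it records which destinations were contacted rather than every connection.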
See Also
- Install dhound-agent (on this resource)