monitoring systems for attempts to break-in

Post on 04-Apr-2018


7/29/2019 Monitoring Systems for attempts to break-in

http://slidepdf.com/reader/full/monitoring-systems-for-attempts-to-break-in 1/17

QUESTIONS ?????

MONITORING SYSTEMS FOR

ATTEMPTS TO BREAK IN

Project Presentation by

Hari Balakrishnan MSc. Computer Security

University of Essex hbalaka@essex.ac.uk


Acknowledgements

• Dr Adrian Clark, University of Essex

Project guidance and mentoring

• Ms Lynley Barker, University of Essex

Guidance with Project proposal


SUBSTANTIAL STEPS TAKEN BY MOST IT SECTORS


Importance of monitoring

• Espionage

• Cyber warfare

• Data Retention

• Scanning

• IT Sectors


Project Objectives

• To gain insight on logs

• Real time implementation

• Code compatibility

• Super user access

• Nessus Vulnerability tool

• Extensions to network monitoring commands


Testing

• External scanning by Nmap and Nessus

• SSH Remote session

• Wrong entries

• Running Applications

• SYN Flood sample code

• ICMP attack by ping


Observation

• Identifying the attack

• Displaying all entries

• Updating new entries

• Showing specific keywords

• Less computation time

• Low overheads

• Netstat entries logged in both SYN flood and ICMP attack are trivial.


Conclusion

• Easy for administrators

• Potential error logs in Httpd

• Work extensions for httpd logs

• /proc/net/ network extensions

• Mitigating using /proc

• Usage of tcpdump for DDoS

• Tcpdump can avoid usage of IPTraf, Wireshark


APPENDIX

• Included screenshots of the outcome, tcpdump, /proc and httpd logs.

• Reference for the statistics:

Countries vulnerability: http://www.technologyreview.com/news/424538/breaches-and-security-by-the-numbers/

Chart illustrations: http://blogs.avg.com/view-from-the-top/looking-beyond-the-statistics-internet-safety-tips/

Secure ICMP: http://securityreliks.securegossip.com/2010/10/security-via-procsysnet-secure-icmp/


The Project


ICMP ATTACK IDENTIFIED BY TCPDUMP


SECURE ICMP


PREVENTING LOG FLOODS


Vulnerability Attack

• Nessus attackum_linux_manager and then Boot ‘.tar’

In Client:

Enter the login name as root

Password: letmein

Client:~# /etc/init.d/nessusd start

In another terminal:

ssh -X root@192.168.0.253

Pass: letmein

Client:~# nessus

Use scan assistant:

Target: 155.245.21.49

Username: root, password: letmein

A lot of attacks are established…

Substantial evidences can be found in Httpd logs such as access_log and error_log.


DoS Attacks

• ICMP attack: use a terminal

Enter: ping 155.245.21.49 -t -l 0 to 65500

See tcpdump and netstat

• SYN Flood: remote login by

ssh -X hbalaka@155.245.21.49

Password: ---------------

gcc synflood.c

sudo ./a.out

Netstat identifies a SYN flood through TIME_WAIT entries, but tcpdump is more helpful than netstat here.

Using nmap -sS on an IP address helps to find open ports, and those open ports can be a potential threat for others.
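As an added example (not part of the slides or the project's code), the following Python script applies the netstat and /proc observations above to constructed sample output: it counts half-open TCP sockets per peer to flag a SYN flood and reads InEchos from two /proc/net/snmp snapshots to flag a ping flood. The host addresses, thresholds and snapshot values are assumptions.

```python
from collections import Counter

# Constructed `netstat -ant` output; 198.51.100.10 stands in for the monitored host.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 198.51.100.10:80        203.0.113.5:51234       ESTABLISHED
tcp        0      0 198.51.100.10:80        192.0.2.11:40001        SYN_RECV
tcp        0      0 198.51.100.10:80        192.0.2.12:40002        SYN_RECV
tcp        0      0 198.51.100.10:80        192.0.2.13:40003        SYN_RECV
tcp        0      0 198.51.100.10:80        192.0.2.14:40004        SYN_RECV
tcp        0      0 198.51.100.10:22        203.0.113.9:55001       TIME_WAIT
"""

# Constructed /proc/net/snmp Icmp rows (header truncated after InEchoReps),
# two snapshots assumed 10 seconds apart: InEchos climbs from 120 to 8120.
ICMP_HEADER = ("Icmp: InMsgs InErrors InCsumErrors InDestUnreachs InTimeExcds "
               "InParmProbs InSrcQuenchs InRedirects InEchos InEchoReps\n")
SNMP_BEFORE = ICMP_HEADER + "Icmp: 140 0 0 3 0 0 0 0 120 17\n"
SNMP_AFTER = ICMP_HEADER + "Icmp: 8140 0 0 3 0 0 0 0 8120 17\n"


def tcp_state_counts(netstat_text):
    """Count TCP sockets per state and collect distinct SYN_RECV peer addresses."""
    states, syn_peers = Counter(), set()
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 6 or not cols[0].startswith("tcp"):
            continue  # header or non-TCP row
        states[cols[5]] += 1
        if cols[5] == "SYN_RECV":
            syn_peers.add(cols[4].rsplit(":", 1)[0])  # drop the port, keep the peer
    return states, syn_peers


def syn_flood_suspected(netstat_text, half_open_limit=3):
    """Many half-open connections from many distinct peers is the flood signature."""
    states, peers = tcp_state_counts(netstat_text)
    return states["SYN_RECV"] > half_open_limit and len(peers) > half_open_limit


def icmp_echo_rate(snmp_before, snmp_after, seconds):
    """Echo requests per second between two /proc/net/snmp snapshots."""
    def in_echos(text):
        header, values = [l.split()[1:] for l in text.splitlines() if l.startswith("Icmp:")]
        return int(values[header.index("InEchos")])
    return (in_echos(snmp_after) - in_echos(snmp_before)) / seconds


def ping_flood_suspected(snmp_before, snmp_after, seconds, limit_per_sec=100):
    """Flag an ICMP flood when the echo-request rate exceeds the assumed limit."""
    return icmp_echo_rate(snmp_before, snmp_after, seconds) > limit_per_sec
```

On a live host the same functions can be fed the output of `netstat -ant` and the contents of /proc/net/snmp read a few seconds apart.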
