monitoring systems for attempts to break-in

7/29/2019 Monitoring Systems for attempts to break-in

http://slidepdf.com/reader/full/monitoring-systems-for-attempts-to-break-in 1/17

QUESTIONS ?????

MONITORING SYSTEMS FOR

ATTEMPTS TO BREAK IN

Project Presentation by

Hari Balakrishnan MSc. Computer Security

University of Essex [email protected]



Acknowledgements

• Dr Adrian Clark, University of Essex

Project guidance and mentoring

•

Ms Lynley Barker, University of EssexGuidance with Project proposal



SUBSTANTIAL STEPS TAKEN BY MOST IT SECTORS



Importance of monitoring

• Espionage

• Cyber warfare

•

Data Retention• Scanning

• IT Sectors



Project Objectives

• To gain insight on logs

• Real time implementation

• Code compatibility

• Super user access

• Nessus Vulnerability tool

• Extensions to

network monitoring

commands



Testing

• External scanning by

Nmap and Nessus

•

SSH Remote session• Wrong entries

• Running Applications

• SYN Flood sample code• ICMP attack by ping



Observation

• Identifying the attack

• Displaying all entries

• Updating new entries

• Showing specific

keywords

• Less computation time

• Low overheads• Netstat entries logged in both SYN flood and

ICMP attack are trivial.



Conclusion

• Easy for administrators

• Potential error logs in Httpd

• Work extensions for httpd logs

• /proc/net/ network extensions

• Mitigating using /proc

•

Usage of tcpdump for DDoS• Tcpdump can avoid usage of IPTraf, Wireshark



APPENDIX

• Included screenshots of the outcome,

tcpdump, /proc and httpd logs.

• Reference for the statistics:Countries vulnerability:

http://www.technologyreview.com/news/424538/breaches-and-security-by-the-

numbers/

Chart illustrations:

http://blogs.avg.com/view-from-the-top/looking-beyond-the-statistics-internet-safety-

tips/

Secure ICMP:

http://securityreliks.securegossip.com/2010/10/security-via-procsysnet-secure-icmp/

http://www.technologyreview.com/news/424538/breaches-and-security-by-the-numbers/



http://blogs.avg.com/view-from-the-top/looking-beyond-the-statistics-internet-safety-tips/
















































The Project



ICMP ATTACK IDENTIFIED BY TCPDUMP



SECURE ICMP



PREVENTING LOG FLOODS



Vulnerability Attack

• Nessus attackum_linux_manager and then Boot ‘.tar’

IN Client,

Enter the login name as root

Password letmein

Client:~# /etc/init.d/nessusd start

Another terminal

ssh –X [email protected]

Pass: letmein

Client:~#nessus

Use scan assistant:

Target: 155.245.21.49

Username:rootpassword:letmein

Lot of attacks are established…

Substantial evidences can be found in Httpd logs such as access_log and error_log.

mailto:[email protected]




DoS Attacks

• ICMP attack:Use terminal

Enter: ping 155.245.21.49 –t –l 0 to 65500

See tcpdump and netstat

• SYN Flood:Remote login by

Ssh –X [email protected]

Password:---------------

gcc synflood.c

sudo ./a.out

Netstat identifies SYN Flood with TIME_WAIT but tcpdump can be more helpful when compared to netstat.

Using nmap –sS IP Address can help to find out open ports and can be a potential threat for others.



monitoring systems for attempts to break-in

Documents