monitoring systems for attempts to break-in


Page 1: Monitoring Systems for attempts to break-in

7/29/2019 Monitoring Systems for attempts to break-in

http://slidepdf.com/reader/full/monitoring-systems-for-attempts-to-break-in 1/17

QUESTIONS ?????

MONITORING SYSTEMS FOR ATTEMPTS TO BREAK IN

Project Presentation by
Hari Balakrishnan, MSc. Computer Security
University of Essex, [email protected]

Page 2: Monitoring Systems for attempts to break-in


Acknowledgements

• Dr Adrian Clark, University of Essex: project guidance and mentoring

• Ms Lynley Barker, University of Essex: guidance with the project proposal

Page 3: Monitoring Systems for attempts to break-in


SUBSTANTIAL STEPS TAKEN BY MOST IT SECTORS

Page 4: Monitoring Systems for attempts to break-in


Importance of monitoring

• Espionage

• Cyber warfare

• Data Retention

• Scanning

• IT Sectors

Page 5: Monitoring Systems for attempts to break-in


Project Objectives

• To gain insight on logs

• Real time implementation

• Code compatibility

• Super user access

• Nessus Vulnerability tool

• Extensions to network monitoring commands

Page 6: Monitoring Systems for attempts to break-in


Testing

• External scanning by Nmap and Nessus

• SSH Remote session

• Wrong entries

• Running Applications

• SYN Flood sample code

• ICMP attack by ping

Page 7: Monitoring Systems for attempts to break-in


Observation

• Identifying the attack

• Displaying all entries

• Updating new entries

• Showing specific keywords

• Less computation time

• Low overheads

• Netstat entries logged in both SYN flood and ICMP attack are trivial.

Page 8: Monitoring Systems for attempts to break-in


Conclusion

• Easy for administrators

• Potential error logs in Httpd

• Work extensions for httpd logs

• /proc/net/ network extensions

• Mitigating using /proc

• Usage of tcpdump for DDoS

• Tcpdump can avoid usage of IPTraf, Wireshark

Page 9: Monitoring Systems for attempts to break-in


Page 10: Monitoring Systems for attempts to break-in


APPENDIX

• Included screenshots of the outcome, tcpdump, /proc and httpd logs.

• References for the statistics:

Countries vulnerability: http://www.technologyreview.com/news/424538/breaches-and-security-by-the-numbers/

Chart illustrations: http://blogs.avg.com/view-from-the-top/looking-beyond-the-statistics-internet-safety-tips/

Secure ICMP: http://securityreliks.securegossip.com/2010/10/security-via-procsysnet-secure-icmp/

Page 11: Monitoring Systems for attempts to break-in


Page 12: Monitoring Systems for attempts to break-in


The Project

Page 13: Monitoring Systems for attempts to break-in


ICMP ATTACK IDENTIFIED BY TCPDUMP

Page 14: Monitoring Systems for attempts to break-in


SECURE ICMP

Page 15: Monitoring Systems for attempts to break-in


PREVENTING LOG FLOODS

Page 16: Monitoring Systems for attempts to break-in


Vulnerability Attack

• Nessus attackum_linux_manager and then Boot ‘.tar’

In Client, enter the login name as root, password letmein

Client:~# /etc/init.d/nessusd start

In another terminal:

ssh -X [email protected]

Pass: letmein

Client:~# nessus

Use the scan assistant:

Target: 155.245.21.49

Username: root, password: letmein

A lot of attacks are established…

Substantial evidence can be found in httpd logs such as access_log and error_log.
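The evidence the slide points to in access_log can be pulled out automatically. The following is an added example, not code from the project or its author: it parses Apache Common Log Format lines and flags a client that issues many failing requests to distinct paths inside a short window, which is the footprint a web vulnerability scan leaves. The log format, the sample lines and the thresholds (10 requests in 60 seconds, 60% failures) are assumptions chosen for the example, not values from the slides.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache Common Log Format: client ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')

def parse_access_log(lines):
    """Return [(ip, datetime, method, path, status), ...]; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        parts = m.group("req").split()
        method, path = (parts[0], parts[1]) if len(parts) >= 2 else ("-", m.group("req"))
        events.append((m.group("ip"), ts, method, path, int(m.group("status"))))
    return events

def find_scanners(events, window_seconds=60, min_requests=10, min_error_ratio=0.6):
    """Flag clients with >= min_requests inside some window_seconds span where at least
    min_error_ratio of those requests failed (status >= 400), i.e. a host probing for
    files and scripts that do not exist, as a vulnerability scanner does."""
    by_ip = defaultdict(list)
    for ip, ts, _method, path, status in events:
        by_ip[ip].append((ts, path, status))
    findings = {}
    for ip, recs in by_ip.items():
        recs.sort()
        for i in range(len(recs)):                 # window anchored at each request
            win = [r for r in recs[i:] if (r[0] - recs[i][0]).total_seconds() <= window_seconds]
            errors = sum(1 for _t, _p, s in win if s >= 400)
            if len(win) >= min_requests and errors / len(win) >= min_error_ratio:
                findings[ip] = {"requests": len(win), "errors": errors,
                                "distinct_paths": len({p for _t, p, _s in win})}
                break
    return findings

def sample_log():
    """Constructed access_log lines (not from a real server): one normal client plus one
    host requesting 12 non-existent CGI paths within 30 seconds."""
    fmt = '%s - - [12/Aug/2012:10:%02d:%02d +0100] "GET %s HTTP/1.1" %d 512'
    lines = [fmt % ("10.0.0.11", 0, s, "/index.html", 200) for s in (5, 20, 40)]
    lines += [fmt % ("10.0.0.99", 1, 2 * i, "/cgi-bin/probe%02d" % i, 404) for i in range(12)]
    return lines

if __name__ == "__main__":
    print(find_scanners(parse_access_log(sample_log())))
```

Pointing `parse_access_log` at the real file (`open("/var/log/httpd/access_log")`) and tuning the thresholds to the site's normal 404 rate is all that is needed to run it against live logs.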

Page 17: Monitoring Systems for attempts to break-in


DoS Attacks

• ICMP attack: use a terminal

Enter: ping 155.245.21.49 -t -l 0 to 65500

See tcpdump and netstat

• SYN Flood: remote login by

ssh -X [email protected]

Password: ---------------

gcc synflood.c

sudo ./a.out

Netstat identifies a SYN flood by its TIME_WAIT entries, but tcpdump can be more helpful than netstat.

Using nmap -sS <IP address> can help to find out open ports, and such a scan can be a potential threat to others.
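The socket states that netstat prints come from the kernel's /proc/net/tcp table, which the Conclusion slide lists among the /proc/net extensions. The following is an added example, not the project's synflood.c or its monitoring code: it decodes that table's hex address and state columns, reports the per-state totals (so TIME_WAIT and SYN_RECV counts are both visible) and flags a local port once the number of half-open SYN_RECV sockets crosses a threshold. The sample table, the threshold of 20 and the assumption of a little-endian host are constructed for the example.

```python
import socket
import struct
from collections import Counter

# TCP state codes as they appear in the "st" column of /proc/net/tcp.
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE",
              "08": "CLOSE_WAIT", "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}

def decode_endpoint(hex_endpoint):
    """'0100007F:0050' -> ('127.0.0.1', 80); assumes a little-endian (x86) host."""
    addr_hex, port_hex = hex_endpoint.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Return [(local_ip, local_port, remote_ip, remote_port, state), ...]."""
    rows = []
    for line in text.splitlines()[1:]:          # line 0 is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        lip, lport = decode_endpoint(fields[1])
        rip, rport = decode_endpoint(fields[2])
        rows.append((lip, lport, rip, rport, TCP_STATES.get(fields[3], fields[3])))
    return rows

def syn_flood_report(rows, half_open_threshold=20):
    """Per-state totals, SYN_RECV counts per local port and per source, flagged ports."""
    states = Counter(r[4] for r in rows)
    per_port, per_source = Counter(), Counter()
    for _lip, lport, rip, _rport, state in rows:
        if state == "SYN_RECV":                  # half-open: SYN seen, handshake unfinished
            per_port[lport] += 1
            per_source[rip] += 1
    flagged = sorted(p for p, n in per_port.items() if n >= half_open_threshold)
    return states, per_port, per_source, flagged

def build_sample():
    """Constructed /proc/net/tcp text (not a real capture): a :80 listener, one
    established client, and 25 half-open SYNs from distinct 192.168.0.x sources."""
    tail = "00000000:00000000 00:00000000 00000000     0        0 1000 1 0 100 0 0 10 0"
    lines = ["  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode",
             "   0: 00000000:0050 00000000:0000 0A " + tail,
             "   1: 0A00000A:0050 0B00000A:C350 01 " + tail]
    for i in range(25):   # 192.168.0.(i+1):(40000+i) -> 10.0.0.10:80 in SYN_RECV
        lines.append("  %2d: 0A00000A:0050 %02X00A8C0:%04X 03 %s" % (i + 2, i + 1, 40000 + i, tail))
    return "\n".join(lines)

if __name__ == "__main__":
    states, per_port, _sources, flagged = syn_flood_report(parse_proc_net_tcp(build_sample()))
    print(dict(states), dict(per_port), flagged)
```

On a live host, `open("/proc/net/tcp").read()` replaces `build_sample()`; a flood of spoofed sources shows up as a high SYN_RECV count on one port spread across many remote addresses.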