7/29/2019 Monitoring Systems for attempts to break-in
http://slidepdf.com/reader/full/monitoring-systems-for-attempts-to-break-in 1/17
MONITORING SYSTEMS FOR
ATTEMPTS TO BREAK IN
Project Presentation by
Hari Balakrishnan MSc. Computer Security
University of Essex [email protected]
Acknowledgements
• Dr Adrian Clark, University of Essex: project guidance and mentoring
• Ms Lynley Barker, University of Essex: guidance with the project proposal
SUBSTANTIAL STEPS TAKEN BY MOST IT SECTORS
Importance of monitoring
• Espionage
• Cyber warfare
• Data retention
• Scanning
• IT sectors
Project Objectives
• To gain insight into logs
• Real-time implementation
• Code compatibility
• Super-user access
• Nessus vulnerability tool
• Extensions to network monitoring commands
Testing
• External scanning by Nmap and Nessus
• SSH remote session
• Wrong entries
• Running applications
• SYN flood sample code
• ICMP attack by ping
Observation
• Identifying the attack
• Displaying all entries
• Updating new entries
• Showing specific keywords
• Less computation time
• Low overheads
• Netstat entries logged in both the SYN flood and the ICMP attack are trivial.
Conclusion
• Easy for administrators
• Potential error logs in httpd
• Work extensions for httpd logs
• /proc/net/ network extensions
• Mitigating using /proc
• Usage of tcpdump for DDoS
• tcpdump can replace the use of IPTraf and Wireshark
APPENDIX
• Included screenshots of the outcome: tcpdump, /proc and httpd logs.
• References for the statistics:
Countries' vulnerability:
http://www.technologyreview.com/news/424538/breaches-and-security-by-the-numbers/
Chart illustrations:
http://blogs.avg.com/view-from-the-top/looking-beyond-the-statistics-internet-safety-tips/
Secure ICMP:
http://securityreliks.securegossip.com/2010/10/security-via-procsysnet-secure-icmp/
The Project
ICMP ATTACK IDENTIFIED BY TCPDUMP
SECURE ICMP
PREVENTING LOG FLOODS
Vulnerability Attack
• Nessus attack: um_linux_manager and then boot ‘.tar’
In the client, log in as root with the password letmein:
Client:~# /etc/init.d/nessusd start
In another terminal:
ssh -X [email protected]
Password: letmein
Client:~# nessus
Use the scan assistant:
Target: 155.245.21.49
Username: root, password: letmein
A large number of attacks are launched…
Substantial evidence can be found in the httpd logs, such as access_log and error_log.
DoS Attacks
• ICMP attack: in a terminal, enter
ping 155.245.21.49 -t -l 0 to 65500
then check tcpdump and netstat.
• SYN flood: remote login with
ssh -X [email protected]
Password: ---------------
gcc synflood.c
sudo ./a.out
netstat identifies a SYN flood through TIME_WAIT entries, but tcpdump is more helpful than netstat here.
Using nmap -sS <IP address> finds the open ports, which can be a potential threat to others.
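The netstat-versus-tcpdump point above, as an added example that is not part of the project's code: a Python script that reads tcpdump output lines, counts ICMP echo requests and bare TCP SYNs per source per second, and flags the sources that exceed a threshold, which is what makes the two DoS tests visible in a capture. The capture lines, source addresses and the threshold of 3 are constructed for the sample; the destination is the target host from the slides.

```python
import re
from collections import Counter

# Constructed tcpdump-style lines in tcpdump's default IPv4 format (not a
# real capture from the project's host). Sources use the 192.0.2.0/24
# documentation range; the destination is the target host from the slides.
SAMPLE_TCPDUMP = """\
12:00:01.000101 IP 192.0.2.10 > 155.245.21.49: ICMP echo request, id 7, seq 1, length 64
12:00:01.000202 IP 192.0.2.10 > 155.245.21.49: ICMP echo request, id 7, seq 2, length 64
12:00:01.000303 IP 192.0.2.10 > 155.245.21.49: ICMP echo request, id 7, seq 3, length 64
12:00:01.000404 IP 192.0.2.10 > 155.245.21.49: ICMP echo request, id 7, seq 4, length 64
12:00:01.000505 IP 192.0.2.20.40001 > 155.245.21.49.80: Flags [S], seq 1, win 512, length 0
12:00:01.000606 IP 192.0.2.20.40002 > 155.245.21.49.80: Flags [S], seq 2, win 512, length 0
12:00:01.000707 IP 192.0.2.20.40003 > 155.245.21.49.80: Flags [S], seq 3, win 512, length 0
12:00:01.000808 IP 192.0.2.30.50000 > 155.245.21.49.80: Flags [S], seq 9, win 29200, length 0
12:00:01.000909 IP 155.245.21.49.80 > 192.0.2.30.50000: Flags [S.], seq 100, ack 10, win 65535, length 0
12:00:02.000000 IP 192.0.2.40 > 155.245.21.49: ICMP echo request, id 9, seq 1, length 64
"""

# ICMP echo request: "HH:MM:SS.usec IP src > dst: ICMP echo request, ..."
ICMP_RE = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ IP (\S+) > (\S+): ICMP echo request,")
# Bare SYN only: "[S]", not the "[S.]" SYN-ACK that a completed handshake shows.
SYN_RE = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[S\],")


def count_events(capture: str) -> Counter:
    """Count ICMP echo requests and bare TCP SYNs per (second, kind, source IP)."""
    counts = Counter()
    for line in capture.splitlines():
        m = ICMP_RE.match(line)
        if m:
            counts[(m.group(1), "icmp_echo", m.group(2))] += 1
            continue
        m = SYN_RE.match(line)
        if m:
            counts[(m.group(1), "tcp_syn", m.group(2))] += 1
    return counts


def flag_floods(capture: str, threshold: int = 3) -> list:
    """Return (kind, source, second, count) for each source that sent at least
    `threshold` events of one kind in a single second (3 only suits this sample)."""
    return sorted(
        (kind, src, second, n)
        for (second, kind, src), n in count_events(capture).items()
        if n >= threshold
    )


if __name__ == "__main__":
    for kind, src, second, n in flag_floods(SAMPLE_TCPDUMP):
        print(f"{second} {kind:9s} from {src}: {n} packets/s")
```

Feed it a live capture with `tcpdump -n -l icmp or 'tcp[tcpflags] & tcp-syn != 0'` piped to stdin and a realistic threshold; the host that completed its handshake (192.0.2.30) is not flagged, which is the distinction netstat's TIME_WAIT view blurs.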