
MONITORING SYSTEMS FOR ATTEMPTS TO BREAK IN

QUESTIONS?

Project Presentation by Hari Balakrishnan MSc. Computer Security University of Essex hbalaka@essex.ac.uk

Acknowledgements
Dr Adrian Clark, University of Essex: project guidance and mentoring
Ms Lynley Barker, University of Essex: guidance with the project proposal

SUBSTANTIAL STEPS TAKEN BY MOST IT SECTORS

Importance of monitoring
Espionage
Cyber warfare
Data retention
Scanning of IT sectors

Project Objectives
To gain insight from logs
Real-time implementation
Code compatibility
Super-user access
Nessus vulnerability tool
Extensions to network monitoring commands

Testing
External scanning by Nmap and Nessus
SSH remote session
Wrong login entries
Running applications
SYN flood sample code
ICMP attack by ping

Observation
Identifying the attack
Displaying all entries
Updating new entries
Showing specific keywords
Less computation time
Low overheads
Netstat entries logged in both the SYN flood and the ICMP attack are trivial.

Conclusion
Easy for administrators
Potential error logs in httpd
Work extensions for httpd logs
/proc/net/ network extensions
Mitigating using /proc
Usage of tcpdump for DDoS
Tcpdump can avoid the need for IPTraf or Wireshark

APPENDIX
Included screenshots of the outcome, tcpdump, /proc and httpd logs.
References for the statistics:
Countries vulnerability: http://www.technologyreview.com/news/424538/breaches-and-security-by-thenumbers/
Chart illustrations: http://blogs.avg.com/view-from-the-top/looking-beyond-the-statistics-internet-safetytips/
Secure ICMP: http://securityreliks.securegossip.com/2010/10/security-via-procsysnet-secure-icmp/

The Project

ICMP ATTACK IDENTIFIED BY TCPDUMP

SECURE ICMP

PREVENTING LOG FLOODS

Vulnerability Attack
Nessus attack:
um_linux_manager and then Boot .tar
In Client, enter the login name as root, password letmein
Client:~# /etc/init.d/nessusd start
In another terminal: ssh -X root@192.168.0.253 (Pass: letmein)
Client:~# nessus
Use the scan assistant: Target: 155.245.21.49, Username: root, password: letmein
Lots of attacks are established. Substantial evidence can be found in the httpd logs such as access_log and error_log.

DoS Attacks
ICMP attack:
Use a terminal and enter: ping 155.245.21.49 t l 0 to 65500
See tcpdump and netstat

SYN Flood:
Remote login by ssh -X hbalaka@155.245.21.49 (Password: --------------)
gcc synflood.c
sudo ./a.out
Netstat identifies the SYN flood with TIME_WAIT, but tcpdump can be more helpful when compared to netstat.
Using nmap -sS on an IP address can help to find out open ports, which can be a potential threat for others.
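As an added example (not code from the presentation), a small parser for /proc/net/tcp in the spirit of the "/proc/net/ network extensions" above: it counts sockets per TCP state and flags any peer holding more than a threshold of half-open (SYN_RECV) connections, the kernel-side signature of a SYN flood. The sample table is constructed, assumes a little-endian host (as x86 writes /proc/net/tcp), and reuses the presentation's own addresses.

```python
import socket
import struct
from collections import Counter

# TCP state codes as printed in the 4th column of /proc/net/tcp (Linux tcp_states.h).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample in /proc/net/tcp layout (little-endian host): one listener on
# port 80, one established SSH session, and four half-open connections from one peer.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1
   1: 3115F59B:0016 0500000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 10002 1
   2: 3115F59B:0050 FD00A8C0:9C40 03 00000000:00000000 01:00000100 00000000     0        0 0 1
   3: 3115F59B:0050 FD00A8C0:9C41 03 00000000:00000000 01:00000100 00000000     0        0 0 1
   4: 3115F59B:0050 FD00A8C0:9C42 03 00000000:00000000 01:00000100 00000000     0        0 0 1
   5: 3115F59B:0050 FD00A8C0:9C43 03 00000000:00000000 01:00000100 00000000     0        0 0 1
"""

def decode_addr(hex_addr):
    """Turn 'AABBCCDD:PPPP' (host-order hex IPv4, hex port) into ('a.b.c.d', port)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))  # assumes little-endian host
    return ip, int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) for each socket row."""
    for line in text.splitlines()[1:]:  # skip the column-header line
        fields = line.split()
        if len(fields) < 4:
            continue
        local_ip, local_port = decode_addr(fields[1])
        remote_ip, remote_port = decode_addr(fields[2])
        yield local_ip, local_port, remote_ip, remote_port, TCP_STATES.get(fields[3], fields[3])

def syn_flood_report(text, threshold=3):
    """Count sockets per state and flag any peer holding more than `threshold`
    half-open (SYN_RECV) connections; returns (per_state_counts, suspect_peers)."""
    rows = list(parse_proc_net_tcp(text))
    per_state = Counter(row[4] for row in rows)
    per_peer = Counter(row[2] for row in rows if row[4] == "SYN_RECV")
    suspects = {peer: n for peer, n in per_peer.items() if n > threshold}
    return per_state, suspects

if __name__ == "__main__":
    states, suspects = syn_flood_report(SAMPLE_PROC_NET_TCP)
    print(dict(states))   # {'LISTEN': 1, 'ESTABLISHED': 1, 'SYN_RECV': 4}
    print(suspects)       # {'192.168.0.253': 4}
```

On a live host, replace the constructed sample with the contents of /proc/net/tcp (and /proc/net/tcp6 for IPv6, which uses a different address encoding) and run the report on a timer.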