COIT13146 - System and Network Administration

Week 08 - Intrusion Detection Systems

This week we look at ways to detect intrusion attempts on our system.

Note: You will be asked to do full network scans in the assessment items. Do this only on a network you have permission to scan or one you own, such as the internal network you have set up so far in this Unit in VirtualBox. You do not have automatic permission to scan cqu.edu.au or any other organisational network, e.g. your employer's.

As an introduction to this week, read the following true story from an IT staff member:

"I recently reconfigured my home ADSL router and server to allow me to make an SSH connection (tunnel) into my home network from anywhere on the Internet.

Initially I configured a port forward through my ADSL router to my Ubuntu server using the standard SSH port 22. Almost immediately there were attempts to 'hack' into my system. Continuous login attempts were occurring which showed up in the /var/log/auth.log file, with various combinations of names and dictionary words - it was interesting to watch.

I grew bored of watching the logs and, as the attacks were coming down my ADSL connection, they were using, though minimal, some of my quota. I moved the port forward to an unknown port number and configured my server's firewall rules to reject connections from IP addresses if more than a couple of failed login attempts occurred - resetting after a couple of minutes in case I have a bad day and get my password wrong a few times.

Since doing this I have had no login attempts. So simply moving to an unknown port has removed most of the problem. Rejecting IP addresses on failed login attempts should prevent any form of dictionary/brute force attack."
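The logic behind the story's firewall rule, as an added example that is not from the handout or its author: it reads constructed /var/log/auth.log lines in the sshd "Failed password" format, counts failures per source address inside a sliding window so that old failures age out (the story's "resetting after a couple of minutes"), and names the addresses that cross the threshold. The threshold, the window length and the sample addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/auth.log lines (not real data): a dictionary
# attack from one address, plus one genuine typo from a home user who then
# logs in successfully.
SAMPLE_AUTH_LOG = """\
Mar  3 10:14:01 userv1 sshd[2041]: Failed password for invalid user admin from 203.0.113.45 port 51012 ssh2
Mar  3 10:14:03 userv1 sshd[2043]: Failed password for invalid user oracle from 203.0.113.45 port 51020 ssh2
Mar  3 10:14:06 userv1 sshd[2045]: Failed password for root from 203.0.113.45 port 51031 ssh2
Mar  3 10:14:09 userv1 sshd[2047]: Failed password for invalid user test from 203.0.113.45 port 51040 ssh2
Mar  3 10:20:15 userv1 sshd[2100]: Failed password for kellye from 192.168.12.10 port 40022 ssh2
Mar  3 10:20:40 userv1 sshd[2102]: Accepted password for kellye from 192.168.12.10 port 40022 ssh2
"""

# Matches the sshd failure line; "invalid user" appears when the account
# does not exist, so it is optional here.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse_ts(stamp, year=2024):
    # syslog timestamps carry no year; assume one (constructed data).
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def offending_ips(log_text, max_failures=3, window_seconds=120):
    """Return {ip: time_of_block} for every address with more than
    max_failures failed SSH logins inside a sliding window. Failures older
    than the window are dropped, so a forgetful user is not locked out."""
    recent = defaultdict(deque)
    blocked = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip, ts = m["ip"], parse_ts(m["ts"])
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_failures and ip not in blocked:
            blocked[ip] = ts
    return blocked

if __name__ == "__main__":
    for ip, when in offending_ips(SAMPLE_AUTH_LOG).items():
        print(f"block {ip} after failure at {when:%H:%M:%S}")
```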

Week 08 vt117 [1]

From this story, it is obvious that if the author had not checked
the /var/log/auth.log file and taken action, the system may have
gotten 'hacked' sooner or later. A good lesson in security!

Summary

Software to install

* Snort (www.snort.org) - "An open source network intrusion prevention and detection system (IDS/IPS). Combining the benefits of signature, protocol, and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide."

* tcpdump (www.tcpdump.org) - "a powerful command-line packet analyser".

* OSSEC (www.ossec.net) - "An open source host-based intrusion detection system. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response."

Chapters to read

* 22 - Security (Review if necessary)

Tasks

Readings

Review the recommended chapter before beginning the installation or attempting the assessment items.

We will need to research Snort and OSSEC ourselves this week. The
main website links listed above provide a vast amount of
documentation for both.

Assessment

1. Snort and OSSEC:

Read the available descriptions of what Snort and OSSEC are and what they do, then summarise the similarities and differences between them. Be sure to mention where and how each should be used.

2. Install Snort using the "Installing Snort" document. Once Snort is installed and configured, perform an nmap scan of your entire network. Ensure your gateway, userv1 and userv2 servers are running and working as they should. An example scan of your entire 192.168.12.0 internal network can be performed by running "nmap -v -sU 192.168.12.0/24".

Submit the details of the scan you used, the output from the scan,
and the entries generated in the snort alert file. Describe the
alerts generated - include other alerts that may be generated from
other activity on your server. You need to show that you can
interpret the alerts being generated, so ensure you describe what
the alerts mean as part of your answers.

3. Install OSSEC using the "Installing OSSEC" document. Once OSSEC is installed and configured, attempt the same nmap scan as in question 2 and submit the results. Review the OSSEC logs and summarise what it reports.

4. Attempt to log in to the kellye account on userv1 using PuTTY a number of times, but deliberately enter an incorrect password. Also attempt to log in to 3 non-existent accounts on userv1 (e.g. krudd, jgillard, tabbott) using PuTTY. Report the results, and ensure you include what action the system has taken: is it permanent? [Hint: review the /var/ossec/logs/active-responses.log file.]

5. Edit and save some of the main system configuration files, e.g. /etc/fstab, /etc/group, /etc/passwd (remember to use clones as a safety net).

List the changes that you make and describe the resulting emails
and events recorded by OSSEC - include other emails generated from
other activity on your server. Submit the email text as part of
your descriptions.
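For the alert-interpretation part of task 2, an added example that is not from the handout or from the Snort project: it parses constructed alert lines in Snort's alert_fast output format, groups them by signature with hit count, priority, sources and (host, port) targets, and flags signatures where a single source touched many distinct targets, the pattern a UDP sweep of the 192.168.12.0/24 lab network leaves. The sids, messages, addresses and line format are assumptions made for the example.

```python
import re

# Constructed Snort alert lines in the alert_fast format (not real scan
# output): three UDP probes from one lab host plus one unrelated ICMP alert.
# The sids (1000001/1000002), messages and addresses are placeholders.
SAMPLE_SNORT_ALERTS = """\
03/03-10:31:02.118233  [**] [1:1000001:1] Lab UDP probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.12.50:40123 -> 192.168.12.10:53
03/03-10:31:02.119004  [**] [1:1000001:1] Lab UDP probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.12.50:40123 -> 192.168.12.10:161
03/03-10:31:02.120871  [**] [1:1000001:1] Lab UDP probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.12.50:40123 -> 192.168.12.11:53
03/03-10:35:44.000512  [**] [1:1000002:1] Lab ICMP echo [**] [Priority: 3] {ICMP} 192.168.12.1 -> 192.168.12.10
"""

# Fields of one alert_fast line; Classification and ports are optional
# (ICMP alerts carry no port numbers).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?\[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_alerts(text):
    """One dict per well-formed alert line; lines that do not parse are skipped."""
    return [m.groupdict() for m in map(ALERT_RE.match, text.splitlines()) if m]

def summarise(alerts):
    """Group by signature message: hit count, priority, source addresses and
    (host, port) targets, i.e. the facts a write-up of each alert needs."""
    summary = {}
    for a in alerts:
        e = summary.setdefault(a["msg"], {"sid": int(a["sid"]), "priority": int(a["pri"]),
                                          "count": 0, "sources": set(), "targets": set()})
        e["count"] += 1
        e["sources"].add(a["src"])
        e["targets"].add((a["dst"], a["dport"]))
    return summary

def scan_like(summary, min_targets=3):
    """Signatures where one source hit at least min_targets distinct (host, port)
    pairs: what an nmap sweep looks like, as opposed to a lone ping."""
    return sorted(msg for msg, e in summary.items()
                  if len(e["sources"]) == 1 and len(e["targets"]) >= min_targets)

if __name__ == "__main__":
    for msg, e in summarise(parse_alerts(SAMPLE_SNORT_ALERTS)).items():
        print(f"{msg}: {e['count']} hit(s), priority {e['priority']}, from {sorted(e['sources'])}")
```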

How to submit:

Include all answers etc. in a single Word document; there is no need to zip it up. Submit the Word document un-zipped. It is due in Week 10.
