Projet Network Security
NAME:
THEORETICAL STUDY
1 - Introduction:
IT security is an umbrella term that covers networks, the Internet, endpoints,
APIs, the cloud, applications, container security and more. It is about establishing
a set of security policies that work together to protect your digital data.
Not so long ago, IT security was only checked at the end of a development cycle,
and the process was slow. Now companies are looking for ways to build an
integrated security program that they can adapt more easily and quickly, so
security is built in at the design stage instead of being added later.
Security service: a service that increases the security of data processing and
data exchange in a system. A security service relies on one or more security
mechanisms.
7 - Aims of the attacks:
Diagram of network:
VirtualBox:
Setting IP address:
Task 2: Attacker VM
Setting IP address:
Setting IP address:
Introduction:
GoldenEye is a free and open-source tool available on GitHub that can be used to perform a
denial-of-service attack. It allows a single machine to take down another machine's web
server using perfectly legitimate HTTP traffic. It opens full TCP connections and then needs
only a few hundred requests, sent at long, regular intervals, to keep them busy. As a result,
the tool does not need a lot of traffic to exhaust the connections available on a server.
Uses of Goldeneye:
Options:
Scenario:
tail -f /var/log/apache2/access.log
As we can see in the screenshot below, the attacker is sending GET requests to our
web server, targeting random paths and using random user agents.
Client Side:
The connection is a bit slow, but the client can still access the web server.
The screenshot below shows the delay increasing until we can no longer reach the
web server.
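The pattern visible in the access log above (one source, many requests, almost every request to a different path, several different user agents) can be turned into a simple detector. The following Python script is an added example, not part of the original report: it parses Apache "combined" log lines, profiles each client IP, and flags those whose request mix looks like this kind of HTTP flood. The sample log lines, the thresholds and the IP addresses in it are constructed for the example.

```python
"""Flag clients whose request pattern in Apache access.log looks like an HTTP flood."""
import re
from collections import defaultdict

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: a flooding client (random query strings, rotating user agents),
# a normal client fetching the same pages, and one malformed line.
SAMPLE_LOG = """\
192.168.1.53 - - [10/May/2023:10:00:01 +0000] "GET /?Kq2=vN8 HTTP/1.1" 200 3460 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) Firefox/40.0"
192.168.1.53 - - [10/May/2023:10:00:01 +0000] "GET /?X7fd=q HTTP/1.1" 200 3460 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) Safari/537.36"
192.168.1.53 - - [10/May/2023:10:00:02 +0000] "GET /?a=9Lz HTTP/1.1" 200 3460 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) Firefox/40.0"
192.168.1.53 - - [10/May/2023:10:00:02 +0000] "GET /?pZ3=11 HTTP/1.1" 200 3460 "-" "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14"
192.168.1.53 - - [10/May/2023:10:00:02 +0000] "GET /?m=Yt4w HTTP/1.1" 200 3460 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686) Firefox/24.0"
192.168.1.53 - - [10/May/2023:10:00:03 +0000] "GET /?R0=b2 HTTP/1.1" 200 3460 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) Safari/537.36"
192.168.1.10 - - [10/May/2023:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 3460 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/102.0"
192.168.1.10 - - [10/May/2023:10:00:04 +0000] "GET /style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/102.0"
192.168.1.10 - - [10/May/2023:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 3460 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/102.0"
this line is truncated garbage
"""


def parse_line(line):
    """Return the fields of one access.log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def profile_clients(lines):
    """Aggregate per source IP: request count, distinct paths and distinct user agents."""
    stats = defaultdict(lambda: {"requests": 0, "paths": set(), "agents": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed or truncated lines instead of aborting the scan
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["paths"].add(rec["path"])
        s["agents"].add(rec["ua"])
    return stats


def suspicious_clients(lines, min_requests=5, min_path_ratio=0.8, min_agents=3):
    """Return IPs sending many requests, nearly all to distinct paths, from many user agents.

    The thresholds are constructed defaults for the example; tune them to the site's
    normal traffic before relying on them.
    """
    flagged = {}
    for ip, s in profile_clients(lines).items():
        path_ratio = len(s["paths"]) / s["requests"]
        if (s["requests"] >= min_requests
                and path_ratio >= min_path_ratio
                and len(s["agents"]) >= min_agents):
            flagged[ip] = {
                "requests": s["requests"],
                "distinct_paths": len(s["paths"]),
                "distinct_agents": len(s["agents"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in suspicious_clients(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

On a real server, feed the function the output of `tail -n 5000 /var/log/apache2/access.log` (or a rolling window) instead of the embedded sample; a flagged address is a candidate for the iptables block rule used later in this report, after checking it is not a shared proxy or a legitimate scanner.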
Part 3: Wireshark
Installing Wireshark and appending User to Group Wireshark:
# Block HTTP (port 80) from the attacker – we use the NFLOG target (ulogd3) for logging
iptables -A INPUT -s 192.168.1.53 -p tcp --dport 80 -j NFLOG --nflog-prefix 'HTTP Block'
# Drop the HTTP traffic
iptables -A INPUT -s 192.168.1.53 -p tcp --dport 80 -j DROP
# Block SSH (port 22) from the attacker – we use the NFLOG target (ulogd3) for logging
iptables -A INPUT -s 192.168.1.53 -p tcp --dport 22 -j NFLOG --nflog-prefix 'SSH Block'
# Drop the SSH traffic
iptables -A INPUT -s 192.168.1.53 -p tcp --dport 22 -j DROP
Creating Rules:
Now we will trigger these rules from the attacker side.
FTP Logs:
HTTP Logs:
SSH Logs:
Attacker Side:
We can no longer connect via SSH, FTP or HTTP (the DDoS tool crashes).
Part 5: IDS
# Install Snort
sudo apt-get install -y snort

# Optional: set the network that Snort will monitor (echo, not cat, appends the line)
echo "ipvar HOME_NET 192.168.1.0/24" >> /etc/snort/snort.conf

# Append a custom rule to the local rules file
# (assumption: Snort's default local rules file, the path is not shown in the original)
# Rule format: rule_action proto src_addr src_port -> dst_addr dst_port (key:value; ...)
#   sid: Snort rule id   rev: revision number of the rule
cat >> /etc/snort/rules/local.rules << 'EOF'
alert icmp any any -> 192.168.1.2 any ( msg:"ICMP Detected"; priority:1; sid:100001; rev:1; )
EOF
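The rule format described in the comment above (action, protocol, source address and port, direction, destination address and port, then a parenthesised option list) is easy to get subtly wrong, and Snort only complains when it loads the file. The following Python parser and checker is an added example, not part of the original report or of Snort: it splits a rule into its header fields and options and reports the mistakes a local rule most often carries. The sid range check assumes Snort's convention that sids below 1,000,000 are reserved for official rule sets and local rules should use 1,000,000 or above.

```python
"""Parse a Snort rule into header fields and options, and sanity-check it before loading."""
import re

# header: action proto src_addr src_port direction dst_addr dst_port ( options )
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<proto>\w+)\s+(?P<src_addr>\S+)\s+(?P<src_port>\S+)\s+'
    r'(?P<direction>->|<>)\s+'
    r'(?P<dst_addr>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)\s*$'
)
# one option: keyword, optional ":value" (quoted or bare), terminated by ';'
OPTION_RE = re.compile(r'\s*([A-Za-z_]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

# Rule from the report above, used as the sample input (sid value as written there).
REPORT_RULE = 'alert icmp any any -> 192.168.1.2 any ( msg:"ICMP Detected"; priority:1; sid:100001; )'

LOCAL_SID_MIN = 1_000_000  # assumption: Snort reserves lower sids for distributed rule sets


def parse_rule(text):
    """Return a dict with the header fields and an 'options' dict (bare keywords map to None)."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule header: %r" % text)
    rule = {k: v for k, v in m.groupdict().items() if k != "options"}
    opts = {}
    for key, value in OPTION_RE.findall(m.group("options")):
        val = value.strip()
        if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            val = val[1:-1]  # strip the quotes around msg:"..." style values
        opts[key] = val if value else None
    rule["options"] = opts
    return rule


def validate_rule(rule):
    """Return a list of problems (empty when the rule looks sane for a local rules file)."""
    problems = []
    opts = rule["options"]
    if not opts.get("msg"):
        problems.append("missing msg: alerts would be hard to read in the log")
    sid = opts.get("sid")
    if sid is None or not sid.isdigit():
        problems.append("missing or non-numeric sid")
    elif int(sid) < LOCAL_SID_MIN:
        problems.append("sid %s is below %d, the range reserved for local rules" % (sid, LOCAL_SID_MIN))
    if "rev" not in opts:
        problems.append("missing rev: bump it whenever the rule changes")
    if rule["proto"] not in ("tcp", "udp", "icmp", "ip"):
        problems.append("unknown protocol %r" % rule["proto"])
    return problems


def check_rules_file(text):
    """Validate every non-comment line of a rules file; returns {line_no: [problems]}."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            probs = validate_rule(parse_rule(line))
        except ValueError as e:
            probs = [str(e)]
        if probs:
            report[n] = probs
    return report


if __name__ == "__main__":
    for n, probs in check_rules_file(REPORT_RULE).items():
        print("line %d:" % n, "; ".join(probs))
```

Running the checker on the report's own rule reports the missing `rev` and the low sid; the rule still works, but moving the sid to 1,000,000 or above avoids collisions with a downloaded rule set later, and carrying a `rev` lets the alert log show which version of the rule fired.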
/sbin/route -n
Setting IP address of the network:
The attacker will ping the website, which will trigger this ICMP alert.
Bonus:
Use Snorpy, a great tool for building Snort rules: http://www.cyb3rs3c.net/
Advanced analysis:
If you want to conduct more advanced analysis, Snort saves the captured TCP traffic and its
log file in /var/log/snort.