Monitoring Systems using Logs

The main problem one faces today is the breach of security in computers. Most of the computers used in many organisations are under grave threat from attackers and hackers. Nowadays the employees of a firm themselves could resort to attacking or hacking their own company's assets. A serious cat-and-mouse game is going on between security experts and hackers, and it is absolutely vital to stop the hackers in their tracks. In this project, I have developed software that monitors the system and warns the user (administrator) in times of crisis, where crisis refers to break-in attempts by any attacker on an organisation. The main reason for addressing this problem is to save the company from jeopardy and prevent the loss of its essential data. These break-in attempts need to be tackled as they occur and should not be left to accumulate over a long period of time. I went about solving this problem by looking for critical logs that carry alerts warning about illegal entries. This project is designed to look for the relevant security-critical logs in syslog. These logs are read by a program that identifies the critical alert lines found in them and alerts the user by printing out the corresponding details. It effectively alerts the user about the attack and the duration of that attempt. The program then sleeps for a minute and restarts monitoring to pick up any updated log entries. This is achieved using Python's regular expression features. It takes the form of a console application, which fulfils my objectives fairly well.
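The monitor described above (syslog read with regular expressions, alert lines grouped per source with the duration of the attempt, log re-read every minute), as an added Python example that is not the project's own code; the alert patterns, the sample log lines and the default log path are assumptions.

```python
import re, time
from datetime import datetime
# Constructed sample syslog excerpt (not from the original presentation).
SAMPLE_SYSLOG = """\
Sep 14 10:01:02 host sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
Sep 14 10:02:11 host sshd[2210]: Failed password for invalid user admin from 192.0.2.7 port 40211 ssh2
Sep 14 10:02:14 host sshd[2212]: Failed password for root from 192.0.2.7 port 40213 ssh2
Sep 14 10:02:19 host sshd[2215]: Failed password for root from 192.0.2.7 port 40220 ssh2
Sep 14 10:03:00 host kernel: [  123.456] possible SYN flooding on port 80. Sending cookies.
"""
# Traditional syslog layout: timestamp, host, process[pid]: message.
SYSLOG_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^:\[]+)(\[\d+\])?: (?P<msg>.*)$")
# Assumed "critical alert" patterns; extend this table with the keywords you care about.
ALERT_PATTERNS = {
    "ssh_failed_login": re.compile(r"Failed password for (invalid user )?(?P<user>\S+) from (?P<src>\S+)"),
    "syn_flood": re.compile(r"possible SYN flooding on port (?P<port>\d+)"),
}
def scan_syslog(text, year=2024):
    """Group alert lines by (alert type, source) with count, first/last seen and duration in seconds."""
    alerts = {}
    for line in text.splitlines():
        m = SYSLOG_LINE.match(line)
        if not m:
            continue  # not a syslog-formatted line
        for name, pat in ALERT_PATTERNS.items():
            hit = pat.search(m["msg"])
            if not hit:
                continue
            # Key on the source address when the pattern captures one, otherwise on the port.
            key = (name, hit.groupdict().get("src") or hit.groupdict().get("port"))
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            e = alerts.setdefault(key, {"count": 0, "first": ts, "last": ts, "duration_s": 0.0})
            e["count"] += 1
            e["first"], e["last"] = min(e["first"], ts), max(e["last"], ts)
            e["duration_s"] = (e["last"] - e["first"]).total_seconds()
    return alerts

def monitor(path="/var/log/syslog", interval=60):
    """Re-read the log every `interval` seconds and print alert groups that are new or have grown."""
    reported = {}
    while True:
        with open(path, errors="replace") as fh:
            current = scan_syslog(fh.read())
        for key, e in current.items():
            if reported.get(key) != e["count"]:
                print(f"ALERT {key[0]} from {key[1]}: {e['count']} hits over {e['duration_s']:.0f}s "
                      f"({e['first']:%b %d %H:%M:%S} to {e['last']:%b %d %H:%M:%S})")
                reported[key] = e["count"]
        time.sleep(interval)
```

Running `scan_syslog(SAMPLE_SYSLOG)` groups the three failed SSH logins from 192.0.2.7 into one attempt lasting 8 seconds and reports the SYN flood warning separately; `monitor()` repeats the scan on the live file once a minute.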

Monitoring Systems using Logs

  1. MONITORING SYSTEMS FOR ATTEMPTS TO BREAK IN
     QUESTIONS ?????
     Project Presentation by Hari Balakrishnan, MSc. Computer Security, University of Essex, hbalaka@essex.ac.uk
  2. Acknowledgements
     • Dr Adrian Clark, University of Essex: project guidance and mentoring
     • Ms Lynley Barker, University of Essex: guidance with the project proposal
  3. SUBSTANTIAL STEPS TAKEN BY MOST IT SECTORS
  4. Importance of monitoring
     • Espionage
     • Cyber warfare
     • Data retention
     • Scanning
     • IT sectors
  5. Project Objectives
     • To gain insight on logs
     • Real-time implementation
     • Code compatibility
     • Super user access
     • Nessus vulnerability tool
     • Extensions to network monitoring commands
  6. Testing
     • External scanning by Nmap and Nessus
     • SSH remote session
     • Wrong entries
     • Running applications
     • SYN flood sample code
     • ICMP attack by ping
  7. Observation
     • Identifying the attack
     • Displaying all entries
     • Updating new entries
     • Showing specific keywords
     • Less computation time
     • Low overheads
     • Netstat entries logged in both the SYN flood and the ICMP attack are trivial.
  8. Conclusion
     • Easy for administrators
     • Potential error logs in httpd
     • Work extensions for httpd logs
     • /proc/net/ network extensions
     • Mitigating using /proc
     • Usage of tcpdump for DDoS
     • Tcpdump can avoid usage of IPTraf, Wireshark
  9. APPENDIX
     • Included screenshots of the outcome, tcpdump, /proc and httpd logs.
     • References for the statistics:
       Countries vulnerability: http://www.technologyreview.com/news/424538/breaches-and-security-by-the-numbers/
       Chart illustrations: http://blogs.avg.com/view-from-the-top/looking-beyond-the-statistics-internet-safety-tips/
       Secure ICMP: http://securityreliks.securegossip.com/2010/10/security-via-procsysnet-secure-icmp/
  10. The Project
  11. ICMP ATTACK IDENTIFIED BY TCPDUMP
  12. SECURE ICMP
  13. PREVENTING LOG FLOODS
  14. Vulnerability Attack
     • Nessus attack
       um_linux_manager and then Boot ‘.tar’
       In Client, enter the login name as root, password letmein
       Client:~# /etc/init.d/nessusd start
       In another terminal: ssh –X root@192.168.0.253 (pass: letmein)
       Client:~# nessus
       Use the scan assistant: Target: 155.245.21.49, Username: root, password: letmein
       Lots of attacks are established…
       Substantial evidence can be found in httpd logs such as access_log and error_log.
  15. DoS Attacks
     • ICMP attack: use a terminal and enter: ping 155.245.21.49 –t –l 0 to 65500; see tcpdump and netstat.
     • SYN flood: remote login by ssh –X hbalaka@155.245.21.49, password: ---------------; gcc synflood.c; sudo ./a.out
     • Netstat identifies the SYN flood with TIME_WAIT, but tcpdump can be more helpful when compared to netstat.
     • Using nmap –sS IP Address can help to find out open ports and can be a potential threat for others.
