How to Detect and Stop Attacks in Linux

  • System Auditing
  • System Logging
  • Network Intrusion Detection with Snort
  • Host File Integrity with Tripwire

System Auditing

  • Auditing can track system activities to warn the sysadmin of suspicious activity
  • Allows the sysadmin to understand the types of access that took place
  • Can identify a security breach and aid in the investigation of the breach
  • More than simply logging or system accounting, but these are component parts of auditing
  • Other parts are intrusion detection and file verification, resource access, and privilege use
  • Successful and unsuccessful events are both important
  • Also involves analysis of data and correlation of related events
  • Some systems (e.g. RHEL3 and SuSE Enterprise Linux) have special auditing software included
  • Other distros can use ‘snare’ or ‘auditd’ for auditing functions
  • Ensure audit data files can only be read by the security auditors group
  • Ensure the auditing software can record the following for each audit event:
      • Date and time of the event
      • Userid that initiated the event
      • Type of event
      • Success or failure of the event
      • Origin of the request (IP or MAC address, host name, etc.)
  • Retain audit data for at least one year (minimum)
  • Ensure audit files are backed up at least weekly onto a different system than the one being audited, or onto backup media
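
The analysis and correlation points above, as an added example that is not part of the original notes: a short shell script that reads audit records, counts successes and failures per event type, breaks failed logins down by origin address, and flags the one correlation worth immediate attention, a success from an address that had already failed repeatedly. The records are constructed for this example and modelled on the line format auditd writes to audit.log (type, msg=audit(timestamp:serial), auid, addr, res); they are not from a real system.

```shell
#!/bin/sh
# Added example: offline analysis of audit records.
# The records below are constructed (auditd-style, simplified) and are not real data.

audit_sample() {
  cat <<'EOF'
type=USER_LOGIN msg=audit(1700000000.101:201): pid=2101 uid=0 auid=1000 ses=4 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.5 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000000.105:202): pid=2102 uid=0 auid=1000 ses=4 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.5 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000000.109:203): pid=2103 uid=0 auid=1000 ses=4 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.5 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000000.120:204): pid=2104 uid=0 auid=1001 ses=5 msg='op=login acct="bob" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=ssh res=success'
type=USER_CMD msg=audit(1700000000.130:205): pid=2105 uid=1001 auid=1001 ses=5 msg='cwd="/home/bob" cmd="cat /etc/shadow" exe="/usr/bin/sudo" terminal=pts/0 res=failed'
type=USER_LOGIN msg=audit(1700000000.140:206): pid=2106 uid=0 auid=1000 ses=6 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.5 terminal=ssh res=success'
EOF
}

# Every event, counted by type and result, so successes and failures are reviewed
# side by side (both matter).
events_by_type_and_result() {
  audit_sample | awk '
    {
      type = substr($1, 6); res = "unknown"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^res=failed/)  res = "failed"
        if ($i ~ /^res=success/) res = "success"
      }
      count[type " " res]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Failed logins per origin address: the origin field is what separates a user
# mistyping a password from one address hammering many accounts.
failed_logins_by_addr() {
  audit_sample | awk '
    /^type=USER_LOGIN / && / res=failed/ {
      for (i = 1; i <= NF; i++) if ($i ~ /^addr=/) count[substr($i, 6)]++
    }
    END { for (a in count) print a, count[a] }' | sort
}

# Correlation of related events: a success from an address that had already failed
# repeatedly is the event that needs immediate review, not the failures alone.
success_after_failures() {
  audit_sample | awk '
    /^type=USER_LOGIN / {
      addr = ""
      for (i = 1; i <= NF; i++) if ($i ~ /^addr=/) addr = substr($i, 6)
      if ($0 ~ / res=failed/) { fails[addr]++ }
      else if ($0 ~ / res=success/ && fails[addr] > 0) {
        print addr, "succeeded after", fails[addr], "failures"
      }
    }'
}

events_by_type_and_result
failed_logins_by_addr
success_after_failures
```

On a live system the same records come out of `ausearch` or straight from the audit log; the point of the script is that the date/time, userid, type, result and origin fields the checklist requires are exactly what make this kind of correlation possible.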

System Logging

  • System logging is used to track events and when they occurred
  • Used to identify system performance trends, keep a historical record of activities, and provide accountability for actions
  • Logging must be managed, not simply turned on and forgotten
  • System log files refer to logs of system activities, such as the /var/log/syslog file, the /var/log/messages file, and others
  • System logging is done via the syslog facility (syslogd)
  • syslogd reads and forwards system messages to the log files and/or users
  • /etc/syslog.conf is used to configure syslogd
  • syslog can log to the local host or to a centralized logging server
  • Advantage of a log server is that it allows centralized log management for monitoring of possible malicious activity on the network
  • Many utilities log to syslogd by default or can be configured to do so
  • syslogd should be secured to prevent log compromise, destruction, or unauthorized access
  • Ensure a reliable time source is used throughout the network for accurate logging
  • System logging normally takes place over port 514; access to this port should be restricted to local hosts at the firewall or premise router
  • syslogd should be configured to accept messages only from designated hosts
  • Ensure logs are reviewed daily
  • Some messages need to be reviewed immediately by the responsible sysadmin
  • Archive logs at least daily to ease space requirements and to reduce the time required for log searches and reviews
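
The daily review and daily archive steps above, as an added example (not part of the original notes): a script that pulls out the messages needing immediate attention, summarises volume per program for the daily review, and archives a log file the way a daily job would. The log lines are constructed to look like /var/log/messages entries and are not from a real host; the pattern list in URGENT_PATTERNS is a starting point chosen for this example, not a standard.

```shell
#!/bin/sh
# Added example: daily syslog review and archive.
# The lines below are constructed /var/log/messages-style entries, not real data.

syslog_sample() {
  cat <<'EOF'
Nov 14 22:13:01 web01 sshd[2141]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Nov 14 22:13:04 web01 sshd[2141]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Nov 14 22:13:09 web01 sshd[2150]: Accepted publickey for alice from 198.51.100.7 port 40212 ssh2
Nov 14 22:14:30 web01 su[2188]: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/0 ruser=bob rhost=  user=root
Nov 14 22:15:02 web01 CRON[2201]: (root) CMD (/usr/lib/sysstat/sa1 1 1)
Nov 14 22:16:45 web01 kernel: httpd[2233]: segfault at 0 ip 00007f3a1c2b4e2d sp 00007ffd2a1f5c40 error 4
Nov 14 22:17:10 web01 syslogd 1.5.1: restart.
EOF
}

# Messages the responsible sysadmin should see at once rather than at the daily
# review: authentication failures, crashes of network services, and the logger
# itself restarting (a possible gap in the record). Extend to suit the site.
URGENT_PATTERNS='Failed password|authentication failure|segfault|syslogd.*restart'

urgent_messages() {
  grep -E "$URGENT_PATTERNS"
}

urgent_count() {
  syslog_sample | urgent_messages | awk 'END { print NR }'
}

# Daily review summary: lines per program. A sudden jump for one program is the
# kind of trend the log is there to show.
lines_per_program() {
  syslog_sample | awk '{ prog = $5; sub(/\[.*$/, "", prog); sub(/:$/, "", prog); n[prog]++ }
                       END { for (p in n) print p, n[p] }' | sort
}

# Archive a log once a day: copy it into the archive directory under a dated name,
# compress the copy, then truncate the live file in place so syslogd keeps writing
# to the same inode (renaming the file would leave syslogd writing to the renamed copy).
archive_log() {
  log=$1; dir=$2
  stamp=$(date +%Y%m%d)
  mkdir -p "$dir"
  dest="$dir/$(basename "$log").$stamp"
  cp -p "$log" "$dest"
  gzip -f "$dest"
  : > "$log"
  echo "$dest.gz"
}

echo "urgent messages: $(urgent_count)"
lines_per_program
```

The archive directory should sit on the central log server or on backup media rather than on the host being logged, for the same reason the audit notes give: a compromised host cannot be trusted to keep its own record intact.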

Intrusion Detection With Snort

  • Intrusion Detection Systems (IDS) monitor networks and hosts for unusual traffic patterns and behaviors to detect possible attacks
  • An IDS consists of sensors, collectors, databases, and analysis consoles
  • Ability to detect attacks based upon known attack signatures or unusual activity (anomaly-based)
  • IDS are host-based or network-based
  • Host-based (HIDS) detects attacks on a particular host
  • Network-based (NIDS) detects unusual network traffic that may be an attack
  • Snort is the most popular open source IDS for Linux
  • Signature-based NIDS that detects a wide variety of attacks
  • Detected attacks include buffer overflows, Denial of Service TCP/IP attacks, Distributed DoS attacks, port scans, and certain malware attacks
  • Real-time logging and alerting
  • Highly configurable ruleset
  • Ported to almost all Linux distros
  • Configured through the snort.conf file
  • Uses the libpcap library to capture packets for its detection engine
  • Preprocesses packets before analysis to alert on, filter, and modify potentially harmful traffic in advance
  • Many types of preprocessors available, depending upon needed functionality
  • After preprocessing, packets are delivered to the Rules Parsing and Detection Engine
  • Reads configured rules and passes them to the detection engine for application to packets
  • If a packet matches a rule, the Alerting and Logging engine logs details and fires an alert
  • Logging can be done to a centralized logging server
  • Logs can be text or binary format
  • Alerts can be messages or emails sent to the sysadmin
  • Actions can be taken based upon packet type
  • Snort can send output to text and databases
  • Works with MySQL, Oracle and others
  • Data can be stored for trend analysis
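
The rules parsing step above, as an added example that is not from the original notes or from the Snort project: a small local rules file in Snort rule syntax (action, protocol, source, direction, destination, then the options in parentheses: msg, detection keywords, classtype, sid, rev) together with the sanity checks worth running on it before it is loaded. The rules themselves are constructed for illustration; sids from 1000000 upward are the range set aside for locally written rules, and a duplicate sid is included on purpose because it is the commonest reason a rules reload fails.

```shell
#!/bin/sh
# Added example: a constructed local.rules file and pre-load checks on it.
# The rules are illustrative, not a recommended ruleset.

local_rules() {
  cat <<'EOF'
# Repeated SSH connections from one source inside a minute
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH repeated connection attempts"; flow:to_server,established; detection_filter:track by_src, count 5, seconds 60; classtype:attempted-admin; sid:1000001; rev:2;)
# Directory traversal sequence in a request URI
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL web path traversal"; flow:to_server,established; content:"../"; http_uri; classtype:web-application-attack; sid:1000002; rev:1;)
# Oversized ICMP echo requests
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL oversized ICMP echo request"; itype:8; dsize:>1024; classtype:attempted-dos; sid:1000003; rev:1;)
# Syslog arriving from outside the premise router, which the firewall should already block
# (deliberately reuses sid 1000001 so the duplicate check below has something to find)
alert udp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"LOCAL syslog from outside the network"; classtype:policy-violation; sid:1000001; rev:1;)
EOF
}

# Number of rules (comment lines excluded).
rule_count() {
  local_rules | awk '/^alert / { n++ } END { print n + 0 }'
}

# One sid per rule, extracted from the options block.
rule_sids() {
  local_rules | sed -n 's/.*sid:\([0-9][0-9]*\);.*/\1/p'
}

# Duplicate sids make Snort refuse the rules file; find them before restarting.
duplicate_sids() {
  rule_sids | sort | uniq -d
}

# A rule without classtype gets no priority in alert output; count such rules.
rules_without_classtype() {
  local_rules | awk '/^alert / && !/classtype:/ { n++ } END { print n + 0 }'
}

echo "rules: $(rule_count)"
echo "duplicate sids: $(duplicate_sids)"
echo "rules without classtype: $(rules_without_classtype)"
```

The file is loaded through an `include $RULE_PATH/local.rules` line in snort.conf, and `snort -T -c /etc/snort/snort.conf` tests the whole configuration without starting the sensor; the script above is only the quick check that saves a failed reload.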

Host File Integrity with Tripwire

  • Host-based IDS and file-integrity monitor
  • Works by identifying changes to key system files
  • Scans selected files and folders at regular intervals for changes
  • Changes to monitored files result in alerts
  • Alerts in the form of email to the sysadmin
  • Logs for only a single system, but logs from multiple systems can be centrally managed
  • Easy to use and configure
  • Is not CPU intensive
  • Configured from the command line
  • Configuration files stored in /etc/tripwire
  • Tripwire configuration file is twcfg
  • Policy configuration file is twpol
  • Plain-text files are used for the initial configuration of Tripwire, then replaced by encrypted files
  • Configured using the twadmin and tripwire commands
  • Common files and directories to configure for monitoring include:
      • /root/, /boot, /etc, and /usr/sbin
      • hosts.allow and hosts.deny
      • /etc/passwd and the shadow password file
      • /etc/fstab and inittab
  • Initial run should baseline the system
  • Re-baseline the system after planned patches and upgrades
  • Monitor for unplanned or unauthorized changes to files
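
The baseline, check and re-baseline cycle in the last three points, as an added example that is not from the original notes and is not Tripwire itself: a shell script that does the same cycle with sha256sum over a directory tree, so the workflow can be run and understood on any Linux box. It assumes GNU coreutils (sha256sum, mktemp, find). Tripwire adds what this deliberately lacks: signed policy and database files, per-file property rules, and scheduled e-mail reports.

```shell
#!/bin/sh
# Added example: file-integrity baseline / check / re-baseline with sha256sum.
# A stand-in for the Tripwire workflow, not Tripwire. Assumes GNU coreutils.

# One "hash  path" line per regular file, paths relative to the tree root and
# sorted, so two runs compare cleanly.
hash_tree() {
  ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 )
}

# Record the known-good state. Run once after install, and again only after
# planned patches or upgrades (re-baseline), never after an unexplained change.
baseline() {
  hash_tree "$1" > "$2"
}

# Compare the live tree with the baseline and report ADDED / MODIFIED / REMOVED paths.
# Empty output means no change; anything else is an unplanned change to review.
check_integrity() {
  hash_tree "$1" | awk -v basefile="$2" '
    BEGIN { while ((getline line < basefile) > 0) { split(line, a, "  "); old[a[2]] = a[1] } }
    { split($0, a, "  "); cur[a[2]] = a[1] }
    END {
      for (p in cur) if (!(p in old)) print "ADDED " p
      for (p in old) {
        if (!(p in cur)) print "REMOVED " p
        else if (old[p] != cur[p]) print "MODIFIED " p
      }
    }' | sort
}

# Demonstration on a throwaway directory with constructed files (not a real /etc).
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/etc"
  printf 'root:x:0:0:root:/root:/bin/sh\n' > "$work/etc/passwd"
  printf 'sshd: 192.0.2.\n' > "$work/etc/hosts.allow"
  baseline "$work/etc" "$work/baseline.db"
  printf '# unplanned edit\n' >> "$work/etc/passwd"   # modified file
  rm "$work/etc/hosts.allow"                            # removed file
  printf 'ALL: ALL\n' > "$work/etc/hosts.deny"          # added file
  check_integrity "$work/etc" "$work/baseline.db"
  # Once the change is reviewed and accepted (or was a planned upgrade), re-baseline.
  baseline "$work/etc" "$work/baseline.db"
  echo "changes after re-baseline: $(check_integrity "$work/etc" "$work/baseline.db" | awk 'END { print NR }')"
  rm -rf "$work"
}

demo
```

The baseline database is the weak point of this stand-in: if it lives on the monitored host with ordinary permissions, whoever changes a file can update the baseline too. That is the problem Tripwire's signed database and the advice above about central management and a separate backup system address.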
