Slide 1
Most trusted JOB oriented professional program
DevOps Certified Professional (DCP)

Take your first step into the world of DevOps with this course, which will help you to learn about the methodologies and tools used to develop, deploy, and operate high-quality software.

Slide 2
DevOps to DevSecOps – Learn the evolution
DevSecOps Certified Professional (DSOCP)

Learn to automate security into a fast-paced DevOps environment using various open-source tools and scripts.

Slide 2
Get certified in the new tech skill to rule the industry
Site Reliability Engineering (SRE) Certified Professional

A method of measuring and achieving reliability through engineering and operations work – developed by Google to manage services.

Slide 2
Master the art of DevOps
Master in DevOps Engineering (MDE)

Get enrolled for the most advanced and only course in the WORLD which can make you an expert and proficient Architect in DevOps, DevSecOps and Site Reliability Engineering (SRE) principles together.

Slide 2
Gain expertise and certified yourself
Azure DevOps Solutions Expert

Learn about the DevOps services available on Azure and how you can use them to make your workflow more efficient.

Slide 3
Learn and get certified
AWS Certified DevOps Professional

Learn about the DevOps services offered by AWS and how you can use them to make your workflow more efficient.

previous arrow
next arrow

How to Detecting and Stopping Attacks in Linux

Spread the Knowledge
  • System Auditing
  • System Logging
  • Network Intrusion Detection with Snort
  • Host File Integrity with Tripwire

System Auditing

  • Auditing can track system activities to warn sysadmin of suspicious activity
  • Allows sysadmin to understand the types of access that took place
  • Can identify a security breach, and aid in the research of the breach
  • More than simply logging or system accounting but they are component parts of auditing
  • Other parts are intrusion detection and file verification, resource access, and privilege use
  • Successful & unuccessful events both important
  • Also involves analysis of dts and correlation of related events
  • Some systems(i.e RHEL3 and SuSE Enterprise Linux) have special auditing software included
  • Other distros can use ‘snare’ or ‘auditd’ for auditing functions
  • Ensure audit data files can only be read by security auditors group
  • Ensure the auditing software can record the following for each audit event:
  • Date and time of the event
  • Userid that initiated the event
  • Type of event
  • Success or failure of the event
  • Origin of the request(IP or MAC address, host name ,etc)
  • Retain audit data for at least one year(minimum)
  • Ensure audit fles are backed up at least weekly onto a different system tha the one being audited or backup media

System Logging

  • System logging is used to track events and when they occurred
  • Used to identify system performance trends, keep a historical record of activities, and provide accountability for actions
  • Logging must be managed, not simply turned and forgotten
  • System log files refer to logs of system activities,such as the /var/log/syslog file, the /var/messages file, and others
  • System logging is done via the sylog facility(syslogd)
  • syslogd reas and forwards system messages to the log files and/or users
  • /etc/syslog.conf is used to configure syslogd
  • syslog can log bto local host or to centralized logging server
  • Advantage of log server is that it allows centralized logging management for monitoring of possible malicious activity on network
  • Many utilities log to syslogd by default or can be configured to do so
  • syslogd should be secured to prevent log compromise, destruction, or unauthorized access
  • Ensure reliable time source isused throghout network for accurate logging
  • System logging normally takes place over port 514; services to this port should be resticated to local hosts at the firewall or premise router
  • syslogd should be configured to accept messages only from designated hosts
  • Ensure logs are reviewed daily
  • Some messages need to be reviewed immediately by responsible sysadmin
  • Archive logs at least daily to ease space requirements and to reduce the time requirements and to resuce the time required or log searches and reviews

Intrusion Detection With Snort

  • Intrustion Detection Systems(IDS) monitor networks and hosts for unusual traffic patterns and behaviors to detect possible attacks
  • IDS consists of sensors, collectors, databases, and analysis consoles
  • Ability to detect attacks based upon knowns attack signatures or unusual activity (anomoly-based)
  • IDS are host-based or Network-based
  • Host-based(HIDS) detects attacks on a particular host
  • Network-based(NIDS) detects unusual network traffic that may be an attack
  • Snort is most popular open source IDS for Linux
  • Signature-based NIDS that detects a wide variety of attacks
  • Detected attacks include buffer overflows, Denial OF Service TCP/IP attacks Distributed DOS attacks, port scans and certain malware attacks
  • Real-time Logging and alerting
  • Highly configureable ruleset
  • Ported to almst allLinux distros
  • Configured through snot.conf file
  • Uses the libpcap library as its packet detection engine
  • Preprocesses packets before analysis to alert,filter,and modify potentailly harmfuyl traffic in advace
  • Many types of preprocessors available.depending upon needed functionality
  • After preprocessing, packets are delivered to the Rules Parsing and Detection Engine
  • Reads configured rules and passes to detection engine for applcation to packets
  • If packet matches a rule, Alerting an Logging engine logs details and fires and alert
  • Logging can be done to centralized logging server
  • Logs cn be text or binary format
  • Alerts can be messages or emails sent to sysadmin
  • Actions can be taken based upon packet type
  • Snort can send output to text and databaes
  • Works with MySQL, Oracle and others
  • Data can be stored for trend analysis

Host File Integrity with Tripwire

  • Host-baed IDS and file-integrity monitor
  • Works by identifying changes to key system files
  • Scans selected files and folders at regular intervals for changes
  • Changes to monitored files result in alerts
  • Alerts in the form of email to sysadmin
  • Logs for only single system, but logs from multiple systems can be centerally managed
  • Easy to use and configure
  • Is not CPU intensive
  • Configured from command line
  • Configuration files stored in /etcx/tripwire
  • Tripwire configuration file is twcfg
  • Policy configurtion file is twpol
  • Enable initail configuration of tripwire, then replaced by encrypted files
  • Configured usung twadmin and tripwire commands
  • Common files and directories to confirue for monitoring include:
  • /root/, /boot, /etdc, and /usr/sbin
  • hosts.allow and host.deny
  • /etc/password and shadow password files
  • /etc/fstab and inittab
  • Initial run should baeline system
  • Re-baseline system after planned patches and upgrades
  • Monitor for unplanned or unauthorized changes to files

Rajesh Kumar
Latest posts by Rajesh Kumar (see all)