A Project of



Network Intrusion Detection

by

Sam Tran

CSCI 5233 – Computer Security and Integrity

Instructor: Dr. A. Yang

Dec 7, 2004

Abstract

This project shows how to protect a system. It has four parts: techniques used to attack a system, how to recognize an attack, how to detect weaknesses of the system, and how to protect important files when a hacker gains root privilege.

Techniques to attack a system

Before a hacker attacks a system, he inspects it to find vulnerabilities. Port scanning lets the hacker identify the operating system of the target as well as the network services through which access might be gained.

How a port scanning works

A port scan typically sends ICMP, UDP, or TCP packets, some with special flag combinations, to the system. Based on the responses, the hacker gains information about the system. For example, if a client sends an ACK packet before a connection has been established, each OS version reacts differently, which lets the attacker identify the OS of the host. [1]

Install and configure a port scanning tool

The most widely used port scanner is nmap. A free version can be downloaded from the nmap website. To install, type:

$cd ../nmap_folder

$./configure

$make

$make install

To run: nmap -[nmap option] host

Results in this project

nmap -sS -O 192.168.5.2 (Figure 1)

[pic]

Figure 1: Nmap result

Another technique that hackers commonly use to obtain secret information (such as passwords or credit card numbers) is packet sniffing. With this technique, the hacker captures and examines all of the traffic passing through a network cable or wireless medium.

How packet sniffing works

Every host places its packets on the shared network cable. The sniffing tool makes a copy of every packet and then analyzes them.

Install and configure packet sniffing tools

This project shows three packet sniffing tools: tcpdump, IPTraf, and Ethereal, each of which can be downloaded from its project website. To install tcpdump and IPTraf, just type:

$cd ../folder

$./configure

$make

$make install

To run, type tcpdump or iptraf at the terminal. IPTraf has a menu interface. Read “man tcpdump” for the options of tcpdump.

With Ethereal, some dependencies such as ucd-snmp, KDE, or GNOME must be installed first; then type the same commands as above.

Results in this project

tcpdump (Figure 2)

[pic]

Figure 2: tcpdump result

IPTraf: $iptraf (Figures 3, 4, 5)

[pic]

Figure 3: IPtraf in monitor mode

[pic]

Figure 4: IPTraf in statistics mode

[pic]

Figure 5: IPTraf in configure menu

Ethereal

This project failed to install Ethereal on Linux because some KDE or GNOME libraries could not be found. Here are the results of Ethereal on a Windows XP machine.

[pic]

Figure 6: Ethereal set configuration

[pic]

Figure 7: Ethereal in capture mode

[pic]

Figure 8: Ethereal examining a packet (it captured the password)
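The following is an added example (not code from the report or from any of the tools it describes) of what a sniffer does after copying packets off the cable: it parses one-line packet summaries into records, aggregates them per conversation the way IPTraf's statistics mode does, and flags the sessions that use services known to carry passwords unencrypted, which is why Figure 8 could show the password. The sample lines are constructed here in the style of tcpdump's one-line output; the telnet and SSH sessions, the addresses, and the CLEARTEXT_SERVICES table are all assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed packet summaries in the style of tcpdump's one-line output
# (not a capture from the report): one telnet session, one SSH session,
# and an ARP line that the parser must ignore.
SAMPLE_CAPTURE = """\
10:15:01.000001 IP 192.168.5.2.40001 > 192.168.5.1.23: Flags [S], seq 100, win 512, length 0
10:15:01.000002 IP 192.168.5.1.23 > 192.168.5.2.40001: Flags [S.], seq 200, ack 101, win 512, length 0
10:15:01.000003 IP 192.168.5.2.40001 > 192.168.5.1.23: Flags [P.], seq 101:113, ack 201, win 512, length 12
10:15:02.000001 IP 192.168.5.7.51000 > 192.168.5.1.22: Flags [S], seq 300, win 512, length 0
10:15:02.000002 IP 192.168.5.7.51000 > 192.168.5.1.22: Flags [P.], seq 301:349, ack 1, win 512, length 48
10:15:03.000001 ARP, Request who-has 192.168.5.1 tell 192.168.5.7, length 28
"""

PKT_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<sip>[\d.]+)\.(?P<sport>\d+) > (?P<dip>[\d.]+)\.(?P<dport>\d+):.*length (?P<len>\d+)$"
)

# Services whose credentials travel unencrypted; anyone sniffing the cable reads them.
CLEARTEXT_SERVICES = {21: "ftp", 23: "telnet", 25: "smtp", 80: "http", 110: "pop3", 143: "imap"}


def parse_packet(line):
    """Turn one summary line into a record; None for lines that are not IP packets."""
    m = PKT_RE.match(line)
    if not m:
        return None
    return {
        "src": (m["sip"], int(m["sport"])),
        "dst": (m["dip"], int(m["dport"])),
        "length": int(m["len"]),
    }


def conversations(capture_text):
    """Aggregate packets and payload bytes per (client, server, service port),
    like IPTraf's statistics view.  Heuristic: the endpoint with the lower port
    number is taken to be the server, so both directions land in one bucket."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for line in capture_text.splitlines():
        pkt = parse_packet(line)
        if pkt is None:
            continue
        (sip, sport), (dip, dport) = pkt["src"], pkt["dst"]
        if sport < dport:            # server -> client direction
            key = (dip, sip, sport)
        else:                        # client -> server direction
            key = (sip, dip, dport)
        stats[key]["packets"] += 1
        stats[key]["bytes"] += pkt["length"]
    return dict(stats)


def cleartext_sessions(capture_text):
    """Conversations whose service sends credentials in the clear: these are the
    sessions an administrator should move to an encrypted equivalent."""
    return sorted(
        (client, server, port, CLEARTEXT_SERVICES[port])
        for (client, server, port) in conversations(capture_text)
        if port in CLEARTEXT_SERVICES
    )


if __name__ == "__main__":
    for key, counters in sorted(conversations(SAMPLE_CAPTURE).items()):
        print(key, counters)
    print("cleartext:", cleartext_sessions(SAMPLE_CAPTURE))
```

On the constructed capture the telnet session is reported as cleartext and the SSH session is not, which is the administrative point of the section: a sniffer sees everything on the segment, so only encrypted services keep passwords out of Figure 8.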

How to prepare for an attack

The preparation should recognize the common ways crackers examine a system and immediately detect any problems with the services on the system. PortSentry is used to alert on a port scan. Big Brother is used to keep a constant eye on the services being provided.

Install and configure the tools

PortSentry can be downloaded from its website. To install, follow these steps: [2]

- Open portsentry_config.h and set SYSLOG_FACILITY to LOG_LOCAL0 so that PortSentry entries can be logged to their own file.

- Open /etc/syslog.conf and add the line local0.* /var/log/portsentry.log at the end of the file.

- Execute /etc/rc.d/init.d/syslog restart to restart the syslog daemon with the changes that have been made.

- Open portsentry.conf and modify the values of these variables:

o TCP_PORTS and UDP_PORTS: the ports that PortSentry listens on and reports connections and scans of. Change the value from “aware” to “anal”.

o ADVANCED_PORTS_TCP and ADVANCED_PORTS_UDP: tells PortSentry which ports to watch for stealth scans. Change the value from 1024 to 65535 (so that all ports are tracked).

o SCAN_TRIGGER: sets the threshold at which blocking of scans begins. Set it to “2”.

- Compile the application: type “make linux” and then “make install” at the command line.

- Run: /usr/local/psionic/portsentry/portsentry -atcp and then /usr/local/psionic/portsentry/portsentry -audp.

- View the result: type tail -f /var/log/portsentry.log
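As an added example (not code from the report or from PortSentry), the block below shows the detection logic behind both the "How a port scanning works" section and the PortSentry settings above: a scanner touches many different ports from one source address, so counting distinct destination ports per source over a log and alerting once the count reaches a SCAN_TRIGGER-style threshold identifies the scanning host. The log lines are constructed here in the style of the Linux netfilter LOG target (the report does not show PortSentry's own log format); the addresses, the watched port range and the threshold are assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of the Linux netfilter LOG target
# (not PortSentry's log format).  192.168.5.2 probes five different ports;
# 192.168.5.7 only talks to the web server.  The last line is unrelated noise.
SAMPLE_LOG = """\
Dec  7 10:15:01 host kernel: IN=eth0 SRC=192.168.5.2 DST=192.168.5.1 PROTO=TCP SPT=40001 DPT=21
Dec  7 10:15:01 host kernel: IN=eth0 SRC=192.168.5.2 DST=192.168.5.1 PROTO=TCP SPT=40002 DPT=22
Dec  7 10:15:01 host kernel: IN=eth0 SRC=192.168.5.2 DST=192.168.5.1 PROTO=TCP SPT=40003 DPT=23
Dec  7 10:15:02 host kernel: IN=eth0 SRC=192.168.5.2 DST=192.168.5.1 PROTO=TCP SPT=40004 DPT=25
Dec  7 10:15:02 host kernel: IN=eth0 SRC=192.168.5.2 DST=192.168.5.1 PROTO=UDP SPT=40005 DPT=53
Dec  7 10:15:30 host kernel: IN=eth0 SRC=192.168.5.7 DST=192.168.5.1 PROTO=TCP SPT=51000 DPT=80
Dec  7 10:15:31 host kernel: IN=eth0 SRC=192.168.5.7 DST=192.168.5.1 PROTO=TCP SPT=51001 DPT=80
Dec  7 10:15:32 host syslogd: restart
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Extract source, destination, protocol and destination port from one log
    line; return None for lines that are not packet records."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "proto": m["proto"], "dpt": int(m["dpt"])}


def scan_sources(log_text, scan_trigger=2, watch_ports=range(1, 65536)):
    """Return {source: sorted distinct (proto, port) pairs} for every source that
    touched at least scan_trigger distinct watched ports.  scan_trigger plays the
    role of SCAN_TRIGGER and watch_ports that of the ADVANCED_PORTS_* range."""
    touched = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dpt"] in watch_ports:
            touched[rec["src"]].add((rec["proto"], rec["dpt"]))
    return {src: sorted(ports) for src, ports in touched.items() if len(ports) >= scan_trigger}


def alerts(log_text, scan_trigger=2):
    """One human-readable alert line per scanning source, the kind of entry an
    administrator would watch for with tail -f on the log file."""
    return [
        f"scan-alert: {src} probed {len(ports)} ports: "
        + ", ".join(f"{proto}/{port}" for proto, port in ports)
        for src, ports in sorted(scan_sources(log_text, scan_trigger).items())
    ]


if __name__ == "__main__":
    for line in alerts(SAMPLE_LOG):
        print(line)
```

Lowering scan_trigger to 1 also reports the web client, which shows why the threshold matters: a host that legitimately opens one service must not be blocked as a scanner. Restricting watch_ports to 1024 and above, the value the report changes away from, would miss this scan entirely, since every probed port is below 1024.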

Results in this project

[pic]

Figure 9: Log file shows portsentry starting

[pic]

Figure 10: Log file shows that 192.168.5.2 is scanning the host

Big Brother can be downloaded from its website. To install, follow the README.INSTALL instructions. Note that a user must be created to run the software, and after the installation, bb_host is modified to identify the hosts that Big Brother should monitor (add a line of the form: xxx.xxx.xxx hostname).
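To show what "keeping a constant eye on the services" amounts to, here is an added example (not code from the report or from Big Brother) of a minimal service monitor: it reads a host list, attempts a TCP connection to each listed service, and reports each one as green or red the way the Big Brother display does. The host list format used here ("IP hostname service:port ...") is a simplified format assumed for the example, not Big Brother's own bb_host syntax; the demo starts a throwaway listener on 127.0.0.1 to stand in for a running daemon and picks a closed port to stand in for a failed one.

```python
import socket
import threading


def check_tcp(host, port, timeout=1.0):
    """True if a TCP connection to host:port succeeds within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def parse_hosts(text):
    """Parse constructed lines of the form 'IP hostname service:port ...'
    (a simplified format assumed here, not Big Brother's bb_host syntax).
    Comments start with '#'.  Returns (hostname, ip, service, port) tuples."""
    targets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, hostname, *services = line.split()
        for svc in services:
            name, port = svc.split(":")
            targets.append((hostname, ip, name, int(port)))
    return targets


def status_report(targets, timeout=1.0):
    """Return {(hostname, service): 'green' | 'red'} for every monitored service."""
    return {
        (hostname, name): ("green" if check_tcp(ip, port, timeout) else "red")
        for hostname, ip, name, port in targets
    }


def start_dummy_service():
    """Start a throwaway TCP listener on 127.0.0.1 that accepts and closes
    connections; stands in for a real daemon.  Returns the chosen port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_port():
    """Pick a port that is currently closed, to stand in for a failed service."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Monitor one 'up' and one 'down' service on the local host."""
    up, down = start_dummy_service(), unused_port()
    hosts = f"127.0.0.1 localhost web:{up} mail:{down}  # constructed host list\n"
    return status_report(parse_hosts(hosts))


if __name__ == "__main__":
    for (hostname, service), colour in sorted(demo().items()):
        print(f"{hostname:12} {service:6} {colour}")
```

A real deployment runs status_report on a timer and raises an alarm when a service flips from green to red; a TCP connect only proves the port is open, so a stricter check would also speak the protocol (for example, expecting an HTTP status line).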

Results in this project

Make sure the http service is started. Browse to: http://localhost/bb (Figures 11, 12)

[pic]

Figure 11: Big Brother in monitor mode

[pic]

Figure 12: Big Brother report

Prevent system break-ins

Prevention is based on the idea that we have to recognize the vulnerabilities of our system before hackers do. SAINT (Security Administrator’s Integrated Network Tool) is used for this purpose.

How SAINT works

SAINT manages an “attack” on the system. It is similar to using a port scanner to locate potentially open network ports, but SAINT uses different methods and looks for different vulnerabilities than nmap does. [1]

Install and configure the tool

Download SAINT from its website.

After unzipping the file and changing to the saint directory, type ./saint-install. Edit config/saint.cf to adjust SAINT's settings.

Run SAINT by typing ./saint from the saint directory. A web interface opens. Choose Scan Setup. Enter the range of possible IP addresses as the primary target. Select a scan level; be careful, since some scan levels could damage your system. After the scan, choose Data Analysis to view the results. [3]

Results in this project

[pic]

Figure 13: SAINT starts

[pic]

Figure 14: SAINT interface

[pic]

Figure 15: SAINT scan setup

[pic] [pic]

Figure 16: SAINT is running and the result

How to protect the system when a cracker takes over root privilege

One of the weaknesses of Linux, as of other systems, is that the root user is too powerful. If a hacker gains root access, he can do anything on the system. LIDS (Linux Intrusion Detection System) is a tool that makes it possible to hide files completely or make them read-only, even to root.

How LIDS works

LIDS adds a module to the Linux kernel that blocks access to resources for all users, including root, except as configured by LIDS. [1]

Install and configure the tool

Download LIDS from its website. Make sure you download the version that matches your Linux kernel version.

After unzipping the package, patch the kernel with the LIDS patch. Type: “patch -p1 < ../LIDS_folder/LIDS-patch/lids-a.b.c-x.y.z.patch” (a.b.c: LIDS version; x.y.z: Linux kernel version). This prints some output on the screen; read it carefully. If some of the hunks fail, something is wrong with the kernel source.

Configure and compile the patched kernel. Do not install the kernel and reboot the machine at this step, because it will not work yet. Go to the LIDS directory and run these commands:

$./configure

$make

$make install

Some pre-configuration of LIDS should be done after the installation, as follows:

- Generate a LIDS password: lidsconf -P

- Edit /etc/lids/lids.cap to enable or disable the capabilities you want to use with LIDS.

- Edit /etc/lids/ to define the network parameters.

- Modify the boot scripts to seal the kernel after booting with lidsadm -I

Install the kernel. Note: back up the old kernel so that we can boot back into a non-LIDS kernel. Finally, if something goes wrong, we can boot the kernel without LIDS by passing ‘lids=0’ (in LILO, just type: linux -lids=0; in GRUB, select and edit the command beginning with “kernel…” and add lids=0 at the end of the command). [5]
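The access decision that such a kernel module makes can be illustrated in user space. The block below is an added example (not code from the report and not LIDS's real configuration syntax or kernel code): a small mandatory access control model in which rules attach DENY, READONLY or WRITE to a file or directory subtree, optionally for one program only, the most specific rule wins, unconfigured files stay unrestricted, and once the policy is "sealed" (the step the boot scripts perform above) the caller's uid plays no part, so root gets no exemption. The rule set, the program paths and the file names are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional

READ, WRITE = "read", "write"


@dataclass(frozen=True)
class Rule:
    path: str                      # protected file, or directory protecting everything below it
    mode: str                      # "DENY" (hidden), "READONLY", or "WRITE"
    subject: Optional[str] = None  # program the rule applies to; None = every program


def _covers(rule_path, path):
    """True if path is rule_path itself or lies inside the directory rule_path."""
    base = rule_path.rstrip("/")
    return path == base or path.startswith(base + "/")


class Policy:
    """Simplified model of LIDS-style enforcement (an assumption for this example)."""

    def __init__(self, rules, sealed=False):
        self.rules = list(rules)
        self.sealed = sealed   # becomes True once the sealing step has run at boot

    def seal(self):
        self.sealed = True

    def decide(self, program, path, access, uid=0):
        """Return True if `program` (running as `uid`) may perform `access` on `path`.
        Once sealed, uid is deliberately ignored: root is treated like any user."""
        if not self.sealed:
            return True          # restrictions are not in force before sealing
        candidates = [
            r for r in self.rules
            if _covers(r.path, path) and r.subject in (None, program)
        ]
        if not candidates:
            return True          # objects with no rule are not restricted
        # Most specific rule wins: longest path first, then program-specific over general.
        rule = max(candidates, key=lambda r: (len(r.path.rstrip("/")), r.subject is not None))
        if rule.mode == "DENY":
            return False
        if rule.mode == "READONLY":
            return access == READ
        return True              # WRITE: full access for this subject


# Constructed example policy: hide the shadow file from everything except the
# login program, make logs append-only for everyone but the syslog daemon,
# and make the boot directory read-only.
POLICY = Policy([
    Rule("/etc/shadow", "DENY"),
    Rule("/etc/shadow", "READONLY", subject="/bin/login"),
    Rule("/var/log", "READONLY"),
    Rule("/var/log", "WRITE", subject="/sbin/syslogd"),
    Rule("/boot", "READONLY"),
])
POLICY.seal()


if __name__ == "__main__":
    checks = [
        ("/bin/bash", "/etc/shadow", READ),
        ("/bin/login", "/etc/shadow", READ),
        ("/bin/bash", "/var/log/messages", WRITE),
        ("/sbin/syslogd", "/var/log/messages", WRITE),
        ("/bin/bash", "/boot/vmlinuz", WRITE),
    ]
    for program, path, access in checks:
        print(f"{program:14} {access:5} {path:20} -> {POLICY.decide(program, path, access, uid=0)}")
```

The point of the model is the last parameter: every decision above is evaluated for uid 0, and the shell running as root still cannot read the shadow file or overwrite the logs, which is exactly the property the report wants from LIDS for test_lids.tst.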

Results in this project

lidsconf protects a file: /test_lids.tst

[pic]

Figure 17: Use LIDS to protect test_lids.tst

[pic]

Figure 18: LIDS admin (does not work because the patched kernel did not compile)

(Reason: I don’t have the kernel source, and I don’t dare to recompile the kernel because it could affect others.)

Conclusion

This project could help an administrator protect a system by using hacker techniques to simulate an attack. Through the attack, the administrator finds the vulnerabilities of the system before the hacker does. The project also presents tools used to recognize a port scan, monitor the system services, and protect important files in case a hacker takes over the system.

References

[1] Nicholas Wells. Guide to Linux Networking and Security. Thomson. ISBN 0-619-00094-5.

[2] Jason Ormes (2004). Securing a Redhat Linux Workstation in an Open Network. Retrieved 12/7/2004 from:

[3] Saint Corp (2004). Getting Started. Retrieved 12/7/2004 from:

[5] Sander Klein (2004). Linux Intrusion Detection System FAQ. Retrieved 12/7/2004 from:
