COIT13146 - System and Network Administration
Week 08 - Intrusion Detection System

This week we look at ways to detect intrusion attempts on our system.

Note: You will be asked to do full network scans in the assessment items - do not do this on a network you do not have permission to scan.

Author: "I recently reconfigured my home ADSL router and server to allow me to make an SSH connection (tunnel) into my home network from anywhere on the Internet. Initially I configured a port forward through my ADSL router to my Ubuntu server using the standard SSH port 22. Almost immediately there were attempts to 'hack' into my system. Continuous login attempts were occurring which showed up in the /var/log/auth.log file, with various combinations of names and dictionary words - it was interesting to watch. I grew bored of watching the logs and, as the attacks were coming down my ADSL connection, they were using, though minimal, some of my quota. I moved the port forward to an unknown port number and configured my server's firewall rules to reject connections from IP addresses if more than a couple of failed login attempts occurred - resetting after a couple of minutes in case I have a bad day and get my password wrong a few times. Since doing this I have had no login attempts. So simply moving to an unknown port has removed most of the problem. Rejecting IP addresses on failed login attempts should prevent any form of dictionary/brute force attack."

From the above, it should be obvious that, had the author not looked at the /var/log/auth.log file in time, the system might have been 'hacked'.

Summary

Software we need to install
* Snort (www.snort.org) - "An open source network intrusion prevention and detection system (IDS/IPS). Combining the benefits of signature, protocol, and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide."
* tcpdump (www.tcpdump.org) - "a powerful command-line packet analyser".
* OSSEC (www.ossec.net) - "An open source host-based intrusion detection system. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response."

Chapters we need to read
* 22 - Security (Review if necessary)

Tasks

Readings
Review the recommended chapter before beginning the installation or attempting the assessment items. We will need to research Snort and OSSEC ourselves this week. The main website links listed above provide a vast amount of documentation for both.

Assessment
1. Snort and OSSEC:
   a) Write a short, concise description of what Snort is/does.
   b) Write a short, concise description of what OSSEC is/does.
   c) Describe the similarities and differences between Snort and OSSEC. Be sure to highlight where/how each should be used.
2. Install Snort using the provided "Installing Snort" document. Once Snort is installed and configured, perform an nmap scan of your entire network. Ensure your gateway, userv1 and userv2 servers are running and working as they should. An example scan of the entire 192.168.12.0 network can be performed by running "nmap -v -sU 192.168.12.0/24" (make sure you have permission to do it on your network). Submit the details of the scan you used, the output from the scan, and the entries generated in the Snort alert file. Describe the alerts generated - include other alerts that may be generated from other activity on your server.
3. Install OSSEC using the provided "Installing OSSEC" document. Once OSSEC is installed and configured, attempt the same nmap scan as in 2 and submit the results. Review the OSSEC logs and summarise what it reports.
4. Attempt to log in to the kellye account on userv1 using PuTTY a number of times, but deliberately enter an incorrect password. Using PuTTY, attempt to log in to 3 non-existent accounts on userv1 (e.g. krudd, jgillard, tabbott). Report the results - ensure you include what action the system has taken - is it permanent?
   [Hint: review the /var/ossec/logs/active-responses.log file.]
5. Edit and save some of the main system configuration files, e.g. /etc/fstab, /etc/group, /etc/passwd (don't break your system). List the changes that you make and describe the resulting emails and events recorded by OSSEC - include other emails generated from other activity on your server. Submit the email text as part of your descriptions.

Notes:
* We want you to show that you can interpret the alerts being generated, so ensure you describe what the alerts mean as part of your answers above.
* Submit all answers etc. as a single Word document zipped up as week08.zip.
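The author's firewall rule and the OSSEC active response in Task 4 both rest on the same idea: count failed sshd logins per source address and block the source temporarily once it exceeds a threshold. As an added example that is not part of the course material, Snort or OSSEC, the Python below does this over constructed lines in the format sshd writes to /var/log/auth.log; the threshold (3 failures in 60 s), the block length (2 minutes), the host name userv1 and the addresses are assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample lines in the shape sshd writes to /var/log/auth.log
# (hypothetical host "userv1", documentation-range source address).
SAMPLE_AUTH_LOG = """\
Mar  5 10:12:01 userv1 sshd[2210]: Failed password for kellye from 203.0.113.7 port 51234 ssh2
Mar  5 10:12:04 userv1 sshd[2212]: Failed password for invalid user krudd from 203.0.113.7 port 51236 ssh2
Mar  5 10:12:06 userv1 sshd[2214]: Failed password for invalid user jgillard from 203.0.113.7 port 51238 ssh2
Mar  5 10:12:09 userv1 sshd[2216]: Failed password for invalid user tabbott from 203.0.113.7 port 51240 ssh2
Mar  5 10:12:30 userv1 sshd[2220]: Failed password for kellye from 192.168.12.50 port 40000 ssh2
Mar  5 10:15:00 userv1 sshd[2230]: Accepted password for kellye from 192.168.12.50 port 40002 ssh2
Mar  5 10:20:00 userv1 sshd[2240]: Failed password for kellye from 203.0.113.7 port 51300 ssh2
"""

# "invalid user" appears when the account does not exist (Task 4's krudd etc.).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def failed_logins(text):
    """Yield (timestamp, user, ip) for every failed sshd login in the text.
    syslog timestamps carry no year, so only differences are meaningful."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("user"), m.group("ip")

def block_decisions(text, threshold=3, window=timedelta(seconds=60),
                    block_for=timedelta(minutes=2)):
    """Return {ip: block_expiry} for sources reaching `threshold` failures
    inside a sliding `window`. The block lapses after `block_for`, as in the
    author's "resetting after a couple of minutes" rule (assumed values).
    Failures logged while a source is still blocked do not extend the block."""
    recent = {}   # ip -> deque of failure timestamps still inside the window
    blocked = {}  # ip -> datetime at which the block expires
    for ts, _user, ip in failed_logins(text):
        if ip in blocked and ts < blocked[ip]:
            continue
        q = recent.setdefault(ip, deque())
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ts + block_for
            q.clear()                      # start counting afresh after the block
    return blocked

if __name__ == "__main__":
    for ip, until in block_decisions(SAMPLE_AUTH_LOG).items():
        print(f"{ip} blocked until {until:%H:%M:%S}")
```

With the sample lines, 203.0.113.7 reaches three failures at 10:12:06 and is blocked for two minutes, while the single slip from 192.168.12.50 (the user's own workstation, followed by a successful login) stays below the threshold.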