A Project of Network Intrusion Detection
by Sam Tran
CSCI 5233 – Computer Security and Integrity
Instructor: Dr. A. Yang
Dec 7, 2004
Abstract

This project shows how to protect a system. It has four parts: attack techniques, recognizing an attack, detecting weaknesses of the system, and protecting important files when a hacker gains root privilege.

Techniques to attack a system

Before a hacker attacks a system, he inspects it to find vulnerabilities. A port scan lets the hacker identify the OS of the system as well as the network services that might provide a way in.

How a port scan works

A port scan typically sends ICMP, UDP, or TCP packets with special flags to the system. Based on the reactions, the hacker gains information about the system. For example, if a client sends an ACK packet before establishing a connection, each version of an OS reacts differently, so the attacker can identify the OS of the host. [1]

Install and configure a port scanning tool

The most widely used port scanner is nmap. A free version can be downloaded at www.insecure.org/nmap. To install, just type:

$ cd ../nmap_folder
$ ./configure
$ make
$ make install

To run:

nmap -[nmap option] host

Results in this project

nmap -sS -O 192.168.5.2 (Figure 1)
Figure 1: Nmap result

Another technique that hackers often use to get secret information (such as passwords or credit card numbers) is packet sniffing. With this technique, the hacker captures and examines all of the traffic passing through a network cable or wireless space.
How packet sniffing works

Everyone's packets travel over the shared network cable. The sniffing tool makes a copy of every packet and then analyzes them.

Install and configure packet sniffing tools

This project shows three packet sniffing tools: tcpdump, IPTraf, and Ethereal. Tcpdump can be downloaded at http://www.tcpdump.org/, IPTraf at http://cebu.mozcom.com/riker/iptraf, and Ethereal at www.ethereal.com. To install tcpdump and IPTraf, just type:

$ cd ../folder
$ ./configure
$ make
$ make install

To run, type tcpdump or iptraf from the terminal. IPTraf has a menu interface. Read "man tcpdump" to see the options of tcpdump. For Ethereal, we need to install some dependencies such as ucd-snmp, KDE, or GNOME, and then type the commands above.

Results in this project

Tcpdump (Figure 2)
Figure 2: tcpdump result

IPTraf:

$ iptraf

(Figures 3, 4, 5)
Figure 3: IPtraf in monitor mode
Figure 4: IPTraf in statistics mode
Figure 5: IPTraf in configure menu
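Figure 8 later in this section shows Ethereal recovering a password because the protocol sent it in the clear. From the defender's side, the same captures tell you which services still accept cleartext logins. The script below is an added example written for this report, not part of it and not code from tcpdump, IPTraf or Ethereal: it parses constructed tcpdump -A style packet text (the packet format, addresses and payloads are invented for illustration), identifies credential lines on FTP, HTTP Basic and POP3 ports, and reports them per server with the secret redacted, giving an inventory of services that should be moved to SSH or TLS.

```python
"""Audit a capture for credentials sent in the clear.

Added example for this report, not code from tcpdump, IPTraf or Ethereal.
It reads constructed tcpdump -A style lines (not a real capture) and reports
the hosts and protocols that carry cleartext logins, redacting the secret
itself: the goal is a remediation list, not password recovery.
"""
import re
from dataclasses import dataclass

# Packet header as tcpdump prints it: "IP src.sport > dst.dport: ..."
HDR_RE = re.compile(
    r"^IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Ports whose standard protocols send the login in the clear.
CLEARTEXT_PORTS = {21: "ftp", 80: "http", 110: "pop3"}

# Credential-carrying lines; group 1 is the verb, group 2 the secret we drop.
CREDENTIAL_RE = re.compile(r"^(USER |PASS |Authorization: Basic )(\S+)", re.I)

# Constructed sample in tcpdump -A layout: a header line, then payload lines.
SAMPLE_CAPTURE = """\
IP 192.168.5.2.40010 > 192.168.5.1.21: Flags [P.], seq 1:12, length 11
USER alice
IP 192.168.5.2.40010 > 192.168.5.1.21: Flags [P.], seq 12:26, length 14
PASS s3cret!
IP 192.168.5.9.51020 > 192.168.5.1.80: Flags [P.], seq 1:80, length 79
GET /admin HTTP/1.1
Host: 192.168.5.1
Authorization: Basic Ym9iOmh1bnRlcjI=
IP 192.168.5.9.51021 > 192.168.5.1.22: Flags [P.], seq 1:30, length 29
SSH-2.0-OpenSSH_3.9p1
"""


@dataclass
class Exposure:
    src: str
    dst: str
    dport: int
    protocol: str
    payload: str  # secret already redacted


def packets(capture):
    """Split the capture text into (src, dst, dport, payload_lines) tuples."""
    current = None
    for line in capture.splitlines():
        m = HDR_RE.match(line)
        if m:
            if current:
                yield current
            current = (m.group("src"), m.group("dst"), int(m.group("dport")), [])
        elif current is not None:
            current[3].append(line)
    if current:
        yield current


def find_cleartext_logins(capture):
    """Return one Exposure per credential line seen on a cleartext-protocol port."""
    found = []
    for src, dst, dport, payload in packets(capture):
        proto = CLEARTEXT_PORTS.get(dport)
        if proto is None:
            continue  # SSH, TLS and the like are not cleartext login protocols
        for text in payload:
            m = CREDENTIAL_RE.match(text)
            if m:
                found.append(Exposure(src, dst, dport, proto, f"{m.group(1)}<redacted>"))
    return found


def summarize(capture):
    """Count exposures per (server, protocol): the list of services to migrate."""
    counts = {}
    for e in find_cleartext_logins(capture):
        key = (e.dst, e.protocol)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (server, proto), n in sorted(summarize(SAMPLE_CAPTURE).items()):
        print(f"{server} {proto}: {n} cleartext credential line(s)")
```

The port table decides the protocol and the regex decides whether a line carries a credential, so the SSH banner on port 22 is never reported; on a real capture the same split keeps the audit focused on the services that actually need migration.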
Ethereal

This project failed to install Ethereal on Linux because some KDE or GNOME libraries could not be found. Here are the results of Ethereal on a WinXP machine.
Figure 6: Ethereal set configuration
Figure 7: Ethereal in capture mode
Figure 8: Ethereal examining packets (it got the password)

How to prepare for an attack

The preparation should recognize the popular ways crackers examine a system, and should immediately detect any problems with the services on the system. PortSentry is used to alert on a port scan. Big Brother is used to keep a constant eye on the services provided.

Install and configure the tools

PortSentry can be downloaded at http://sourceforge.net/projects/sentrytools. To install, follow these steps: [2]
- Open portsentry_config.h and change the value of SYSLOG_FACILITY to LOG_LOCAL0 so that PortSentry entries can be logged to their own file.
- Open /etc/syslog.conf and add the line local0.* /var/log/portsentry.log to the end of the file.
- Execute /etc/rc.d/init.d/syslog restart to restart the syslog daemon with the changes that have been made.
- Open portsentry.conf and modify the values of these variables:
  o TCP_PORTS and UDP_PORTS: the ports that PortSentry listens on and reports connections and scans of. Switch from the "aware" port list to the "anal" one.
  o ADVANCED_PORTS_TCP and ADVANCED_PORTS_UDP: these tell the system which ports to watch for stealth scans. Change the value from 1024 to 65535 (we keep track of all ports).
  o SCAN_TRIGGER: this sets the threshold at which we start blocking scans. Set it to "2".
- Compile the application: type "make linux" and then "make install" from the command line.
- Run: /usr/local/psionic/portsentry/portsentry -atcp and then /usr/local/psionic/portsentry/portsentry -audp.
- View the result: type tail -f /var/log/portsentry.log
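The detection logic behind PortSentry's SCAN_TRIGGER, together with the SYN/RST reactions described under "How a port scan works", can be illustrated in a few lines. The script below is an added example written for this report, not PortSentry's source: it replays constructed tcpdump-style lines (the sample packets, host addresses and the alert wording are assumed for illustration) and flags any source that sends initial SYNs to more than SCAN_TRIGGER distinct local ports, printing alerts in the style of the attackalert entries that PortSentry writes to /var/log/portsentry.log.

```python
"""Port-scan detector in the spirit of PortSentry's SCAN_TRIGGER threshold.

Added example for this report; it is not PortSentry's code. It replays
constructed tcpdump-style lines (not a real capture) and flags any source
that probes more than SCAN_TRIGGER distinct local ports. The line format,
addresses and alert text are assumed for illustration.
"""
import re
from collections import defaultdict

# Threshold from portsentry.conf in the report: 2 probes are tolerated,
# the next one raises an alert.
SCAN_TRIGGER = 2

# tcpdump-style line: "HH:MM:SS.uuuuuu IP src.sport > dst.dport: Flags [S], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample: 192.168.5.2 sweeps ports 21, 22, 23 and 80 on 192.168.5.1
# with bare SYNs (a SYN scan); closed port 21 answers RST, open port 22 answers
# SYN/ACK. 192.168.5.9 makes one ordinary SSH connection.
SAMPLE_LINES = """\
10:00:01.000001 IP 192.168.5.2.40001 > 192.168.5.1.21: Flags [S], seq 1, win 1024
10:00:01.000050 IP 192.168.5.1.21 > 192.168.5.2.40001: Flags [R.], seq 0, ack 2
10:00:01.000100 IP 192.168.5.2.40002 > 192.168.5.1.22: Flags [S], seq 1, win 1024
10:00:01.000150 IP 192.168.5.1.22 > 192.168.5.2.40002: Flags [S.], seq 9, ack 2
10:00:01.000200 IP 192.168.5.2.40003 > 192.168.5.1.23: Flags [S], seq 1, win 1024
10:00:01.000250 IP 192.168.5.2.40004 > 192.168.5.1.80: Flags [S], seq 1, win 1024
10:00:02.000000 IP 192.168.5.9.51000 > 192.168.5.1.22: Flags [S], seq 7, win 65535
10:00:02.000050 IP 192.168.5.1.22 > 192.168.5.9.51000: Flags [S.], seq 3, ack 8
"""


def parse_probes(lines, local_host):
    """Yield (src, dport, flags) for every packet addressed to local_host."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("dst") == local_host:
            yield m.group("src"), int(m.group("dport")), m.group("flags")


def detect_scans(lines, local_host, trigger=SCAN_TRIGGER):
    """Return {src: sorted distinct ports probed} for sources over the trigger.

    Only initial SYNs (flags exactly "S") count as probes, so replies and
    established traffic are ignored, much as PortSentry only sees
    connection attempts to its own listeners.
    """
    probed = defaultdict(set)
    for src, dport, flags in parse_probes(lines, local_host):
        if flags == "S":
            probed[src].add(dport)
    return {src: sorted(ports) for src, ports in probed.items() if len(ports) > trigger}


def attack_alert(lines, local_host, trigger=SCAN_TRIGGER):
    """Format alerts in the style of PortSentry's attackalert log lines (assumed wording)."""
    return [
        f"attackalert: TCP SYN scan from host: {src} to TCP ports: {ports}"
        for src, ports in sorted(detect_scans(lines, local_host, trigger).items())
    ]


if __name__ == "__main__":
    for alert in attack_alert(SAMPLE_LINES, "192.168.5.1"):
        print(alert)
```

PortSentry counts connection attempts to the ports it listens on; this version counts distinct destination ports per source, so a single retried connection never trips the threshold while a sweep does. Lowering the trigger to 0 makes every first probe an alert, which is PortSentry's default.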
Results in this project
Figure 9: Log file shows portsentry starting
Figure 10: Log file shows that 192.168.5.2 is scanning the host
Big Brother can be downloaded at www.bb4.com. To install, follow the README.INSTALL instructions. Note that we have to create a user to run the software, and after the installation we modify bb_host to identify the hosts that we want Big Brother to monitor (add a line: xxx.xxx.xxx hostname).
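To show what Big Brother does when it polls the hosts listed in bb_host, here is an added example written for this report, not Big Brother's own code. It parses a constructed host list in an "IP hostname # test1 test2" form (the exact bb_host syntax is assumed), maps each test name to a TCP port through a small table, and reports green or red per service, the colours Big Brother uses on its status page. The local_probe() helper exercises the checker against a throwaway listener on 127.0.0.1 so the whole thing runs offline.

```python
"""Minimal service monitor in the style of Big Brother's host list.

Added example for this report, not Big Brother's own code. The host-list
syntax ("IP hostname # test1 test2") and the colour names are assumed;
only TCP connect checks are implemented.
"""
import socket

# Test name (after the '#') -> TCP port to connect to.
SERVICE_PORTS = {"http": 80, "ssh": 22, "ftp": 21, "smtp": 25}

# Constructed host list (not a real bb_host file).
SAMPLE_HOSTS = """\
# ip           hostname        # tests
192.168.5.1    gateway         # http ssh
192.168.5.2    mailhost        # smtp
"""


def parse_hosts(text):
    """Return [(ip, hostname, [service, ...])], skipping blank and comment lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields, _, tests = line.partition("#")
        ip, hostname = fields.split()[:2]
        entries.append((ip, hostname, tests.split()))
    return entries


def check_tcp(ip, port, timeout=1.0):
    """'green' if a TCP connect succeeds, otherwise 'red'."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "green"
    except OSError:
        return "red"


def monitor(text, checker=check_tcp, port_override=None):
    """Run every listed test and return {(hostname, service): colour}.

    port_override maps a service name to a non-standard port; unknown
    service names are reported as 'unknown' rather than silently skipped.
    """
    ports = dict(SERVICE_PORTS, **(port_override or {}))
    results = {}
    for ip, hostname, tests in parse_hosts(text):
        for svc in tests:
            port = ports.get(svc)
            results[(hostname, svc)] = checker(ip, port) if port else "unknown"
    return results


def local_probe():
    """Self-check without network access: one listening and one closed local port.

    Returns (colour for the open port, colour for the closed port).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    open_port = srv.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing listens on closed_port any more
    hosts = "127.0.0.1 localhost # http ssh\n"
    res = monitor(hosts, port_override={"http": open_port, "ssh": closed_port})
    srv.close()
    return res[("localhost", "http")], res[("localhost", "ssh")]


if __name__ == "__main__":
    for (host, svc), colour in sorted(monitor(SAMPLE_HOSTS).items()):
        print(f"{host:10} {svc:5} {colour}")
    print("self-check:", local_probe())
```

A real deployment would run monitor() on a timer and alert on any transition to red, which is what Big Brother's display in Figures 11 and 12 summarizes; the checker parameter exists so the polling logic can be tested without touching the network.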
Results in this project

Make sure the http service is running. Type http://localhost/bb in a browser (Figures 11, 12).
Figure 11: Big Brother in monitor mode
Figure 12: Big Brother report

Prevent system break-ins

The prevention is based on the idea that we have to recognize the vulnerabilities of our system before hackers do. SAINT (Security Administrator's Integrated Network Tool) is used for this purpose.

How SAINT works

SAINT manages an "attack" on the system. It is similar to using a port scanner to locate potentially open network ports. However, SAINT uses different methods and looks for different vulnerabilities than nmap does. [1]

Install and configure the tool
Download SAINT at www.saintcorporation.com. After unzipping the file and changing the current directory to the saint folder, type ./saint-install. Edit config/saint.cf to adjust SAINT. Run SAINT by typing ./saint from the saint directory; a web interface will open. Choose Scan Setup. Enter the range of possible IP addresses as the primary target. Select a scan level. Be careful: some scan levels could damage your system. After the scan, choose Data Analysis to view the results. [3]

Results in this project
Figure 13: SAINT starts
Figure 14: SAINT interface
Figure 15: SAINT scan setup
Figure 16: SAINT running and the result

How to protect the system when a cracker takes over the root privilege

One of the weaknesses of Linux, as of other systems, is that the root user is too powerful. If a hacker gets root access, he can do anything on the system. LIDS (Linux Intrusion Detection System) is a tool that can hide files completely or make them read-only, even to root.

How LIDS works

LIDS adds a module to the Linux kernel that blocks access to resources for all users, including root, except as configured by LIDS. [1]

Install and configure the tool
Download LIDS at http://www.lids.org/download.html. Make sure that you download the version matching your Linux kernel. After unzipping the package, patch the kernel with the LIDS patch:

$ patch -p1 < ../LIDS_folder/LIDS-patch/lids-a.b.c-x.y.z.patch

(a.b.c: LIDS version; x.y.z: Linux kernel version). This will generate some output on the screen; read it carefully. If some of the hunks fail, something is wrong with the kernel source. Configure and compile the patched kernel. Do not install the kernel and reboot the machine at this step, because this will not work. Go to the LIDS directory and run these commands:

$ ./configure
$ make
$ make install
Some pre-configuration of LIDS should be done after the installation, as follows:
- Generate a LIDS password: lidsconf -P
- Edit /etc/lids/lids.cap to enable or disable the capabilities you want to use with LIDS.
- Edit /etc/lids/lids.net to define the network parameters.
- Modify the boot scripts to seal the kernel after booting with lidsadm -I
Install the kernel. Note: back up the old kernel so that we can boot back into a non-LIDS kernel. Finally, if something goes wrong, we can boot the kernel without LIDS by passing lids=0 (in LILO, just type: linux lids=0; in GRUB, select and edit the line beginning with "kernel ..." and add lids=0 at the end of the command). [5]

Results in this project

lidsconf protects a file: /test_lids.tst
Figure 17: Use LIDS to protect test_lids.tst
Figure 18: LIDS admin (does not work because the patched kernel did not compile). (Reason: I don't have the kernel source, and I don't dare to recompile the kernel because it could affect others.)
Conclusion

This project can help an administrator protect a system by using hacker techniques to simulate an attack. Through the simulated attack, the administrator finds the vulnerabilities of the system before a hacker does. The project also points out tools that recognize a port scan, monitor the system services, and protect important files in case a hacker takes over the system.
References

[1] Nicholas Wells. Guide to Linux Networking and Security. Thomson Publishing, ISBN 0-619-00094-5.
[2] Jason Ormes (2004). Securing a Redhat Linux Workstation in an Open Network. Retrieved 12/7/2004 from http://www.giac.org/practical/Jason_Ormes_GCUX.doc
[3] Saint Corp (2004). Getting Started. Retrieved 12/7/2004 from http://www.saintcorporation.com/cgi-bin/doc.pl?document=getting_started
[5] Sander Klein (2004). Linux Intrusion Detection System FAQ. Retrieved 12/7/2004 from http://www.lids.org/lids-faq/lidsfaq.html