UNAUTHENTICATED ACCESS DENIAL AND DETERRENCE TECHNIQUE IN NETWORK SECURITY

ABSTRACT

Computer security is the process of preventing and detecting unauthorized use of our computer. Prevention measures help us stop unauthorized users (also known as "intruders") from accessing any part of our computer system. Detection helps us determine whether or not someone attempted to break into our system, whether they were successful, and what they may have done.

In this paper we propose a technique called the Deterrence technique: the process of monitoring the events occurring in a computer system or network and analyzing them for signs of intrusions, defined as attempts to compromise the confidentiality, integrity or availability of a computer or network, or to bypass its security mechanisms. Deterrence systems are also classified by the types of systems they monitor. The two main systems monitored for intrusions are host-based systems and network-based systems.

Host-based IDPS attempt to detect attacks on a particular machine. This is typically done through analysis of a computer's log files: we typically monitor the system, event and security logs on Windows NT and syslog in UNIX environments. When any of these files changes, the system compares the new log entry with attack signatures to see if there is a match. If so, the system responds with administrator alerts and other calls to action. Some products also listen to port activity and alert administrators when specific ports are accessed. Host-based systems monitor user and file access activity, changes to file permissions, attempts to install new executables and attempts to access privileged services.

This paper covers the Password attack, Scanning attack, Sniffing attack and Spoofing attack. The work is developed using C and shell scripting in a Linux environment.
INTRODUCTION

An intrusion detection and prevention system (IDPS) is mainly employed to secure company networks. Ideally, an IDPS has the capacity to detect all intrusions in real time and to take action to stop the attack. The IDPS uses a concurrent monitoring strategy for simultaneously detecting the various attacks and also determining the path taken by the attacker or by the attacker's allies.

TYPES OF INTRUSION DETECTION

1. Network based.
2. Host based.

NETWORK BASED IDPS

A network IDPS is a program that requires only one installation. The application scans all transmissions on a subnet to determine network activity in real time. This type of application acts both as a manager and as an agent: the network is passive, and the host the IDPS is installed on does all the work.

DISADVANTAGES OF NETWORK BASED IDPS

A network-based IDPS may have difficulty processing all packets in large or busy networks. Many of the advantages of network-based IDPS do not apply to more modern switch-based networks. A network-based IDPS cannot analyze encrypted information; this problem is increasing as more organizations (and attackers) use virtual private networks. Most network-based IDPS have problems dealing with network-based attacks that involve fragmented packets; these malformed packets cause the IDPS to become unstable and crash.

HOST BASED IDPS

[Figure: host-based IDPS overview. The hacker's password attack (invalid password), scanning attack, sniffing attack and spoofing attack are each identified by IP address; the IDPS raises an alert message and sends mail.]

Host-based IDPS operate on information collected from within an individual computer system. This vantage point allows a host-based IDPS to analyze activities with great reliability and precision, determining exactly which processes and users are involved in a particular attack on the operating system. Host-based IDPS directly access and monitor the data files and system processes usually targeted by attacks.
Host-based IDPS normally utilize information sources of two types: operating system audit trails and system logs. Operating system audit trails are usually generated at the kernel level of the operating system and are therefore more detailed and better protected than system logs.

ADVANTAGES

Host-based IDPS, with their ability to monitor events local to a host, can detect attacks that cannot be seen by a network-based IDPS. Host-based IDPS can operate in an environment in which network traffic is encrypted, because the host-based information sources are generated before data is encrypted and/or after the data is decrypted at the destination host. Host-based IDPS are unaffected by switched networks. When host-based IDPS operate on operating system audit trails, they can help detect Trojan horses or attacks that involve software integrity breaches.

PASSWORD ATTACK

[Figure: password attack module. The IDPS checks login and password failures, checks the login name for su violations, and checks password types (weak, empty and shadow passwords); each check raises an alert message to the hacker, user and administration, and sends mail.]

CHECK SU (SWITCH USER) VIOLATIONS

In the su violations check, when an end user tries to log in as another end user and the password is wrong, mail is sent to root saying that this user is trying to log in as another user, and the user gets the message in the terminal: "if you use the SU command your login will be aborted, so don't use the su command". If the end user does log in as another end user, he gets the warning message "your login has been blocked, contact Admin", his login is closed, his username is blocked temporarily so that he cannot log in with it, and mail is sent to root saying that this user has switched to that user. So the account of that particular user is blocked. This is the case for the end user. When root uses the su command he can enter any end user's login and gets only a warning message.
The root user is not blocked and his settings are not affected. This clearly states that root has permission to log in as an end user under any circumstances. By using this module the security constraints on the su command are tightly restricted for the end user: end users cannot easily log in as another user, switching to root is also restricted, and so an end user cannot gain root access.

LOGIN FAILURES

[Figure: login failure flow. The user logs on to the system; the 8-bit password, 64-bit text and 56-bit keyword are processed, padded with 2 zero bits to 66-bit text and split into 11 six-bit values, which are checked against the stored DB value for authentication.]

This sub-module is for login failures. Normally the hacker will try to break passwords or guess passwords from a dictionary, phone numbers and so on, and while passwords are being guessed, login failures occur. Our program finds the login failures; when there are three continuous login failures it finds the username and blocks it, so that even if the user then gives the exact password he cannot enter, because we are using further protections such as the Pluggable Authentication Module (PAM) and iptables, which cannot be broken easily. Only the Admin has the right to unblock the particular user. This is the case for login failures.

BLANK PASSWORD

The blank password sub-module checks the settings of the /etc/passwd file, gets the details of each user and checks the password field. If the password field contains a password there is no problem; otherwise, if the password field is empty, it displays the user details and reports that the login contains no password. Anyone can use such a login because it has no password, so a hacker can easily extract data through it.

/etc/passwd file

This file has various fields: login name, encrypted password, UID, user name, home directory and shell. The password in this file is world viewable, so the password file has to be shadowed. The IDPS checks whether the file is shadowed or not; if the file is not shadowed it insists that the user shadow the password file.
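The login-failure and su-violation checks described above, as an added shell example (this is not the paper's own C/shell code). It scans constructed /var/log/secure-style lines in the usual sshd/PAM format, reports a user the moment three consecutive failures are reached (a successful login resets the count), lists su activity by non-root users, and prints the lock-and-mail response the module would run; the threshold of 3 and the dry-run default are assumptions.

```sh
#!/bin/sh
# Added example (not the paper's code): detect repeated login failures and su
# violations in /var/log/secure-style lines, then report who should be blocked.
# The log lines below are constructed samples in the sshd/PAM/su format.

LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Mar  3 10:01:02 host sshd[1201]: Failed password for alice from 10.0.0.5 port 4000 ssh2
Mar  3 10:01:05 host sshd[1201]: Failed password for alice from 10.0.0.5 port 4000 ssh2
Mar  3 10:01:07 host sshd[1201]: Accepted password for alice from 10.0.0.5 port 4000 ssh2
Mar  3 10:02:00 host sshd[1210]: Failed password for bob from 10.0.0.9 port 4100 ssh2
Mar  3 10:02:03 host sshd[1210]: Failed password for invalid user bob from 10.0.0.9 port 4100 ssh2
Mar  3 10:02:05 host sshd[1210]: Failed password for bob from 10.0.0.9 port 4100 ssh2
Mar  3 10:03:00 host su[1300]: FAILED SU (to root) carol on pts/1
Mar  3 10:03:30 host su[1301]: pam_unix(su:session): session opened for user dave by carol(uid=1002)
Mar  3 10:04:00 host su[1302]: pam_unix(su:session): session opened for user alice by root(uid=0)
EOF

# Print each user name the moment it reaches THRESHOLD consecutive failures.
# A successful login resets that user's counter ("three continuous failures").
users_to_block() {  # users_to_block LOGFILE THRESHOLD
    awk -v t="$2" '
        /Failed password for/ {
            u = $0
            sub(/.*Failed password for (invalid user )?/, "", u)
            sub(/ from .*/, "", u)
            if (++fails[u] == t) print u
            next
        }
        /Accepted password for/ {
            u = $0
            sub(/.*Accepted password for /, "", u)
            sub(/ from .*/, "", u)
            fails[u] = 0
        }' "$1"
}

# Report su activity by non-root users: failed attempts and completed
# switches. Root's own su sessions are permitted, so they are skipped.
su_violations() {  # su_violations LOGFILE
    awk '
        /FAILED SU \(to / {
            match($0, /\(to [^)]*\)/)
            target = substr($0, RSTART + 4, RLENGTH - 5)
            rest = substr($0, RSTART + RLENGTH + 1)
            split(rest, f, " ")
            print "FAILED " f[1] " -> " target
            next
        }
        /pam_unix\(su:session\): session opened for user/ {
            n = split($0, f, " ")
            for (i = 1; i <= n; i++) {
                if (f[i] == "user") target = f[i + 1]
                if (f[i] == "by") who = f[i + 1]
            }
            sub(/\(uid=.*/, "", who)     # "carol(uid=1002)" -> "carol"
            sub(/\(uid=.*/, "", target)  # newer PAM also tags the target
            if (who != "root") print "SWITCH " who " -> " target
        }' "$1"
}

# Response the module applies: lock the account and mail root. With DRYRUN=1
# (the default here, an assumption) the commands are only printed, so the
# example runs without root.
block_user() {  # block_user USER
    if [ "${DRYRUN:-1}" = 1 ]; then
        echo "would run: usermod -L $1; mail -s 'IDPS: $1 blocked after repeated login failures' root"
    else
        usermod -L "$1" && echo "IDPS: $1 blocked after repeated login failures" | mail -s "IDPS alert" root
    fi
}

for u in $(users_to_block "$LOG" 3); do block_user "$u"; done
su_violations "$LOG"
```

For a live host, replace `$LOG` with /var/log/secure (or the equivalent journal output) and run the script from cron or a log watcher; blocking only counts consecutive failures, so a legitimate user who mistypes twice and then logs in is not locked.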
SHADOW PASSWORD

The shadow password check also examines the shadow file, /etc/shadow. If the password fields are encrypted there is no problem; if not, there is a possibility that no password is required for that login, i.e. an empty shadow field. The check also looks at the file permissions of files such as /etc/shadow and /etc/group; these files should be changed to read-only for the root user only. Then no end user can read them, security is high, and a hacker cannot obtain them from an end user: because end users cannot read these files, he cannot add any entry to gain access as an end user, and by reading these files he cannot get enough information to hack the system. So the shadow password module changes the file permissions of these files so that they can be viewed only by root, and also sets characteristics such as the sticky bit.

Some of the shadow features include:

1. Encoded passwords are accessible only by root.
2. Account information can be aged: users are automatically prompted to change their password from time to time.
3. Requirements for users to create good passwords.

An /etc/shadow entry might look like:

User:H7e9JL:10063:0:30:7:1:

The shadow file has various fields: username, password, days since the password was changed, days until it may be changed, days until it must be changed, warning days and disable days.

WEAK PASSWORD

For weak passwords, the Linux operating system normally gives some information while the end user is setting a password, telling him that it is the same as the username, that it does not contain enough letters, that the characters are not different enough, that it is based on a dictionary word, and so on. But sometimes weak passwords are accepted: when you set one from the root shell it warns you but accepts the password. Weak passwords are easily breakable, and there are many tools that will break weak passwords; a hacker can also misuse these tools to break the passwords of the end users and of root.
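The blank-password, shadowing and shadow-file-permission checks from the two sections above, as an added shell example (not the paper's code). It runs over constructed copies of /etc/passwd and /etc/shadow in a temporary directory, so it never touches the live files; the file names and the sample entries are assumptions.

```sh
#!/bin/sh
# Added example (not the paper's code): audit password and shadow files for
# empty password fields, hashes left in passwd, and over-permissive modes.
# Both files below are constructed samples, not copies of real system files.

WORK=$(mktemp -d)
PASSWD="$WORK/passwd"
SHADOW="$WORK/shadow"

cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
guest::1001:1001:Guest:/home/guest:/bin/bash
legacy:$1$salt$oldhashvalue:1002:1002:Legacy:/home/legacy:/bin/sh
EOF

cat > "$SHADOW" <<'EOF'
root:$6$salt$hashvalue:19000:0:99999:7:::
alice:$6$salt$hashvalue:19000:0:99999:7:::
guest::19000:0:99999:7:::
svc:!:19000:0:99999:7:::
EOF
chmod 644 "$SHADOW"   # deliberately too open, so perm_ok below flags it

# Accounts whose password field is empty: anyone can log in without a password.
empty_password_users() {  # empty_password_users FILE
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts whose hash is stored in passwd itself instead of /etc/shadow. A
# shadowed entry carries "x" in field 2; "*" and "!..." mark locked accounts.
unshadowed_users() {  # unshadowed_users PASSWDFILE
    awk -F: '$2 != "x" && $2 != "" && $2 != "*" && $2 !~ /^!/ { print $1 }' "$1"
}

# True when the file is readable by its owner only (group/other bits clear),
# the setting the module requires for /etc/shadow. ls(1) is used instead of
# stat(1) because its mode column has the same layout on GNU and BSD.
perm_ok() {  # perm_ok FILE
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Full audit: one finding per line, prefixed with its kind.
audit() {  # audit PASSWDFILE SHADOWFILE
    for u in $(empty_password_users "$1"); do echo "EMPTY-PASSWD $u"; done
    for u in $(unshadowed_users "$1"); do echo "UNSHADOWED $u"; done
    for u in $(empty_password_users "$2"); do echo "EMPTY-SHADOW $u"; done
    perm_ok "$2" || echo "PERMS $2 readable by group/other; run: chmod 600 $2"
    return 0
}

echo "before fix:"; audit "$PASSWD" "$SHADOW"
chmod 600 "$SHADOW"    # the permission change the module applies
echo "after fix:";  audit "$PASSWD" "$SHADOW"
```

On a real host the same functions take /etc/passwd and /etc/shadow (the shadow file needs root to read); the UNSHADOWED finding is the signal the paper describes for insisting that the password file be shadowed with pwconv.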
If passwords are breakable then they are weak passwords; the module then gets the details of the username and of the password that was broken. It has six rules for making a good password; when we follow these rules no one can break our password. The rules are as follows:

Use uppercase letters and lowercase letters, and mix the lowercase and uppercase letters.
Make use of alphanumeric values and special characters.
Don't use dictionary words and well-known words.
Don't use telephone numbers, addresses, vehicle numbers and so on.

If a password is broken, the details of the broken password are stored in a file, and after breaking the passwords the program mails the particular user, warning that "your password is a weak password and can be easily broken"; it mails the details of that password, tells the user to follow these rules when making a password, and includes the rules mentioned above.

BLOCKED USER DETAILS

Blocked user details contains two sub-modules:

1. Blocked user details.
2. Unblocking.

BLOCKED USER DETAILS

The blocked user list contains the details of the blocked users; the name of each blocked user is present in this list. Even if the user gives the exact password he cannot log in to the system.

UNBLOCKING

In Unblocking, the admin has the right to unblock a particular user. This program runs on the server system, so if the Admin wishes to unblock a particular user he can unblock the user with this module.

SCANNING ATTACK

[Figure: scanning attack module. The hacker's IP address is checked for the services it probes and the port numbers it scans; an alert message is raised to the hacker, user and administration, and alert mail is sent.]

Before a cracker can attempt to break into our network in any way, the cracker needs to know one or more of the following things:

What services do you have running?
Which programs are providing those services?
What kinds of product are protecting your network?
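A checker for the password rules listed above, as an added shell example (not the paper's code). The rules for case, alphanumerics and special characters, dictionary words, and telephone or vehicle numbers come from the paper; the minimum length of 8, the "contains the user name" check, the digit-run heuristic and the small word list are assumptions added here, and the word list stands in for the dictionary a cracking tool would use.

```sh
#!/bin/sh
# Added example (not the paper's code): apply the good-password rules to a
# candidate password and produce the notice the module mails to the user.
# DICT is a constructed stand-in for a real cracking dictionary.

DICT=$(mktemp)
cat > "$DICT" <<'EOF'
password
welcome
secret
letmein
admin
qwerty
EOF

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Print one line per rule the password breaks; print nothing if it is good.
password_problems() {  # password_problems USERNAME PASSWORD
    u=$1; p=$2
    [ ${#p} -ge 8 ] || echo "shorter than 8 characters"
    case $p in *[[:upper:]]*) ;; *) echo "no uppercase letter" ;; esac
    case $p in *[[:lower:]]*) ;; *) echo "no lowercase letter" ;; esac
    case $p in *[[:digit:]]*) ;; *) echo "no digit" ;; esac
    case $p in *[[:punct:]]*) ;; *) echo "no special character" ;; esac
    # the same as, or built around, the user name
    case $(lower "$p") in *"$(lower "$u")"*) echo "contains the user name" ;; esac
    # long digit runs look like telephone or vehicle numbers
    if printf '%s\n' "$p" | grep -Eq '[0-9]{6,}'; then
        echo "contains a long run of digits (phone/vehicle number)"
    fi
    # strip digits and punctuation: "Password1!" is still the word "password"
    base=$(lower "$(printf '%s' "$p" | tr -d '[:digit:][:punct:]')")
    if [ -n "$base" ] && grep -qx "$base" "$DICT"; then
        echo "based on a dictionary word"
    fi
    return 0
}

# Exit status 0 when the password breaks no rule.
is_strong_password() {  # is_strong_password USERNAME PASSWORD
    [ -z "$(password_problems "$1" "$2")" ]
}

# The warning the module mails to a user whose password was broken.
weak_password_notice() {  # weak_password_notice USERNAME PASSWORD
    echo "Your password is a weak password and can be easily broken; it breaks these rules:"
    password_problems "$1" "$2" | sed 's/^/  - /'
}

# Constructed candidates: two weak, one that follows the rules.
for entry in "alice:alice123" "bob:Password1!" "carol:Vx7#kPq2mL"; do
    user=${entry%%:*}; pass=${entry#*:}
    if is_strong_password "$user" "$pass"; then
        echo "$user: password accepted"
    else
        echo "$user:"; weak_password_notice "$user" "$pass"
    fi
done
```

The dictionary test strips digits and punctuation before the lookup because the tools the paper mentions try exactly those decorations of a base word; a real deployment points DICT at the same word list those tools use.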
A cracker would launch attacks on our network at random, trying to connect to various networking services to exploit their vulnerabilities, if any exist. Port scanners check accessible hosts for open networking ports to see which services are listening for connections. Another reason crackers scan for particular ports is to find Trojan horses that may already be installed on the target machine; for example, the remote-control Trojan horse Back Orifice listens for connections by default on port 31337. Crackers will often scan whole ranges of TCP/IP host addresses sequentially, looking for ports that match known Trojan horses that may be listening for a connection. Crackers use tools like Nmap and SATAN (system administration tools for analyzing networks).

SNIFFING ATTACK

[Figure: sniffing attack module. The hacker's IP address is checked and the NIC is checked for default or promiscuous mode; an alert message is raised to the hacker, user and administration, and alert mail is sent.]

Packet sniffers are utilities that can monitor and log network traffic by retrieving or displaying packet information passing through their host computer. These programs may be helpful in diagnosing errors and monitoring traffic on a network. However, these utilities may also be used to eavesdrop on network communications and therefore may present a potential security risk. Packet sniffing programs read packets intended for other systems by putting the listening computer's hardware into promiscuous mode. This typically requires administrative privileges to reconfigure the hardware, but physical access is always a trump card that allows a knowledgeable individual to gain administrative control over the local system. This again highlights the need for policy, user awareness and levels of trust for local users. Even if local administrators have tight physical controls over workstations, one person with a laptop may find an open network port, or disconnect a running machine, in order to sniff packets on a local network segment.
While in promiscuous mode, the listening system is able to read the packets broadcast over its network segment. An Ethernet card in promiscuous mode will not only receive broadcast traffic on the local segment, but will also display traffic that would normally be ignored by all network cards except the one with the MAC address referenced in the TCP header. This may be a cause for concern if sensitive data is not properly encrypted: for example, someone listening on a network in promiscuous mode could easily obtain plain-text passwords.

IP SPOOFING

[Figure: IP spoofing module. The hacker's IP address is checked against the IP addresses in the network and the server's IP address; the firewall status is checked and the particular machine is blocked by IP address.]

IP spoofing refers to sending a packet to a host that appears to come from some place other than its actual source. The attacking client sends a SYN message that contains a false source address and port. The host then replies with the SYN-ACK message and waits, holding a half-open connection, for the expected final reply. The host will be waiting for the false connection without replying to genuine connections. The Smurf attack is a DoS attack that uses IP spoofing. Smurf attacks direct ping floods with spoofed IPs at an IP broadcast address, which is used for sending the same information to a large number of machines: if the information is sent to the broadcast address it only has to be sent once to reach all machines behind that address. Thus, by spoofing the victim's IP, an entire network will at once ping the victim's computer.

The IDPS keeps track of the log messages by checking two files.

1. /var/log/messages

In the /var/log directory there is a file called messages. Inside is a long list of events (in chronological order), with each line representing an individual log entry. The /var/log/messages file is somewhat of a catch-all for many of the log messages passed by the kernel and by programs that generate loggable events. Most errors and system messages can be found in this file.

2.
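Two checks for the spoofed-SYN symptom and the log monitoring described above, as an added shell example (not the paper's code). The first counts half-open (SYN-RECV) connections per local port from `ss -tan` output; the second pulls the source addresses the kernel logged as "martian" (packets whose source address could not legitimately arrive on that interface, which rp_filter with log_martians records). Both inputs are constructed samples, the limit of 3 and the APPLY switch are assumptions, and the firewall response is printed rather than executed.

```sh
#!/bin/sh
# Added example (not the paper's code): spot a spoofed SYN flood from the
# connection table and spoofed sources from kernel log lines, then show the
# block the module would apply. SS and MSG are constructed samples.

SS=$(mktemp); MSG=$(mktemp)
cat > "$SS" <<'EOF'
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
SYN-RECV  0      0      10.0.0.2:80         203.0.113.7:40001
SYN-RECV  0      0      10.0.0.2:80         198.51.100.4:40002
SYN-RECV  0      0      10.0.0.2:80         203.0.113.9:40003
SYN-RECV  0      0      10.0.0.2:443        192.0.2.8:40004
ESTAB     0      0      10.0.0.2:22         10.0.0.5:51000
EOF
cat > "$MSG" <<'EOF'
Mar  3 11:00:01 host kernel: IPv4: martian source 10.0.0.2 from 192.168.5.5, on dev eth0
Mar  3 11:00:02 host kernel: IPv4: martian source 10.0.0.2 from 172.16.9.9, on dev eth0
Mar  3 11:00:03 host sshd[1300]: Accepted publickey for alice from 10.0.0.5 port 51000 ssh2
EOF

# Half-open (SYN-RECV) connections per local port, busiest first. Spoofed
# SYNs never complete the handshake, so a flood shows up as many SYN-RECV
# entries on one port, each from a different (often unreachable) peer.
half_open_per_port() {  # half_open_per_port SSFILE   (live: ss -tan > SSFILE)
    awk '$1 == "SYN-RECV" { port = $4; sub(/.*:/, "", port); n[port]++ }
         END { for (p in n) print p, n[p] }' "$1" | sort -k2,2nr -k1,1
}

# Ports holding at least LIMIT half-open connections.
flooded_ports() {  # flooded_ports SSFILE LIMIT
    half_open_per_port "$1" | awk -v lim="$2" '$2 >= lim { print $1 }'
}

# Source addresses from "martian source" kernel messages in /var/log/messages.
martian_sources() {  # martian_sources LOGFILE
    awk '/martian source/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { a = $(i + 1); sub(/,$/, "", a); print a }
         }' "$1"
}

# The firewall response of the module: drop traffic from a spoofing source.
# Printed unless APPLY=1 (an assumption), since it needs root and changes live rules.
block_source() {  # block_source IPADDR
    if [ "${APPLY:-0}" = 1 ]; then iptables -I INPUT -s "$1" -j DROP
    else echo "would run: iptables -I INPUT -s $1 -j DROP"; fi
}

echo "half-open connections per port:"; half_open_per_port "$SS"
for p in $(flooded_ports "$SS" 3); do
    echo "IDPS ALERT: port $p holds >= 3 half-open connections (possible spoofed SYN flood)"
done
for s in $(martian_sources "$MSG"); do block_source "$s"; done
```

Blocking by source address helps against martian sources, which are fixed bogus addresses; for a SYN flood with a fresh random source per packet the count per port is the useful signal, and the response belongs in SYN cookies or rate limiting rather than per-address rules.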
/var/log/secure

Another log file is /var/log/secure, which contains information specific to the user who is accessing the system, how the user accessed the system, and possible breaches of security. Much of this information is also mirrored in /var/log/messages. By default all root logins are logged to this file.

CONCLUSION

Today's interrelated computer network is a realm filled with people who have millions of man-hours ready to employ against our strongest security strategy. The only way to beat them is to know that they are attempting an attack and to counter their attempts. An IDPS is mainly employed to secure computer networks; ideally, an IDPS has the capacity to detect all intrusions in real time and to take action to stop the attack. The IDPS uses a concurrent monitoring strategy for simultaneously detecting the various attacks and also determining the path taken by the attacker or by the attacker's allies. Strategy is the key: selecting the right IDS strategy will be instrumental in ensuring that the enterprise network remains secure.

(THIS PAPER IS SUPPORTED WITH IMPLEMENTATION PROCESS)