Wednesday, September 30, 2015

Some Major Attacks That You Need To Be Prepared For



Criminal perpetrators target sites and services hosted on many web servers like banks, credit card payment gateways etc, for the purpose of taking revenge, blackmail or activism. No doubt we need to be prepared for these attacks and take preventive measures.

In some of my previous articles, I mentioned few such attacks. In this article, I will write about some more major attacks that are most common in recent times and against which we need to be protected, if we want to run our business successfully.


I think we all have heard about Denial of Service attack or DoS. What is it actually?

DoS is an attack for the purpose of making a target machine or network resource unavailable for its intended users. This attack mainly temporarily indefinitely suspend a service of a host connected to internet. As a result, you may see:

- Unusually slow network performance.
- Unavailability of a particular website.
- Dramatic increase of number of spam emails received.
- Disconnection of internet connection.

The effects can be sometimes long term or even for indefinite time.


Is this DoS attack from a single source?

Not necessarily. Sometimes, the attack may even come from multiple sources having different IP addresses. Using IP address spoofing, the attackers may even hide their own IP addresses, making it extremely hard to catch the attacker. This type of attacks from multiple sources are sometimes called Distribiuted Denial of Service Attack or DDoS.


There can be various ways a DoS can be done. Each attack is implemented in a different way.


Internet Control Message Protocol Flood or ICMP Flood : Smurf attacks, Ping Flood or Ping of Death are this sort of attacks. In this sort of attacks, the attacker may send ICMP broadcast packets forging the source address of the victim. As a result, all the computers in the network send overwhelming number of replies to the victim computer, consuming its network bandwidth. Sometimes, the attacker even send enormous number of ICMP ping messages or a malformed ping packet to the victim computer. As a result, the victim computer ends up consuming all its banwidth in sending replies, or for a malformed ping packet, it ends up crashing.

As I discussed earlier, the preventive measures of this sort of attacks is configuring firewalls properly to stop responding to ping messages or broadcast messages.


SYN Flood : In a SYN Flood, the attacker often forges his IP address and sends an enormous number of connection request to the victim server. As a result, the victim server ends up spawning lots of half open connections, sending back a TCP/SYN-ACK packets and waiting for the response. But as the attacker has forged his IP address, the sent packets end up going to wrong IP addresses and the server never gets a reply. But, these half-open connections saturate the maximum number of open connections the server can have and the server can no more respond to legitimate requests.

Other Application Level Flood : In this sort of attacks, the attacker exploits few conditions like buffer overflow, and fills up the diskspace of the victim machine or consume all its memory and CPU cycles. The attacker can even redirect outgoing message from the victim machine back to the machine itself, preventing the victim machine from outside network access. This particular type of attacks are also called 'Banana Attacks'.


Teardrop Attacks : In this attack, the attacker sends a mangled IP packet, with oversized and overlapping payloads, to the victim. If the Operating System of the victim's machine cannot handle it properly, the machine will end up crashing.


Peer-to-Peer Attacks : In this attack, the attacker gets control over the clients of a peer-to-peer file sharing hub, instructs the clients to disconnect from their peer-to-peer network and connect to the victim's website instead. This results in hundreds of thousands of connection request to the victim machine. As a result, the victim machine ends up exhausting all its computational resources, resulting in a DoS attack.


HTTP Post DDoS Attack : In this attack, the attacker sends a legitimate HTTP Post header to the victim machine, but then keeps sending the actual message body at an extremely slow rate. The entire message is correct, so the victim machine keeps waiting for the entire message to arrive, slowing down the whole system. The main problem with this sort of attacks is, it is very difficult to differentiate the attacking connection from a legitimate one and it manages to bypasses the security mechanisms easily.


Slow Read Attack : A Slow Read Attack sends a legitimate application layer request to the victim machine, but it reads the responses from the machine very slowly. The attacker advertises a very small number for the TCP Receive Window size and empties the victim machine's receive buffer slowly.


Reflected Attack : It is a DDoS attack, where the attacker forges the IP address of the victim machine and sends lots of request message to large number of other computers. All the machines start responding to the requests received, but all the responses reach to the victim machine, eating up all its bandwidth.


SSL Flood : When a server provides a secure connection to a client, normally it involves a large amount of processing cycles from the server's side. This type of attacks exploits that scenario. The attacker requests lots of secure connection to the server, and the server loses its processing cycles to respond to the illegitimate connections, not being able to respond to the legitimate ones.


Fraggle Attack : This type of attack is similar to Smurf Attack, but instead of ICMP traffic, the attacker sends large number of forged UDP traffic to the victim machine.



LAND Attack : It is a Local Area Network Denial attack. In this attack, the attacker sends a TCP SYN packet to initiate a TCP connection with the victim machine. But the attacker uses the victim machine's IP address as both source and destination address. As a result, the victim machine ends up replying to itself continuously, consuming all its processing power.



DNS Amplification Attack : In this attack, the attacker sends lots of DNS query to a DNS server, but forges the IP address of the victim machine as source IP. As a result, the DNS server ends up sending all the responses to the victim machine. As DNS responses are much larger in size, the responses end up flooding the victim machine with responses and consuming its bandwidth.


TCP Null Attack : In this attack the attacker sends lots of IP packets to the victim machine with the IPv4 headers filled with NULL. The firewalls configured for TCP, UDP and ICMP packets may allow these packets. As a result, the enormous amout of these packets flood the victim machine, consuming its bandwidth.


If I continue, perhaps the list will be never ending, and that will only flood the article with information. I wanted to keep it short and so, mentioned only the most common attacks.

Knowing about the possible attacks is the very first step towards protection against it. So, if you think this article has helped you anywhere there or you want to add valuable information to this article, please feel free to share your feedback/comments/opinions.

Tuesday, September 29, 2015

Set the Firewalls of Guests from Host in Virtual Machine Or Execute command remotely from Host to Guest VM



So, we have already discussed about

What is Firewalls?
and

Now, the question is, if we are in guests and want the provision of setting firewalls from host, will it be possible?

We can give a try for a setup where both guests and host are Linux systems.

The basic idea is, if we run a server script in host and a client script in guest, so that, from host we will send a command to guest and guest will execute the command and return host its output, then we can make use of that to set firewalls in guest from host.

Of course, we would also need to run a shell script in guest, which will make our life of input and output redirection easier.

Does it look confusing?

Let me explain the code in details then.

Let's assume, we have a shell script running in guest:

#!/bin/bash
while :
do
      ./client HOSTIP > inputfile
       ret=`echo $?`
       if [ $ret -eq 0 ]
       then
             var=`cat inputfile`
             echo "command to execute: $var"
             `echo $var`
              `echo $var` &> outputfile
              ./client 192.168.1.116 outputfile
               var=`cat outputfile`
              echo "Output file contained $var"
              `rm outputfile`
      else
              echo "Could not connect"
              `rm inputfile`
               exit
       fi
       `rm inputfile`
done

This script will execute a code 'client' which will connect with the server. The server will send a command to client using sockets. The client will simply print the sent command in stdout. The shell script then redirect the content of stdout in a variable and execute it. The shell script will also redirect the stderr and stdout of the executed command to a file. And finally, the shell script will again invoke the client program, but this time with one more argument – the name of the file which contains the output. The client program, now, will open the file and send each line to the server. And the only job left to server is, print the output.

So, how does the server code looks like?
See below:

#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
int main(void)
{
int i;
int listenfd = 0, connfd = 0;
pid_t wpid, pid;
struct sockaddr_in *ipv4Addr;
socklen_t size;
char command[1025];
struct sockaddr_in serv_addr;
char sendBuff[1025];
char readbuff[1025];
int readlen;
int numrv;
struct sockaddr client_sockaddr;
int ipAddr;
char ipAddr_string[INET_ADDRSTRLEN];

         listenfd = socket(AF_INET, SOCK_STREAM, 0);
         printf("socket retrieve success\n");
         memset(&serv_addr, '0', sizeof(serv_addr));
         memset(sendBuff, '0', sizeof(sendBuff));
         serv_addr.sin_family = AF_INET;
         serv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
         serv_addr.sin_port = htons(5000);

         bind(listenfd, (struct sockaddr*)&serv_addr,sizeof(serv_addr));
         if(listen(listenfd, 10) == -1){
                  printf("Failed to listen\n");
                  return -1;
         }
        while(1)
        {
                  size = sizeof(client_sockaddr);
                  connfd = accept(listenfd, &client_sockaddr, &size); // accept awaiting request
                  if (connfd != -1) {
                             pid = fork();
                             if (pid > 0) {
                                        close(connfd);
                             } else {//child process
                             command[0]='\0';
                             readbuff[0]='\0';
                             ipv4Addr = (struct sockaddr_in *)&client_sockaddr;
                             ipAddr = ipv4Addr->sin_addr.s_addr;
                              strcpy(ipAddr_string, inet_ntop(AF_INET, &ipAddr, ipAddr_string, INET_ADDRSTRLEN));
                             readbuff[0]='\0';
                             readlen = read(connfd, readbuff, 1025);
                             readbuff[readlen]='\0';
                             if (strcmp(readbuff, "input") == 0) {
                                              printf("Command to execute for client %s: ", ipAddr_string);
                                              gets(command);
                                              printf("Now client will execute: ");
                                              printf("%s\n", command);
                                              write(connfd, command, strlen(command));
                                               command[0]='\0';
                                               readbuff[0]='\0';
                                               close(connfd);
                             } else {
                                              printf("Command Output from client %s:\n\n", ipAddr_string);
                                              while(1) {
                                                              readbuff[0]='\0';
                                                              readlen = read(connfd, readbuff, 1025);
                                                              readbuff[readlen]='\0';
                                                              if (readlen > 0) {
                                                                             if (strcmp(readbuff, "done") == 0) {
                                                                                            readbuff[0]='\0';
                                                                                            break;
                                                                             }
                                                                            fflush(stdin);
                                                                            puts(readbuff);
                                                                          
                                                                            readbuff[0] = '\0';
                                                            }
                                              }
                                              close(connfd);
                          }
                          exit(1);
                  }
        }
         close(connfd);
          sleep(1);
    }
return 0;
}


This server code simply accepts the connection from the guest, takes the input command from the user and sends it to the guest. And when the guest connects again, it receives the output from the guest and prints it.


And the client code looks like :


#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <arpa/inet.h>
int main(int argc, char *argv[])
{
FILE *fp;
int sockfd = 0, n = 0;
char recvBuff[1024];
struct sockaddr_in serv_addr;
char command[1024];
char buf[1025];
int len;
memset(recvBuff, '0',sizeof(recvBuff));
              if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
              {
                          printf("\n Error : Could not create socket \n");
                          return 1;
              }
              memset(&serv_addr, '0', sizeof(serv_addr));
              serv_addr.sin_family = AF_INET;
              serv_addr.sin_port = htons(5000);
              if(inet_pton(AF_INET, argv[1], &serv_addr.sin_addr)<=0)
              {
                         printf("\n inet_pton error occured\n");
                         return 1;
              }
              if( connect(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0)
             {
                         printf("\n Error : Connect Failed \n");
                         return 1;
             }
             if (argc == 3) {
                          write(sockfd, "output", sizeof("output"));
                          fp = fopen(argv[2], "r");
                          while(!feof(fp)) {
                                      fgets(buf, 1024, fp);
                                     //puts(buf);
                                      write(sockfd, buf, i);
                                      buf[0]='\0';
                           }
                           write(sockfd, "done", sizeof("done"));
                           fclose(fp);
                           close(sockfd);
      } else {
                  write(sockfd, "input", sizeof("input"));
                  n = read(sockfd, recvBuff, sizeof(recvBuff)-1);
                  recvBuff[n]='\0';
                  puts(recvBuff);
     }
     close(sockfd);
     return 0;
}

The client code, as I said before, will make a connection with the host and wait for input commands. When it gets the input command it will print it to stdout, so that the command can be executed by the shell script. The shell script again invokes this program with three arguments, the third being the name of the file which contains the output of the command. The client then simply takes the output text from the file and sends it to the server.


Last but not the least, the client shell script needs to be executed using 'sudo' otherwise there will be permission problem.


So, this was basically a simple concept, to execute firewalls related commands remotely, or rather to execute any command remotely. Hope you enjoyed the basic idea, and if you have any feedback or comments, please feel free to share.



Heartbeat – Know from Host when the Guest is Down in Virtual Machine



So, we already learnt about, how to know the ip address of host from guest and the ip address of guest from host. The next thing interesting to us is, how to know from the host when any of the guest machines is down. You might say, this is simple, we can always write a small shell script and ping the guest machines after certain time intervals. If we do not get any response of ping, that would mean that particular guest machine is down.

But, we already have discussed about few attacks like, ping flood and as a remedy we said, it is better to disable ping in servers. In fact, it is always a good practice to disable ping message in servers. And if we do that, the said method is unlikely to work.

So, what is the alternative method?

Socket programming! Yes, we can run the server script from the host and client scripts from the guests. Each guest will make connection with the host and send message after certain time interval. If the message stops arriving or the connection closes, we will know the guest is down.


So, let me give a sample code, which can make things clearer.


Here is the server side code:

#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
int main(void)
{
    int listenfd = 0,connfd = 0;
    pid_t wpid, pid;
    struct sockaddr_in *ipv4Addr;
    socklen_t size;
    struct sockaddr_in serv_addr;
    char sendBuff[1025];
    char readbuff[1025];
    int readlen;
    int numrv;
    struct sockaddr client_sockaddr;
    int ipAddr;
    char ipAddr_string[INET_ADDRSTRLEN];

    listenfd = socket(AF_INET, SOCK_STREAM, 0);
    printf("socket retrieve success\n");
    memset(&serv_addr, '0', sizeof(serv_addr));
    memset(sendBuff, '0', sizeof(sendBuff));

    serv_addr.sin_family = AF_INET;
    serv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
    serv_addr.sin_port = htons(5000);

    bind(listenfd, (struct sockaddr*)&serv_addr,sizeof(serv_addr));

    if(listen(listenfd, 10) == -1){
        printf("Failed to listen\n");
        return -1;
    }
    while(1)
    {

        size = sizeof(client_sockaddr);
        connfd = accept(listenfd, &client_sockaddr, &size); // accept awaiting request

        if (connfd != -1) {
            pid = fork();
            if (pid > 0) {
                 close(connfd);
            } else {//child process
                ipv4Addr = (struct sockaddr_in *)&client_sockaddr;
                ipAddr = ipv4Addr->sin_addr.s_addr;
                strcpy(ipAddr_string, inet_ntop(AF_INET, &ipAddr, ipAddr_string, INET_ADDRSTRLEN));
                printf("Client IP Address: %s\n", ipAddr_string);
                while(1) {
                     strcpy(sendBuff, "Hi from server");
                     write(connfd, sendBuff, strlen(sendBuff));
                     readlen = read(connfd, readbuff, 1025);
                     readbuff[readlen]='\0';
                     printf("Received from client %s: %s\n", ipAddr_string, readbuff);
                     if (strcmp(readbuff, "alive") == 0) {
                          sleep(2);
                     } else {
                          printf("Client %s is down!\n", ipAddr_string);
                          close(connfd);
                          exit(1);
                     }
               }
          }
    }
    sleep(1);
 }
 return 0;
}



And here is the client side code:


#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <arpa/inet.h>
int main(int argc, char *argv[])
{
    int sockfd = 0, n = 0;
    char recvBuff[1024];
    struct sockaddr_in serv_addr;
    if(argc != 2)
    {
        printf("\n Usage: %s <ip of server> \n",argv[0]);
        return 1;
    }

    memset(recvBuff, '0',sizeof(recvBuff));

    if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
    {
        printf("\n Error : Could not create socket \n");
        return 1;
    }

    memset(&serv_addr, '0', sizeof(serv_addr));
    serv_addr.sin_family = AF_INET;
    serv_addr.sin_port = htons(5000);

    if(inet_pton(AF_INET, argv[1], &serv_addr.sin_addr)<=0)
    {
        printf("\n inet_pton error occured\n");
        return 1;
    }

    if( connect(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0)
    {
        printf("\n Error : Connect Failed \n");
        return 1;
    }

    n = read(sockfd, recvBuff, sizeof(recvBuff)-1);
    if(n < 0)
    {
        printf("\n Read error \n");
    }

    recvBuff[n] = '\0';
    printf("Message from Server: %s\n", recvBuff);
    while (1) {
        write(sockfd, "alive", sizeof("alive"));
        sleep(2);
    }
    return 0;
}


Here, the client makes a connection with the server and sends a particular message “alive” after certain interval. When the server stops getting the “alive” message, it knows the client is down.

So, this was a very basic concept. You can always borrow this idea and write your own code and share your valuable inputs!

Monday, September 28, 2015

Find Guest IP from Host and Host IP from Guest in Virtual Machine



There are only couple of ways to communicate between guest and host. And if we want a hypervisor independent way of communication, using socket is the most feasible option. But to do that, the minimum thing we need is knowing the ip address of guests and host.

After a bit research, I found out an easy way of doing that. We can use utilities like arp-scan and arp, and that will make our life a lot easier. I will explain the details in a short while.

Before that, we need to install arp-scan in both guest and host.

# sudo apt-get install arp-scan

My host as well as guest is Ubuntu system. So, I will be using simple shell scripts to solve the purpose.

Write this shell script in Host:


#!/bin/bash
GUEST1="vm1-virtual-machine.local"
GUEST2="vm2-virtual-machine.local"
echo -e "Which VM?\n1.$GUEST1\n$GUEST2\n[1/2] \c"
read answer
if [ $answer -eq 1 ]
then
GUEST=$GUEST1
else
GUEST=$GUEST2
fi
echo "You want ip for $GUEST"

ip=`arp -a | grep $GUEST | awk '{print $2}'`

arr1=$(echo $ip | tr "(" "\n")
arr2=$(echo $arr1 | tr ")" "\n")
ip=$arr2

echo "Guest IP is:$ip”


Here, I am using arp -a in the host machine. If the arp table is populated properly, 'arp -a' will give hostname and ip of machines in local network. Irrespective of whether the guest VMs are having independent ip address (e.g. through bridge network), it will list the guest VMs and their ip addresses. We can filter out the ip address of the guest from its hostname. Yes, you need to know the hostname of the guests in advance.


In the guest, run the following script:

#!/bin/bash
echo -e "Interface (e.g. eth0, eth1 etc): \c"
read interface
IN=`sudo arp-scan --interface=$interface 192.168.1.1/24 | awk '{print $1,$2}' | grep <host MAC address>`
arr=$(echo $IN | tr " " "\n")
flag=0
for x in $arr
do
if [ $flag -eq 0 ]
then
#echo $x
ip=$x
flag=1
fi
done
echo "Host ip is $ip"



Here, I am doing an 'arp-scan' to find out all the ip addresses and MAC addresses in the local network. Now, filter out the host with its MAC address. Yes, you need to know the MAC address of the host in advance.


The advantage of a simple shell script like this is, you can run it in host and guests and run socket programming thereafter. This will automate the process of communication. And if you are using sockets, it gives an opportunity to share myriads of information.

So, this was a very simple shell script. I am quite a novice in shell scripts, but what I can say is, this works.

So, you can always borrow this idea and write your own shell scripts. And when you do that, please share your feedback. Good day!

Friday, September 25, 2015

Security Concerns in Cloud Computing



Cloud computing is one of the most emerging technologies. There are following different types of Cloud.





Types of Cloud

As per Services Offered :

IaaS or Infrastructure as a Service : If the cloud offers the service of infrastructure like storage disks or virtual servers, it is called Infrastructure as a Service or IaaS. Examples include Rackspace, Flexiscale.


PaaS or Platform as a Service : If the cloud offers a development platform and it includes an Operating System and a programming language execution environment, database and web server, it is called Platform as a Service or PaaS. Examples include Google App Engine, Salesforce.


SaaS or Software as a Service : If the cloud offers access to software applications on per user basis, it is called Software as a Service or SaaS. Examples include GMail, Google Docs.


As per Deployment Models : 

On the other hand, as per deployment models there are mainly four types of clouds.

Private Cloud : Private clouds operate solely for a single organization. They can be managed internally or by a third party, hosted internally or externally.

Public Cloud : In a Public Cloud, services are rendered over a network that is open to public.

Community Cloud : Community Cloud shares infrastructure among several organizations from a specific community with similar concerns like security, compliance, jurisdiction etc. They can be managed internally or by third party, hosted internally or externally.

Hybrid Cloud : Hybrid cloud is a composition of two or more clouds, like private, public or community. It offers the benefits of multiple deployment models.


Security Concerns of Cloud

What are the security concerns that the cloud service providers and the clients need to take care of ?

If we look closely, we can see quite a number of security concerns, which we need to take care of while implementing or using the service of clouds.

Let's discuss a few of them.

  1. The first security issue that we can think of is data breaches. In a multi-tenant cloud service, if the cloud service database is not designed properly, a single flaw in a single client's application can give an attacker access to data of one or multiple client. Encrypting data can be a solution, but if you lose encryption key, you lose data. Again, keeping offline backups of data increase the possibility of data breaches.
  2. Secondly, we can think of the issue of data loss that the cloud service providers need to take care of. Data must be preserved from disasters like fire, flood or an earthquake.
  3. The next issue we can think of is account hijacking. If an attacker somehow hacks the account of the cloud service provider, he can eavesdrop all the transactions and manipulate data and redirect the clients to illegitimate sites and prepare for more attacks.
  4. Fourthly, the threat of insecure interfaces and APIs. Cloud service providers provide APIs and interfaces for usage, management, orchestration and monitoring of cloud services. Weak interfaces and APIs can expose the threats of issues related to data confidentiality, integrity, availability and accountability.
  5. The next threat is Denial of Service attack. Cloud service providers bill their client's based on computing cycles and disk space consumed. An attacker, even if he may not be able to stop the services completely, he may consume much process cycles to affect the services to a significant extent.
  6. The cloud service providers also have to keep safe from malicious insiders. They have to monitor properly all its employees, contractors or business partners who access the cloud, network, services and data. A malicious insider or irresponsible access to data can lead to serious threats.
  7. The seventh issue is the abuse of clouds. A malicious user should not use the processing power of clouds for the purpose of breaking encryption keys or hack a system. A cloud service provider needs to take care of the abuse of their clouds.
  8. A cloud service providers provide resources like CPUs, GPUs and caches to multiple clients. A cloud must be designed to offer strong isolation properties. If an integral component gets compromised, it exposes the entire environment to a potential of compromise and breach.


So, if you are a cloud service provider or a user, it is better to keep these concerns in mind and design it properly.

So, stay safe, stay protected!




Thursday, September 24, 2015

Installing Snort Intrusion Detection System in Linux



In the last articles, I explained:

What is a Firewall?
What is Intrusion Detection System?
How to configure Firewalls in Linux?

I also explained few attacks like:

What is ARP Spoofing?
And
How to detect ARP Spoofing attack in your system?

In this article, I will explain how to install an Intrusion Detection System in your system.
I am using a Linux system here. The advantage of Linux is, it is open source and it gives lots of opportunities for experiments.


An Intrusion Detection System inspects all inbound and outbound traffic in your system and detects suspected attacks. In this article, I will show how to install Snort Intrusion Detection System in your Linux machine.

So, let's start.








1. Install LAMP Server :

LAMP suite is Linux-Apache-Mysql-PHP. We would need to install this for our Snort IDS. To do that, first install tasksel and then lamp server.

# sudo apt-get install tasksel
# sudo tasksel install lamp-server


You will be prompted for mysql root password during the installation process. Give a password and remember it. You will again need it later.



2. Create Snort Database :


Follow the steps mentioned below to create snort database :


# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 42
Server version: 5.5.44-0ubuntu0.12.04.1 (Ubuntu)
Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> create database snort;
Query OK, 1 row affected (0.05 sec)
mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES ON snort.* TO 'snort'@'localhost' IDENTIFIED BY 'password';
Query OK, 0 rows affected (0.00 sec)
mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
mysql> quit
Bye
#



3. Install Snort :


Now, install snort by typing:
 


# sudo apt-get -y install snort-mysql


During installation, provide IP address for your local network. Select to configure snort database manually to connect with the previously created database.



4. Configure Snort :


Update the database with snort table structure.


# pushd /usr/share/doc/snort-mysql
# /usr/share/doc/snort-mysql$ sudo zcat create_mysql.gz | mysql -u snort -p snort
password:
# popd
#

Modify the snort configuration file to include mysql specific information.


# sudo sed -i "s/output\ log_tcpdump:\ tcpdump.log/#output\ log_tcpdump:\ tcpdump.log\noutput\ database:\ log,\ mysql, user=snort password=<password> dbname=snort host=localhost/" /etc/snort/snort.conf


Remove pending configuration file:

# sudo rm -rf /etc/snort/db-pending-config

For Debian or Ubuntu, you might have to check /etc/snort/database.conf for proper value of database, user, password and host.

You might also have to change 'ipvar HOME_NET any' to your home subnet like:

ipvar HOME_NET 192.168.1.1/24 in /etc/snort/snort.conf



5. Start Snort service :


# sudo /etc/init.d/snort start
# sudo /etc/init.d/snort status
# tail /var/log/syslog


Snort should successfully start.
If it fails, however, try to execute the following command and detect the actual reason of error:


# sudo /usr/sbin/snort -c /etc/snort/snort.conf -i eth0

You may have to select proper interface for your system instead of eth0.



6. Install ACID :


We need to install web front end to monitor snort's output. ACID solves the purpose.
Follow the following steps to install ACID.


# sudo apt-get -y install acidbase

During installation, select mysql database and mysql administrator password.


7. Configure ACID :


We need to configure ACID now.

# sudo sed -i "s#allow\ from\ 127.0.0.0/255.0.0.0#allow\ from\ 127.0.0.0/255.0.0.0\ 10.10.1.10/255.255.255.0#" /etc/acidbase/apache.conf


You would need to give your IP instead of 10.10.1.10.
This step will allow access to acidbase from your desktop.

Restart Apache server for the changes to take effect.

# sudo /etc/init.d/apache2 restart


8. Final Touch :


Finally, you would need to access acidbase web front-end and configure it.
Open your browser and type:

http://localhost/acidbase/base_db_setup.php

Select the button which says, “Create BASE AG” and return to main page.


9. Some Testing :

You can now do some basic testing.
Open your terminal and type:

# sudo nmap -p1-65535 -sV -sS -O 127.0.0.1


Now, refresh the acidbase. You should see the results of the port scan in your acidbase front-end.


Well, you may want to install and configure Oinkmaster to automate the rule update process and receive updated rules for Snort. Visit the Snort Website to do that.


So, that was all about installation of Snort Intrusion Detection System in your Linux machine.
These are some simple steps to perform, but good enough for your system to stay protected!

So, stay safe, stay protected!

Tuesday, September 22, 2015

How To Detect ARP Spoofing Attack In Your System



In one of my last articles, I discussed about ARP Spoofing. It is an attack in which an attacker send falsified ARP messages over a local area network and link the victim's IP address with his MAC address. As a result, all the traffic that is meant for the victim, will reach the attacker first. The attacker can afterwards steal sensitive information or prepare for more attacks.


In this article I am going to describe how to detect if your system has got an ARP Spoofing attack.






Preparing with tools

Firstly, you need a few software to install in your system. For Linux, you would need tcpdump, wireshark and arp-scan.



tcpdump is used to analyze network packets in a Linux system. You can install the utility using:


# sudo apt-get install tcpdump



You would need arp-scan to find out all the IP addresses and corresponding MAC address in your local network. You can install it using :


# sudo apt-get install arp-scan



Wireshark is another tool for analyzing IP packets. The advantage of this tool is, it is GUI based. You can install it using:


# sudo apt-get install wireshark



Detecting ARP Spoofing Attack







Let's first do the analysis of network packets of the system using wireshark.

Type the following command in the command prompt to open wireshark :

# sudo wireshark



A wireshark window will appear.

Select proper interface for your system. In my system it is eth1. It may be different for your system.


On clicking on start, a window will appear where you will see source IP address, destination IP address of each packet along with few other information.

Select any tcp or udp packet. You will see a window like the one already shown above.




Here, I have selected a packet, whose source IP is 74.125.200.189 and destination is my IP.


Now, click on Ethernet II field below.


If you see carefully, source IP 74,125.200.189 is mapped with MAC address 00.1f.3a.bc.7b.58.


Now, open a terminal and type

# sudo arp-scan --interface=eth1 –localnet


It will show a list of IP addresses like below :

# sudo arp-scan --interface=eth1 --localnet
Interface: eth1, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.8.1 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.133 00:1f:3a:bc:7b:58 Pr_bc Ind.Co., Ltd.
192.168.1.138 *** (Unknown)
192.168.1.1 *** (Unknown)



So, you can see, the packet that I had selected, has actually come from MAC address 00,1f.3a.bc.7b.58, which mapped to IP 192.168.1.133 and not from IP address 74.125.200.189. And, IP address 192.168.1.133 is an IP address in the local network.

This means, someone has sent falsified ARP message to link your IP with his MAC address, which is an ARP Spoofing attack.



You can confirm the same with tcpdump also.

Open terminal and type:

# sudo tcpdump -vXXn -e -i eth1 dst 192.168.1.116


This means, you want to analyze packets to your IP address 192.168.1.116.


I have picked up a part of the output :

14:57:51.521068 00:1f:3a:bc:7b:58 > ****, ethertype IPv4 (0x0800), length 86: (tos 0x8, ttl 44, id 35883, offset 0, flags [none], proto UDP (17), length 72)

74.125.200.189.443 > 192.168.1.116.41334: UDP, length 44

0x0000: **** 001f 3abc 7b58 0800 4508 .H..6=..:.{V..E.
0x0010: 0048 8c2b 0000 2c11 2d1b 4a7d c8bd c0a8 .H.+..,.-.J}....
0x0020: 0174 01bb a176 0034 54a9 0087 e6d9 30be .t...v.4T.....0.
0x0030: ba35 de94 672a 603e 3fc8 5fa1 d8eb 3721 .5..g*`>?._...7!
0x0040: de39 f952 1bbf 722a 3afb 1812 2e04 6c9c .9.R..r*:.....l.
0x0050: 8a72 7d5e af95 .r}^..



Here also you can see, 74.125.200.189 is mapped to MAC address 00.1f.3a.bc.7b.58, which is MAC of a system which is in the local network (as per arp-scan output).


# sudo arp-scan --interface=eth1 --localnet
Interface: eth1, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.8.1 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.133 00:1f:3a:bc:7b:58 Pr_bc Ind.Co., Ltd.
192.168.1.138 *** (Unknown)

192.168.1.1 *** (Unknown)

So, the system is undergoing an ARP Spoofing Attack.


I think, now we are quite clear about ARP Spoofing attack and how to detect it. Hope it helped.

Monday, September 21, 2015

ARP Spoofing




ARP Spoofing is an attack in which an attacker can send falsified ARP messages over a local area network and link the victim's IP address with his MAC address. As a result, all the traffic that is meant for the victim, will reach the attacker first. The attacker can afterwards steal sensitive information or prepare for more attacks.





How is ARP Spoofing perpetrated ?

In ARP Spoofing, an attacker typically follow the steps mentioned below :


  1. The attacker queries and finds out the ip addresses and corresponding MAC addresses of users connected to the target subnet. There are lots of ARP Spoofing tools like Arpspoof, Cain & Abel, Arpoison and Ettercap that are commonly used for ARP Spoofing.
  2. The attacker finds the victim's IP address, and then links his MAC address with the victim's IP address and sends out ARP messages across the LAN.
  3. - The other hosts in the LAN cache the falsified ARP message. As a result, traffic meant for the victim, reaches the attacker instead.

Implications of ARP Spoofing Attacks

There can be many serious implications. Like:

  • If the attacker links multiple IP address to the victim's MAC address, packets meant for several IP addresses will reach the victim alone, which can lead to Denial of Service attack.
  • The attacker can steal the victim's session Id and access private data.
  • The attacker can intercept and modify the traffic of the victim, which can lead to Man In The Middle attack.

Prevention

We can some steps to prevent ARP Spoofing Attacks.

  • Use packet filters and do not allow packets with conflicting source information. For an example, do not allow packets that come from outside the network but contains source IP of inside the network.
  • Organizations can avoid trust relationships. Do not allow any machine of any IP address to access internal data of the organization without authentications.
  • There are couple of software available for detection of ARP Spoofing. You can use those.
  • Try to use cryptographic network protocols like HTTPS, SSH, TLS etc. Secure communications prevent ARP Spoofing by encrypting data prior to transmission and authenticate it when it arrives.

So, do not give an attacker any chance, take some simple steps and stay protected!

Sunday, September 20, 2015

How To Configure Firewalls in Linux



Hope you all know what is a firewall. In this article, I am going to explain how to configure firewalls in Linux system. There are GUI available to configure firewalls, but in this article I prefer to explain how to configure firewalls using command line utility.






There is a command line utility called iptables, which can be used to configure firewalls in Linux. This utility mostly comes pre-installed with Linux distributions. If not, you can install the iptable package:


# sudo apt-get install iptables


iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several tables also can be maintained for different users. When an IP packet comes to the system or goes out of the system or gets forwarded, iptables checks a set of predefined rules takes action.

iptables use mainly three different chains:
INPUT – This chain is used for all the input packets. When a user attempts an ssh to your system, the input chain is checked for matching rules.OUTPUT – This chain is meant for output IP packets. When your system sends an IP packet to other IP address, this chain is checked for set of rules.FORWARD – This chain is mainly used for routers. In the case, when an IP packet is not locally delivered, but is destined for some other IP address, this chain is checked for set of rules.


In your system, before configuring firewalls, check the policy default behavior. By default, all the IP packets are accepted.


# sudo iptables -L | grep policy
Chain INPUT (policy ACCEPT)
Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)


Rules are appended to the iptables using -A option. You can also use the option: iptables -I [chain] [number] to specify number in the list where it should be.

There can be three main types of connection specific responses – accept, drop and reject.
ACCEPT – It indicates allow the connection.DROP – It will drop the connection silently, without sending an error.REJECT – It will not accept the connection, and send out an error.

Specifying IP Address – You can specify rules to accept, allow or reject a connection from a specific IP address.


# iptables -A INPUT -s 10.10.10.10 -j DROP

It will drop connection from IP address 10.10.10.10


# iptables -A INPUT -s 10.10.10.10 -j ACCEPT

It will accept connection from the IP address 10.10.10.10


# iptables -A INPUT -s 10.10.10.10 -j REJECT

This will reject connections from IP address 10.10.10.10


#iptables -A INPUT -s 10.10.10.10/20 -j DROP

This will drop the connection from IP address range 10.10.10.10 to 10.10.10.20

Specifying Port – You can also specify port to accept, reject or drop connections to or from.

# iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -j DROP

This will drop all tcp connections from IP address 10.10.10.10 which are destined for ssh port of your system.


# iptables -A INPUT -p udp --dport ssh -j REJECT
This will reject all udp connections destined for udp port of your system.

Specifying Connection State – You can specify connection state in a rule.

# iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -m state --state NEW,ESTABLISHED -j ACCEPT


# iptables -A OUTPUT -p tcp --sport 22 -d 10.10.10.10 -m state --state NEW -j REJECT


# iptables -A OUTPUT -p tcp --sport 22 -d 10.10.10.10 -m state --state ESTABLISHED -j ACCEPT


These two commands specify that all new and already established tcp connections from IP address 10.10.10.10 destined to your ssh port are accepted. But ssh connections to 10.10.10.10 from source port 22 are not accepted. But, if an ssh connection is already established to 10.10.10.10 from your source port 22, your system is permitted to send back information.

Save your changes – iptables rules must be saved, so that next time the service restarts, rules are not lost.

# sudo /sbin/iptables-save


For saving rules in Ubuntu.

# /sbin/service iptables save


For RedHat/CentOS. Or

# /etc/init.d/iptables save

You can also use : iptables -F
to clear the currently configured rules.


So, this was some basic rules to configure firewalls in your Linux system. You can always refer the man page of iptables for more information!