
Using Nagios for Intrusion detection Miguel Cárdenas Montes Elio Pérez Calle Francisco Javier Rodríguez Calonge.


1 Using Nagios for Intrusion detection
Miguel Cárdenas Montes, Elio Pérez Calle, Francisco Javier Rodríguez Calonge

2 Overview
● The construction of the GRID will require an effective security system.
● It must prevent the GRID from being used by unauthorized persons, and prevent the system from being used to launch attacks against other systems.
● In this context, the Intrusion Detection System acquires special importance.

3 Aims
● Our aim has been the study, evaluation and implementation of a Host Intrusion Detection System based on Open Source software.
● A system based on technologies such as Nagios, SNMP, Tripwire and Chkrootkit has been deployed at CIEMAT, the University of Barcelona and the Universidad Autónoma de Madrid.

4 Nagios Characteristics
● Nagios is a system designed for monitoring computers, detecting failures in services and sending notifications to administrative contacts.
● Nagios is not specifically an IDS.
● Nagios has a modular design with a web interface, a set of plugins, support for queries over the SNMP protocol, and the ability to execute scripts on remote hosts over SSH.

5 Nagios: Threats
● As soon as an intruder gains access to a system through a vulnerability, he frequently tries to conceal his presence and to create privileged access, with actions such as:
  – creating a superuser account (uid=0),
  – creating a user with an empty password,
  – capturing information with a sniffer,
  – hiding his files in the /dev directory.

6 Nagios: Use of scripts
● Four scripts have been created for monitoring:
  – how many users there are with uid=0,
  – users without a password,
  – interfaces in promiscuous mode,
  – regular files hidden in the /dev directory.
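The four checks of this slide written as POSIX shell functions that return Nagios exit codes, as an added example and not the authors' scripts. File and directory paths are parameters so the checks can be pointed at copies; the promiscuous-mode check parses `ip link` output fed on stdin, which is an assumption (the presentation relies on ifconfig).

```shell
#!/bin/sh
# check_hids_basics.sh: added example, not the authors' scripts.
# Nagios-style plugin functions (exit 0 = OK, 2 = CRITICAL) for the four
# checks of slide 6. Paths are parameters so the checks can run on copies.

# Count accounts with uid 0; anything beyond root itself is suspicious.
count_uid0() {
    awk -F: '$3 == 0 { n++ } END { print n+0 }' "${1:-/etc/passwd}"
}

# Accounts whose password field in the shadow file is empty
# (an empty second field allows login without a password).
empty_password_users() {
    awk -F: '$2 == "" { print $1 }' "${1:-/etc/shadow}"
}

# Regular files inside the device directory: /dev should hold device nodes,
# directories and symlinks, so a regular file there is a hiding place.
regular_files_in_dev() {
    find "${1:-/dev}" -type f 2>/dev/null
}

# Interfaces flagged PROMISC in `ip link` output read from stdin
# (assumption: iproute2 format "2: eth0: <BROADCAST,...,PROMISC,UP> mtu ...").
promisc_interfaces() {
    awk '/^[0-9]+: / && /PROMISC/ { sub(/:$/, "", $2); print $2 }'
}

# Combine the four checks into one Nagios verdict: prints the status line
# and returns the Nagios exit code. Args: passwd shadow devdir linkfile
nagios_verdict() {
    crit=""
    n=$(count_uid0 "$1"); [ "$n" -gt 1 ] && crit="$crit uid0=$n"
    e=$(empty_password_users "$2"); [ -n "$e" ] && crit="$crit nopass=$(echo $e | tr ' ' ',')"
    f=$(regular_files_in_dev "$3"); [ -n "$f" ] && crit="$crit devfiles=$(echo "$f" | wc -l | tr -d ' ')"
    p=$(promisc_interfaces < "$4"); [ -n "$p" ] && crit="$crit promisc=$(echo $p | tr ' ' ',')"
    if [ -n "$crit" ]; then echo "CRITICAL -$crit"; return 2; fi
    echo "OK - no extra uid0, empty password, /dev regular file or promiscuous NIC"
    return 0
}

# Stand-alone usage: check_hids_basics.sh /etc/passwd /etc/shadow /dev <ip-link-output-file>
[ $# -eq 4 ] && nagios_verdict "$@"
```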

7 What does it not cover?
● A knowledgeable malicious user will try to modify certain system binaries to conceal his presence.
● Some of those binaries are: ifconfig, netstat, ps, ls, top...
● In this case our scripts are not useful. Why?

8 A knowledgeable malicious user
● The modified ps will conceal the execution of the sniffer installed by the intruder.
● In the case of ifconfig, it will hide the promiscuous mode of the NIC.
● The altered ls will not show the directory where the intruder has installed his files.

9 Tripwire. What is it?
● Tripwire is an intrusion detection tool able to detect and pinpoint changes, such as:
  – File additions, deletions and modifications.
  – File permissions and properties.
  – Inode number and number of links.
  – User id and group id of the owner.
  – Inode and file creation and modification timestamps.
  – Hash checking: RSA, MD5, MD4, MD2, ...
  – Device number to which an inode points.

10 DB/reports. How does Tripwire work?
● To detect these changes, Tripwire builds an encrypted database of the monitored files.
● Periodically, consistency is checked against this reference database.
● A report is created with the most relevant information.

11 Integrity of the Tripwire database
● To test the integrity of the Tripwire database on the remote nodes, a checksum is computed and the resulting hash is inserted into the MIB tree.
● An SNMP request is used to check the hash of the database against the information resident on the central platform.

12 Use of Tripwire
● Our aim: analyze the consistency of a set of system binaries.
● These binaries have been chosen because they are the principal targets of intruders.
● The chosen binaries are: ls, mkdir, ps, top, login, mount, netstat, su, ifconfig, syslogd, find, killall, passwd, rpc.mountd, rpc.nfsd, tcpd, xinetd.

13 What does it not cover?
● With the popularization of automated attack tools, gaining privileged access and concealing it has become an extremely simple task.
● After the reconnaissance phase and obtaining privileged access, the intruder focuses on installing a rootkit to conceal his presence.

14 Chkrootkit. What is it?
● Chkrootkit is a command line tool that detects the presence of rootkits by:
  – Checking for promiscuous mode on the NIC.
  – Comparing ps output with /proc information.
  – Detecting deleted entries in the wtmp file.
  – Checking for the fingerprints of known rootkits.

15 Use of Chkrootkit
● To integrate Chkrootkit with Nagios, a script has been created that is executed by snmpd.
● Its output is inserted into the MIB tree.
● An SNMP request is used to gather the information.
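The central-platform side of the SNMP checks from slides 11 and 15, as an added example that is not the authors' code. It assumes the node publishes the hash of its Tripwire database through a net-snmp `extend` entry named tripwiredb (the chkrootkit script of slide 15 can be published through the same mechanism) and that the database lives at /var/lib/tripwire/<hostname>.twd; both are assumptions, not details from the presentation.

```shell
#!/bin/sh
# check_tripwire_db.sh: added example, not the authors' code. Central-platform
# side of the integrity check from slide 11. Assumed snmpd.conf line on the node
# (net-snmp "extend" publishes a command's output in NET-SNMP-EXTEND-MIB):
#   extend tripwiredb /usr/local/bin/tripwire_db_hash.sh
# where that script prints the sha1sum of /var/lib/tripwire/$(hostname).twd
# (assumed path). The chkrootkit script of slide 15 can be published the same way.
# Exit codes follow the Nagios convention: 0 OK, 2 CRITICAL, 3 UNKNOWN.

# Extract the value from an snmpget line such as
#   NET-SNMP-EXTEND-MIB::nsExtendOutputFull."tripwiredb" = STRING: <hash>
# Prints nothing for anything else (timeouts, noSuchObject, ...).
parse_snmp_string() {
    sed -n 's/^.*STRING: *"\{0,1\}\([^"]*\)"\{0,1\} *$/\1/p'
}

# Query the node (net-snmp snmpget, SNMPv2c) and print the published hash.
fetch_remote_hash() {
    snmpget -v2c -c "$2" "$1" \
        'NET-SNMP-EXTEND-MIB::nsExtendOutputFull."tripwiredb"' 2>/dev/null \
        | parse_snmp_string
}

# Compare the received hash with the reference kept on the central platform;
# prints the Nagios status line and returns the Nagios exit code.
evaluate_hash() {
    reference=$1; received=$2
    if [ -z "$received" ]; then
        echo "UNKNOWN - no hash received from node"; return 3
    elif [ "$received" != "$reference" ]; then
        echo "CRITICAL - Tripwire database hash changed ($received)"; return 2
    fi
    echo "OK - Tripwire database hash matches reference"; return 0
}

# Usage: check_tripwire_db.sh <host> <community> <reference-hash-file>
# The reference file holds the hash recorded when the database was last
# legitimately (re)initialised on that node.
main() {
    reference=$(cat "$3") || { echo "UNKNOWN - cannot read $3"; return 3; }
    received=$(fetch_remote_hash "$1" "$2")
    evaluate_hash "$reference" "$received"
}
[ $# -eq 3 ] && main "$@"
```

A changed hash with no corresponding Tripwire re-initialisation on the node is the signal the slide is after: the reference database itself was altered, not just a monitored binary.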

16 Conclusions
● The deployment of a HIDS built from several GNU technologies is possible.
● In the facilities implemented at CIEMAT, the University of Barcelona and the Universidad Autónoma de Madrid, we monitor the computing nodes in detail and are capable of detecting the presence of an intruder from his first steps.

17 Nagios snapshot I

18 Nagios snapshot II

