
UNAUTHENTICATED ACCESS DENIAL & DETERRENCE TECHNIQUE IN NETWORK SECURITY

Submitted By

T.M.ANAND BABU
R.B.NAVEEN

Pre-Final yr - IT
KLN College of Engineering
Madurai.

ABSTRACT

Computer security is the process of preventing and detecting unauthorized use of our computer. Prevention measures help us stop unauthorized users (also known as "intruders") from accessing any part of our computer system. Detection helps us determine whether or not someone attempted to break into our system, whether they were successful, and what they may have done.

In this paper we propose a technique called the Deterrence technique: the process of monitoring the events occurring in a computer system or network and analyzing them for signs of intrusions, defined as attempts to compromise the confidentiality, integrity or availability of a computer or network, or to bypass its security mechanisms. Deterrence systems are also classified by the type of system they monitor. The two main systems monitored for intrusions are host-based systems and network-based systems. A host-based IDPS attempts to detect attacks on a particular machine. This is typically done through analysis of the computer's log files: we typically monitor the system, event and security logs on Windows NT and syslog in UNIX environments. When any of these files changes, the system compares the new log entry with attack signatures to see if there is a match. If so, the system responds with administrator alerts and other calls to action. Finally, some products listen to port activity and alert administrators when specific ports are accessed. Host-based systems monitor user and file access activity, changes to file permissions, attempts to install new executables and/or attempts to access privileged services. This paper covers the Password attack, Scanning attack, Sniffing attack and Spoofing attack. The work is developed using C and shell scripting in a Linux environment.

INTRODUCTION

An intrusion detection and prevention system (IDPS) is mainly employed to secure company networks. Ideally, an IDPS has the capacity to detect all intrusions in real time and to take action to stop the attack. The IDPS system uses a concurrent monitoring strategy for simultaneously detecting the various attacks and also determining the path taken by the attacker or the attacker's allies.

TYPES OF INTRUSION DETECTION

1. Network based.

2. Host Based.

NETWORK BASED IDPS

A network IDPS is a program that requires only one installation. The application scans all transmissions on a subnet to determine real-time network activity. This type of application acts both as a manager and as an agent. The network itself acts passively, and the host the IDPS is installed on does all the work.

DISADVANTAGES OF NETWORK BASED IDPS

● A network-based IDPS may have difficulty processing all packets in large or busy networks.

● Many of the advantages of a network-based IDPS do not apply to more modern switch-based networks.

● A network-based IDPS cannot analyze encrypted information. This problem is increasing as more organizations (and attackers) use virtual private networks.

● Most network-based IDPS have problems dealing with network-based attacks that involve fragmented packets. These malformed packets can cause the IDPS to become unstable and crash.

HOST BASED IDPS

[Figure: host-based IDPS overview. Modules: password attack, scanning attack, sniffing attack, spoofing attack. Inputs: invalid password, IP address. The IDPS raises an alert message and sends mail.]

A host-based IDPS operates on information collected from within an individual computer system. This allows a host-based IDPS to analyze activities with great reliability and precision, determining exactly which processes and users are involved in a particular attack on the operating system. A host-based IDPS directly accesses and monitors the data files and system processes usually targeted by attacks. Host-based IDPS normally utilize two types of information sources: operating system audit trails and system logs. Operating system audit trails are usually generated at the kernel level of the operating system and are therefore more detailed and better protected than system logs.

ADVANTAGES

● A host-based IDPS, with its ability to monitor events local to a host, can detect attacks that cannot be seen by a network-based IDPS.

● A host-based IDPS can operate in an environment in which network traffic is encrypted, when the host-based information sources are generated before data is encrypted and/or after the data is decrypted at the destination host.

● Host-based IDPS are unaffected by switched networks.

● When a host-based IDPS operates on operating system audit trails, it can help detect Trojan horses or attacks that involve software integrity breaches.

PASSWORD ATTACK

[Figure: password attack module. It checks login failures (login, password), su violations (login name) and password types (weak, empty and shadow passwords); each check raises an alert message (hacker, user, administration) and sends mail.]

CHECK SU (SWITCH USER) VIOLATIONS


In the su violation check, when an end user tries to log in as another end user and the password is wrong, a mail is sent to root saying that this user is trying to log in as another user, and the user gets a message in the terminal: "if you use the su command your login will be aborted, so don't use the su command". If the end user does log in as another end user, he gets the warning message "your login has been blocked, contact Admin", his login is closed, his username is blocked temporarily so that he cannot log in with it, and a mail is sent to root saying that this user has switched to that user. So the account of that particular user is blocked. This is the case for an end user. When root uses the su command he can enter any end user's login and gets only a warning message; the root user is not blocked and his settings are not affected. This clearly states that root has permission to log in as an end user under any circumstances. By using this module the su command is highly restricted for end users: they cannot easily log in as another user, switching to root is also restricted, and so an end user cannot gain root access.

LOGIN FAILURES

[Figure: login failure check. Flow labels: user logs on to system; 8-bit password; 56-bit keyword; 64-bit text; padding 2 zero bits; 66-bit text; 11 six-bit values; stored DB value; authentication; checks.]
This sub-module handles login failures. Normally a hacker will try to break passwords or guess them from a dictionary, from phone numbers and so on, so login failures commonly occur while passwords are being searched for. Our system detects these login failures: when there are three consecutive login failures it finds the username and blocks it, so that even if the attacker then gives the exact password he cannot enter. Because we also use the Pluggable Authentication Module and iptables, the block cannot be broken easily; only the Admin has the right to unblock the particular user.
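The su violation check and the three-failure lock described in the two sections above, as an added shell example that is not the paper's own code. It reads /var/log/secure-style lines (the sample below is constructed; the host name, users and times are made up) and reports, in the way the paper's mail to root would, who switched user and who has been blocked. The actual lock and unlock commands are left to the administrator and only named in a comment.

```shell
#!/bin/sh
# Added example, not the paper's code: the su-violation and login-failure
# checks, run over constructed /var/log/secure-style lines. The line layouts
# follow the classic login(1) and su(1) syslog formats.

SAMPLE_SECURE_LOG='Mar  1 10:00:01 host su: FAILED SU (to root) alice on pts/0
Mar  1 10:00:05 host su: (to root) root on pts/1
Mar  1 10:00:09 host su: (to bob) alice on pts/0
Mar  1 10:01:00 host login[1201]: FAILED LOGIN 1 FROM tty1 FOR carol, Authentication failure
Mar  1 10:01:04 host login[1201]: FAILED LOGIN 2 FROM tty1 FOR carol, Authentication failure
Mar  1 10:01:08 host login[1201]: FAILED LOGIN 3 FROM tty1 FOR carol, Authentication failure
Mar  1 10:02:00 host login[1250]: FAILED LOGIN 1 FROM tty2 FOR dave, Authentication failure
Mar  1 10:02:10 host login[1250]: LOGIN ON tty2 BY dave
Mar  1 10:02:20 host login[1250]: FAILED LOGIN 1 FROM tty2 FOR dave, Authentication failure'

# su_violations LOG: print "USER TARGET" for every su attempt, failed or
# successful, made by a non-root user. Root's own use of su is not reported,
# matching the paper's rule that root may switch to any account.
su_violations() {
    printf '%s\n' "$1" | awk '
        / su: / {
            # "su: [FAILED SU] (to TARGET) USER on TTY"
            if (!match($0, /\(to [^)]*\)/)) next
            target = substr($0, RSTART + 4, RLENGTH - 5)
            split(substr($0, RSTART + RLENGTH), rest, " ")
            if (rest[1] != "root") print rest[1], target
        }'
}

# locked_users LOG [LIMIT]: print each user whose run of consecutive failed
# logins reaches LIMIT (the paper blocks after three). A successful login
# resets the run; a user is printed once even if failures continue.
locked_users() {
    printf '%s\n' "$1" | awk -v limit="${2:-3}" '
        /FAILED LOGIN/ {
            for (i = 1; i <= NF; i++) if ($i == "FOR") { u = $(i + 1); sub(/,$/, "", u) }
            fails[u]++
            if (fails[u] >= limit && !(u in locked)) { locked[u] = 1; print u }
            next
        }
        /LOGIN ON/ {
            for (i = 1; i <= NF; i++) if ($i == "BY") u = $(i + 1)
            fails[u] = 0
        }'
}

# alert_text LOG: the message the paper mails to root, built from both checks.
alert_text() {
    su_violations "$1" | awk '{ print "su violation: " $1 " switched to " $2 }'
    locked_users "$1"  | awk '{ print "blocked after repeated login failures: " $1 }'
}

# Blocking itself is an administrator action (for example usermod -L USER,
# which the unblocking module would reverse with usermod -U USER).
alert_text "$SAMPLE_SECURE_LOG"
```

On a live host the functions take `$(cat /var/log/secure)` instead of the sample; the limit argument lets the three-failure threshold be tuned without touching the parser.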

BLANK PASSWORD:

The blank password sub-module checks the settings of the /etc/passwd file, retrieves the details of each user and checks the password field. If the password field contains a password there is no problem; if it is empty, the module displays the user details and reports that the account has no password, since anyone could use this login and a hacker could easily extract data through it.

/etc/passwd file

This file has various fields: login name, encrypted password, UID, username, home and shell. The password in this file is world viewable, so the password file has to be shadowed.

The IDPS checks whether the file is shadowed or not; if it is not shadowed, it insists that the user shadow the password file.


SHADOW PASSWORD:

The shadow check also examines the shadow file, /etc/shadow. If the fields are encrypted there is no problem; if not, there is a possibility that no password is required for that login, i.e. an empty shadow field. The file permissions of files like /etc/shadow, /etc/group and so on should be changed to read-only for the root user, so that no end user can read them. Security is then higher: a hacker cannot obtain these files from an end user, since end users cannot read them, and so cannot add any entry to gain access as an end user; by reading these files he cannot get enough information to hack the system. So the shadow password module changes the file permissions of some files so that they can be viewed only by root, and also sets the sticky bit on some.

Some of the shadow features include

1. Encoded passwords are accessible only by root.

2. Account information can be aged: users are automatically prompted to change their password from time to time.

3. Requirements for users to create good passwords.

An /etc/shadow entry might look like

User:H7e9JL:10063:0:30:7:1:

The shadow file has various fields: username, password, days since the password was changed, days before it may be changed, days before it must be changed, warning days and disable days.
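The blank-password and shadow checks of the three sections above, as an added shell example that is not the paper's own code. The passwd and shadow contents below are constructed (the hashes are placeholders); the functions report unshadowed hashes, empty password fields and locked accounts, label the fields of the paper's sample shadow entry, and test whether a file mode keeps a file readable by its owner alone.

```shell
#!/bin/sh
# Added example, not the paper's code: blank-password, shadow and
# file-permission checks run over constructed /etc/passwd and /etc/shadow
# contents. Users and hashes are constructed for the example.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob::1001:1001:Bob:/home/bob:/bin/bash
legacy:H7e9JL:1002:1002:Old style:/home/legacy:/bin/sh'

SAMPLE_SHADOW='root:$6$saltsalt$hashhashhash:19000:0:99999:7:::
alice:$6$saltsalt$otherhash:19000:0:30:7:1::
bob::19000:0:99999:7:::
legacy:!:19000:0:99999:7:::'

# unshadowed_users PASSWD: users whose passwd entry still holds a hash instead
# of the "x" shadow marker (or a lock marker), so the hash is world readable.
unshadowed_users() {
    printf '%s\n' "$1" | awk -F: '$2 != "" && $2 != "x" && $2 !~ /^[!*]/ { print $1 }'
}

# blank_password_users FILE: users with an empty password field; works on
# passwd or shadow content. Such a login needs no password at all.
blank_password_users() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# locked_shadow_users SHADOW: users whose hash field starts with "!" (locked).
locked_shadow_users() {
    printf '%s\n' "$1" | awk -F: '$2 ~ /^!/ { print $1 }'
}

# shadow_fields LINE: label the fields of one shadow entry in the order the
# paper lists them (ageing values are counted in days).
shadow_fields() {
    printf '%s\n' "$1" | awk -F: '{
        printf "user=%s last_change=%s min=%s max=%s warn=%s inactive=%s expire=%s\n",
               $1, $3, $4, $5, $6, $7, $8 }'
}

# owner_only_mode MODE: succeed when an ls -l mode string such as "-rw-------"
# grants nothing to group or others, which is what the paper wants for
# /etc/shadow and similar files.
owner_only_mode() {
    case "$1" in
        ????------) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_live: the same checks on the real files (root is needed to read
# /etc/shadow). Report only; nothing is changed.
audit_live() {
    unshadowed_users "$(cat /etc/passwd)" | sed 's/^/unshadowed: /'
    if [ -r /etc/shadow ]; then
        blank_password_users "$(cat /etc/shadow)" | sed 's/^/blank: /'
    fi
    mode=$(ls -ld /etc/shadow 2>/dev/null | cut -c1-10)
    owner_only_mode "$mode" || echo "/etc/shadow mode $mode is readable beyond root"
}

shadow_fields 'User:H7e9JL:10063:0:30:7:1:'
```

The paper's own sample line, fed to `shadow_fields`, comes back as `user=User last_change=10063 min=0 max=30 warn=7 inactive=1 expire=`, which is exactly the field order the text describes.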

WEAK PASSWORD:

Normally, while the end user is setting a password, the Linux operating system gives some information: that the password is the same as the username, that it does not contain enough letters, that the characters are not different enough, that it is based on a dictionary word, and so on. But sometimes weak passwords are accepted: when you set one from the root shell it warns you but accepts the password anyway. Weak passwords are easily breakable, and there are many tools that break weak passwords; a hacker can misuse these tools to break the passwords of end users and of root. If a password is breakable it is a weak password, so the module gets the details of the username and the password that was broken, and it has six rules for choosing a good password. When we follow the six rules no one can break our password. The rules are as follows:

● Use uppercase and lowercase letters, and mingle them.

● Make use of alphanumeric values and special characters.

● Don't use dictionary words or well-known words.

● Don't use telephone numbers, addresses, vehicle numbers and so on.

If a password is broken, the details of the broken password are stored in a file, and the program mails the particular user a warning that his password is weak and can easily be broken; the mail includes the rules mentioned above to follow when making a password.
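A checker for the rules just listed, as an added shell example that is not the paper's own code. It also covers the "same as username" and "not enough letters" warnings the text attributes to Linux; the 8-character minimum, the six-digit run used to spot telephone-style numbers and the tiny word list standing in for /usr/share/dict/words are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the paper's code: checks a candidate password against the
# rules in the text and builds the warning mail the module sends. The length
# threshold and the word list are assumptions.
LC_ALL=C; export LC_ALL

# Constructed stand-in for a real word list such as /usr/share/dict/words.
DICTIONARY='password
welcome
madurai
letmein
qwerty'

# password_weaknesses PASSWORD USER: print one line per rule broken; print
# nothing when the password passes every rule.
password_weaknesses() {
    pw=$1
    user=$2
    lower=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
    luser=$(printf '%s' "$user" | tr '[:upper:]' '[:lower:]')
    # Letters only, so "Password1!" is still recognised as the word "password".
    core=$(printf '%s' "$lower" | tr -cd '[:lower:]')

    [ "$lower" = "$luser" ] && echo "same as username"
    [ ${#pw} -lt 8 ] && echo "shorter than 8 characters"
    case "$pw" in *[[:upper:]]*) ;; *) echo "no uppercase letter" ;; esac
    case "$pw" in *[[:lower:]]*) ;; *) echo "no lowercase letter" ;; esac
    case "$pw" in *[[:digit:]]*) ;; *) echo "no digit" ;; esac
    case "$pw" in *[![:alnum:]]*) ;; *) echo "no special character" ;; esac
    if [ -n "$core" ] && printf '%s\n' "$DICTIONARY" | grep -qx "$core"; then
        echo "dictionary word"
    fi
    # Six or more digits in a row look like a phone, vehicle or house number.
    case "$pw" in
        *[[:digit:]][[:digit:]][[:digit:]][[:digit:]][[:digit:]][[:digit:]]*)
            echo "contains a telephone-style digit run" ;;
    esac
    return 0
}

# weak_password_mail PASSWORD USER: the warning the paper mails to a user whose
# password broke a rule; empty when there is nothing to report.
weak_password_mail() {
    reasons=$(password_weaknesses "$1" "$2")
    [ -n "$reasons" ] || return 0
    printf 'To: %s\nSubject: your password is weak\n\n%s\n' "$2" "$reasons"
    printf 'Choose a password that mixes upper and lower case, includes digits and special characters, and is not a dictionary word or a telephone number.\n'
}

weak_password_mail 'alice' 'alice'
```

Because the word check is made on the letters alone, decorating a dictionary word with a digit and a symbol does not get it past the rule, which is the case the text's "based on the dictionary" warning is about.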

BLOCKED USER DETAILS

This module contains two sub-modules:

1. Blocked user details.

2. Unblocking.

BLOCKED USER DETAILS

This sub-module holds the details of the blocked users, and the name of each blocked user is present in this list. Even if such a user gives the exact password, he cannot log in to the system.

UNBLOCKING

In the unblocking sub-module the admin has the right to unblock a particular user. This program runs on the server system, so when the Admin wishes to unblock a particular user he can do so through this module.

SCANNING ATTACK

[Figure: scanning attack module. It checks for running services and scans for port numbers; on a hit from a hacker's IP address it raises an alert message (hacker, user, administration) and sends mail.]

Before a cracker can attempt to break into our network in any way, the cracker needs to know one or more of the following things:

What services do you have running?

Which programs are providing those services?

What kinds of product are protecting your network?

A cracker would launch attacks on our network at random, trying to connect to various networking services to exploit their vulnerabilities, if any exist. Port scanners check accessible hosts for open networking ports to see which services are listening for connections. Another reason crackers scan for particular ports is to find Trojan horses that may already be installed on the target machine. For example, the remote control Trojan horse Back Orifice listens for connections by default on port 31337. Crackers will often scan whole ranges of TCP/IP host addresses sequentially, looking for ports that match known Trojan horses that may be listening for a connection.

The crackers use tools like

Nmap.

SATAN (system administration tools for analyzing networks)
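The defender's side of the scanning section, as an added shell example that is not the paper's own code: spotting a port scan, and probes of the Back Orifice port the text names, from firewall log lines. The lines below imitate the netfilter LOG format with a constructed "IPT-DROP" prefix and documentation-range addresses; a source is treated as a scanner once it has touched a configurable number of distinct ports.

```shell
#!/bin/sh
# Added example, not the paper's code: port-scan and Trojan-port detection over
# constructed firewall log lines (netfilter LOG layout, "IPT-DROP" prefix and
# addresses are constructed).

SAMPLE_FW_LOG='Mar  1 11:00:00 host kernel: IPT-DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=21
Mar  1 11:00:00 host kernel: IPT-DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=22
Mar  1 11:00:01 host kernel: IPT-DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40003 DPT=23
Mar  1 11:00:01 host kernel: IPT-DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40004 DPT=25
Mar  1 11:00:02 host kernel: IPT-DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40005 DPT=80
Mar  1 11:00:02 host kernel: IPT-DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40006 DPT=31337
Mar  1 11:05:00 host kernel: IPT-DROP IN=eth0 SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=80
Mar  1 11:05:01 host kernel: IPT-DROP IN=eth0 SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=51001 DPT=80
Mar  1 11:05:02 host kernel: IPT-DROP IN=eth0 SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=51002 DPT=443
Mar  1 11:09:00 host kernel: IPT-DROP IN=eth0 SRC=192.0.2.99 DST=198.51.100.5 PROTO=TCP SPT=60000 DPT=31337'

# Ports the text associates with Trojan horses (Back Orifice on 31337).
TROJAN_PORTS='31337'

# scan_sources LOG [LIMIT]: print "SRC COUNT" for every source that touched at
# least LIMIT distinct destination ports (default 5), sorted by address.
scan_sources() {
    printf '%s\n' "$1" | awk -v limit="${2:-5}" '
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "" || dpt == "") next
            key = src SUBSEP dpt
            # Count each (source, port) pair once so retries do not inflate it.
            if (!(key in seen)) { seen[key] = 1; ports[src]++ }
        }
        END { for (s in ports) if (ports[s] >= limit) print s, ports[s] }' | sort
}

# trojan_port_hits LOG: print "SRC DPT" for every probe of a listed Trojan
# port, in log order.
trojan_port_hits() {
    printf '%s\n' "$1" | awk -v list="$TROJAN_PORTS" '
        BEGIN { n = split(list, p, " "); for (i = 1; i <= n; i++) trojan[p[i]] = 1 }
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (dpt in trojan) print src, dpt
        }'
}

# Live use feeds the kernel log instead, for example:
#   scan_sources "$(grep IPT-DROP /var/log/messages)"
scan_sources "$SAMPLE_FW_LOG"
trojan_port_hits "$SAMPLE_FW_LOG"
```

Counting distinct ports per source rather than raw packets is what separates the sequential scanner (six ports in two seconds) from the client that merely retried a web connection.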

SNIFFING ATTACK

[Figure: sniffing attack module. It checks whether the NIC is in default or promiscuous mode; on detection it raises an alert message with the IP address (hacker, user, administration) and sends mail.]

Packet sniffers are utilities that can monitor and log network traffic by retrieving or displaying the information in packets passing through their host computer. These programs may be helpful in diagnosing errors and monitoring traffic on a network. However, they may also be used to eavesdrop on network communications and therefore present a potential security risk.

Packet sniffing programs read packets intended for other systems by putting the listening computer's hardware into promiscuous mode. This typically requires administrative privileges to reconfigure the hardware, but physical access is always a trump card that allows a knowledgeable individual to gain administrative control over the local system. This again highlights the need for policy, user awareness, and levels of trust for local users. Even if local administrators have tight physical controls over workstations, one person with a laptop may find an open network port, or disconnect a running machine, in order to sniff packets on a local network segment.

While in promiscuous mode, the listening system is able to read the packets broadcast over its network segment. An Ethernet card in promiscuous mode will not only receive broadcast traffic on a local segment, but will also display traffic that would normally be ignored by all network cards except the one with the MAC address referenced in the TCP header. This may be a cause for concern if sensitive data is not properly encrypted. For example, someone listening on a network in promiscuous mode could easily obtain plain text passwords.
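The promiscuous-mode check of the sniffing module, as an added shell example that is not the paper's own code. It parses `ip link` style output (the listing below is constructed) and the hexadecimal flag word Linux exposes in /sys/class/net/<interface>/flags, where IFF_PROMISC is bit 0x100, and raises the module's alert for every interface found listening promiscuously.

```shell
#!/bin/sh
# Added example, not the paper's code: NIC promiscuous-mode detection from an
# `ip link` listing (constructed below) and from sysfs flag words.

SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff'

# promisc_interfaces LISTING: print the name of every interface whose flag set
# contains PROMISC.
promisc_interfaces() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+: / && $3 ~ /[<,]PROMISC[,>]/ {
            name = $2; sub(/:$/, "", name); print name
        }'
}

# flags_has_promisc HEXFLAGS: succeed when the kernel flag word (as read from
# /sys/class/net/<if>/flags, e.g. 0x1103) has IFF_PROMISC (0x100) set.
flags_has_promisc() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# live_promisc_interfaces: the same check on the running system, via sysfs
# when present and via `ip -o link` otherwise; one interface name per line.
live_promisc_interfaces() {
    if [ -d /sys/class/net ]; then
        for f in /sys/class/net/*/flags; do
            [ -r "$f" ] || continue
            if flags_has_promisc "$(cat "$f")"; then
                basename "$(dirname "$f")"
            fi
        done
    else
        promisc_interfaces "$(ip -o link show 2>/dev/null)"
    fi
}

# sniffing_alert LISTING: the alert the module raises for each hit.
sniffing_alert() {
    promisc_interfaces "$1" | awk '{ print "ALERT: interface " $1 " is in promiscuous mode" }'
}

sniffing_alert "$SAMPLE_IP_LINK"
```

Run from cron, `live_promisc_interfaces` gives the host-based check the text describes; a legitimate capture tool run by an administrator shows up the same way, so the alert should carry the interface name rather than act on its own.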

IP SPOOFING

[Figure: IP spoofing module. It checks for the IP address in the network and the firewall status, and blocks the particular machine; the server is alerted with the hacker's IP address.]

IP spoofing refers to sending a packet to a host that appears to come from some place other than its actual source. The attacking client sends a SYN message that contains a false source address and port. The host then replies with a SYN-ACK message and waits, holding a half-open connection, for the expected final reply. The host keeps waiting for the false connection without replying to genuine connections.

A Smurf attack is a DoS attack that uses IP spoofing. Smurf attacks direct ping floods with spoofed IPs at IP broadcast addresses, which are used for sending the same information to a large number of machines. Information sent to a broadcast address needs to be sent only once to reach all machines behind that broadcast address. Thus, by spoofing the victim's IP, an entire network will at once ping the victim's computer.
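Two defender-side checks for the SYN and Smurf scenarios above, as an added shell example that is not the paper's own code. The first counts the half-open (SYN-RECV) connections in `ss -tan` style output and lists the peers holding them; the second reports kernel settings that leave a host answering broadcast pings, accepting spoofed source addresses or running without SYN cookies. The socket listing is constructed, and the "hardened" values are assumptions rather than something the text specifies.

```shell
#!/bin/sh
# Added example, not the paper's code: half-open connection count from an
# `ss -tan` style listing (constructed) and a check of the sysctls that
# mitigate Smurf and spoofed-SYN traffic. Hardened values are assumptions.

SAMPLE_SS='State    Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN   0      128    0.0.0.0:80          0.0.0.0:*
SYN-RECV 0      0      198.51.100.5:80     203.0.113.9:51000
SYN-RECV 0      0      198.51.100.5:80     203.0.113.9:51001
SYN-RECV 0      0      198.51.100.5:80     203.0.113.10:40000
ESTAB    0      0      198.51.100.5:80     192.0.2.20:33000'

# half_open_count SS_OUTPUT: number of connections stuck waiting for the final
# ACK, i.e. the half-open state a SYN with a false source leaves behind.
half_open_count() {
    printf '%s\n' "$1" | awk '$1 == "SYN-RECV" { n++ } END { print n + 0 }'
}

# half_open_peers SS_OUTPUT: distinct peer addresses holding half-open
# connections, one per line, sorted.
half_open_peers() {
    printf '%s\n' "$1" | awk '$1 == "SYN-RECV" { sub(/:[0-9]+$/, "", $5); print $5 }' | sort -u
}

# weak_sysctls [ROOT]: print every setting not at its hardened value, reading
# from ROOT (default /proc/sys, so it can be pointed at a test tree).
weak_sysctls() {
    root=${1:-/proc/sys}
    for spec in \
        'net/ipv4/icmp_echo_ignore_broadcasts 1' \
        'net/ipv4/tcp_syncookies 1' \
        'net/ipv4/conf/all/rp_filter 1'; do
        key=${spec% *}
        want=${spec#* }
        if [ -r "$root/$key" ]; then
            have=$(cat "$root/$key")
        else
            have=missing
        fi
        # rp_filter=2 (loose reverse-path check) is also acceptable.
        if [ "$key" = net/ipv4/conf/all/rp_filter ] && [ "$have" = 2 ]; then
            continue
        fi
        [ "$have" = "$want" ] || echo "$key=$have (want $want)"
    done
}

echo "half-open connections: $(half_open_count "$SAMPLE_SS")"
half_open_peers "$SAMPLE_SS"
```

Live use is `half_open_count "$(ss -tan)"` and a plain `weak_sysctls`; a rising half-open count with few distinct peers, or one peer address that is not routable from the segment, is the symptom the text describes.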

The IDPS keeps track of the log messages; it checks two files.

1. /var/log/messages

In the /var/log directory there is a file called messages. Inside is a long list of events (in chronological order), with each line representing an individual log entry. The /var/log/messages file is somewhat of a catch-all for many of the log messages passed by the kernel and by programs that generate loggable events. Most errors and system messages can be found in this file.

2. /var/log/secure

Another log file is /var/log/secure, which contains information specific to the user who is accessing the system, how the user accessed the system, and possible breaches of security. Much of this information is also mirrored in /var/log/messages. By default all root logins get logged to this file.

CONCLUSION

Today's interrelated computer network is a realm filled with people who have millions of man-hours ready to employ against our strongest security strategy. The only way to beat them is to know that they are attempting an attack and to counter their attempts. An IDPS is mainly employed to secure computer networks; ideally, an IDPS has the capacity to detect all intrusions in real time and to take action to stop the attack. The IDPS system uses a concurrent monitoring strategy for simultaneously detecting the various attacks and also determining the path taken by the attacker or the attacker's allies. Strategy is the key: selecting the right IDS strategy will be instrumental in ensuring that the enterprise network remains secure.

(THIS PAPER IS SUPPORTED WITH IMPLEMENTATION PROCESS)

