DETERRENCE TECHNIQUE IN
NETWORK SECURITY
Submitted By
T.M.ANAND BABU
R.B.NAVEEN
Pre-Final yr - IT
ABSTRACT
our computer. Prevention measures help us to stop unauthorized users (also known as
"intruders") from accessing any part of our computer system. Detection helps us to
determine whether or not someone attempted to break into our system, if they were
the process of monitoring the events occurring in a computer system or network and
or network. Deterrence systems are also classified based on the types of systems they
monitor. The two main systems monitored for intrusions are host-based systems and
network-based systems. Host-based IDPS attempt to detect attacks on a particular
machine. This is typically done through analysis of a computer's log files. We typically
monitor the system, event and security logs on Windows NT and syslog in UNIX
environments. When any of these files changes, the system compares the new log entry
with attack signatures to see if there is a match. If so, the system responds with
administrator alerts and other calls to action. Finally, some products listen to port activity
and alert administrators when specific ports are accessed. Host-based systems monitor
user and file access activity, changes to file permissions, attempts to install new
executables and/or attempts to access privileged services. This paper covers Password
attacks, Scanning attacks, Sniffing attacks and Spoofing attacks. This paper is developed
INTRODUCTION
secure company networks. Ideally, an IDPS has the capacity to detect all intrusions in
real time and to take action to stop the attack. The IDPS system uses a concurrent
monitoring strategy for simultaneously detecting the various attacks and also determining
1. Network based.
2. Host Based.
A network IDPS is a program that requires only one installation. The application scans all
application acts both as a manager and as an agent. The network acts passively, and the
● Network-based IDPS may have difficulty processing all packets on large or
busy networks.
● Many of the advantages of network-based IDPS do not apply to more modern
● Most network-based IDPS have problems dealing with network-based attacks
that involve fragmented packets. These malformed packets cause the IDPS to
[Figure: IDPS module overview. The password attack, scanning attack, sniffing attack and spoofing attack modules report events (invalid password, source IP address) to the IDPS, which responds with an alert message and mail.]
Host-based IDPS operate on information collected from within an individual computer
system. This vantage point allows host-based IDPS to analyze activities with great reliability
and precision, determining exactly which processes and users are involved in a particular
attack on the operating system. Host-based IDPS directly access and monitor the data files
and system processes usually targeted by attacks. Host-based IDPS normally utilize
information sources of two types: operating system audit trails and system logs.
Operating system audit trails are usually generated at the kernel level of the operating
system and are therefore more detailed and better protected than system logs.
ADVANTAGES
● Host-based IDPS, with their ability to monitor events local to a host, can detect
encrypted, when the host-based information sources are generated before data is
● When host-based IDPS operate on operating system audit trails, they can help
PASSWORD ATTACK
[Figure: Password attack module flow. Inputs: login name and password. Checks: login failures, SU violation, and password types (weak, empty, shadow). Outputs: alert message and mail to the hacker, the user and the administration.]
the password is wrong, then mail is sent to root saying that this user is trying to log in
as another user, and he gets the message in the terminal “if you use SU command your
login will be aborted so don’t use Su command”. If an end user logs in as another end user,
he gets the warning message “your login has blocked, contact Admin“, his login is closed
and his username is blocked temporarily, so he cannot log in with his username, and
mail is sent to root that this user has switched to that user. So the account of the
particular user is blocked. This is the case for the end user. While root is using the Su
command he can enter any end user's login and he will get only a warning message.
The root user will not be blocked and his settings will not be affected. So this
clearly states that root has permission to log in as an end user under any circumstances. By
using this module the security constraints on the SU command are tightly restricted for the end
user, so they cannot easily log in as another user, and switching to root has also been
LOGIN FAILURES
passwords, or guess passwords from a dictionary, guess phone numbers, and so on. So
commonly, while passwords are being guessed, login failures occur. Our paper detects
the login failures: when there are three consecutive login failures it finds the username
and blocks it, so that even if he then gives the exact password he cannot enter, because
we are using further protections such as the Pluggable Authentication Module and IP
Tables, so it cannot be broken easily; only the Admin has the right to unblock the particular user
BLANK PASSWORD:
In the Blank password sub-module, the settings of the /etc/passwd file are checked,
the details of each user are obtained and the password field is checked. If the password
field contains a password then there is no problem; otherwise, if the password field is
empty, it displays the user details: the account has no password, so anyone can use this
login, and a hacker can easily extract data through it.
/etc/passwd file
This file has various fields: login name, encrypted password, UID, username,
home and shell. The password in this file is world viewable. So it is necessary that the
IDPS checks whether the file is shadowed or not; if the file is not shadowed it
In the shadow check, the shadow file /etc/shadow is also examined: if the fields
are encrypted then there is no problem; if not, there is a possibility that no password is
required for that login. So there is an Empty shadow field check, and the file permissions of
files like /etc/shadow, /etc/group and so on should be changed to read-only for the root
user only. Then no end user can read these files, so security is high and a hacker
cannot obtain them from an end user, because these files cannot be read by the end user, so
he cannot add any statement to gain access as an end user. By reading this file, he cannot get
enough information to hack the system. So this Shadow password module changes the file
permissions of some files so that they can be viewed only by root, and also sets characteristics such as the sticky bit.
User: H7e9JL:10063:0:30:7:1:
The shadow file has various fields: username, password, days since the
password was last changed, days before it may be changed, days before it must be changed,
warning days, and disable days.
WEAK PASSWORD:
In the Weak password check, normally the Linux operating system gives some
information while the end user is setting a password: that it is the same as the username, that it
doesn't contain enough letters, that the characters are not different enough, that it is based on
a dictionary word, and so on. But sometimes weak passwords are accepted: when you set one from
the root shell it will warn you but it accepts the password. Weak passwords are easily
breakable, and there are many tools that will break them; a hacker can also misuse these tools
to break the passwords of end users and root. If the passwords are breakable then they are weak
passwords, so the module gets the details of the username and the password which was broken, and it has six
rules for getting a good password. When we follow the six rules then no one can break our
● Use uppercase letters and lowercase letters, and mix the lowercase and
uppercase letters.
If a password is broken, the broken password's details are stored in a file, and after breaking
the passwords the program mails the particular user, warning that your password is a
weak password and can easily be broken; it mails the details that this is your
password, so when you are making a password follow these rules, and it will contain
2. Unblocking.
blocked user will be present in this list. Even if the user gives the exact password
UNBLOCKING
In Unblocking, the admin has the right to unblock a particular user. This
program runs on the server system, so if the Admin wishes to unblock a particular user he
SCANNING ATTACK
[Figure: Scanning attack module flow. Input: the hacker's IP address. Outputs: alert message, alert and mail to the hacker, the user and the administration.]
Before a cracker can attempt to break into our network in any way, the cracker needs to
various networking services to exploit the vulnerabilities, if any exist. Port
scanners check accessible hosts for open networking ports to see which services are
listening for connections. Another reason crackers scan for particular ports is to find
Trojan horses that may already be installed on the target machine. For example, the
remote-control Trojan horse Back Orifice listens for connections by default on port
31337. Crackers will often scan whole ranges of TCP/IP host addresses sequentially,
looking for ports that match known Trojan horses that may be listening for a connection.
Nmap.
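As an added example (not the paper's module), a Python detector for the scanning behaviour described above: a source that touches many distinct ports within a short window is reported as a scanner, and any probe of the Back Orifice default port named in the text is flagged separately. The connection records, the threshold and window, and the function names are assumptions of this example.

```python
from collections import defaultdict, deque

# Constructed connection-attempt records (src_ip, dst_port, timestamp_seconds); not real traffic.
SAMPLE_EVENTS = [
    ("10.0.0.5", 22, 100.0), ("10.0.0.5", 80, 100.2), ("10.0.0.5", 443, 100.4),
    ("10.0.0.5", 31337, 100.6), ("10.0.0.5", 8080, 100.8), ("10.0.0.5", 3306, 101.0),
    ("10.0.0.9", 80, 100.0), ("10.0.0.9", 80, 105.0), ("10.0.0.9", 443, 140.0),
]

# Port named in the text as a known Trojan horse listener; extend with a real watch list.
TROJAN_PORTS = {31337: "Back Orifice default port"}


class PortScanDetector:
    """Sliding-window detector: a source touching more than `threshold` distinct
    ports within `window` seconds is reported as a port scanner."""

    def __init__(self, threshold=5, window=10.0):
        self.threshold = threshold
        self.window = window
        self.history = defaultdict(deque)  # src -> deque of (timestamp, port)

    def observe(self, src, port, ts):
        q = self.history[src]
        q.append((ts, port))
        # Drop attempts older than the window so a slow, legitimate client is not flagged.
        while q and ts - q[0][0] > self.window:
            q.popleft()
        distinct = {p for _, p in q}
        alerts = []
        if len(distinct) > self.threshold:
            alerts.append(("scan", src, sorted(distinct)))
        if port in TROJAN_PORTS:
            alerts.append(("trojan-port-probe", src, port))
        return alerts


def analyse(events, threshold=5, window=10.0):
    """Run the detector over a record list and return every alert it raised, in order."""
    det = PortScanDetector(threshold, window)
    out = []
    for src, port, ts in events:
        out.extend(det.observe(src, port, ts))
    return out


if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(alert)
```

In deployment the records would come from firewall or connection logs; once a source is reported, the response the module describes (alert message, mail, blocking the address) can be driven from the returned tuples.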
SNIFFING ATTACK
[Figure: Sniffing attack module flow. Check whether the NIC is in default or promiscuous mode; input: IP address; outputs: alert message, alert and mail to the hacker, the user and the administration.]
Packet sniffers are utilities that can monitor and log network traffic by retrieving or
displaying packet information passing through their host computer. These programs may
utilities may also be used to eavesdrop on network communications and therefore may
Packet sniffing programs read packets intended for other systems by putting the
card that allows a knowledgeable individual to gain administrative control over the local
system. This again highlights the need for policy, user awareness, and levels of trust for
local users. Even if local administrators have tight physical controls over workstations,
one person with a laptop may find an open network port, or disconnect a running machine
While in promiscuous mode, the listening system is able to read the packets broadcast
over its network segment. An Ethernet card in promiscuous mode will not only
receive broadcast traffic on a local segment, but will also display traffic that would
normally be ignored by all network cards except the one with the MAC address
referenced in the TCP header. This may be a cause for concern if sensitive data is not
IP SPOOFING
[Figure: IP spoofing module flow. Input: the hacker's IP address. Checks: whether the IP address belongs to the network, and the firewall status. Response: blocking the particular machine; the server is the protected host.]
IP spoofing refers to sending a packet to a host that appears to come from somewhere
other than its actual source. The attacking client sends a SYN message that contains a
false source address and port. The host then replies with a SYN-ACK message and
waits, holding a half-open connection, for the expected final reply. The host will be waiting for
floods with spoofed IPs to an IP broadcast address are used for sending the same
If the information is sent to the broadcast address, it need only be sent once to
reach all machines with that broadcast address. Thus by spoofing the victim's IP at an
1. /var/log/messages
In the /var/log directory, there is a file called messages. Inside is a long list of
events (in chronological order), with each line representing an individual log
entry. The /var/log/messages file is somewhat of a catch-all for many of the
log messages passed by the kernel and programs that generate loggable
events. Most errors and system messages can be found in this file.
2. /var/log/secure
Another log file is the /var/log/secure file, which contains information specific
to the user who is accessing the system, how the user accessed the system, and
CONCLUSION
Today’s interconnected computer networks are a realm filled with people who have
millions of man hours ready to employ against our strongest security strategy. The only
way to beat them is to know that they are attempting an attack and counter their attempts.
IDPS is mainly employed to secure computer networks. Ideally, an IDPS has the capacity
to detect all intrusions in real time and to take action to stop the attack. The IDPS
system uses a concurrent monitoring strategy for simultaneously detecting the various
attacks and also determining the path taken by the attacker or the allies of the attacker.
Strategy is the key: selecting the right IDS strategy will be instrumental in ensuring