8/7/2019 INTRUSION DETECTION & RECOVERY
Sudhirkumarmeena
INTRUSION DETECTION & RECOVERY
INTRUSION:
An intrusion is an activity on a system that we do not want to happen, carried out by some unauthorized party, which does harm to the system or to the company whose work is done on that system.
An attack may happen on the path (the network) or on the machine itself, but an intrusion means that the machine's files are used by unauthorized hands, the machine's files are deleted, or unnecessary files are added to the machine; in short, anything that does wrong work on the machine is known as intrusion.
For example, if we configure a server, any server such as DNS, MAIL, FTP, APACHE etc., and we implement security on it, and then some illegal party cracks that security and uses the server in an unauthorized way, that is known as intrusion.
INTRUSION RISKS:
The different types of risks an illegal party poses to a machine are as follows:
System downtime.
Theft of data.
Modification & changing of data.
Installation of software & applications.
Bad publicity & functional impact.
SYSTEM DOWNTIME:
This means the system can be brought down by many different methods. Suppose we send data continuously, one packet after another in sequence, and a large number of packets reach the system; the system does not understand what is happening, is unable to make a decision or takes a wrong decision, and goes down. This is an intrusion.
THEFT OF DATA:
This means important data is copied from a system without authorization and used for an illegal purpose; it is also known as intrusion.
MODIFICATION & CHANGING OF DATA:
The security of the system is cracked and files are modified or changed in a way that corrupts the system or makes it do wrong work; this is also an intrusion risk.
INSTALLATION OF SOFTWARE & APPLICATIONS:
The intruder gets onto the system and installs software or an application that works against the system's security. For example, installed software that emails out the history or other important information of the system, or that makes modifications in the system, i.e. anything that takes information out of a system, is also an intrusion risk.
BAD PUBLICITY AND FUNCTIONAL IMPACT:
If some illegal party attacks a system and does bad things with it, such as sending unauthorized (fake) emails to other systems, that amounts to bad publicity for the system; disclosing the financial information of a company to another company and developing a bad image of the company in the eyes of others is also a type of intrusion risk.
INTRUSION DETECTION:
If we detect the intrusion then at least we can recover from it; if we cannot detect it, we cannot do anything.
The different detection methods are as follows:
Monitor log messages.
Monitor the network and open ports.
Capture network traffic.
Implement a tool for detecting changes & modification of data.
MONITOR LOG MESSAGES:
In this method we monitor the log messages. Log messages are information about what the system has done at any time; all of it is captured by the system and put in the ********* file. There is a file syslog.conf in which the entries specify where the log messages of each service should be stored, as shown in the screenshot of the file syslog.conf.
# /etc/syslog.conf
If, after monitoring the log messages, we find out which service the intruder has started, we can kill it and then block that IP. By this we can detect the intrusion and secure the system. Up to now the log messages are on the same machine on which the attack was performed, and the hacker also deletes the log messages after doing his work. So, to remove this problem, we have to keep the log messages on another machine: maintain the log messages remotely, email them at fixed times with the help of crontab, save them on a pen drive, or check them in some such way. This makes the hacker's steps longer and the intrusion is not easily hidden, because the log messages are saved properly in another location which is unreachable to the hacker.
For ex:- (in /etc/syslog.conf on the machine being monitored; this sends all authpriv messages to the log server at 172.24.0.254; "#" is the root prompt)
authpriv.* @172.24.0.254
#service syslog restart
To receive the remote log messages, we modify the file syslog at the following path on the log server (the -r option makes syslogd accept messages from the network, and -m 0 turns off the periodic "-- MARK --" lines):
#vim /etc/sysconfig/syslog
SYSLOGD_OPTIONS="-r -m 0"
#service syslog restart
This is done on the machine that is to hold the remote log messages. Another way is the top command, with which we can monitor the running processes. Here we can see all the information such as the PID and the memory held by each process, by which the system is being slowed down, etc. If some process is illegal we kill it by its PID.
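The two detection steps described above (reading the collected log messages to find the source IP to block, and inspecting the running processes to find the one to kill by PID) can be automated with ordinary shell tools. The script below is an added example, not part of the original notes: the auth log lines and the ps-style process list are constructed sample data, and the thresholds (3 failed logins, 40% CPU) are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original notes): detection logic run over
# constructed sample data. Both input blocks below are made up for the
# example; the thresholds passed to the functions are assumptions.

# Constructed auth log lines in the style of the authpriv messages that
# the syslog.conf entry above forwards to the log server.
SAMPLE_AUTH_LOG='Aug  7 10:01:02 srv sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Aug  7 10:01:03 srv sshd[2101]: Failed password for root from 203.0.113.7 port 51023 ssh2
Aug  7 10:01:05 srv sshd[2102]: Failed password for admin from 203.0.113.7 port 51030 ssh2
Aug  7 10:01:06 srv sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 51031 ssh2
Aug  7 10:02:10 srv sshd[2110]: Accepted password for alice from 192.0.2.25 port 40001 ssh2
Aug  7 10:03:11 srv sshd[2111]: Failed password for alice from 192.0.2.25 port 40002 ssh2
Aug  7 10:03:20 srv sshd[2112]: Accepted publickey for bob from 192.0.2.30 port 40010 ssh2'

# Read log text on stdin and print "count ip" for every source IP that has
# more than $1 failed logins (a single typo by a real user stays below it).
flag_failed_logins() {
    threshold="$1"
    # Keep only "Failed password" lines; the IP is the field after "from".
    grep 'Failed password' |
    awk -v t="$threshold" '
        { for (i = 1; i <= NF; i++) if ($i == "from") cnt[$(i+1)]++ }
        END { for (ip in cnt) if (cnt[ip] > t) print cnt[ip], ip }
    ' | sort -rn
}

# Constructed process list in the shape of `ps -eo pid,pcpu,comm` output
# (header line first), standing in for what top shows interactively.
SAMPLE_PS='  PID %CPU COMMAND
    1  0.0 init
  842  0.3 sshd
 1301 97.5 kworker-x
 1407 45.2 perl
 1512  1.1 syslogd'

# Read a ps-style list on stdin and print "pid command" for every process
# using more than $1 percent CPU; these are the PIDs to inspect first.
flag_cpu_hogs() {
    threshold="$1"
    awk -v t="$threshold" 'NR > 1 && $2 + 0 > t { print $1, $3 }'
}

# Demonstration on the constructed data.
echo "Source IPs with more than 3 failed logins (candidates to block):"
printf '%s\n' "$SAMPLE_AUTH_LOG" | flag_failed_logins 3
echo "Processes above 40% CPU (inspect, then kill by PID if illegal):"
printf '%s\n' "$SAMPLE_PS" | flag_cpu_hogs 40
```

On a real log server the first function would be fed the collected file (for example `flag_failed_logins 3 < /var/log/secure`) from a crontab entry, so the check runs on the machine the hacker cannot reach rather than on the attacked one. Note that the `-r` option in the configuration above makes syslogd accept messages from any host, so the log server should only allow UDP port 514 from the machines it is meant to collect from.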