Good Bad Ugly
Security Assurance: A Sysad’s Perspective
शिवकुमार G. Sivakumar சிவகுமார்
Computer Science and Engineering, भारतीय प्रौद्योगिकी संस्थान मुंबई (IIT Bombay)
May 18, 2014
• The Good (Web 1.0, 2.0, 3.0)
• The Bad (Threats, Vulnerabilities, Attacks)
• The Ugly? (Configure, Monitor, Analyze, React)
शिवकुमार G. Sivakumar சிவகுமார், Computer Science and Engineering, भारतीय प्रौद्योगिकी संस्थान मुंबई (IIT Bombay). Security Assurance: A Sysad's Perspective
Blind men and the Elephant - अन्ध-गज न्यायः
Partial Landscape
Tomorrow’s Info, Yesterday’s Professional
Moksha Story: copper, fibre, ...
Small Science (Last 4 centuries)
How much data? computation? collaboration?
e-Science
Computation and Data-enabled science.
"Applied computer science is now playing the role that mathematics did from the 17th through the 20th centuries: providing an orderly, formal framework and exploratory apparatus for other sciences." G. Djorgovski
Quite different from
• Real-time Internet security (atlas.arbor.net)
• Real-time fraud monitoring in financial transactions
• Real-time screening of Facebook/Google posts
Surviving Computers and Internet
1 Mathematicians
  Turn coffee into theorems!
  Principia Mathematica (Newton/Russell)
  Mechanical theorem proving, Automated Mathematician, Gödel's undecidability theorem
2 Bankers
  Brick and mortar? Vaults? Cashless? Financial advice?
  P2P payments (PayPal, Square, ...), Bitcoin
3 University Profs
  Are we still world class? (Narayanamurthy)
  NPTEL (National Programme on Technology Enhanced Learning), NKN (National Knowledge Network)
  Akash (MHRD tablet that will cure all ills!)
No denying that computers/Internet have changed the paradigm!
Atlas.arbor.net
Real-time Intelligence- atlas.arbor.net
Who is scanning?
Who is hosting phishing sites?
Malicious Servers
Vulnerabilities

• Application Security
  • Buggy code
  • Buffer overflows
• Host Security
  • Server side (multi-user/application)
  • Client side (virus)
• Transmission Security

Network Security (diagram: A talks to B, C sits on the path)
• Secrecy: C reads the A-B traffic
• Integrity: C alters it (Modification) or injects its own (Fabrication)
• Availability: C blocks it (Denial of Service attack)
Internet Attacks Toolkits (Youtube)
Internet Attacks Timeline
From training material at http://www.cert-in.org.in/
Internet Attack Trends
From training material at http://www.cert-in.org.in/
Security Requirements
Informal statements (formal is much harder)
• Confidentiality: protection from disclosure to unauthorized persons.
• Integrity: assurance that information has not been modified without authorization.
• Authentication: assurance of the identity of the originator of information.
• Non-Repudiation: the originator cannot deny having sent the message.
• Availability: being able to use the system or communicate when desired (the attack is denial of service).
• Anonymity/Pseudonymity: for applications like voting and instructor evaluation.
• Traffic Analysis resistance: an observer should not even learn who is communicating with whom. Why?
• Emerging Applications: online voting, auctions (more later).
And all this with postcards (IP datagrams)!
Defending a Critical National Infrastructure
Recent fibre cut.
Our Solution
Attacking IIT Bombay
Use dnsstuff.com to get some information.
Mail Servers Information
Use dnsstuff.com
TraceRoute
Very sophisticated tools (nmap, nessus, metasploit) are available to attackers.
Let's get back to defence and security assurance.
The Big Picture
Where all does security figure? Let's focus on the network first.
Overview
• Campus Network Infrastructure
  • Academic Area
  • Hostels
  • Residential
• Hardware and Network (the easy part!)
  • Gigabit L3 switches
  • 10 Mbps Internet (4 links)
  • 5000+ nodes
• Applications (complex enough)
  • Mail
  • Web Browsing/Hosting
• Users and Management (nightmare begins)
  • Misuse (mp3, movie, porn, hacking, fake mails, ...)
  • CCTeam
  • We carry your Bytes
  • Our T-shirt (cows, dogs, leopards!)
Residential Network
IIT-B’s WAN Links and Firewall
Important LAN Issues
Important Considerations
• Virus, Spyware
• Wrong IP addresses
• Wireless Access (guest house, conference halls)
• Static MAC-IP mapping
• Software Piracy
• Illegal Content (pornography, ...)
• ...
Good LAN design can help a lot with this...
Critical Network Services
• Firewall (Security sine qua non)
• Domain Name Service (DNS) http://cr.yp.to/djbdns/
• Directory Services (LDAP)
• Virus Scanning clamav.elektrapro.com
Critical Network (WAN) Services
• E-mail (www.qmail.org)
• Newsgroups (inn)
• Web Proxy
• WWW Servers (httpd.apache.org)
Firewall
• Inside IIT we have 50+ IP subnets.
• Over 5000 nodes.
• All private addresses, 10.x.y.z
• 4 different WAN subnets
  • 128, 64, 32 and 32 addresses only!
• iptables (www.iptables.org) to the rescue.
• Selective services/machines opened up
  • Incoming ssh to different dept. servers.
  • Outgoing ssh, Yahoo/MSN chat
  • Outgoing port for SciFinder
  • Outgoing ftp from select machines
• Making a good policy is the hardest!
IPtables

Stateful firewalling. See www.netfilter.org

What is IPtables?
• IPtables is an implementation of a firewall in Linux
• IPtables is a userspace command line program used to configure the Linux packet filtering ruleset.
• The framework inside the kernel is called Netfilter
• Full matching on IP, TCP, UDP and ICMP packet headers
• Lesser matching on other packet headers is possible

Advantages
• Protection from external entities
• Regulate traffic based upon the user's security requirement
• Provide a choke point for screening the packets entering your network
Good Bad Ugly
IPtablesStateful firewalling. See www.netfilter.orgWhat is IPtables?• IPtables is an implementation of a Firewall in Linux• IPtables is an userspace command line program used to
configure the Linux packet filtering ruleset.• The framework inside kernel is called Netfilter• Full matching on IP, TCP, UDP and ICMP packet headers• Lesser matching on other packet headers possible
Advantages• Protection from external entities• Regulate Traffic based upon user’s security requirement• Provide choke point for screening the packets entering your
networkिशवकुमार G. Sivakumarசிவகுமார்Computer Science and Engineering भारतीय ौोिगकी संान म ुबंई (IIT Bombay) [email protected] Assurance: A Sysad’s Perspective
Good Bad Ugly
IPtables
Packet Filters
• A list consisting of a sequence of rules
• Every packet is matched against the rules in order
• If a rule does not match, try the next rule
• If a rule matches, take the appropriate action
Basic Functionalities
• NAT (Network Address Translation)
  • DNAT - Destination Network Address Translation
  • SNAT - Source Network Address Translation
  • Requires connection tracking to keep states and expectations
• Packet Mangling
  • Strip all IP options
  • Change TOS values
  • Change TTL values
  • ...
  • Mark packets/connections within the kernel
Kernel Packet Traversal Diagram: KPTD
IPtables: Example
Configuring the Firewall

Firewall + Router: enable forwarding and flush current rules
[root@router ]# /sbin/sysctl -w net.ipv4.ip_forward=1
[root@router ]# iptables -nvL
[root@router ]# iptables -F -t filter
[root@router ]# iptables -F -t nat

Firewall + Router: set policy
[root@router ]# iptables -P INPUT ACCEPT
[root@router ]# iptables -P OUTPUT ACCEPT
[root@router ]# iptables -P FORWARD DROP

Firewall + Router: SNAT in POSTROUTING
[root@router ]# iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/16 -j SNAT --to-source 10.105.11.XX

Firewall + Router: allow all ESTABLISHED connections
[root@router ]# iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Can you enable HTTP (dport 80) and SSH (dport 22) packets?

Firewall + Router: allow HTTP packets
[root@router ]# iptables -A FORWARD -m state --state NEW -s 192.168.0.0/16 -p tcp --dport 80 -j ACCEPT

Firewall + Router: New but not SYN
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -i eth0 -j LOG --log-prefix "New not syn:"
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -i eth0 -j DROP

Firewall + Router: firewall MARK
iptables -A PREROUTING -t mangle -p tcp -s 192.168.0.0/16 --dport 22 -j MARK --set-mark 2

Firewall + Router: limiting DoS attacks
iptables -A FORWARD -p tcp --syn -s 192.168.0.0/16 --dport 389 -m limit --limit 10/s -j ACCEPT
Recap
Did achieve
• Only a few selected services are allowed
• New connection initiation only from the internal network
• Many IP-layer and TCP-layer attacks from outside are blocked at the perimeter, e.g. port scans, subnet scans, spoofed-source packets, SYN floods and more

Didn't achieve
• Trust in the user
• Protection against application-layer attacks
• Redundancy: failure protection
How DNS works?
• First accept the packets
• Then DNAT them to the internal server
• Finally, let the responses go back out: connection tracking reverses the translation on the return path, so no separate SNAT rule is needed for the replies

Connection tracking is important!
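The commands from the "Configuring the Firewall" slides and the accept/DNAT/reply sequence from "How DNS works?" assembled into one script, as an added example; this is not the slides' own code and not IIT Bombay's ruleset. Assumptions not stated on the slides: eth0 is the WAN interface, 192.168.0.0/16 is the campus side, 10.105.11.XX is kept as the placeholder public address, and 192.168.1.53 is a hypothetical internal DNS server. It also answers the exercise on the slide by opening SSH alongside HTTP, and puts an explicit DROP after the rate-limited LDAP ACCEPT so the excess SYNs do not depend on the chain policy. By default it only prints the commands; run it with IPT=iptables SYSCTL=sysctl as root to apply them.

```shell
#!/bin/sh
# Added example (not from the slides, not IIT Bombay's ruleset): the commands from
# the "Configuring the Firewall" slides plus the accept/DNAT/reply sequence from
# "How DNS works?", assembled into one script.
# Assumptions not stated on the slides: eth0 is the WAN interface, 192.168.0.0/16 is
# the campus side, 10.105.11.XX is kept as the placeholder public address, and
# 192.168.1.53 is a hypothetical internal DNS server.
# Dry run by default (the commands are printed); run with IPT=iptables SYSCTL=sysctl
# as root to apply them.

IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.0.0/16}"
PUBLIC_IP="${PUBLIC_IP:-10.105.11.XX}"     # placeholder from the slide, replace it
DNS_SERVER="${DNS_SERVER:-192.168.1.53}"   # hypothetical inside DNS server

build_rules() {
    $SYSCTL -w net.ipv4.ip_forward=1

    # Start from a clean slate (mangle is flushed too, because a MARK rule is added below).
    $IPT -F -t filter
    $IPT -F -t nat
    $IPT -F -t mangle

    # The firewall host itself is open; forwarding is closed unless a rule says otherwise.
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD DROP

    # Hide the campus behind the public address.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$PUBLIC_IP"

    # A TCP packet that conntrack sees as NEW but that carries no SYN is not a real
    # connection start (stray ACKs, scans, expired state): log it, then drop it.
    $IPT -A FORWARD -p tcp ! --syn -m state --state NEW -i "$WAN_IF" -j LOG --log-prefix "New not syn:"
    $IPT -A FORWARD -p tcp ! --syn -m state --state NEW -i "$WAN_IF" -j DROP

    # Anything belonging to a connection we already accepted may pass in both directions.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Rate-limit new LDAP connections from inside (the slide's DoS example). The ACCEPT
    # fires at most 10 times a second; the explicit DROP right after it stops the excess
    # from falling through to later rules, instead of relying on the chain policy.
    $IPT -A FORWARD -p tcp --syn -s "$LAN_NET" --dport 389 -m limit --limit 10/s -j ACCEPT
    $IPT -A FORWARD -p tcp --syn -s "$LAN_NET" --dport 389 -j DROP

    # New outbound connections only from the campus side: HTTP, and SSH (the slide's exercise).
    for port in 80 22; do
        $IPT -A FORWARD -m state --state NEW -s "$LAN_NET" -p tcp --dport "$port" -j ACCEPT
    done

    # Mark outbound SSH so later routing or shaping rules can recognise it.
    $IPT -A PREROUTING -t mangle -p tcp -s "$LAN_NET" --dport 22 -j MARK --set-mark 2

    # Published DNS server: rewrite the destination on the way in, then let the now
    # internal-bound packet through FORWARD. Replies need no SNAT rule: connection
    # tracking reverses the translation for every packet of the same flow.
    for proto in udp tcp; do
        $IPT -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" --dport 53 -j DNAT --to-destination "$DNS_SERVER"
        $IPT -A FORWARD -i "$WAN_IF" -p "$proto" -d "$DNS_SERVER" --dport 53 -m state --state NEW -j ACCEPT
    done
}

build_rules
```

Rules are matched first to last, so the ESTABLISHED,RELATED rule sits before every per-service ACCEPT and the non-SYN check before that. `-m state` is the older spelling of `-m conntrack --ctstate` and is still accepted by iptables; either works here.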
Incoming Email
Open Relays: http://www.abuse.net/relay.html
Sender Policy Framework
http://spf.pobox.com/
Why Monitor?
चिन्तनीया हि विपदाम् आदावेव प्रतिक्रिया।
न कूपखननं युक्तं प्रदीप्ते वह्निना गृहे॥
The response to disasters should be thought of beforehand. It is not appropriate to start digging a well when the house is ablaze.

Security cannot be an afterthought!

"There is a tide in the affairs of men, which taken at the flood, leads on to fortune. Omitted, all the voyage of their life is bound in shallows and in miseries." Shakespeare
ज्ञानं परमं ध्येयम् (Knowledge is the Ultimate Goal)

न चोरहार्यं न च राजहार्यं न भ्रातृभाज्यं न च भारकारि।
व्यये कृते वर्धत एव नित्यं विद्याधनं सर्वधनप्रधानम्॥
It cannot be stolen by thieves, cannot be taken away by the king, cannot be divided among brothers and is not a burden to carry. If spent, it always multiplies. The wealth of knowledge is the greatest among all wealths.

கற்றது கை மண் அளவு, கல்லாதது உலகு அளவு
What has been learned is like a fistful of sand; what remains is like the whole earth!

"If I have seen further [than others] it is by standing on the shoulders of giants." Isaac Newton

विद्या ददाति विनयम् (Knowledge gives humility)

IIT Bombay's motto is the title of this slide.
Eternal vigilance is the price of liberty!
Know what's happening in your network!
Monitoring Network and Services
How to answer the following questions?
1 How much traffic in/out? Anything abnormal?
2 How many emails came from outside IIT?
3 Who are the top 10 senders/receivers/domains?
4 Is anyone trying to spam/relay/DoS/break the mail servers?
5 How much bandwidth is used for browsing? Top domains?
6 What are the biggest downloads?
7 Is anyone attacking the academic office from the hostels?

Where is all this information? How to find out?
Reactive, static reports, or pro-active alerts?
Network, Services and User Management

Eternal vigilance is the price of liberty!
• How is the network doing?
• Are all services up?
• How much email in/out? How many viruses?
• Who's using the Web proxy? For what?
• Are users happy? www.gnu.org/software/gnats
IIT Bombay WAN Links
Nagios
Mail Usage Statistics
Mail Server Statistics
Web Proxy Usage
Web Server Hits
Goals of Centralized Logging

Static data/reports scattered over various servers are not very useful.

1 Look in one place, using one set of tools.
2 Archive logs: keep logs around for at least a year.
3 Generate alerts: when something goes wrong.
4 Identify trends: what "business as usual" looks like.
5 Do this preferably with FLOSS (open standards/source).

Achievable with rsyslog!
Configuring rsyslog
/etc/rsyslog.conf

# Provides UDP syslog reception
$ModLoad imudp.so
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp.so
$InputTCPServerRun 514

$AllowedSender UDP, *.iitb.ac.in
$AllowedSender UDP, 10.5.0.0/16
$AllowedSender TCP, *.iitb.ac.in
$AllowedSender TCP, 10.99.32.251

$AllowedSender filters only on the claimed source address (and, for the *.iitb.ac.in entries, on its reverse DNS), which a UDP sender can spoof; the TCP listener is the one to rely on for the hosts that matter.
Templates and Filtering Patterns

Store by date. Filter 407 (Denied) messages into their own file.

$template Dynsquid2,"/logdisk/squid.logfiles/%$YEAR%%$MONTH%/squid_access_log_407.%$YEAR%%$MONTH%%$DAY%"
$template Dynsquid3,"/logdisk/squid.logfiles/%$YEAR%%$MONTH%/squid_access_log.%$YEAR%%$MONTH%%$DAY%"

# :syslogtag, contains, "squid" ?Dynsquid3
if ($syslogtag contains 'squid' and ($msg contains 'TCP_DENIED/407')) then ?Dynsquid2
if ($syslogtag contains 'squid') then ?Dynsquid3

Both filters are evaluated for every message, so 407 lines land in the 407 file and in the full log; the second rule is the complete record, the first is the quick look at who is being refused.
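An added example, not from the slides, of answering the "Monitoring Network and Services" questions 5 and 6 and the 407 question the Dynsquid2 template isolates, straight from the squid access log files the templates above write, using awk. The log lines are constructed for the example, and the field positions assume Squid's native access.log format (time, elapsed, client, status/code, bytes, method, URL, ident, hierarchy, content-type).

```shell
#!/bin/sh
# Added example, not from the slides: answering the monitoring questions from
# Squid's native access.log with awk. The log lines in sample_log are constructed.
# Squid native format, by field: $1 time  $2 elapsed ms  $3 client  $4 status/code
# $5 bytes  $6 method  $7 URL  $8 ident  $9 hierarchy/peer  $10 content-type

sample_log() {
    cat <<'EOF'
1400395200.123    245 10.5.2.17 TCP_MISS/200 48213 GET http://example.org/paper.pdf - DIRECT/93.184.216.34 application/pdf
1400395201.456     12 10.5.2.17 TCP_DENIED/407 3245 GET http://example.org/ - NONE/- text/html
1400395202.001   1830 10.5.7.42 TCP_MISS/200 734003 GET http://mirror.example.net/iso/disk.iso - DIRECT/203.0.113.9 application/octet-stream
1400395203.789     15 10.5.7.42 TCP_HIT/200 1120 GET http://example.org/style.css - NONE/- text/css
1400395204.010      9 10.5.9.99 TCP_DENIED/407 3245 GET http://example.org/ - NONE/- text/html
1400395204.020      9 10.5.9.99 TCP_DENIED/407 3245 GET http://example.org/ - NONE/- text/html
1400395204.030      9 10.5.9.99 TCP_DENIED/407 3245 GET http://example.org/ - NONE/- text/html
EOF
}

# Question 5: how much bandwidth per client? Denied requests only carry the proxy's
# error page, so they are skipped. Output: "<bytes> <client>", largest first.
bytes_per_client() {
    awk '$4 !~ /DENIED/ { b[$3] += $5 }
         END { for (c in b) printf "%d %s\n", b[c], c }' | sort -rn
}

# Question 5: top domains by bytes. The host is the third "/"-separated piece of an
# absolute URL (http://host/...); CONNECT lines carry host:port and are counted as such.
top_domains() {
    awk '$4 !~ /DENIED/ { split($7, u, "/"); b[u[3]] += $5 }
         END { for (d in b) printf "%d %s\n", b[d], d }' | sort -rn | head -n "${1:-10}"
}

# Question 6: biggest single downloads. Output: "<bytes> <client> <url>".
biggest_downloads() {
    awk '$4 !~ /DENIED/ { printf "%d %s %s\n", $5, $3, $7 }' | sort -rn | head -n "${1:-10}"
}

# Proxy-side version of question 4: clients piling up 407 (proxy authentication
# required) responses, i.e. a misconfigured client or something guessing proxy passwords.
auth_denied_counts() {
    awk '{ split($4, s, "/"); if (s[2] == "407") n[$3]++ }
         END { for (c in n) printf "%d %s\n", n[c], c }' | sort -rn
}

# Run the four reports over the constructed sample. For real data replace sample_log
# with cat /logdisk/squid.logfiles/YYYYMM/squid_access_log.YYYYMMDD (the Dynsquid3 file).
echo "== bytes per client =="
sample_log | bytes_per_client
echo "== top domains =="
sample_log | top_domains 5
echo "== biggest downloads =="
sample_log | biggest_downloads 5
echo "== 407 denials per client =="
sample_log | auth_denied_counts
```

The same one-liners run unchanged over a whole month of files (cat the directory the template creates), which is the point of storing logs by date under one tree.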
Log Archival at IIT Bombay
Squid Logs
Focus of Lab Tomorrow

1 AWStats (http://awstats.sourceforge.net/)
  AWStats is an open source Web analytics reporting tool, suitable for analyzing data from Internet services such as web, streaming media, mail and FTP servers. AWStats parses and analyzes server log files, producing HTML reports. Data is visually presented within reports by tables and bar graphs. Static reports can be created through a command line interface, and on-demand reporting is supported through a web browser CGI program.

2 OSSEC (http://www.ossec.net/)
  OSSEC is a free, open source host-based intrusion detection system (HIDS). It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response.