User:Jasper.kamboj/sandbox

Contents

1 Ubuntu
2 Servers
2.1 File Server (Jaguar)
2.1.1 File Server Configuration
2.2 Web Server (Giraffe)
2.3 Backup Server (Camal)
2.3.1 Rsync
2.3.2 Backupc
2.4 Gateway Server (Lion)
2.5 Intrusion detection prevention system (IDPS) Server (Eagle)
2.5.1 Snort
2.5.2 OSSEC
2.6 MediaWiki Server (Elephant)
2.6.1 Configuring MediaWiki Server (Elephant)
2.7 DHCP Server
3 Backup and recovery procedures
3.1 MediaWiki server backup
4 Failover procedures of the DHCP server
5 Procedures for adding and removing Volunteers
6 User Access
7 Network Configuration
8 Attack / Security breach
9 Unauthorised access to the main File Server
10 Support staff access
11 All servers Security
12 Support staff access
13 System / Security alerts
14 Password aging implementation

Ubuntu

Ubuntu is a computer operating system based on the Debian Linux distribution and distributed as free and open source software. It is named after the Southern African philosophy of ubuntu ("humanity towards others"). Ubuntu is designed primarily for use on personal computers, although a server edition also exists. Ubuntu is sponsored by the UK-based company Canonical Ltd., owned by South African entrepreneur Mark Shuttleworth.

Servers

In the context of client-server architecture, a server is a computer program running to serve the requests of other programs, the "clients". Thus, the "server" performs some computational task on behalf of the "clients". The clients either run on the same computer or connect through the network.

File Server (Jaguar)

Samba allows file and print sharing between computers running Windows and computers running Unix. Samba can create a number of directories and assign users to them, the same as in Windows. User logon and group policy can be implemented by editing a single Samba configuration file, located at /etc/samba/smb.conf. The first step is to install the samba package, which can be done by typing the following command:

    sudo apt-get install samba

File Server Configuration

The main Samba configuration file is located at /etc/samba/smb.conf. The default configuration file contains a significant number of comments documenting the various configuration directives. First, edit the following key/value pairs in the [global] section of /etc/samba/smb.conf:

    workgroup = EXAMPLE
    ...
    security = user

To create the shared directories and grant access to them, add the following share definitions to /etc/samba/smb.conf:

    [Grants]
    comment = Grants Department Directory
    writeable = yes
    # valid users is a space- or comma-separated list; "Peter/Ben/Nindi/Nigel" would be read as one user name
    valid users = Peter Ben Nindi Nigel
    path = /home/samba/Grants
    public = no
    create mode = 0660
    directory mode = 0770

    [Organisation]
    comment = Organisation Department Directory
    writeable = yes
    valid users = Ben
    path = /home/samba/Organisation
    create mode = 0660
    directory mode = 0770

    [Operational]
    comment = Operational Department Directory
    writeable = yes
    valid users = Nigel
    path = /home/samba/Operational
    create mode = 0660
    directory mode = 0770

    [General]
    comment = General Department Directory
    writeable = yes
    valid users = Peter
    path = /home/samba/General
    create mode = 0660
    directory mode = 0770

    [Volunteers]
    comment = Volunteers Department Directory
    writeable = yes
    valid users = Ran Daniel
    path = /home/samba/Volunteers
    create mode = 0660
    directory mode = 0770

Now that Samba is configured, the directory needs to be created and the permissions changed. From a terminal enter:

    sudo mkdir -p /srv/samba/share
    sudo chown nobody.nogroup /srv/samba/share/
    # the share definitions above use /home/samba/<Department> as path; each of those directories must exist too

The -p switch tells mkdir to create the entire directory tree if it doesn't exist. Finally, restart the Samba services to enable the new configuration:

    sudo restart smbd
    sudo restart nmbd
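As an added example (not from the page or from the Samba project), a small Python check for share definitions like the ones above: it parses smb.conf with configparser and flags the mistakes that silently break access control, a "valid users" list joined with "/" (Samba reads it as a single user name), a writeable share that is also public, and create/directory modes looser than the 0660/0770 used on this page. The sample configuration and the [Scratch] share are constructed for the demonstration.

```python
"""Sanity-check Samba share definitions for access-control mistakes."""
import configparser
import io

# Constructed sample: the [Grants] share as written on the page (with the
# "/"-joined user list) plus a deliberately loose share for comparison.
SAMPLE_SMB_CONF = """
[global]
workgroup = EXAMPLE
security = user

[Grants]
comment = Grants Department Directory
writeable = yes
valid users = Peter/Ben/Nindi/Nigel
path = /home/samba/Grants
public = no
create mode = 0660
directory mode = 0770

[Scratch]
comment = Open scratch area
writeable = yes
public = yes
path = /home/samba/Scratch
create mode = 0666
directory mode = 0777
"""

# Ceilings taken from the page's own shares: group read/write, no world access.
MAX_CREATE_MODE = 0o660
MAX_DIR_MODE = 0o770


def parse_smb_conf(text):
    """Return {section: {key: value}}; smb.conf is INI-like, so configparser fits."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_file(io.StringIO(text))
    return {s: dict(cp[s]) for s in cp.sections()}


def valid_users(share):
    """Split 'valid users' the way Samba does: on spaces or commas, never on '/'."""
    raw = share.get("valid users", "")
    return [u for u in raw.replace(",", " ").split() if u]


def check_share(name, share):
    """Return a list of findings for one share section."""
    findings = []
    users = valid_users(share)
    if any("/" in u for u in users):
        findings.append("%s: 'valid users' joined with '/' is read as a single "
                        "user name; separate names with spaces" % name)
    writeable = share.get("writeable", share.get("writable", "no")).lower() == "yes"
    public = share.get("public", share.get("guest ok", "no")).lower() == "yes"
    if writeable and public:
        findings.append("%s: writeable share is also public (guest writes)" % name)
    if writeable and not public and not users:
        findings.append("%s: writeable share has no 'valid users' restriction" % name)
    for key, limit in (("create mode", MAX_CREATE_MODE), ("directory mode", MAX_DIR_MODE)):
        # Any bit set outside the ceiling means more access than the page intends.
        if key in share and int(share[key], 8) & ~limit:
            findings.append("%s: %s %s grants more than %04o" % (name, key, share[key], limit))
    return findings


def audit(text):
    """Check every share section except the special ones; return all findings."""
    findings = []
    for name, share in parse_smb_conf(text).items():
        if name.lower() in ("global", "homes", "printers"):
            continue
        findings.extend(check_share(name, share))
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_SMB_CONF):
        print(line)
```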

Web Server (Giraffe)

There are two additional packages to install that allow our web server to run PHP and be configured like apache2:

    sudo apt-get install lighttpd php5-cgi apache2-utils

To allow our MediaWiki to use FastCGI and PHP we need to enable two modules:

    sudo lighty-enable-mod fastcgi
    sudo lighty-enable-mod fastcgi-php

For the added modules to take effect we need to reload the lighttpd daemon:

    sudo service lighttpd force-reload

To test that our lighttpd server is working, access the default index page using our host's web browser: http://serverIPaddress/index.lighttpd.html. When you open the localhost IP address it should appear like the picture given below.

Backup Server (Camal)

To take daily, weekly and monthly backups the following shell script can be written and added to crontab. Crontab runs the shell script at the desired time.

Ubuntu MediaWiki S0149938 Page 4 http://192.168.1.3/mediawiki/index.php/Main_Page 6/4/2012 5:10:16 AM

    #!/bin/sh

    # What to backup.
    backup_files="/home"

    # Where to backup to.
    dest="/mnt/backup"

    # Create archive filename.
    day=$(date +%A)
    hostname=$(hostname -s)
    archive_file="daily.tgz"

    # Print start status message.
    echo "Backing up $backup_files to $dest/$archive_file"
    date
    echo

    # Backup the files using tar.
    tar czf "$dest/$archive_file" $backup_files

    # Print end status message.
    echo
    echo "Backup finished"
    date

    # Long listing of files in $dest to check file sizes.
    ls -lh "$dest"

Cron is driven by a crontab (cron table) file, a configuration file that specifies shell commands to run periodically on a given schedule. The crontab files are stored where the lists of jobs and other instructions to the cron daemon are kept. Users can have their own individual crontab files and often there is a system wide crontab file (usually in /etc or a subdirectory of /etc) which only system administrators can edit.
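The script above always writes daily.tgz, while the text expects daily, weekly and monthly files. As an added example (not the page's script), a Python version that names the archives by date, using the weekday the script computes in $day but never uses, and records a SHA-256 sidecar so the copy can be checked after it is transferred; source and destination paths are parameters, and the sample run uses the page's /home and /mnt/backup.

```python
"""Daily, weekly and monthly tar backups with an integrity record."""
import hashlib
import os
import tarfile
from datetime import date


def archive_names(today):
    """Archives a run on 'today' writes: daily always, weekly on Sunday, monthly on the 1st."""
    names = ["daily-%s.tgz" % today.strftime("%A")]
    if today.isoweekday() == 7:
        names.append("weekly.tgz")
    if today.day == 1:
        names.append("monthly.tgz")
    return names


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def run_backup(backup_files, dest, today=None):
    """Write each archive as 'tar czf' would and record its digest; return the paths written.

    'today' may be a date, an ISO string, or None for the current date. The .sha256
    sidecar uses the 'digest  name' layout that sha256sum -c accepts, so the backup
    server can verify a received archive with the stock tool.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    os.makedirs(dest, exist_ok=True)
    written = []
    for name in archive_names(today):
        archive = os.path.join(dest, name)
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(backup_files, arcname=os.path.basename(backup_files.rstrip("/")))
        with open(archive + ".sha256", "w") as f:
            f.write("%s  %s\n" % (sha256_of(archive), name))
        written.append(archive)
    return written


def verify_backup(archive):
    """True if the archive matches its sidecar digest and its tar index is readable."""
    try:
        with open(archive + ".sha256") as f:
            expected = f.read().split()[0]
    except (OSError, IndexError):
        return False
    if sha256_of(archive) != expected:
        return False
    try:
        with tarfile.open(archive, "r:gz") as tar:
            tar.getmembers()
    except tarfile.TarError:
        return False
    return True


if __name__ == "__main__":
    for path in run_backup("/home", "/mnt/backup"):
        print(path, "ok" if verify_backup(path) else "DIGEST MISMATCH")
```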
    # /etc/crontab: system-wide crontab
    # Unlike any other crontab you don't have to run the `crontab'
    # command to install the new version when you edit this file
    # and files in /etc/cron.d. These files also have username fields,
    # that none of the other crontabs do.

    SHELL=/bin/sh
    PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

    # m h dom mon dow user command
    17 * * * * root cd / && run-parts --report /etc/cron.hourly
    25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
    47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
    52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

When crontab executes the shell script, the following three files will be generated on the basis of the shell script.

Rsync

rsync is a software application and network protocol for Unix-like and Windows systems that synchronizes files and directories from one location to another while minimizing data transfer, using delta encoding when appropriate. rsync can be used to back up all the servers onto the backup server. rsync is not installed on the machine, so to install it:

    sudo apt-get install rsync

Once rsync is installed on the machine, typing the following command will simply copy the backup files from one server to the other:

    rsync -avz /mnt/backup backup@192.168.18.11:/mnt/Mediawiki/backup

Backupc

BackupPC is a free backup software suite with a web-based frontend. The cross-platform server will run on any Linux, Solaris, or UNIX based server. No client is necessary, as the server is itself a client for several protocols that are handled by other services native to the client OS. BackupPC works like Samba: it creates directories and saves the files to a remote place. Installation:

    sudo apt-get install backuppc

Adding the IP addresses and users to /etc/backuppc/hosts will create backups on BackupPC. Here is an example of backed up files on the remote server:

Gateway Server (Lion)

A gateway is a node that allows you to gain entrance into a network and vice versa. On the Internet the node which is the stopping point can be a gateway or a host node. A computer that controls the traffic your network or your ISP (Internet Service Provider) receives is a node. In most homes a gateway is the device provided by the Internet Service Provider that connects users to the internet. To make a server a gateway server we need to install the iptables package:

    sudo apt-get install iptables

The network interfaces file /etc/network/interfaces describes the network interfaces available on your system and how to activate them:

    # The loopback network interface
    auto lo
    iface lo inet loopback

    # The primary network interface
    auto eth0
    iface eth0 inet dhcp

    # The internal network interface
    auto eth1
    iface eth1 inet static
    address 192.168.18.254
    network 192.168.18.0
    netmask 255.255.255.0
    broadcast 192.168.18.255

To change the nameserver, edit /etc/resolv.conf:

    sudo vi /etc/resolv.conf
    nameserver 192.168.1.1

Iptables on the Gateway server:

    # Flush all iptables rules from the packet matching tables.
    iptables -t filter -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -t raw -F

    # Reset the built-in chain policies to accept all traffic.
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT

    # Drop all packets coming in to and forwarded by the gateway.
    iptables -P INPUT DROP
    iptables -P FORWARD DROP

    # Allow all connections through the firewall that originate from within.
    iptables -A FORWARD -i eth1 -p ALL -j ACCEPT

    # Allow incoming responses to internal host requests.
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Enable NAT on outgoing interface.
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 192.168.1.12

    # Allow SSH connections to the external IP address of the gateway for testing.
    iptables -A INPUT -i eth0 -d 192.168.1.10 -p tcp --dport 22 -j ACCEPT
    # Note: INPUT has no rule for lo or for ESTABLISHED,RELATED traffic, so with the DROP
    # policy the gateway's own outbound sessions (DNS, apt) and local services get no replies.

Restart the networking service using the following command:

    sudo /etc/init.d/networking restart

Intrusion detection prevention system (IDPS) Server (Eagle)

Intrusion detection and prevention systems (IDPS) are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about said activity, attempt to block/stop the activity, and report the activity. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts.
Snort

Snort is an open source network intrusion prevention and detection system, which captures raw packets off the network and compares them with a set of rules. When Snort detects an event that has been defined as interesting it can alert the system administrator so that the undesired traffic can be blocked. To install Snort:

    sudo apt-get install snort

In the configuration screen change the IP address from 192.168.0.0/16 to 192.168.12.0/24.

To create a backup copy of the original file use this command:

    sudo cp /etc/snort/snort.conf /etc/snort/snort.conf.orig

Now open the configuration file using vim and change line 50 from "var HOME_NET any" to "var HOME_NET $eth0_ADDRESS", then change line 569 from "enable_srvoverflow enable_protomismatch" to "enable_srvoverflow":

    sudo vi /etc/snort/snort.conf /etc/snort/snort.conf.orig
    sudo vi /etc/snort/snort.conf

Now restart Snort:

    sudo /etc/init.d/snort restart

OSSEC

OSSEC is free software available as source code and provides the following services:

1. Rootkit detection
2. File system integrity check
3. Log files analysis
4. Time-based alerting
5. Active response

To install OSSEC:

1. sudo apt-get install build-essential
2. mkdir ossec (to make a separate directory)
3. cd ossec (change directory)
4. /ossec$ wget http://ossec.net/files/ossec-hids-latest.tar.gz
5. /ossec$ tar -xvf ossec-hids-latest.tar.gz
6. /ossec$ cd ossec-hids-*
7. /ossec/ossec-hids-2.6$ sudo ./install.sh
8. Press Enter for the default language.
9. Choose the installation type 'local' from server, agent, local or help.
10. Configuring the OSSEC HIDS. Press yes to continue.
11. What is your email address? (put your email)
12. What's your SMTP server ip/host? (type localhost)
13. Do you want to run the integrity check daemon? (y/n) y
14. Do you want to run the rootkit detection engine? (y/n) y
15. Do you want to enable active response? (y/n) y
16. Do you want to enable the firewall-drop response? (y/n) y
17. Default white list for the active response: 192.168.1.1
18. Do you want to add more IPs to the white list? (y/n) n
19. Setting the configuration to analyze the following logs: /var/log/auth.log, /var/log/syslog, /var/log/dpkg.log, /var/log/snort/alert (snort-full file). If you want to monitor any other file, just change the ossec.conf and add a new localfile entry. Any questions about the configuration can be answered by visiting us online at http://www.ossec.net. --- Press ENTER to continue ---
20. sudo apt-get purge build-essential
21. sudo apt-get autoremove
22. sudo /var/ossec/bin/ossec-control start (this failed with "ossec-analysisd: Configuration error. Exiting.")
23. sudo vi /var/ossec/bin/ossec-control
24. Change the line "echo | ${DIR}/ossec-logtest > /dev/null 2>&1;" to add /bin to the path: "echo | ${DIR}/bin/ossec-logtest > /dev/null 2>&1;"
25. sudo /var/ossec/bin/ossec-control restart
26. Check your email.

MediaWiki Server (Elephant)

MediaWiki is a free software open source wiki package written in PHP, originally for use on Wikipedia. It is now used by several other projects of the nonprofit Wikimedia Foundation and by many other wikis, including this website, the home of MediaWiki.
To install MediaWiki on Ubuntu server:

    sudo apt-get install mediawiki

Enable MediaWiki by editing the following file and removing the '#' from the third line so that it reads 'Alias /mediawiki /var/lib/mediawiki':

    sudo vi /etc/mediawiki/apache.conf

Then restart apache:

    sudo /etc/init.d/apache2 restart

Start your MediaWiki: http://localhost/mediawiki (localhost is your IP address, which you can get using the ifconfig command).

Configuring MediaWiki Server (Elephant)

All the settings of MediaWiki are saved in LocalSettings.php (located in /etc/mediawiki/LocalSettings.php).

To change the icon, make a 135x135 pixel logo in PNG format and move it to the right place:

    sudo cp my_new_logo.png /var/lib/mediawiki/skins/common/images/my_new_logo.png

Insert the path to the image at the end of the configuration file /etc/mediawiki/LocalSettings.php like so:

    $wgLogo = "/mediawiki/skins/common/images/my_new_logo.png";

To upload different types of media to the MediaWiki, file extensions can be added:

    // widening the upload list increases exposure; swf in particular can run in the browser
    $wgFileExtensions = array('png', 'gif', 'jpg', 'jpeg', 'ppt', 'pdf', 'psd', 'mp3', 'xls', 'xlsx', 'swf', 'doc', 'docx', 'odt', 'odc', 'odp', 'odg', 'mpp');

DHCP Server

The Dynamic Host Configuration Protocol (DHCP) is a network configuration protocol for hosts on Internet Protocol (IP) networks. Computers that are connected to IP networks must be configured before they can communicate with other hosts. The most essential information needed is an IP address, a default route and a routing prefix. DHCP eliminates the manual task by a network administrator. It also provides a central database of devices that are connected to the network and eliminates duplicate resource assignments. The primary DHCP server is primarily connecting all devices with the gateway. To make an Ubuntu server a DHCP server, the DHCP package must be installed on the server.
This package can be installed by typing the following command:

    sudo apt-get install dhcp3-server

The network interfaces file /etc/network/interfaces needs to be edited to connect the DHCP server to the gateway:

    sudo vi /etc/network/interfaces

    # This file describes the network interfaces available on your system
    # and how to activate them. For more information, see interfaces(5).

    # The loopback network interface
    auto lo
    iface lo inet loopback

    # The primary network interface
    auto eth0
    iface eth0 inet static
    address 192.168.18.1
    network 192.168.18.0
    netmask 255.255.255.0
    broadcast 192.168.18.255
    gateway 192.168.18.254

You will probably need to change the default configuration by editing /etc/dhcp3/dhcpd.conf to suit your needs and particular configuration.

    sudo vi /etc/dhcp/dhcpd.conf

This file is for my primary DHCP server; all the servers are given fixed IP addresses from their hardware Ethernet addresses:

    default-lease-time 600;
    max-lease-time 7200;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.18.255;
    option routers 192.168.18.1;
    option domain-name-servers 192.168.1.1;

    failover peer "dhcp-failover" {
      primary;
      # address must be this server's own IP (192.168.18.1 in the interfaces file above);
      # the original had 192.168.18.0, the network address, which dhcpd cannot bind to
      address 192.168.18.1;
      port 647;
      peer address 192.168.18.2;
      peer port 847;
      max-response-delay 60;
      max-unacked-updates 10;
      load balance max seconds 3;
      mclt 3600;
      split 128;
    }

    subnet 192.168.18.0 netmask 255.255.255.0 {
      range 192.168.18.10 192.168.18.20;
    }

    # the ubuntu and IDPS entries were missing their ';' separators in the original
    host giraffe { hardware ethernet 08:00:27:97:18:7f; fixed-address 192.168.18.12; }
    host MediaWiki { hardware ethernet 08:00:27:32:1b:2f; fixed-address 192.168.18.10; }
    host Backup { hardware ethernet 08:00:27:f9:ee:ae; fixed-address 192.168.18.11; }
    host ubuntu { hardware ethernet 08:00:27:8f:28:a0; fixed-address 192.168.18.13; }
    host IDPS { hardware ethernet 08:00:27:6f:59:4d; fixed-address 192.168.18.14; }

Backup and recovery procedures

To back up all the servers the following shell script can be written:

    #!/bin/sh

    # What to backup.
    backup_files="/home"

    # Where to backup to.
    dest="/mnt/backup"

    # Create archive filename.
    day=$(date +%A)
    hostname=$(hostname -s)
    archive_file="daily.tgz"

    # Print start status message.
    echo "Backing up $backup_files to $dest/$archive_file"
    date
    echo

    # Backup the files using tar.
    tar czf "$dest/$archive_file" $backup_files

    # Print end status message.
    echo
    echo "Backup finished"
    date

    # Long listing of files in $dest to check file sizes.
    ls -lh "$dest"

Cron is driven by a crontab (cron table) file, a configuration file that specifies shell commands to run periodically on a given schedule. The crontab files are stored where the lists of jobs and other instructions to the cron daemon are kept. Users can have their own individual crontab files and often there is a system wide crontab file (usually in /etc or a subdirectory of /etc) which only system administrators can edit.

    # /etc/crontab: system-wide crontab
    # Unlike any other crontab you don't have to run the `crontab'
    # command to install the new version when you edit this file
    # and files in /etc/cron.d. These files also have username fields,
    # that none of the other crontabs do.

    SHELL=/bin/sh
    PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

    # m h dom mon dow user command
    17 * * * * root cd / && run-parts --report /etc/cron.hourly
    25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
    47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
    52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

When crontab executes the shell script, the following three files will be generated on the basis of the shell script.

MediaWiki server backup

MediaWiki saves its content in whichever database you are using as a backend (MySQL or PostgreSQL). For a full backup, you would have to back up the MediaWiki database.

XML dump

It is easiest, however, to back up content with an XML dump, which can then be imported into future (or even past) versions of MediaWiki. See these instructions. In brief: if you do not have a backup folder, make one now:

    sudo mkdir /etc/mediawiki/backups
    # 777 leaves the dump world-writable until the chmod 444 step below
    sudo chmod -R 777 /etc/mediawiki/backups

Edit your LocalSettings.php file:

    sudo nano /etc/mediawiki/LocalSettings.php

and add the lines:

    # Database administrative user/password
    $wgDBadminuser = $wgDBuser;
    $wgDBadminpassword = $wgDBpassword;

then run the XML dump script from a command-line terminal:

    sudo php /usr/share/mediawiki/maintenance/dumpBackup.php --current > /etc/mediawiki/backups/MediaWikiBackup_DateToday

Note: I usually specify today's date in place of DateToday.
Note: To use this, php5-cli must already have been installed:

    sudo apt-get install php5-cli

If you wish to protect this backup folder, you can change the permissions:

    sudo chmod -R 444 /etc/mediawiki/backups

Import XML dump

To import the XML dump you made:

    sudo php /usr/share/mediawiki/maintenance/importDump.php /etc/mediawiki/backups/MediaWikiBackup_DateToday

Note that when you import XML dumps, it maintains revision dates. If you have pages that are more recent than the imported pages, then the more recent pages will be retained. If you want to promote an imported page to the most recent page, you must do this in the page history section (like usual). This drove me nuts until I figured this out, because, of course, when you upgrade or reinstall a wiki, the newly created MainPage will be the most recent (not the old MainPage from the imported wiki). The imported MainPage does not show up unless you promote the old version from the history file.

Failover procedures of the DHCP server

DHCP server fail-over can be problematic, as all the other servers work on the IP addresses provided by the DHCP server; if the DHCP server fails, the others cannot work. For this solution we installed a secondary server with a little more configuration, adding a time stamp of 3 seconds. Both of the servers are connected to the gateway; if the primary server fails and does not respond in 3 seconds, the other server will pick up the same configuration and start working.
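An added cross-check (not from the page or from ISC dhcpd) for a primary/secondary dhcpd.conf pair like the one in the DHCP Server section and the secondary configuration in this section: it reads the "failover peer" block and the host declarations from each file and reports what stops failover or reservations from working, a local "address" that the other side does not list as "peer address", ports that do not cross-match, mclt/split on the secondary, an address equal to the subnet's network address, and host entries missing semicolons. The two sample configurations are constructed to mirror the page's layout, including its mistakes.

```python
"""Cross-check a primary/secondary dhcpd.conf failover pair."""
import re

PRIMARY = """
failover peer "dhcp-failover" { primary; address 192.168.18.0; port 647;
  peer address 192.168.18.2; peer port 847; max-response-delay 60;
  max-unacked-updates 10; load balance max seconds 3; mclt 3600; split 128; }
subnet 192.168.18.0 netmask 255.255.255.0 { range 192.168.18.10 192.168.18.20;}
host giraffe {hardware ethernet 08:00:27:97:18:7f; fixed-address 192.168.18.12;}
host ubuntu {hardware ethernet 08:00:27:8f:28:a0 fixed-address 192.168.18.13}
"""
SECONDARY = """
failover peer "dhcp-failover" { secondary; address 192.168.18.0; port 847;
  peer address 192.168.18.1; peer port 647; max-response-delay 60;
  max-unacked-updates 10; load balance max seconds 3; }
subnet 192.168.18.0 netmask 255.255.255.0 { range 192.168.18.10 192.168.18.20;}
host giraffe {hardware ethernet 08:00:27:97:18:7f; fixed-address 192.168.18.12;}
host ubuntu {hardware ethernet 08:00:27:8f:28:a0 fixed-address 192.168.18.13}
"""


def parse_failover(text):
    """Return the failover peer block as {name, role, address, port, peer address, ...}."""
    m = re.search(r'failover\s+peer\s+"([^"]+)"\s*\{(.*?)\}', text, re.S)
    if not m:
        return None
    peer = {"name": m.group(1)}
    for stmt in m.group(2).split(";"):
        words = stmt.split()
        if not words:
            continue
        if words[0] in ("primary", "secondary"):
            peer["role"] = words[0]
        else:
            peer[" ".join(words[:-1])] = words[-1]   # "peer address X", "port X", "mclt X"
    return peer


def check_pair(primary_text, secondary_text):
    """Findings about the two failover blocks taken together."""
    p, s = parse_failover(primary_text), parse_failover(secondary_text)
    if not p or not s:
        return ["failover peer block missing in one of the files"]
    out = []
    if (p.get("role"), s.get("role")) != ("primary", "secondary"):
        out.append("roles must be primary/secondary, got %s/%s" % (p.get("role"), s.get("role")))
    if p["name"] != s["name"]:
        out.append("peer names differ: %s vs %s" % (p["name"], s["name"]))
    # Each side's address/port must equal what the other side calls peer address/port.
    for local, remote in ((p, s), (s, p)):
        for field in ("address", "port"):
            if local.get(field) != remote.get("peer " + field):
                out.append("%s %s %s does not match the other side's peer %s %s"
                           % (local["role"], field, local.get(field), field, remote.get("peer " + field)))
    for field in ("mclt", "split"):
        if field in s:
            out.append("%s is only valid on the primary" % field)
    for text, peer in ((primary_text, p), (secondary_text, s)):
        net = re.search(r"subnet\s+(\S+)\s+netmask", text)
        if net and peer.get("address") == net.group(1):
            out.append("%s address %s is the network address, not a host address"
                       % (peer["role"], peer["address"]))
    return out


def check_hosts(text):
    """Findings about host declarations: malformed statements and duplicate MACs/IPs."""
    out, seen = [], {}
    for name, body in re.findall(r"host\s+(\S+)\s*\{([^}]*)\}", text):
        for stmt in body.split(";"):
            words = stmt.split()
            if not words:
                continue
            expected = {"hardware": 3, "fixed-address": 2}.get(words[0])
            if expected is None or len(words) != expected:
                out.append("host %s: statement '%s' is malformed (missing ';'?)" % (name, " ".join(words)))
                continue
            value = words[-1].lower()
            if value in seen and seen[value] != name:
                out.append("host %s: %s already used by host %s" % (name, value, seen[value]))
            seen[value] = name
    return out


def audit(primary_text, secondary_text):
    """All findings for the pair; host checks run per file."""
    return check_pair(primary_text, secondary_text) + check_hosts(primary_text) + check_hosts(secondary_text)


if __name__ == "__main__":
    for finding in audit(PRIMARY, SECONDARY):
        print(finding)
```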
    default-lease-time 600;
    max-lease-time 7200;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.18.255;
    option routers 192.168.18.1;
    option domain-name-servers 192.168.1.1;

    failover peer "dhcp-failover" {
      secondary;
      # address must be this server's own IP, which the primary names as "peer address 192.168.18.2";
      # the original had 192.168.18.0, the network address, which dhcpd cannot bind to
      address 192.168.18.2;
      port 847;
      peer address 192.168.18.1;
      peer port 647;
      max-response-delay 60;
      max-unacked-updates 10;
      load balance max seconds 3;
    }

    subnet 192.168.18.0 netmask 255.255.255.0 {
      range 192.168.18.10 192.168.18.20;
    }

    # the ubuntu and IDPS entries were missing their ';' separators in the original
    host giraffe { hardware ethernet 08:00:27:97:18:7f; fixed-address 192.168.18.12; }
    host MediaWiki { hardware ethernet 08:00:27:32:1b:2f; fixed-address 192.168.18.10; }
    host Backup { hardware ethernet 08:00:27:f9:ee:ae; fixed-address 192.168.18.11; }
    host ubuntu { hardware ethernet 08:00:27:8f:28:a0; fixed-address 192.168.18.13; }
    host IDPS { hardware ethernet 08:00:27:6f:59:4d; fixed-address 192.168.18.14; }

Procedures for adding and removing Volunteers

Typing the following command will add a new user to the system:

    sudo adduser username groupname
    # with two arguments adduser adds an existing user to a group; "sudo adduser username" creates the account

Typing the following command will remove the user:

    sudo deluser username groupname

User Access

Network Configuration

Attack / Security breach

According to Cisco (http://www.cisco.com/warp/public/cc/so/neso/sqso/roi3_wp.pdf), when a breach in network security occurs, an organization enters into an incident response process. The goal of the process is to confirm the security breach and accumulate accurate information about the incident. A good incident response process will minimize disruption to business operations.
Three teams of people will generally be involved in the incident response process:

- In-house information systems security staff
- IT staff responsible for network systems operation and maintenance
- Law enforcement officers

When computer systems are hacked or intruded upon by an unauthorized party, the U.S. Federal Bureau of Investigation (FBI) and the National Infrastructure Protection Center (NIPC) recommend the following actions:

- Respond quickly. Contact law enforcement. Traces are often impossible if too much time is wasted before alerting law enforcement or an internal incident response team. In most cases contacting the FBI is necessary.
- If unsure of what actions to take, DO NOT stop system processes or tamper with files. This may destroy traces of the intrusion.
- Follow organizational policies and procedures as documented. (Your organization should have a computer incident response capability and plan in place.)
- Use the telephone to communicate. Attackers may be capable of monitoring e-mail traffic.
- Contact the incident response team for your organization. (Quick technical expertise is crucial in preventing further damage and protecting potential evidence.)
- Establish points of contact with general counsel, emergency response staff, and law enforcement. Pre-established contacts will help in a quick response effort.
- Make copies of files an intruder may have altered or left. Copying files may assist investigators in determining when and how the intrusion occurred.
- Identify a primary point of contact to handle potential evidence. Establish chain-of-custody of evidence and identify which individuals will be involved to assure that evidence is handled properly. Potential hardware and software evidence that is not properly controlled may lose its value.
- DO NOT contact the suspected perpetrator.

According to

Unauthorised access to the main File Server

Once a breach of security is confirmed, the following steps should be taken as urgently as possible. These steps are listed in the order that they should be taken by ISTS (Information Strategy and Technology Services) staff. If a particular step is not appropriate to the breach, then the reader should ignore it and move to the next step.

- The Director of Information Strategy & Technology Services, or nominee, should be notified as soon as practicable.
- If continuation of the breach will cause serious damage to property or persons, action should be taken as soon as possible to halt or minimize this effect.
- If the security breach is on files, the appropriate authorities should be notified as soon as possible.
- If another breach or security alert is involved, that unit should be notified as soon as possible, preferably via the cost centre manager or an approved representative.
- If an organisation or person external to the site is involved in any capacity, then the Australian Computer Emergency Response Team (AUSCERT) should be contacted.
- If an organisation or person external to the site is involved as a potential victim, then that organisation or person should be advised as soon as possible.

Support staff access

All servers Security

To check the servers' hardening and vulnerabilities, Nessus is installed. In computer security, Nessus is a proprietary comprehensive vulnerability scanning program. It is free of charge for personal use in a non-enterprise environment. Its goal is to detect potential vulnerabilities on the tested systems. According to Nessus, it allows scans for the following types of vulnerabilities:

- Vulnerabilities that allow a remote cracker to control or access sensitive data on a system.
- Misconfiguration (e.g. open mail relay, missing patches, etc.).
- Default passwords, a few common passwords, and blank/absent passwords on some system accounts. Nessus can also call Hydra (an external tool) to launch a dictionary attack.
- Denials of service against the TCP/IP stack by using mangled packets.
- Preparation for PCI DSS audits.

Support staff access

System / Security alerts

For security purposes OSSEC is installed on the IDPS server. OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response. Installing OSSEC is very different from all our previous installations. There is no pre-built Ubuntu package for OSSEC, so we will have to compile and install it manually. Alert generation is applied to the following files entered in ossec.conf:

    /var/log/auth.log
    /var/log/syslog
    /var/log/dpkg.log
    /var/log/snort/alert (snort-full file)

Every time someone tries to access these files, security-level alerts will be generated and emailed to jas-pal@live.com. Example of a generated alert:

    OSSEC HIDS Notification.
    2012 May 23 15:35:50

    Received From: s0149938->/var/log/syslog
    Rule: 5104 fired (level 8) -> "Interface entered in promiscuous(sniffing) mode."
    Portion of the log(s):

    May 23 15:35:48 s0149938 kernel: [ 98.675833] device eth0 entered promiscuous mode

    --END OF NOTIFICATION

Password aging implementation

Password aging is the concept that a user must periodically change his or her password in order to continue to authenticate to services. If the password is not changed within a specific amount of time, it expires and must be reset. The idea behind password aging is that a password is less likely to be compromised if it is changed regularly, or that the exposure from such a compromise will be reduced, and that a user who stops using a service will have their password automatically expire if they do not otherwise intervene. This can help reduce the exposure to password sniffing and social engineering. The Linux chage command can be used to perform several practical password aging activities, including forcing users to change their password.
Chage can be installed by executing the following command:

    sudo apt-get update chage
    # chage ships in the passwd package, which is installed by default on Ubuntu

By typing the following chage command a user can see when his password will expire:

    chage -l username

The password expiration time can be changed with the following command, where you put the number of days:

    chage -M number-of-days username

In this case the password is set to expire in 5 days.

Retrieved from "http://192.168.1.3/mediawiki/index.php/Main_Page"
This page was last modified on 3 June 2012, at 16:06.
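For the System / Security alerts section: an added example (not OSSEC's own code) that parses e-mail notifications of the form shown there, pulls out the agent, monitored file, rule id, level and description, keeps the quoted log lines, and sorts alerts by severity so they are not read one e-mail at a time. The first sample notification is the page's own alert; the second is constructed to show a low-level one.

```python
"""Parse OSSEC e-mail notifications and triage them by level."""
import re
from collections import Counter

SAMPLE_MAIL = """\
OSSEC HIDS Notification.
2012 May 23 15:35:50

Received From: s0149938->/var/log/syslog
Rule: 5104 fired (level 8) -> "Interface entered in promiscuous(sniffing) mode."
Portion of the log(s):

May 23 15:35:48 s0149938 kernel: [ 98.675833] device eth0 entered promiscuous mode

--END OF NOTIFICATION

OSSEC HIDS Notification.
2012 May 23 16:02:11

Received From: s0149938->/var/log/auth.log
Rule: 5501 fired (level 3) -> "Login session opened."
Portion of the log(s):

May 23 16:02:10 s0149938 sshd[2231]: pam_unix(sshd:session): session opened for user jaspal by (uid=0)

--END OF NOTIFICATION
"""

# One notification body: timestamp, source, rule line, then the quoted log lines.
HEADER = re.compile(
    r"^(?P<when>\d{4} \w{3} \d{1,2} \d\d:\d\d:\d\d)\s+"
    r"Received From: (?P<agent>.+?)->(?P<file>\S+)\s+"
    r'Rule: (?P<rule>\d+) fired \(level (?P<level>\d+)\) -> "(?P<desc>[^"]*)"\s+'
    r"Portion of the log\(s\):\s+(?P<log>.*)$", re.S)


def parse_notifications(text):
    """Return one dict per notification: when, agent, file, rule, level, desc, log lines."""
    alerts = []
    for chunk in text.split("--END OF NOTIFICATION"):
        parts = chunk.split("OSSEC HIDS Notification.", 1)
        if len(parts) < 2:
            continue                                  # trailing text, no header
        m = HEADER.search(parts[1].strip())
        if not m:
            continue                                  # malformed notification
        a = m.groupdict()
        a["rule"], a["level"] = int(a["rule"]), int(a["level"])
        a["log"] = [line for line in a["log"].splitlines() if line.strip()]
        alerts.append(a)
    return alerts


def triage(alerts, page_level=7):
    """Split alerts into (urgent, routine) by level; 7 is OSSEC's default e-mail threshold."""
    urgent = sorted((a for a in alerts if a["level"] >= page_level), key=lambda a: -a["level"])
    routine = [a for a in alerts if a["level"] < page_level]
    return urgent, routine


def summarize(alerts):
    """Count alerts per (agent, rule): repeats point at a noisy rule or a persistent problem."""
    return Counter((a["agent"], a["rule"]) for a in alerts)


if __name__ == "__main__":
    urgent, routine = triage(parse_notifications(SAMPLE_MAIL))
    for a in urgent:
        print("URGENT level %d rule %d on %s (%s): %s"
              % (a["level"], a["rule"], a["agent"], a["file"], a["desc"]))
    print("%d routine alert(s)" % len(routine))
```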
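For the Password aging implementation section: an added example (not part of the page or of the chage tool) that reports password-age status from /etc/shadow fields the way chage -l does. /etc/shadow keeps, per account, the day (counted from 1970-01-01) the password was last changed, the minimum and maximum ages and the warning window; chage -M writes the maximum field. The shadow lines below are constructed, with hashes replaced by placeholders.

```python
"""Report password-age status from shadow fields for a given date."""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
NO_MAX = 99999          # shadow's default maximum: the password never expires

# Constructed sample lines: name:hash:lastchange:min:max:warn:inactive:expire:
SAMPLE_SHADOW = """\
root:$6$placeholder:15490:0:99999:7:::
jaspal:$6$placeholder:15493:0:5:7:::
ben:$6$placeholder:15493:0:30:7:::
peter:$6$placeholder:15480:0:5:7:::
nindi:!:15400:0:5:7:::
volunteer:$6$placeholder:0:0:5:7:::
"""


def parse_shadow(text):
    """Return {user: fields} for every non-empty shadow line."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        accounts[f[0]] = {
            "hash": f[1],
            "last": int(f[2]) if f[2] else None,   # empty: aging disabled
            "min": int(f[3]) if f[3] else 0,
            "max": int(f[4]) if f[4] else NO_MAX,
            "warn": int(f[5]) if f[5] else 0,
        }
    return accounts


def expiry_date(acct):
    """Date the password stops working, or None when it never expires."""
    if not acct["last"] or acct["max"] >= NO_MAX:
        return None
    return EPOCH + timedelta(days=acct["last"] + acct["max"])


def password_status(acct, today):
    """One of: locked, must-change, no-max, expired, expiring, ok."""
    if acct["hash"].startswith(("!", "*")):
        return "locked"                     # no password can match the hash
    if acct["last"] == 0:
        return "must-change"                # what chage -d 0 sets: change at next login
    expires = expiry_date(acct)
    if expires is None:
        return "no-max"                     # never expires: aging not applied
    days_left = (expires - today).days
    if days_left < 0:
        return "expired"
    if days_left <= acct["warn"]:
        return "expiring"
    return "ok"


def report(text, today=None):
    """Return {user: (status, expiry date or None)}; 'today' may be a date or ISO string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    out = {}
    for user, acct in parse_shadow(text).items():
        out[user] = (password_status(acct, today), expiry_date(acct))
    return out


if __name__ == "__main__":
    for user, (status, expires) in sorted(report(SAMPLE_SHADOW).items()):
        print("%-10s %-12s %s" % (user, status, expires or "never"))
```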