Laboratory Work: Intrusion detection (20p)

In this task you have to install intrusion detection into your network.

SNORT configuration (5p)

Install Snort on the Server Ubuntu virtual image, set up a basic configuration (2p) and additionally configure it to do the following (alerts only, since Snort tends to report a large number of false positives):

  • alert about port scans (1p)
  • alert about SSH port attempts (1p)
  • alert about ICMP pings from (1p)

SNORT Questions (3p):

  1. How does Snort recognize attacks?
  2. How can Snort react to different kinds of attacks?
  3. How can it be configured to detect a specific type of traffic? E.g., if you are running a Quake III server and you want to prevent DDoS amplification attacks.

FAIL2BAN configuration (8p)

Install fail2ban on the Server Ubuntu virtual image and configure it to

  • Block every HTTP/HTTPS service user for 2 minutes after 3 wrong credentials in 3 minutes – block only the used ports with REJECT (2p)
  • Monitor the Snort log file for port scan attempts and react to the second alarm within 10 minutes by blocking (DROP) all access for that address for 5 minutes (2p)
  • Monitor SSH port attempts and react to the third alarm within 5 minutes by blocking all access to the system with hosts.deny for that address for 10 minutes (2p)
  • Since the Server Ubuntu virtual image has an SMTP server running, configure your fail2ban installation to send emails to “user@server1.example.com” (2p)
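
The findtime/maxretry/bantime logic behind the port-scan jail above, replayed over constructed Snort-style alert lines as an added Python example (not fail2ban's own code): the regex plays the role of the filter's failregex, and the log format, addresses and timestamps are assumed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the style of Snort's "alert_fast" output (not real captures).
SAMPLE_LOG = """\
02/07-15:50:01.000000  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 10.0.0.5 -> 10.0.0.1
02/07-15:52:30.000000  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 10.0.0.5 -> 10.0.0.1
02/07-15:53:00.000000  [**] [1:1000001:1] SSH connection attempt [**] [Priority: 2] {TCP} 10.0.0.7:44120 -> 10.0.0.1:22
02/07-16:10:00.000000  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 10.0.0.9 -> 10.0.0.1
02/07-16:30:00.000000  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 10.0.0.9 -> 10.0.0.1
"""

# Stand-in for the jail filter's failregex: the timestamp, then the source host of a portscan alert.
PORTSCAN_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\].*\(portscan\).*?"
    r"(?P<host>\d+\.\d+\.\d+\.\d+)(?::\d+)? -> "
)

def ban_decisions(log_text, maxretry=2, findtime=600, bantime=300, year=2014):
    """Replay the jail: ban a host once `maxretry` matches fall within `findtime` seconds,
    for `bantime` seconds. Returns (host, ban_start, ban_end) tuples, one per ban action.
    The Snort timestamp carries no year, so one is assumed (like fail2ban must)."""
    hits = {}          # host -> timestamps of matches still inside the findtime window
    banned_until = {}  # host -> datetime when the current ban expires
    bans = []
    for line in log_text.splitlines():
        m = PORTSCAN_RE.search(line)
        if not m:
            continue   # SSH alerts and other non-matching lines are not this jail's business
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
        host = m["host"]
        if host in banned_until and ts < banned_until[host]:
            continue   # already banned: fail2ban would log "already banned" and do nothing
        window = [t for t in hits.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        hits[host] = window
        if len(window) >= maxretry:
            banned_until[host] = ts + timedelta(seconds=bantime)
            bans.append((host, ts, banned_until[host]))
            hits[host] = []   # counter resets once the ban action fires
    return bans

if __name__ == "__main__":
    for host, start, end in ban_decisions(SAMPLE_LOG):
        print(f"DROP {host} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

With the sample above only 10.0.0.5 is banned: its two scans are 149 s apart, while 10.0.0.9's two scans are 20 minutes apart and so never reach maxretry inside one findtime window.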

FAIL2BAN Questions (2p):

  1. How do the different backend mechanisms work? On the virtual Ubuntus you should use the default because of a bug in another package delivered from the distribution repositories.
  2. Why can fail2ban be regarded as slow, given that it sometimes reports that it has already banned a user?

TESTING THE SETUP (2p):

Test your setup by (½p each):

  1. Scan the Server ubuntu with nmap from the Wireshark ubuntu
  2. Try to log in over SSH to the Server ubuntu with ssh administrator@server.ubuntu.ip.address
  3. Go to server.ubuntu.ip.address/private over HTTP and HTTPS and give false login information for both from the Wireshark ubuntu
  4. Ping the Server ubuntu from the Wireshark ubuntu with ping -c 10 server.ubuntu.ip.address
Last modified: 2014/02/07 15:52