
Abdou Thioye
MAC252
Research Project: Automatic Threat Detection for Apache Web Service

Abstract: This project will demonstrate an automatic threat detection mechanism for an Internet web server, in order to prevent attackers from obtaining unauthorized resources. During the detection procedure, a watchdog program is created that monitors the real-time user activity on the server. Unusual behaviors are analyzed by comparing them against multiple threat patterns in the database. Once a match is found, the system administrator is alerted to take countermeasures. Further, both the false alarms and the confirmed threats are added to the database, and the patterns are refined to better represent the characteristics of intrusion behaviors on a web server. To display the efficacy of the detection mechanism, we will establish a web server-attacker model with two Linux computers. One generates different types of attacks trying to access data from the server, and the other one runs the monitoring program on the targeted Apache web server. The threat pattern matching and learning algorithms will be explained using the runtime results extracted from the monitoring statistics.

Procedure:

Setting up Website and Basic Defenses

1. I needed to enable virtual hosts in the /etc/httpd/conf/httpd.conf file. The first thing I needed to do in this file was activate Virtual Hosts.

After activating virtual hosting, I needed to set up my website. I start by opening the Virtual Host directives.


ServerAdmin: I specified the administrator's e-mail address. This comes in handy in situations such as too many login attempts or too many files downloaded, when the administrator is notified.
DocumentRoot: I specify the file location where the index.html for this website will be, and where all the folders and files will be located.
ServerName: The name of the website.
ErrorLog: The error log tracks the number of failed login attempts and other information. The error log is at /etc/httpd/logs/MAC252_ErrorLog3.
CustomLog: The access log contains information on the files accessed, what time a user successfully logged in, and other valuable information. This information is stored in /etc/httpd/logs/MAC252_AccessLog3.

I have to create another directive for user and group authentication.
AuthType: This is set to basic authentication for the purposes of this lab.
AuthName: The text displayed on the login screen. This is seen in the results screenshot.
AuthUserFile: The location where all the login information (user/password) of a user will be stored.
AuthGroupFile: The location where the group name and the users of the group are stored.
Require group: Only users that are in group MAC_252 can log in.

Creating DNS entry


This is to manually tell the DNS server that if www.MAC252ResearchProject.com is not found, it should check /etc/hosts. This file says that if www.MAC252ResearchProject.com is typed, translate it to 192.168.1.7. Note: I change the host of the website between 10.4.3.126 and 192.168.1.7 depending on the location where I will use the RHEL 5 machine.

Creating Files:

This is how I create 500 files for the project.

The for loop is designed to create 500 of anything. Under do, I use touch to create the 500 files from the for loop, since i is my variable and i goes up from 1 to 500. I want to add some text to the 500 files, so I use echo and redirect the message to a file. To redirect it to each file from file1 to file500, I use file$i, since $i goes from 1 to 500.

All of these files are directed toward the shared directory. From here, they can be easily accessed by any outside user.

Setting up user1 and user2 authentication: I use the command htpasswd -c /etc/httpd/webpass user1 wujuwuju

Then I just need to change my /etc/httpd/webgroups, where I added the groups and the users allowed.
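As an added example (not the report's own httpd.conf, whose screenshots are not reproduced here), the virtual host and the authentication block reconstructed from the directives described above, together with the webpass and webgroups steps, wrapped in a shell script; the DocumentRoot /var/www/mac252 and the admin address admin@example.com are assumptions.

```shell
# Added example; reconstructs the configuration the report describes, it is not
# the report's own file. Assumed: DocumentRoot /var/www/mac252, admin@example.com.

# Virtual host plus the basic-auth directory block for the shared files.
vhost_config() {
cat <<'EOF'
NameVirtualHost *:80

<VirtualHost *:80>
    ServerAdmin   admin@example.com
    DocumentRoot  /var/www/mac252
    ServerName    www.MAC252ResearchProject.com
    ErrorLog      /etc/httpd/logs/MAC252_ErrorLog3
    CustomLog     /etc/httpd/logs/MAC252_AccessLog3 combined
</VirtualHost>

# Basic authentication for the shared directory that holds the 500 files
<Directory /var/www/mac252/shared>
    AuthType       Basic
    AuthName       "MAC252 Research Project"
    AuthUserFile   /etc/httpd/webpass
    AuthGroupFile  /etc/httpd/webgroups
    Require group  MAC_252
</Directory>
EOF
}

# Line for /etc/httpd/webgroups: group MAC_252 contains user1 and user2.
webgroups_line() { echo "MAC_252: user1 user2"; }

# Create the password file (-c) for user1, then add user2 without -c so the
# file is kept; -b takes the password from the command line (needs root).
create_users() {
  htpasswd -cb /etc/httpd/webpass user1 "$1" && htpasswd -b /etc/httpd/webpass user2 "$2"
}
```

Run vhost_config > /etc/httpd/conf.d/mac252.conf (or append to httpd.conf as the report does), then apachectl configtest before apachectl restart.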


Now, to have my scripts run automatically, I make some entries in my /etc/crontab. The crontab will hold all three scripts I will build. I put the crontab in place ahead of time.

I put * * * * * because I want my three “watchdog” scripts to run at all times. The second part is the user running it, root. The next part is the command as I would need to run it if root were in the / directory.

After I finish setting up my Apache web server and all these other steps, I type apachectl restart to restart my Apache service and see my new modifications loaded.

Attacker

Kali Linux is the system from which I launch attack.bat. Kali Linux is penetration testing software; however, I will only be using it to download files. This is my script that will download files from my website. The purpose of this is to set up the hypothetical that a hacker wants to steal all 500 files on the website.


I am using a for loop to control how many files I want to automatically download with the attack.bat script. If I change it to “i<=500”, only the first 500 files will be downloaded, etc. The wget command performs the download; in its arguments I put the username, the password, and where the files are located.

For Kali Linux to properly find the www.mac252researchproject.com/shared files, I need to add an entry to /etc/hosts. Please note that I do change the IP address depending on which location I am at.

Clash of Attacker and Defender

Now I need to make my monitor.bat file.


Monitor.bat file explanation:

I decide to use egrep to split the MAC252_AccessLog3 records into 6 time frames.

With grep -c, I count how many times “200” shows up. This is the HTTP code for “OK”, meaning the file was downloaded.

I can redirect the output of monitor.bat into record.dat using monitor.bat > record.dat


knowledge.dat


This script computes the average number of login time frames and uses for each user over the time span of May 17 to May 23. This can be easily adjusted by changing the egrep command depending on the days you want to average over.

I created a simulation of one week of usage by user1 and user2 with the help of Kali Linux. The purpose of knowledge.dat is to find any anomaly. For example, if user2 logs in at time frame 1, 2, or 3, that is unusual, which can mean that user2 has been hacked.

Detect.bat


Now I create my detect.bat. The purpose of detect.bat is to shut down the web server if certain triggers happen. The triggers are either too many files downloaded or a user logging in at the wrong time.
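The monitor, knowledge and detect steps described above (counting HTTP 200 lines per time frame with egrep, the per-user baseline kept in knowledge.dat, and the two triggers of detect.bat), written as one added shell example that is not the report's own scripts; the six four-hour time frames, the MAX_FILES threshold, the knowledge.dat layout and the log lines are assumptions and constructed data.

```shell
# Added example, not the report's monitor.bat, knowledge.dat or detect.bat.
# Assumes six 4-hour time frames per day and the Apache combined log format.

# Constructed sample in the style of MAC252_AccessLog3 (not the report's real data).
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
192.168.1.20 - user1 [17/May/2014:09:12:01 -0400] "GET /shared/file1 HTTP/1.1" 200 20
192.168.1.20 - user1 [17/May/2014:09:12:02 -0400] "GET /shared/file2 HTTP/1.1" 200 20
192.168.1.20 - user1 [17/May/2014:09:12:03 -0400] "GET /shared/file9 HTTP/1.1" 404 310
192.168.1.20 - user2 [17/May/2014:14:30:10 -0400] "GET /shared/file3 HTTP/1.1" 200 20
192.168.1.99 - user2 [18/May/2014:02:05:00 -0400] "GET /shared/file1 HTTP/1.1" 200 20
192.168.1.99 - user2 [18/May/2014:02:05:01 -0400] "GET /shared/file2 HTTP/1.1" 200 20
EOF

# Constructed knowledge.dat: "user frame average-downloads-per-day" from the baseline week.
KNOW=$(mktemp)
printf 'user1 3 2.4\nuser2 4 1.1\n' > "$KNOW"

MAX_FILES=100   # assumed download limit for one user in one time frame

# Hours belonging to time frame N (1..6), as an alternation for grep -E (egrep).
frame_hours() {
  case $1 in
    1) echo '00|01|02|03' ;; 2) echo '04|05|06|07' ;; 3) echo '08|09|10|11' ;;
    4) echo '12|13|14|15' ;; 5) echo '16|17|18|19' ;; 6) echo '20|21|22|23' ;;
  esac
}

# monitor: successful (HTTP 200) requests by USER on DAY (dd/Mon/yyyy) in FRAME.
count_ok() {
  grep -Ec " $1 \[$2:($(frame_hours "$3")):[0-9]{2}:[0-9]{2} [^]]*\] \"[^\"]*\" 200 " "$LOG" || true
}

# knowledge: baseline average for USER in FRAME; 0 when the user never used that frame.
baseline() {
  awk -v u="$1" -v f="$2" '$1==u && $2==f {print $3; found=1} END {if (!found) print 0}' "$KNOW"
}

# detect: ALERT when downloads exceed MAX_FILES, or when there is activity in a
# frame the user never used during the baseline week (the report's "wrong time").
detect() {
  n=$(count_ok "$1" "$2" "$3")
  if [ "$n" -gt "$MAX_FILES" ] || { [ "$n" -gt 0 ] && [ "$(baseline "$1" "$3")" = 0 ]; }; then
    echo ALERT   # detect.bat stops Apache at this point; here we only report it
  else
    echo OK
  fi
}
```

With the sample data, detect user1 17/May/2014 3 prints OK (two downloads in a frame user1 normally uses) and detect user2 18/May/2014 1 prints ALERT (user2 has no baseline in frame 1).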

Results:

After I set up the website, I am now prompted to enter a user name and log in.

Please note, MAC252 Research Project, is also mentioned in the /etc/httpd/conf/httpd.conf.

Results of the attack.bat script:

Here is the attack.bat output when it is downloading files


File1.7 is the bottom-left file. Its content matches the content of the file from Apache.

These are the results of my monitor.bat.


Knowledge.bat


Conclusion:

I have learned how to read the Apache log files and use them to make sure that I am not hacked. I have learned how to make shell scripts that not only detect network anomalies but also offer a strong defense against intrusions.