CSCI3042 - Computer Security - Lab 6 - Linux Network Security - 50 points Name of Student: ______________________________________ Summary: ​This lab will continue with Linux network security...

See the attachment file carefully, and answer everything on it.


CSCI3042 - Computer Security - Lab 6 - Linux Network Security - 50 points

Name of Student: ______________________________________

Summary: This lab will continue with Linux network security techniques along with firewall and intrusion detection system configurations and log file analysis.

● Download and start the MobaXterm Application:
  ■ Make a Windows folder on your desktop called “MobaXterm”
  ■ Access this shortened URL: https://goo.gl/PnA3Wg
  ■ Download the MobaXterm_Portable_v10.9.zip file
  ■ Extract the downloaded zip file into the recently created MobaXterm folder
  ■ Login info:
    ● IP Address: “172.104.30.32” for the “Remote host” field
    ● Login id/username: “laroche” for the “Specify Username” field
    ● Password: “FallClass2018#”

The authorities from the Inteligencia, Colvin & Hornick, have reported to Field Marshal Vershave that all students suffered tremendously after being administered the basic Linux competency exam. The infirmary reported a 300% increase in students admitted for observation and likely exhaustion. Field Marshal Vershave has once again conferred with the remaining Inteligencia leadership, Thomas & Woollett, who were heard saying, “This will be the final nail in their coffin!”, as they were seen departing yet another emergency council session. Given the impact on breaking the remaining momentum of the despondent students, they are being asked to complete the following expanded chart to once again measure their level of Linux expertise. The Inteligencia has sent a telegram to the Field Marshal: “Low marks are expected -- we have chosen wisely!”

● Question: Please complete the below solutions table. The following are twenty-four known Linux commands, network ports, and acronyms used during labs 1-5:

  man, cat, ls, grep, nslookup, geoiplookup, whois, ip, arp, ss, find, wc, awk, sort, uniq, head, RFC, yum, ps, firewall-cmd, iptstate, sudo, jq, JSON, CIA Triad, GET, POST, FQDN, TCP Port 80, TCP Port 443, TCP Port 22, UDP Port 53

Important Note: Table continues to page 3...
Command | Description of Usage
------- | --------------------
        | Determine the IP address record of a given hostname
        | Used to print the contents of a file to the terminal
        | A query tool used to determine a list of available Linux software updates
        | Well known port number for DNS queries
        | Used to display IP state table information for a Linux firewall
        | Determine country of origin of an IP address
        | Use this for detailed Linux command usage information / documentation
        | Command to process JSON data
        | Determine what TCP or UDP ports are currently connected
        | Well known port number for HTTP connections
        | Request for Comments
        | Determine local server IP address and network mask
        | Print the currently running Linux processes to the terminal
        | Put the output in alphabetical or numeric order
        | JavaScript Object Notation
        | Confidentiality, Integrity, Availability
        | Used to execute a command as another user
        | Global regular expression print - tool for searching files/data for strings
        | HTTP Method to send/insert data
        | Determine the location of a file or directory in the Linux filesystem hierarchy
        | Determine domain registrant information, name servers, and contact info
        | Well known port number for HTTPS/SSL/TLS connections
        | Given a list of items, remove redundant ones and print a final list
        | Used to review and modify local Linux firewall rules
        | Tool to help quickly count the number of lines in a given file or output
        | Used to output the first few lines of a file to the terminal
        | HTTP Method to read/request data
        | List/display timestamp and size information about a file or directory
        | Determine layer 2 network neighbors and their associated MAC addresses
        | Well known port number for secure shell connections
        | Fully Qualified Domain Name (ie: www.laroche.edu or www.superburger.com)
        | Tool used to select and print and possibly alter columnar data from output

Linux Networking Command Review:

● Question: Please complete the following chart specifically for the Linux Linode server for a typical HTTP connection:

Networking layer | Description of Layer | Determined Address or Port Information (please write N/A if not applicable)
---------------- | -------------------- | ---------------------------------------------------------------------------
0                |                      |
1                |                      |
2                |                      |
3                |                      |
4                |                      |
5                |                      |

Intrusion Detection System (IDS) - Suricata

The Suricata IDS has been deployed to the Linode Linux server, and is logging all network activity.

● Please use the following chart to identify what FQDN you are personally assigned, and then use it for the remainder of the lab.

Student   | Assigned FQDN
--------- | ------------------
Alahmadi  | www.nbcnews.com
Algamadi  | www.cbsnews.com
Bin Saeed | www.homedepot.com
Colvin    | www.lowes.com
Estep     | www.rmu.edu
George    | www.duq.edu
Hornick   | www.pitt.edu
Kobert    | www.meow.com
Magar     | www.target.com
Monat     | www.amazon.com
Mucyo     | www.psu.edu
Patel     | www.wpxi.com
Rametta   | www.kdka.com
Sowko     | www.petco.com
Swegman   | www.disney.com
Thomas    | www.weather.com
Vershave  | www.army.mil
Woollett  | www.nytimes.com
Zhan      | www.whitehouse.gov
Zubasic   | www.nordstrom.com

Generate FQDN-specific traffic so that Suricata will create log entries for it.

● Enter the command “man curl”
● This will display the reference manual for the “curl” command
● Please briefly read through, and review the “DESCRIPTION” section
● Press “q” to quit, and return to the command line
  ○ Question: Please write a brief description of the curl command:
    ■ .
  ○ Question: In the context of Internet, Networking, and Computer Security, what does the acronym “RFC” stand for:
    ■ .
  ○ Challenge Question: What RFC number and description are associated with the URL section in the man page for the “curl” command?
    ■ RFC #:
    ■ RFC Brief Description:

● The following command will make a connection to the given FQDN / website, similar to what happens behind the scenes when you use a browser like Chrome or Firefox.
● Enter the command: “curl -v -4 www.cmu.edu” - but replace “www.cmu.edu” with the assigned FQDN from the above table.
  ○ Question: What IP address was returned/displayed (Connected to… on port 80)?
    ■ .
  ○ Question: What “Server:” info and version was returned?
    ■ .
  ○ Question: What is the purpose of the “-4” flag/parameter on the above “curl” command?
    ■ .
  ○ Question: On the line “HTTP/1.1” - what three-digit HTTP status code and description was returned in the output?
    ■ Code:
    ■ Description:
  ○ Question: Please complete the below chart (please consult Wikipedia - “List of HTTP status codes”).

HTTP status code level/tier | Description | Choose a specific example of a response code number for each tier and identify it, and describe it below
--------------------------- | ----------- | -------------------------------------------------------------------------------------------------------
1xx                         |             |
2xx                         |             |
3xx                         |             |
4xx                         |             |
5xx                         |             |

● Congratulations. By running the above curl command, you have made at least two entry types (dns & http) in the Suricata IDS logs.

● Enter the command: “cat /var/log/suricata/eve.json | jq '.|.event_type' | sort | uniq -c | sort -rn”
  ○ Question: What alert types were displayed?
  ○ Hint: There should be at least four (dns & http will be listed here)
    ■ .
    ■ .
    ■ .
    ■ .
● Let's choose the event_type “dns” to see what entries were logged.
● Enter the command: “cat /var/log/suricata/eve.json | jq 'select (.event_type == "dns")'”
● Note: This will give you more entries than you care to read.
● Let's choose event_type “dns” specifically for your FQDN:
● Enter the below command (replace www.cmu.edu with your assigned FQDN):
● “cat /var/log/suricata/eve.json | jq 'select (.event_type == "dns" and .dns.rrname == "www.cmu.edu")'”
  ○ Question: At least one JSON entry will be returned, but likely there will be multiple. Please review the last JSON key/value pairs displayed to the screen and complete the following table.

key        | value
---------- | -----
src_ip     |
src_port   |
dst_ip     |
dst_port   |
proto      |
dns.type   |
dns.rrname |
dns.rrtype |

  ○ Question: Why is the identified proto value “UDP”?
    ■ .
  ○ Challenge Question: What network direction (inbound or outbound) is the examined DNS record above describing, and what proves this fact based on the source and destination port numbers?
    ■ inbound or outbound?
    ■ explanation:

● Enter the below command (replace www.cmu.edu with your assigned FQDN):
● cat /var/log/suricata/eve.json | jq 'select (.event_type == "http" and .http.hostname == "www.cmu.edu")'
  ○ Question: At least one JSON entry will be returned, but likely there will be multiple. Please review the last JSON key/value pairs displayed to the screen and complete the following table.

key                  | value
-------------------- | -----
src_ip               |
src_port             |
dst_ip               |
dst_port             |
proto                |
http.hostname        |
http.http_user_agent |
http.http_method     |
http.http_status     |

  ○ Question: Why is the identified proto value “TCP”?
    ■ .
  ○ Question: Based on the returned HTTP status code above, what is the corresponding description for the specific HTTP code, as detailed in the (Wikipedia - “List of HTTP status codes”)?
    ■ .
  ○ Challenge Question: What network direction (inbound or outbound) is the examined HTTP record describing, and what proves this fact based on the source and destination port numbers?
    ■ inbound or outbound?
    ■ explanation:
  ○ Challenge Question: As discussed in class, what
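The jq pipelines above, reimplemented as an added Python example (not part of the lab handout) over a constructed eve.json sample: it counts event types, selects the dns and http records for the assigned FQDN, pulls out the key/value tables, and decides inbound vs. outbound from the port numbers alone. The sample events, addresses and ports are constructed; it uses Suricata's own field name http.status where the lab's table writes http.http_status.

```python
import json
from collections import Counter

# Constructed EVE JSON sample (one event per line), not real Suricata output.
# Field names follow Suricata's EVE schema; the HTTP status key is "status".
SAMPLE_EVE = """\
{"event_type":"dns","src_ip":"192.0.2.10","src_port":41234,"dst_ip":"192.0.2.53","dst_port":53,"proto":"UDP","dns":{"type":"query","rrname":"www.cmu.edu","rrtype":"A"}}
{"event_type":"dns","src_ip":"192.0.2.53","src_port":53,"dst_ip":"192.0.2.10","dst_port":41234,"proto":"UDP","dns":{"type":"answer","rrname":"www.cmu.edu","rrtype":"A"}}
{"event_type":"http","src_ip":"192.0.2.10","src_port":51822,"dst_ip":"198.51.100.7","dst_port":80,"proto":"TCP","http":{"hostname":"www.cmu.edu","http_user_agent":"curl/7.61.1","http_method":"GET","status":301}}
{"event_type":"flow","src_ip":"192.0.2.10","src_port":51822,"dst_ip":"198.51.100.7","dst_port":80,"proto":"TCP"}
{"event_type":"stats","stats":{"uptime":60}}
"""
DNS_KEYS = ["src_ip", "src_port", "dst_ip", "dst_port", "proto",
            "dns.type", "dns.rrname", "dns.rrtype"]
HTTP_KEYS = ["src_ip", "src_port", "dst_ip", "dst_port", "proto", "http.hostname",
             "http.http_user_agent", "http.http_method", "http.status"]

def load_events(text):
    """eve.json holds one JSON object per line; parse each non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def count_event_types(events):
    """Equivalent of: jq '.event_type' | sort | uniq -c | sort -rn"""
    return Counter(e["event_type"] for e in events).most_common()

def select_events(events, event_type, key, value):
    """Equivalent of: jq 'select(.event_type == T and .<T>.<key> == V)'"""
    return [e for e in events
            if e["event_type"] == event_type and e.get(event_type, {}).get(key) == value]

def table_fields(event, keys):
    """Pull the lab's key/value table out of one event; dotted keys descend into objects."""
    row = {}
    for key in keys:
        value = event
        for part in key.split("."):
            value = value.get(part) if isinstance(value, dict) else None
        row[key] = value
    return row

def direction(event):
    """Direction from ports alone: the side holding the well-known service port
    (53, 80, ...) is the server, the side with the ephemeral port is the client.
    The Linode host ran curl, so client-to-server packets are outbound."""
    src, dst = event.get("src_port", -1), event.get("dst_port", -1)
    if dst < 1024 <= src:
        return "outbound"
    if src < 1024 <= dst:
        return "inbound"
    return "undetermined"
```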
Oct 23, 2020