Network Monitoring Techniques

Network Monitoring and Security

• A monitoring tool can be used to monitor remote hosts by periodically sending echo requests to them.
• It can also monitor the availability of a network link by querying network interfaces.

Cryptography and Keys

• An asymmetric key is a key used for both encryption and decryption that is generated in a pair.
• A symmetric key is a key used for encryption and decryption that is the same.

Host-Based Intrusion Detection (HID)

• A behavioral-based HID technique is an example of anomaly-based detection.
• HID can be used to monitor log files for failed login attempts in order to block traffic from offending network nodes.

Linux and File Management

• The setfacl command is used to set or modify ACL (Access Control List) permissions on a file.
• The setfattr command is used to set an extended attribute on a file in Linux.

Apache HTTPD and SSL

• The httpd-ssl.conf file is not the correct solution for enabling OCSP stapling in an Apache HTTPD configuration file.
• The SSLStrictSNIVHostCheck configuration option makes Apache HTTPD require a client certificate for authentication.

Database and NSS

• The shadow, passwd, and group databases can be used within a Name Service Switch (NSS) configuration file.

OpenSSL and Certificates

• The openssl s_client command can be used to specify the host name to use for TLS Server Name Indication (SNI).
• The subjectAltName parameter is used to add an X509v3 Subject Alternative Name extension to a certificate.

Security Threats and Vulnerabilities

• A buffer overflow is a type of software vulnerability.
• A Trojan is a type of malware that disguises itself as legitimate software.
• A rogue access point is an unauthorized access point that is set up to look like a legitimate one.

Linux Audit and AIDE

• The auditd command is used to manage the Linux Audit system.
• AIDE (Advanced Intrusion Detection Environment) is a tool used to detect malware on a Linux system.
• The ausearch command is used to provide searching and filtering of the audit log.

Package Management and Verification

• The RPM and DPKG package management tools can be used to verify the integrity of installed files on a Linux system.

Honeypot and DNS

• A honeypot is a network security tool designed to lure attackers into a trap.
• Recursive name servers are used to perform DNSSEC validation on behalf of clients.

FreeIPA and Active Directory

• The ipa trust-add command is used to establish a trust between a FreeIPA domain and an Active Directory domain.

ntop and Malware Detection

• The ntop command is used to set the administrator password for ntop.
• Linux Malware Detect is a tool used to detect malware on a Linux system.

Privilege Escalation and File Ownership

• Privilege escalation is the act of exploiting a bug or vulnerability to gain elevated access to a system or network.
• File ownership in Linux systems is used to restrict access to files, enable multiple users to access files simultaneously, and to ensure that files are backed up regularly.

Apache HTTPD and SSL/TLS

• The SSLVerifyClient configuration option is used to make Apache HTTPD require a client certificate for authentication.
• The dnssec-keygen command is used to generate DNSSEC keys.

DNS and DNSSEC

• The dnssec-signzone command is used to add DNSSEC records to a zone.
• The NSEC, NSEC3, and RRSIG DNS record types can be added to a zone using the dnssec-signzone command.

FreeRADIUS and Client Configuration

• The client configuration stanza is used to specify a client configuration for FreeRADIUS.
• The ipaddr and secret parameters are used to specify the IP address and password for a client configuration.

CA and Certificate Management

• A Root CA certificate is a self-signed certificate that does not include the private key of the CA.
• The Require valid-x509 configuration option is used to make Apache HTTPD require a client certificate for authentication.

HID and Security Best Practices

• A best practice for implementing HID is to configure it to alert security personnel of potential security incidents.
• HID should not be installed on every computer in the network, and should not be disabled when not actively monitoring for security incidents.

SELinux and Permissions

• SELinux permissions are related to standard Linux permissions in that they provide additional access controls for files and system resources.
• SELinux permissions can be used to restrict access to files and system resources, and to provide additional security features.

Network Monitoring

• ICMP echo requests are sent periodically to remote hosts to monitor their availability.
• Network links are monitored by querying network interfaces.

Cryptography

• Asymmetric keys are used for encryption and decryption, where one key is used for encryption and another key is used for decryption.
• These keys are generated in a pair.

Access Control

• SetUID allows a file to be executed with the permissions of the file owner.
• SetGID allows a file to be executed with the permissions of the group owner.

Database Configuration

• NSS (Name Service Switch) configuration files can contain database names such as shadow, passwd, and group.

OpenSSL

• The -servername parameter specifies the host name to use for TLS Server Name Indication.

Certificate Management

• A Certificate Authority (CA) issues and signs X.509 certificates.

Linux File System

• setfattr is used to set extended attributes on a file.
• getfattr is used to view the extended attributes of a file.

Linux Security

• Linux Audit system is used to monitor and track system events.
• auditd is the tool used to manage the Linux Audit system.

Denial of Service Attacks

• A buffer overflow is a type of software vulnerability.

System Hardening

• SELinux (Security-Enhanced Linux) is an access control model that enforces mandatory access control.

Network Scanning

• Nmap is used for network scanning, and techniques include Xmas Scan, Zero Scan, and FIN Scan.

Identity and Access Management

• FreeIPA is an identity management system.
• ipa user-add is the command used to add a new user to FreeIPA.

Man-in-the-Middle Attacks

• A man-in-the-middle attack intercepts communications between two parties to steal information.

OpenVPN

• openvpn is used to establish VPN connections.
• --mlock is an option used to ensure that ephemeral keys are not written to the swap space.

DNS Security

• DNSSEC uses RRSIG records to provide authentication and integrity.

Kerberos

• Kerberos is an authentication protocol used for secure authentication.

Linux Extended File Attributes

• Linux Extended File Attributes are organized in namespaces such as trusted, user, and security.

Snort Rules

• Snort is an intrusion detection system.
• Rules can be deactivated by placing a # in front of the rule and restarting Snort.

Certificate Management

• A Certificate Authority (CA) issues and signs X.509 certificates.

Linux System Security

• chkrootkit is a tool used to check for rootkits on a Linux system.

LUKS

• cryptsetup is used to manage LUKS devices.
• cryptsetup luksDelKey is used to delete a key from a LUKS device.

eCryptfs

• eCryptfs is a stacked cryptographic filesystem.
• eCryptfs can be used to encrypt directories that are the home directory of a regular Linux user.

LPIC-3 Security

• mount.cifs option uid=arg specifies the user that appears as the local owner of the files of a mounted CIFS share when the server does not provide ownership information.

Private Key Security

• Private keys should be created on the systems where they will be used and should never leave them.
• Private keys should have a sufficient length for the algorithm used for key generation.

DNSSEC

• NSEC3 prevents zone enumeration.

SELinux

• The command newrole is used to run a new shell for a user changing the SELinux context.

AIDE Configuration

• The file /etc/aide/aide.conf is used to configure AIDE.

ndpmon

• ndpmon monitors the network for neighbor discovery messages from new IPv6 hosts and routers.

PAM Module

• The PAM module pam_cracklib checks new passwords against dictionary words and enforces complexity.

TSIG

• TSIG signs DNS messages for secure communication.

IP Sets

• IP sets group together IP addresses that can be referenced by netfilter rules.

Extended Attributes

• Extended attributes in Linux store additional metadata about a file.

rkhunter Configuration

• The file /etc/rkhunter.conf is used to configure rkhunter.

TCP Packet Filtering

• The command iptables -A INPUT -d 10.142.232.1 -p tcp --dport 20:21 -j ACCEPT filters TCP packets.

getcifsacl

• The output of getcifsacl may include prefixes ACL, GROUP, and SID.

OpenVPN

• The option --tls-timeout 5 changes the timeout period for OpenVPN control packets.

File Permissions

• The Write permission bit allows a user to delete a file.

rkhunter

• rkhunter detects rootkits and other security threats.

Certificate Chain

• A certificate chain is a sequence of certificates used to verify the authenticity of a digital certificate.

IP Address Masquerading

• The command iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.0.2.11 changes the source IP address to 192.0.2.11 for all IPv4 packets that go through the network interface eth0.

FreeIPA Server

• The command ipa-server-install installs and configures a new FreeIPA server, including all sub-components, and creates a new FreeIPA domain.

OpenSSL

• The command openssl req -new -key private/keypair.pem -out req/csr.pem generates a certificate signing request (CSR) using the already existing private key.

Cryptography

• Cryptography is the art of sending secret messages.

HID

• HID monitors for unauthorized access attempts.

Ciphertext

• A ciphertext is the encrypted message.

Audit Rule

• The command auditctl -w /etc/firewall/rules -p rw -k firewall defines an audit rule that monitors read and write operations to the file /etc/firewall/rules and associates the rule with the name firewall.

Rootkit

• A rootkit is a type of malware that disguises itself as legitimate software.

ebtable Rules

• The command ebtables -t filter -L --Lc displays all ebtable rules contained in the table filter, including their packet and byte counters.

Plaintext

• A plaintext is the original message before encryption.

X.509 Certificate Transmission

• The protocol LDAP is commonly used to transmit X.509 certificates.

snort-stat

• The program snort-stat reads syslog files containing Snort information and generates port scan statistics.