So, again, this I want: we all know this, that even without the internet we have to worry about, in the LAN itself, spoofing of IP addresses, wrong addresses, wireless access, anybody can come and start. What is the static MAC-IP mapping? This is important. So you are in hostel 6, 10.6; one solution is to allow them to use any address 10.6.x.y from their room. Is that a good or a bad thing? Bad thing, because he can make it look like his friend's PC caused that attack. So in this room, if he is using a PC, the wire has to come in; that wire, the switch can be told: do not accept any packets which are masqueraded. Have you seen software, or have you been asked to use software, which will fake a MAC address, which will fake an IP address? So all these packets are software generated, right? What you put as the address, what you put as the thing, is in the control of the kernel-level software, and tools are available to make your machine send out a packet whose MAC address is some other thing, whose IP address is some other thing.

Now one level, one sensible defense will be that at the very first point, where is the very first point, this can be detected and blocked: the switch connecting that hostel room, the lowest leaf. The hostel room has a connection to that switch. If you buy a very old and cheaper switch with no control, then you are in trouble; you have to do it at the next level. But today almost every switch, even at that level, affordable switches, have what is called static MAC-IP binding: that on this port only this MAC can be used and only this IP can be used, at that switch port. Is this a good thing or a bad thing? From a security perspective it is a good thing; from an administration perspective, why is it a bad thing?

Now you buy some new machine, it changes the network card. So is there a via media? So I am not going to give you the answer, because for security, if you make everything a nightmare, then one solution is this: that you should fill in and replicate the new IP, the new MAC, okay, and you should submit one application to the hostel warden, one to the main building, one to the director's office, and then the signatures will be taken, and after two months he will be told, use this IP, and all these papers will be filed for 10 years; everybody in triplicate is giving paper applications. Is that the way? That is the way of the Indian economy long back, it seems. Again, this is, sorry, but the last joke, I won't crack jokes anymore. Nehru was asked, why are you doing this, why are you asking people to submit forms in triplicate to different places? How else, how else will I employ so many people? Government has to employ people, right? So he was trying to do job creation instead of giving service delivery.

So if CC says security is an issue, therefore (CC means computer center), then what will happen? CC will be the most disliked unit in the campus, and do you want to be disliked? You're the sysad now, right? I told you to think you're a sysad. Do you want to be disliked by your users? No. So what is the via media? A user can online make a request; software can be written that if he tries with a new IP, he'll be redirected to a website which will say, are you this user, login, give your credentials; approval will be done, sometimes approval is automatic, and then monitoring of that port happens for the next three days; something unusual, we block it. Think: very sophisticated solutions can be done, which makes it a matter of, provided there is a centralized authentication system. All of us, all of us have that, right? We need that; students need that, faculty need that. So I just did it; I don't know how many of you came early enough to use the internet from this room; I had to give my LDAP ID. If you have now a mobile phone with smart, you might get
into the wireless; even that, you need a name and password; beyond that also you need a name and password. Why do you need that? Same reason. Okay, but if I have the name and password, I have to fill three forms? So I can go anywhere in campus with this laptop and connect and get redirected, and similarly they can do, but it gives control: it is recorded, anomalies are detected. If somebody is changing IP address 10 times in two weeks, a flag goes up, SMS alerts, email, sysad, hostel sysad is asked to explain, a check is done. It is not enough to put all these mechanisms in place; what is more important, it is not enough to have power, you must show that power. Once a week you must go and actually ask a student why he did it. Then what is the message? That you said, you know, it is, you know, it is not a wrong thing, yet you go and ask why, to demonstrate to them that you have the ability to find out. If you cannot demonstrate the power... sorry, okay, I don't want to talk like that, but this is important. All I'm telling you is: technical is 70% of the solution; the remaining, the most important 30%, is thinking through your strategy and response, how you react, how you project that CC knows, that the head of CC knows, the director will know. So once the students know that you know, then the behavior is very different. Suppose you put a video camera; the number of banana skins that are thrown in the mess here and there will reduce. Nobody needs to see the video; the video can be /dev/null, but the very fact that it can be seen, and you can be seen throwing this, and it can be used to name and shame. Should you do it or not? Don't ask me, okay, that's a different issue. All I'm saying is that do not just think solutions are out of the box; like I said, not push button. Everything has to have a policy, everything has to have a buy-in. Buy-in means what? Students should know this is the policy; they should be told why they are being asked; it is not an arbitrary, ad hoc exercise of power; it is something which will keep the whole system hygiene, it's
normal hygiene. So that is what this lecture is about. I hope, even if I cannot communicate all the technical parts, I want that 30% to be something which you all agree: that if you are going to make your campus network secure, you have to think through beforehand the policies, what information you need, why you need it; tell the users, have it written down, have it agreed and executed, okay, not arbitrary. So this is what is the thing: good LAN design.

So again, I'm just naming some of the software; some of this has upgraded now. djbdns was five, six years back; now it's tinydns, something to run our name server. Then OpenLDAP; we still use ClamAV antivirus; we use a firewall; Squid is one of the best proxy softwares; email, qmail has given way to Postfix today, okay; newsgroups, web proxy, Apache is our web server, and so on. So this is something now I can go a little faster, because I have already told you most of this: that we have many subnets, we have so many nodes, all private addresses; it is not four; WAN subnets, so there are three WAN links. Now I'll show you the next, and iptables is the focus of the next 10 minutes: that I want to now control who, out of these 5000 users, can do what. Can I set up a web server in my hostel and publish the URL to the whole world, so that somebody can see www.h6.itb.ac.in? It's not automatic to do that; we need to have a policy, a method and all that, and for that we have to change our iptables rules. What you said, that it should resolve to the same IP, and that IP should be the firewall NATting, or a virtual host reverse proxying, and that permissions and policies have to be in place; and we need many policies: which server should be allowed, people can access from outside which, so from inside which, you can go to what, you can go to, and all that. And the last bullet is why I spent the last five minutes: that if you don't make a good policy, and if the policy is not having the buy-in from the users, it is unlikely to work, despite the best tools, okay. So we should
do both. So iptables is the next 10, 15 minutes; it's an important component. Again, I do not expect that you should understand iptables fully at the end; even more important, you should not understand iptables, because the next one is already on the way: it's called nftables, nf_tables; netfilter is the bigger project, and iptables has made a mark for itself as a free, open-source, stateful firewall doing many interesting things, but iptables is too complex, and its design is not the best in terms of performance also, so its successor, which is compatible with iptables, is already on the way, January 2014. So those who do not want to learn old technology can directly go to, if you have not seen iptables before, go directly to nftables, okay. But it's not too hard; it's not like rocket science or anything. But let's just stay with iptables. It's an implementation of a firewall in Linux; it is a packet-filtering router; it's called netfilter and all that; and it can filter on many parts of the packet. The Wireshark you saw, no? There are many different parts of the packet; we can configure it to allow, disallow, rate limit and so many good things, and it has to protect, regulate traffic, and it can provide screening of the packets and so on. More important, it can log. What is log? The second part I said, right: you want to know if somebody from China is scanning your network; you want to know if somebody from the hostel is trying something else, from the internal firewall. Log means what? Write that information somewhere, you know; it's not enough to stop. If the security guard at IIT Bombay's gate is seeing, you know, every day hundreds of a certain type of, you know, suspicious persons coming, and he's turning them away, and he's doing this every day and keeps quiet, is that good? What is the next step? It's called escalation. He has to report it to somebody; somebody has to say why, find out. You don't want to keep doing this every day; you want to find out why that is happening and prevent it, right? That is what the
logging means, and iptables allows you to log. If you log everything, please remember how much data, how many packets. So iptables allows this intelligent: if you match a particular pattern, that's what is meant there, full matching, only the events of interest I want to log. I don't want to log things that say this fellow came, Google sent a mail, your Gmail sent a 10 MB mail, at that 5000 packets, all that I don't want. So suspicious: what is suspicious, how to classify that, how to put those filters, all that is again possible, full control with the user.

So basically iptables works this way: that we have a rule chain, and when a packet comes on one interface (iptables can work even on a single machine, single desktop with a single card), when a packet comes, we can still block it if somebody is trying to do bad things to our computer; I'm not a router. Similarly, packets leaving also I can block. Why should I block packets leaving? If a botnet, a bot, has infected my computer, what will it try to do? It'll try to connect to some vague IP on some vague port so that it can get its commands and then do damage. It normally won't do damage to me. Why will it not do damage to me? It's like a parasite: if the host dies, the parasite also dies, so the host should not die, okay. But it'll use the channel without my knowledge; if it's trying to establish connections back, including MS Exchange, then I need to be able to, using iptables, block it and not allow it, even for a single machine. But here we are going to look at routers, okay. And every packet is matched from the top with all the rules; the first rule that matches, its action will be taken, and suppose the action says over, then over; otherwise next rule, next rule, like that. So there are different types of actions: if the action is simply log, then it's not over, then you have to continue; something suspicious, log it and continue; but if it's something like reject, reject, don't continue. So there are many rules we can write for processing a packet, and the rules are straight from
the top, okay. This is where the complexity comes: people write the rules in the wrong order and it doesn't work the way they want, okay. So the next, the three functionalities that are very important, and I'll explain this, not the second half of packet mangling: what is destination NAT? So I want to send the packet out after changing the destination IP. Give me an example of when that will happen. The website we host, that I said, that fellow sending an HTTP request: I am not the server, so he sends with my address as the destination; I change it to the CSE server's address and send it inside. When the reply comes, this is the state that I have to maintain: I have to keep that information, for who made it, what change, on which port, and when the reply comes I have to put it back. What is source NATting? When I send from my browser a request to atlas.arbor or whatever, from 10.0, 10.5, 10.something, I can't send this packet out, so that guy has to change it to his public IP, send it; when the reply comes, change it back. That is source NATting. And the third one is connection tracking: that if you keep doing this for every packet, no, but if you know this is part of an existing TCP connection (how do you identify a TCP connection? source IP, destination IP, source port, destination port), so if in your tables this connection is already on, then I don't have to check the rules all over again; I just follow what I was doing. So the table says it is still alive, states and expectations; so we can do interesting things. And this again is important in some sense, but maybe after this I will, like, not explain less, but this, there are many more slides, but this, what I will explain: this is your computer, and your computer can either receive packets from the network or send packets to the network. So the local process in my computer, it can be an HTTP process, it can be a mail process, can send a packet. So which chain of rules is used? Output chain. The process on my computer is sending a packet and it has to go to the
internet, then I use the rules which are called output chain rules. The forward chain rules is that I am getting a packet on the network; look at the top, a packet is coming to me; I have to decide, is that packet for an application on my OS? Is the packet for my IP? If it is, it should go to the input chain, whether it should be given to my HTTP process. If it is not for my IP, then I should go to routing; that means I may be acting like a router, like the internal firewall or the residential net firewall; so the packets are not for me; the packet is coming from Shiva's house and it is going to CSE department, so I have to decide whether to forward or not, and I can now configure that Shiva's house can only talk to CSE department; if I try to connect to EE department, the packet will be dropped. In the forward chain I can put rules: source address 10.161 can only reach destination 10.105, so if I try to reach any other destination... Why would you do that? If you don't like faculty and don't want to give them a lot of access, configure it in a very default-deny way; give them only the minimum. You want internet at home? They will say, I want to go to Google, so give them only Google. What is this policy called? I'm going to explain that; so this is what is called policy, policy, policy, policy; that will keep coming.

So you understood the three tables: that when you set up iptables on any machine there are three tables. One is the output chain rules, for packets originating from that machine and going out; next is input chain rules, for packets coming to that machine; third one is forward. Now if you are a single machine you want forward, but if you are having multiple cards then you may act like a router: take packets from here, put it there, take packets from there; routers use the forward chain. And then there is pre-routing, post-routing: some decisions are made before routing, some decisions are made after routing; not all that. So the example is here: I said that if from home I try to connect to EE department, the
forward rules can say drop it, -j REJECT; that means no more rules will be used. I can explicitly reject; I can explicitly accept if it is going to the right IP. Of course you don't want to put so many rules for every pair; you don't want to put, you want to use wildcards, regular expressions, patterns; I am just explaining. You can accept the packet and send it further. So this is what is important: that when you do that, first you have to enable the forwarding if you are acting as a router, and then you have to flush all the rules, and then, this is important, if you are acting as a router and you are having two cards, then you have to give what is called a default policy. What is the last rule? First rule, second rule, third rule, fourth rule, fifth rule, none of the rules apply, then what should I do? So default can be, so this is, forget iptables, in general, default accept or default deny. Which is good? Default deny if you want to be very secure; default accept if you want to provide services and block only the bad guys. Default accept is: I know what is bad, I will block it; but if you don't know what all is bad, something else could be bad. If I say I know what is good, I'll allow only the good, then it is default deny; if you'll block only the bad, it is default accept. So neither one is the best, but the safer policy is default deny: just deny that, if you don't know, and it's an unknown connection, unknown packet, drop it; you're safer, but you may be causing inconvenience to the users; it may be harmless. So that is policy.

So let me now go a little bit faster in the interest of time. You can do source NATting like this, so you don't have to do all these lines in the command line; I've typed it in the command line: -t nat POSTROUTING, eth0, if the source is this, source NAT to this; this is my residential address, you change the source to the department address, and so on, so forth, so that the reply can come. When I try to connect to my department server 10.105, it should know how to reply, okay; so it may
not have a route to this other subnet, so I do NATting, okay. So this type of rules can be put in a file, can be put in the right order, and the rules can be read in a batch, and there are front ends to make these rules. What are the front ends? You click, you put, type, you put, then the rule is generated for you. So those front ends are not something you should learn right now, okay; right now in the lab and so on, when you do the experiment, when you go home, you should actually try out the syntax, read the pages; later on use all those easy tools, okay, which will act as preprocessor and postprocessor. So this one says accept all established connections, and again let me skip this: you can allow HTTP, you can allow SSH, you can, all other protocols you can drop. And in this page I want you to focus on the last rule; this is important. So the protocol is TCP, and what is this? SYN means what? SYN flag is set means what? It is trying to establish a new connection, yes. And what does this say, --limit? It could have been one per second, okay, or two per minute. What are we trying to say? That if somebody is trying to connect to my server, do not allow more than 10 per second. Why 10 per second? Even email, no, I told you 50,000 messages; you can do the arithmetic and so on: 6 lakh mails, 10, how many per minute, how many per hour, how many per second. So you don't want to be blocking unnecessarily; you have to calculate that number and adjust it depending on what is allowed, and if it is not critical services like mail and so on, you can afford to be very, you know, one per minute is enough. If a student is wanting to see some page, why should he see it more than once a minute, okay? So you can choose, but this is called rate limiting, and why is it important? It makes attack much harder, denial of service attack in the first place, okay. Half-open connections, do you know? I send a SYN, I don't send the ACK, I don't send there again the ACK; that means the other machine is using some resources to process my
connection. So again, so this is what iptables; I hope you got a brief flavor that we can take a machine and we can achieve: allow only some services, allow new connections only from some places, at the TCP layer you can, port scans, spoofs; I can't, from my house, fake an IP and send an IP which is some other department's IP, because the firewall will drop it, okay. So spoofing, everything is reduced if you are able to segment your network and in the routers, and this is strongly encouraged in your campus. I am not saying don't buy commercial routers; you don't need is all I'm saying; you can use a normal Linux box with 2 gigabit Ethernet cards and it will perform like this, okay, and you can configure iptables much more flexibly. Commercial products also are there, boxes like this, which also have iptables, where you can go and similar rules you can set up. So when we teach students we are going to teach them only iptables; it's just a firewall with source NAT, destination NAT, rate control, limiting, and most firewalls support features like this. So this is how we bring in some level of security. And the last slide on iptables is simply to tell you that DNS queries for IIT Bombay which are coming from outside come on the UDP port, destination port 53, or TCP port, and we NAT it, set it to the internal server, allow the responses to go back, so that people outside can resolve IP addresses. We internally use only, even in the demilitarized zone we use only 10-dot addresses; the 101, or the public IP addresses, are used only in the firewall, external firewall. So we have full control over, full control unless iptables itself has a bug and so on, so forth, and we have a little bit more confidence that only what we want is coming, what we don't want is not coming.

Now similarly, and I think I will probably go a little faster on this, how we receive mail. I just want to say one important thing for outgoing mail; so this is important; again I'm not going to say how you fix it. What's an open relay? If I'm a spammer
and I want to send a phishing email, where do I want to send it from? So, not my own account, okay. If I can find a mail server which is wrongly configured to act as a relay, that I connect to IIT Bombay's mail server and ask it to send mail to Gmail; IIT Bombay's mail server should never do that, right? Why should you allow somebody in Germany to send mail to you and then pass it to Gmail? Because then he can fake his source IP, and Gmail will think it came from IIT Bombay; and forget Gmail, some US government, White House; so when they're in their logs, the mail has come from us, so they will now investigate here; we can of course later on prove that we are not guilty or so on, so forth, but it becomes one more level of safety for him, and an open relay is doing no good for you. So you have to make sure that your mail is not being misused by spammers.

And this is even more important; this is something very few people do; it has a slight negative, but the advantages outweigh the disadvantages; it's called Sender Policy Framework. That, what is my email ID? sivad@itb.ac.in. Suppose somebody in the US is using this in his access, from. Can you do that in your mail client? Can you put any from ID? You all use email, no? Let me tell you, you can, okay. You can say from sivad ID; you're not Siva, you're sitting in America, you're a student in a university there, Purdue University, and you say from sivad@itb.ac.in. You can use the basic SMTP protocol, telnet, this thing, okay, and you can now. And if our domain has sent this sender policy framework, and the receiver is noticing this, that in our MX records we say please use sender policy; sender policy is that itb.email, any email which claims to be from the domain itb.ac.in can only come from these 3 addresses, which is our mail relay. So even if I'm abroad and I want to send mail, I must use our mail relay and send mail if I want to use the address; otherwise the other fellow will drop it; he'll say this is spam mail, this is a fake mail, okay. So don't worry, just go and search for this,
SPF, Sender Policy Framework; you will learn a little bit more. Those who want their email to protect their users from your email ID being misused by others outside, then you can set this up, okay.

So now the last part; the hours are long. So I gave a flavor of iptables, a flavor of how to set up services, how to be secure. Now what I said: it's not enough to set it up. Na kūpakhananaṃ yuktaṃ pradīpte vahninā gṛhe: when your house is burning, then you don't go and dig a well; you run, okay. When do you dig a well? Beforehand. It's not a joke: the fire department refused to give permission for the faculty flats; 60 flats were ready in October, and people could move in only in May, because they came and inspected and they found that there is no water source in case there is a fire. They insisted that you go nearby, make this underground tank, have a facility to fill it, and check it; then only they gave clearance for occupation. Exactly what this Sanskrit poem is saying, okay. Similarly, when you set up all these services, if I were director of IIT Bombay, and I hope I never become, then I would not allow us to do mail unless the sysad tells me that he has this log analysis, that he knows how many mails are coming, how many mails are going, that he can find out. If he does not give me the guarantee, I'll say don't do mail. Why will I say don't do mail? Because I don't want CBI to come here and say that one of your students sent a threat mail to Obama and therefore he should be arrested. It is my responsibility that my student should not be arrested; therefore I should also take due diligence to ensure that these things are not easy for him to do, and if he does it beyond that, then he deserves, let him be arrested. So if these precautionary measures are not in place, I am as much to blame as the student. That is the role I think some of us take; we are not so anti-student, so we try to make it harder for them to do crimes. So that is what this is: that security should not be an afterthought, and therefore in the next five
minutes let me tell you that you should build what is called centralized log management. So IIT Bombay's motto is jñānaṃ, have you seen in that arch, jñānaṃ paramaṃ dhyeyam; what does it mean? Knowledge is supreme. So in different contexts it is interpreted differently: it cannot be stolen, thieves cannot do it, your brother will not ask for an inheritance share, okay, give me 50%; my father's knowledge should come to me, like that it doesn't come, okay. So knowledge is, by you have to learn, you have to do, but it cannot be. So it is important, and here what is knowledge in this context? What I said: information about what is happening on your network. And I just randomly wrote some questions, so if you are the sysad and wearing the sysad hat, you must answer this: how much traffic came, anything abnormal, how many emails came, what are the top ten senders, is anyone trying to spam from China, Pakistan, how much bandwidth is used for browsing, what are the top domains my students are browsing. If I were director, I would simply ask these questions; do I need to know anything about iptables or syslog? Nothing. I should just call the sysad once a month and say, please tell me all this, tell me tomorrow morning; if you cannot, please find another sysad, or give him assistance, give him help, okay. So it depends, because today you can't find sysads, or tomorrow, or actually today: how many of you are aware, is our M.Tech admissions for the three-year M.Tech, what they are called, RAs? You know about that: there are some who get in directly through GATE in the two-year program, and there is this, today is a big mela, about 200 students who are just below the GATE cutoff are called for an interview, and 20 of them will be appointed as RAs, and many of them, 10 of them, will become sysads for the next three years; first year will be on-the-job training by their seniors, second year and third year. Some of the TAs are in the lab for you in the afternoon, I mean not today afternoon, it is lectures; they are going to set up and help us administer the
network, so that in some way that model works: that trust some of the senior students, give them some power with some accountability, and allow them to do whatever I am going to say, and they help the sysad to answer all these questions regularly. Now this is only step one: if you answer tomorrow, I will give you a pass mark, 40 out of 100. When will I give you A plus? You react when the thing happens and an SMS comes to you. You are just sitting nicely enjoying coffee; you are not clicking, clicking, clicking. That is not good work, that is not smart work: go to that, click, watch, go to that, click, watch, that is not a smart sysad. What is a smart sysad? Usually drinking coffee; suddenly an SMS comes that a service is being attacked; he reacts. So that is where we want to go; that is the OSSEC in tomorrow's lab, that we set up the system so that they trigger these issues. Now if alerts like this come five times a day and only one of them is serious, it is not wrong, okay; the other four I can ignore, but I need those alerts. So it is called false positives; some false positives will be there; it is better to be safe than sorry. So today, right now, in the next few minutes, I will only show some static reports: that at least keep your logs, analyze them and learn something from them; but the dynamic reports are much harder, and that could be... I am just naming some software that we use; I will show some more details. How is the network doing? We use MRTG and Smokeping and so on. Are our services up? We use some software called Nagios. All of these are open source, free, installable by you and so on. Then log analysis tools and so on; I will show you some of that. So here is information about IITB WAN links: Vodafone 650 Mbps. I told you in the introduction remark that 64 kbps; so 650 Mbps means what?
one of our van links is 10,000 times more bandwidth than what we had so professor Deepan Ghosh was a physics professor who was head of computer center he took us from 64 kbps to 2 mbps then when I was head of computer center it became from 2 to 16 he said you have done only 8 times look at what I did you cannot match me okay it is like Newton and Ramanujam all the easy stuff they did and got all the awards okay now we have to do much harder work to become famous so this is like one gbps nkn what is the usage is this enough just to see the graph this is yesterday's graph I can show you live also but I don't want to waste time you can have a daily graph and for those who can't see when is the maximum traffic just before midnight why does it fall at midnight our hostels we disabled the land at midnight for 5 hours why do we disabled the land so that they can sleep and come to class do they come to class no all that you ask me in open session but they find ways around and all that but still it pattern is predictable and that is happening every day midnight it will drop and that will happen if you see the weekly graph if you see the monthly graph now seeing this graph and trying to see anomaly is very difficult right microscope put up that is not the way so it has some software should be seeing this not us but seeing this gives us some comfort you know some major problems can be viewed and you can see the monthly graph also yearly graph however much bandwidth you have usage expands to fill it so this is one of the links 650 mvp what is what is coming so mvm director I am going to ask why what is the blue line and green line how much it has going out of IT Bombay can you see it is remaining very low why is it very low so if I am director and I am showing this graph I will ask this at first this question what is green what is blue so you will say green is data coming into IT blue is data going out of IT so what will I say why nobody wants our data my faculty are not 
publishing papers there are no videos here how many of you have come to IT Bombay website before how many of you have gone to MIT so you will say show me the comparison yes director only has to ask questions he is only a director he does not have to do anything I hope he is not listening anyway so this is the sort of just getting this information and showing it allows many people from different perspectives to ask different questions and asking questions is important hiding is not a good policy at all to remain head of the computer center with everybody cursing you or you can make this information public and get cost improvement and show the curve and show and tell I know who is using I know why it has gone up I know what is coming in I know how our students are benefitting this is something that you have to do accountability why are you paying so much for this bandwidth can I cut down the bandwidth to half all that can only come if this is next quickly this is my web server that is called and red light means something is wrong but still I have to see it if I do not see the screen then naegios is configured to send mail now naegios can be configured to send an sms why sms is better because usually our mobile comes then we look at it sms that is how you should configure it is just watching are the services up if something seems abnormal it will send you that alerts then this is january 2003 mail statistics I use some software then now I am using in your lab tomorrow you will use a different software called pflogs summary postpixlogs summary and it will give you information like this that 34,000 mails came 534 MB outgoing was 17,000 mails and even here even as a human you can see and you can verify this 27 21 later weekends were slightly less number of mails going out people were not working sort of validates common sense reasoning but I want more I want to know who are the top 25 senders I can show you all this because it is 2003 so the RTI information I mean 
privacy loss, hopefully no longer holds, or probably the students have left, so they won't sue me. That fellow sent this many mails, this much volume. So you must first... this is the first level of analysis. Second level: the other script should run, and if anybody sends more than 100 mails you should get a polite mail: if it is academic usage please continue, otherwise please stop; this is an automated mail. If this happens 10 times, then the head of CC will be asked to look into it. That's all the mail says. So if you are a genuine user, will you worry about this mail? Will you complain? You will just ignore it. If you are a bad user, will you do that? No. It is not enough to know; you must show that you know. So the bad user one day sends 500 mails and nothing happens; the next day he gets this polite love letter. Then what does he do? Hopefully most of them will reduce. Then you can tackle the hard cases; the hard-end criminals can be tackled once you have it so clear. That is the next step; that is where AWStats starts. In tomorrow's lab you will do real-time monitoring analysis in the morning: sending this thing, mail service statistics, how many interesting viruses and so on and so forth, how many scans, what mails are read, the virus count and all that. Similarly the web proxy: who came to our site, from where they came, which pages they saw, which country they came from. And the top seems to be unknown, next is US commercial, then network, then US educational, then India, then Canada. So you can try to find out who is coming to my site and why they are coming. At Bombay you would like to know: is this the press coming? Can I find out? So they will ask the sysad to find out if the press is coming, so you need to know how to do that.

So, to know how to do that, this is the very last part that you need, what is called rsyslog. Rsyslog means: if you have in the DMZ, you saw how many machines were drawn there, load balancer, this firewall, iptables; if each of them is having logs and you have to log into each machine, run scripts, collect, then
that is not good. What do you want? One machine. All these other machines should be doing their normal job; they should be reporting to this one guy. That is rsyslog, remote syslog. He should be receiving all these messages and filing them and archiving them. So we want to look in one place using one set of tools, we want to archive logs, we want to generate alerts, we want to verify trends, and we want to do this open source. So rsync, sorry, rsyslog is the thing for this, and you can run it on a server and it can scale like anything: it can get 1 million messages a second and store them without any problem on a normal x86 box, an Intel box with 2 GB RAM. You need a lot of hard disk of course, and I will show you that. And these are again syntax, do not worry: what to allow, whom to allow, which type of messages to accept, from which IPs to accept. Again, security, this is important, that our proxy server... I will just explain these two things. The template says store that in the log disk, squid log files; %year% here means 2014, %month% means 05, and so on and so forth, and below that, day, squid access log, day. This is another template: squid access log 407 means denied, TCP denied. Filter those messages; what this script is doing is that if the log message says denied, put it in a separate file; if it says accept, put it in another file. We have two files. Why? Because there are so many denied messages, we want to process them separately; accept messages we want to process separately, and we want to rotate. Why are we using the year, month, day and all that time? Because we want to archive it for 1 year, 2 years. So what are we doing? Do not worry about the exact syntax. You can do this: you can go to one machine and in the log disk you can see there is an authentic DHCP log, there is an IMAP log, there is an LDAP log, there is a mail log for external, there is a mail log for internal, there is a mail log for outgoing SMTP auth, there is a squid log; the squid log is the proxy server log. So let us go one more level. In squid logs, if you go further, these are
the type of files you see. Can you see the size of this file? Yesterday's, third line from the top, it is 5 GB compressed logs; 5232841291 is the compressed log for 2014 May 17. This is not the denied logs; the denied is the one with the 407. Actually denied is bigger, sorry: denied is the one which is 5 GB, and 1.3... sorry, the 158 MB is the non-denied. So what does denied mean? Your access control prevented that request from going, and very often it is because the guy didn't authenticate. Very often most people have a virus or a worm in their machine and it tries to go out through our proxy server, and they bombard the proxy server. So if I were the sysad I would analyze this: why is it happening, on which machine is it happening, virus infected, remove it, and so on and so forth.

So this is the last slide. In tomorrow's lab, I told you, iptables and rsyslog can be done only by sysads who are controlling the entire network. In a lab of yours you can set up an experiment; you can ask your students to install all this. But what we are going to ask you to do tomorrow, and that's for tomorrow morning's lab, is use two tools, AWStats and OSSEC. AWStats is for the centralized log analysis with a focus on security; OSSEC is a real-time, reactive host intrusion detection system. And here let me just tell you something about log analysis, one thing: what is integrity checking? I am the mail server or I am the web server of IIT Bombay; who is accessing me, what data, that is one type of information. If somebody corrupts my web page, what is the meaning of corrupting my web page? Modifying it by saying some bad things about me, or adding more data, or changing the files. How will I know? That's called integrity analysis. So you need to know whether any of your important data or files have changed: is it an authorized change or an unauthorized change? That's called integrity: MD5, some hashing, checking the file content. Similarly processes: processes that should never run on this machine, are they running? If this process ever runs, let me know. You can't remove that
process, but if it runs you should know. So this is always... so I will stop here.
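Here is an added example, not part of the lecture or its slides, of doing in Python what the two rsyslog templates for the Squid logs do, followed by the analysis the lecturer says a sysad should do next: the 407 denied lines are kept apart from the accepted ones per day, and the clients generating the most denials are counted. The log lines and addresses are constructed, not real proxy data.

```python
"""Split Squid access.log lines into denied (HTTP 407) and accepted streams
per day, as the lecture's rsyslog templates do, then rank clients by denials.
Added example; the lines below are constructed, not real IIT Bombay logs."""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample in Squid's native access.log format:
# timestamp elapsed client action/status bytes method url user hierarchy type
SAMPLE_LOG = """\
1400313601.123    5 10.6.3.14 TCP_DENIED/407 3892 GET http://example.com/ - HIER_NONE/- text/html
1400313602.456  210 10.6.3.14 TCP_DENIED/407 3892 GET http://example.com/a - HIER_NONE/- text/html
1400313603.789  420 10.6.7.2 TCP_MISS/200 15320 GET http://example.com/b user1 HIER_DIRECT/93.184.216.34 text/html
1400313604.001    6 10.6.3.14 TCP_DENIED/407 3892 GET http://example.com/c - HIER_NONE/- text/html
1400400005.002    7 10.6.9.8 TCP_DENIED/407 3892 CONNECT example.com:443 - HIER_NONE/- -
1400400006.003  300 10.6.7.2 TCP_HIT/200 2048 GET http://example.com/d user1 HIER_NONE/- image/png
"""

def parse_line(line):
    """Return (day 'YYYY/MM/DD', client IP, HTTP status) for one native-format line."""
    fields = line.split()
    day = datetime.fromtimestamp(float(fields[0]), tz=timezone.utc).strftime("%Y/%m/%d")
    status = int(fields[3].split("/")[1])      # e.g. TCP_DENIED/407 -> 407
    return day, fields[2], status

def split_logs(text):
    """Bucket lines by day into 'denied' (407) and 'accepted' lists, mirroring
    the two templates: one file per day, denied traffic filed separately."""
    buckets = defaultdict(lambda: {"denied": [], "accepted": []})
    for line in text.splitlines():
        if not line.strip():
            continue
        day, _client, status = parse_line(line)
        buckets[day]["denied" if status == 407 else "accepted"].append(line)
    return buckets

def top_denied_clients(text, n=5):
    """Clients with the most 407s: a machine that keeps hitting the proxy
    unauthenticated is the first place to look for a worm or a broken agent."""
    counts = Counter()
    for line in text.splitlines():
        if line.strip():
            _day, client, status = parse_line(line)
            if status == 407:
                counts[client] += 1
    return counts.most_common(n)

if __name__ == "__main__":
    for day, b in sorted(split_logs(SAMPLE_LOG).items()):
        print(day, "denied:", len(b["denied"]), "accepted:", len(b["accepted"]))
    print(top_denied_clients(SAMPLE_LOG))
```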