SlideShare a Scribd company logo

Aws security with HIDS, OSSEC

Mayank Gaikwad
Mayank Gaikwad

Gives insight about HIDS implementation to secure your infrastructure.

Technology
1 of 29
Download to read offline
Securing AWS with HIDS Gaurav Harsola Mayank Gaikwad »
IDS  What ?  Why ?  How ?
Intrusion Detection System An IDS is a software application that monitors network or system activities for malicious activities.
An IDS is not a Firewall
NIDS and HIDS HIDS  A host-based intrusion detection system (HIDS) is a system that run on individual hosts and monitors a computer system  Detect an intrusion and/or misuse, and responds by logging the activity  It is an agent that monitors and analyzes whether anything or anyone, whether internal or external, has bypass the system’s security policy.  Tools like : Samhain, Ossec NIDS  NIDS is placed within the network to monitor traffic to and from all devices on network  NIDS scan all inbound and outbound traffic  NIDS tools operate by inspecting traffic that occurs between hosts. Various Tools like Snort, Suricata, Bro, Kismet
Available HIDS OSSEC: OpenSource Wazuh : OpenSource, Wrapper Over OSSEC with API, ELK, And Signature DB AlianVault: Licenced, USM (Unified Security Management) is based OSSEC MicroTrend: Licenced AlertLogic: Licenced,
OSSEC ? OSSEC is an Open Source Host-based Intrusion Detection System. Key Features:  Log analysis  File Integrity checking (Unix and Windows)  Registry Integrity checking (Windows)  Host-based anomaly detection (for Unix – rootkit detection)  Active response Ossec is mainly used for three things: See what is going on Stop brute-force attacks ( ftp, ssh, web )
Ossec Benefits  Open-Source  Log Analysis  Easy to install  Easy to customize (rules and config in XML format)  Scalable (client/server architecture)  High Availability (Can have multiple OSSEC Server)  Multi-Platform  Ossec comes with existing standard decoders /rules which analyse our logs like telnetd, Sudo, SSH, FTP etc  PCI DSS Compliance at some extent.
Ossec Agent/Server Flow
Ossec Internal Components Analysisd – Does all the analysis (main process) Remoted – Receives remote logs from agents Logcollector – Reads log files (syslog, Flat files, Windows event log, IIS, etc) Agentd – Forwards logs to the server Maild – Sends e-mail alerts Execd – Executes the active responses Monitord – Monitors agent status, compresses and signs log files, etc Integratord - Integrating OSSEC with Slack and PagerDuty Authd - Daemon will automatically add an agent to an OSSEC manager
Wazuh Wazuh, A wrapper over OSSEC that provide additonal fucntionality like Restful API, ELK integration.
Ossec Server/Client Installtion Firstly, Install necessary package required  sudo apt-get install gcc make git  sudo apt-get install libssl-dev After this clone our Github repository  mkdir ossec_tmp && cd ossec_tmp  git clone -b stable https://github.com/wazuh/ossec-wazuh.git  cd ossec-wazuh  sudo ./install.sh Choose server for server installation and agent for client installation when being asked about the installation type and answer the rest of questions as desired. Once installed, you can start your OSSEC manager running: sudo /var/ossec/bin/ossec-control start Check the service : ps aux |grep ossec
Connect Client with Server After Setting up agent we need to Connect it with OSSEC-Server . To make life easier, OSSEC added a new daemon on the server, called ossec-authd.  it is a daemon you run on the server when you deploy your agent;  it will populate your agents key;  when you have finished to deploy, you stop it. Once the keys are created, you can start the ossec-authd: /var/ossec/bin/ossec-authd -p 1515 Setting up the agents On the agents, the work is minimal. All you have to do is to run the following command: /var/ossec/bin/agent-auth -m <ServerIP> -p 1515 -A <agent-name> That’s it. The keys are now exchanged and you can start your agent. sudo /var/ossec/bin/ossec-control start
Sample of Alerts.json
Ossec Integration with ELK OSSEC HIDS integration with ELK Stack provides a real-time alerts managemnet console, as well as flexible way to store data for as long as needed.
Ossec Directory Structure
Internal log flow
Log pre-Decoding (1) Decoding of a SSHD message: After pre-Decoding by OSSEC? time/date -> Apr 14 17:32:06 hostname -> ubuntu program_name -> sshd log -> Accepted password for root from 192.168.2.190 port ...
Log Decoding (2) Process to identify key information from logs OSSEC comes with hundreds of decoders Generally we want to extract source ip, user name, id After Decode by OSSEC : time/date -> Apr 14 17:32:06 hostname -> ubuntu program_name -> sshd log -> Accepted password for root from 192.168.2.190 port srcip -> 192.168.2.190 user -> root
Writing decoders Writing a decoder. What it requires? sshd example: We want to extract the user name and source ip If program name was pre-decoded as sshd (remember predecoding?), try this regular expression
Log Rules Next step after decoding is to check the rules User-defined XML Very easy to write! Allows to match based on decoded information OSSEC comes with more than 400 rules by default! What it requires? A Rule id (any integer) A Level - from 0 (lowest) to 15 (highest) Level 0 is ignored, not alerted at all Pattern - anything from “regex” , to “srcip” , “id” , “user” , etc
Writing your own rules
PCI DSS  Payment Card industry Data Security Standard .  Visa, MasterCard and other card brands create common industry security requirements  Intended to protect cardholders data – wherever it resides  compliance is mandated for all organization handling credit card data  12 Steps that we need to take to achieve PCI DSS compliance are Firewall, password, storage, Encrypt, anti-virus, uniquid, track and monitor etc  OSSEC helps to implement PCI DSS by performing log analysis, file integrity checking, policy monitoring, intrusion detection, real-time alerting and active response.
Monitor AWS logs Cloudtrail pushes data to s3 bucket and then using python script we store that log on ossec server
Alerting and Notification Slack Integration: Integration of logs with slack and set alert level so that only particular message come in slack. <integration> <name>slack</name> <hook_url>https://hooks.slack.com/services/T0EV123BK/B1V3JHzUko97IdmCAl</hook_url> <level>7</level> </integration> Email Integration: Integration with Email .Send granule email alert based on the level/rulegroups/rule_id to different recipient. <email_alerts> <email_to>gaurav04@protonmail.com</email_to> <group>sql_injection|authentication_failed|authentication_failures</group> <level>6</level> <format>sms</format> </email_alerts>
HIDS Implementation Testing Tested FTP, SSH brute force attack using HYDRA as penetration testing tool. Example: hydra -L /home/ubuntu/user.txt -P /home/ubuntu/pwd.txt -s 22 <IP> <service- name> -L file which contain list of userName -P file which contain list of passWord service-name : it may be ssh,ftp,mysql,telnet -s port Number for service
Elasticsearch UI
Kibana UI
Thanks & Questions ?

Recommended

Implementing ossec
Implementing ossecImplementing ossec
Implementing ossecJeronimo Zucco
 
Advanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAdvanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAlienVault
 
Ossec Lightning
Ossec LightningOssec Lightning
Ossec Lightningwremes
 
IBM Security QRadar
IBM Security QRadar IBM Security QRadar
IBM Security QRadarVirginia Fernandez
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)k33a
 
Insight into SOAR
Insight into SOARInsight into SOAR
Insight into SOARDNIF
 
Elastic SIEM (Endpoint Security)
Elastic SIEM (Endpoint Security)Elastic SIEM (Endpoint Security)
Elastic SIEM (Endpoint Security)Kangaroot
 
Security Information Event Management - nullhyd
Security Information Event Management - nullhydSecurity Information Event Management - nullhyd
Security Information Event Management - nullhydn|u - The Open Security Community
 

Recommended

Implementing ossec
Implementing ossecImplementing ossec
Implementing ossecJeronimo Zucco
 
Advanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAdvanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAlienVault
 
Ossec Lightning
Ossec LightningOssec Lightning
Ossec Lightningwremes
 
IBM Security QRadar
IBM Security QRadar IBM Security QRadar
IBM Security QRadarVirginia Fernandez
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)k33a
 
Insight into SOAR
Insight into SOARInsight into SOAR
Insight into SOARDNIF
 
Elastic SIEM (Endpoint Security)
Elastic SIEM (Endpoint Security)Elastic SIEM (Endpoint Security)
Elastic SIEM (Endpoint Security)Kangaroot
 
Security Information Event Management - nullhyd
Security Information Event Management - nullhydSecurity Information Event Management - nullhyd
Security Information Event Management - nullhydn|u - The Open Security Community
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM ArchitectureNishanth Kumar Pathi
 
Introduction to SIEM.pptx
Introduction to SIEM.pptxIntroduction to SIEM.pptx
Introduction to SIEM.pptxneoalt
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)Aj Maurya
 
Mod security
Mod securityMod security
Mod securityShruthi Kamath
 
CIS Security Benchmark
CIS Security BenchmarkCIS Security Benchmark
CIS Security BenchmarkRahul Khengare
 
Cloud Summit Canada com Rodrigo Montoro
Cloud Summit Canada com Rodrigo MontoroCloud Summit Canada com Rodrigo Montoro
Cloud Summit Canada com Rodrigo MontoroClavis Segurança da Informação
 
HTTP Security Headers
HTTP Security HeadersHTTP Security Headers
HTTP Security HeadersIsmael Goncalves
 
LDAP
LDAPLDAP
LDAPKhemnath Chauhan
 
Bulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat LandscapefinalBulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat LandscapefinalMahmoud Yassin
 
Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Ben Rothke
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with SnortNarudom Roongsiriwong, CISSP
 
Security Information and Event Managemen
Security Information and Event ManagemenSecurity Information and Event Managemen
Security Information and Event ManagemenS Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)Ahmed Ayman
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Log Yönetimi ve Saldırı Analizi Eğitimi - 2
Log Yönetimi ve Saldırı Analizi Eğitimi - 2Log Yönetimi ve Saldırı Analizi Eğitimi - 2
Log Yönetimi ve Saldırı Analizi Eğitimi - 2BGA Cyber Security
 
Blue Team
Blue TeamBlue Team
Blue TeamNull Bhubaneswar
 
Alienvault how to build a security operations center (on a budget) (2017, a...
Alienvault how to build a security operations center (on a budget) (2017, a...Alienvault how to build a security operations center (on a budget) (2017, a...
Alienvault how to build a security operations center (on a budget) (2017, a...Asep Syihabuddin
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Integrated Tools in OSSIM
Integrated Tools in OSSIMIntegrated Tools in OSSIM
Integrated Tools in OSSIMAlienVault
 
Security Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMESecurity Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMEAlienVault
 
3 Secrets to Becoming a Cloud Security Superhero - Session Sponsored by Trend...
3 Secrets to Becoming a Cloud Security Superhero - Session Sponsored by Trend...3 Secrets to Becoming a Cloud Security Superhero - Session Sponsored by Trend...
3 Secrets to Becoming a Cloud Security Superhero - Session Sponsored by Trend...Amazon Web Services
 
Neuigkeiten von DEPAROM & Co
Neuigkeiten von DEPAROM & CoNeuigkeiten von DEPAROM & Co
Neuigkeiten von DEPAROM & CoArne Krueger
 

More Related Content

What's hot

Introduction to SIEM.pptx
Introduction to SIEM.pptxIntroduction to SIEM.pptx
Introduction to SIEM.pptxneoalt
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)Aj Maurya
 
CIS Security Benchmark
CIS Security BenchmarkCIS Security Benchmark
CIS Security BenchmarkRahul Khengare
 
Bulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat LandscapefinalBulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat LandscapefinalMahmoud Yassin
 
Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Ben Rothke
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)Ahmed Ayman
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Log Yönetimi ve Saldırı Analizi Eğitimi - 2
Log Yönetimi ve Saldırı Analizi Eğitimi - 2Log Yönetimi ve Saldırı Analizi Eğitimi - 2
Log Yönetimi ve Saldırı Analizi Eğitimi - 2BGA Cyber Security
 
Alienvault how to build a security operations center (on a budget) (2017, a...
Alienvault how to build a security operations center (on a budget) (2017, a...Alienvault how to build a security operations center (on a budget) (2017, a...
Alienvault how to build a security operations center (on a budget) (2017, a...Asep Syihabuddin
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Integrated Tools in OSSIM
Integrated Tools in OSSIMIntegrated Tools in OSSIM
Integrated Tools in OSSIMAlienVault
 
Security Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMESecurity Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMEAlienVault
 

What's hot (20)

SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM Architecture
 
Introduction to SIEM.pptx
Introduction to SIEM.pptxIntroduction to SIEM.pptx
Introduction to SIEM.pptx
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)
 
Mod security
Mod securityMod security
Mod security
 
CIS Security Benchmark
CIS Security BenchmarkCIS Security Benchmark
CIS Security Benchmark
 
Cloud Summit Canada com Rodrigo Montoro
Cloud Summit Canada com Rodrigo MontoroCloud Summit Canada com Rodrigo Montoro
Cloud Summit Canada com Rodrigo Montoro
 
HTTP Security Headers
HTTP Security HeadersHTTP Security Headers
HTTP Security Headers
 
LDAP
LDAPLDAP
LDAP
 
Bulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat LandscapefinalBulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat Landscapefinal
 
Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with Snort
 
Security Information and Event Managemen
Security Information and Event ManagemenSecurity Information and Event Managemen
Security Information and Event Managemen
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
Log Yönetimi ve Saldırı Analizi Eğitimi - 2
Log Yönetimi ve Saldırı Analizi Eğitimi - 2Log Yönetimi ve Saldırı Analizi Eğitimi - 2
Log Yönetimi ve Saldırı Analizi Eğitimi - 2
 
Blue Team
Blue TeamBlue Team
Blue Team
 
Alienvault how to build a security operations center (on a budget) (2017, a...
Alienvault how to build a security operations center (on a budget) (2017, a...Alienvault how to build a security operations center (on a budget) (2017, a...
Alienvault how to build a security operations center (on a budget) (2017, a...
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Integrated Tools in OSSIM
Integrated Tools in OSSIMIntegrated Tools in OSSIM
Integrated Tools in OSSIM
 
Security Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMESecurity Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SME
 

Viewers also liked

3 Secrets to Becoming a Cloud Security Superhero - Session Sponsored by Trend...
3 Secrets to Becoming a Cloud Security Superhero - Session Sponsored by Trend...3 Secrets to Becoming a Cloud Security Superhero - Session Sponsored by Trend...
3 Secrets to Becoming a Cloud Security Superhero - Session Sponsored by Trend...Amazon Web Services
 
Neuigkeiten von DEPAROM & Co
Neuigkeiten von DEPAROM & CoNeuigkeiten von DEPAROM & Co
Neuigkeiten von DEPAROM & CoArne Krueger
 
Sunbrella Ottomans by Outdoor Elegance
Sunbrella Ottomans by Outdoor EleganceSunbrella Ottomans by Outdoor Elegance
Sunbrella Ottomans by Outdoor EleganceOutdoorEleganceAus
 
Machine Learning & IT Service Intelligence for the Enterprise: The Future is ...
Machine Learning & IT Service Intelligence for the Enterprise: The Future is ...Machine Learning & IT Service Intelligence for the Enterprise: The Future is ...
Machine Learning & IT Service Intelligence for the Enterprise: The Future is ...Precisely
 
What does "monitoring" mean? (FOSDEM 2017)
What does "monitoring" mean? (FOSDEM 2017)What does "monitoring" mean? (FOSDEM 2017)
What does "monitoring" mean? (FOSDEM 2017)Brian Brazil
 
Aws + Puppet = Dynamic Scale
Aws + Puppet = Dynamic ScaleAws + Puppet = Dynamic Scale
Aws + Puppet = Dynamic ScalePuppet
 
CloudStack EU user group - Trillian
CloudStack EU user group - TrillianCloudStack EU user group - Trillian
CloudStack EU user group - TrillianShapeBlue
 
Python Pants Build System for Large Codebases
Python Pants Build System for Large CodebasesPython Pants Build System for Large Codebases
Python Pants Build System for Large CodebasesAngad Singh
 
Reactive Cloud Security | AWS Public Sector Summit 2016
Reactive Cloud Security | AWS Public Sector Summit 2016Reactive Cloud Security | AWS Public Sector Summit 2016
Reactive Cloud Security | AWS Public Sector Summit 2016Amazon Web Services
 
Application Deployment at UC Riverside
Application Deployment at UC RiversideApplication Deployment at UC Riverside
Application Deployment at UC RiversideMichael Kennedy
 
Choosing the right data storage in the Cloud.
Choosing the right data storage in the Cloud. Choosing the right data storage in the Cloud.
Choosing the right data storage in the Cloud. Amazon Web Services
 
Gaurav dev ops (AWS, Linux, Automation-ansible, jenkins:CI and CD:Ansible)
Gaurav dev ops (AWS, Linux, Automation-ansible, jenkins:CI and CD:Ansible)Gaurav dev ops (AWS, Linux, Automation-ansible, jenkins:CI and CD:Ansible)
Gaurav dev ops (AWS, Linux, Automation-ansible, jenkins:CI and CD:Ansible)Gaurav Srivastav
 
Platform - Technical architecture
Platform - Technical architecturePlatform - Technical architecture
Platform - Technical architectureDavid Rundle
 
Chicago AWS user group meetup - May 2014 at Cohesive
Chicago AWS user group meetup - May 2014 at CohesiveChicago AWS user group meetup - May 2014 at Cohesive
Chicago AWS user group meetup - May 2014 at CohesiveAWS Chicago
 
The Lost Tales of Platform Design (February 2017)
The Lost Tales of Platform Design (February 2017)The Lost Tales of Platform Design (February 2017)
The Lost Tales of Platform Design (February 2017)Julien SIMON
 
NSM (Network Security Monitoring) - Tecland Chapeco
NSM (Network Security Monitoring) - Tecland ChapecoNSM (Network Security Monitoring) - Tecland Chapeco
NSM (Network Security Monitoring) - Tecland ChapecoRodrigo Montoro
 

Viewers also liked (20)

3 Secrets to Becoming a Cloud Security Superhero - Session Sponsored by Trend...
3 Secrets to Becoming a Cloud Security Superhero - Session Sponsored by Trend...3 Secrets to Becoming a Cloud Security Superhero - Session Sponsored by Trend...
3 Secrets to Becoming a Cloud Security Superhero - Session Sponsored by Trend...
 
Neuigkeiten von DEPAROM & Co
Neuigkeiten von DEPAROM & CoNeuigkeiten von DEPAROM & Co
Neuigkeiten von DEPAROM & Co
 
Sunbrella Ottomans by Outdoor Elegance
Sunbrella Ottomans by Outdoor EleganceSunbrella Ottomans by Outdoor Elegance
Sunbrella Ottomans by Outdoor Elegance
 
Machine Learning & IT Service Intelligence for the Enterprise: The Future is ...
Machine Learning & IT Service Intelligence for the Enterprise: The Future is ...Machine Learning & IT Service Intelligence for the Enterprise: The Future is ...
Machine Learning & IT Service Intelligence for the Enterprise: The Future is ...
 
What does "monitoring" mean? (FOSDEM 2017)
What does "monitoring" mean? (FOSDEM 2017)What does "monitoring" mean? (FOSDEM 2017)
What does "monitoring" mean? (FOSDEM 2017)
 
Aws + Puppet = Dynamic Scale
Aws + Puppet = Dynamic ScaleAws + Puppet = Dynamic Scale
Aws + Puppet = Dynamic Scale
 
Java standards in WCM
Java standards in WCMJava standards in WCM
Java standards in WCM
 
CloudStack EU user group - Trillian
CloudStack EU user group - TrillianCloudStack EU user group - Trillian
CloudStack EU user group - Trillian
 
Python Pants Build System for Large Codebases
Python Pants Build System for Large CodebasesPython Pants Build System for Large Codebases
Python Pants Build System for Large Codebases
 
Reactive Cloud Security | AWS Public Sector Summit 2016
Reactive Cloud Security | AWS Public Sector Summit 2016Reactive Cloud Security | AWS Public Sector Summit 2016
Reactive Cloud Security | AWS Public Sector Summit 2016
 
Application Deployment at UC Riverside
Application Deployment at UC RiversideApplication Deployment at UC Riverside
Application Deployment at UC Riverside
 
Yirgacheffe Chelelelktu Washed Coffee 2015
Yirgacheffe Chelelelktu Washed Coffee 2015Yirgacheffe Chelelelktu Washed Coffee 2015
Yirgacheffe Chelelelktu Washed Coffee 2015
 
Jake Fox Pd. 5
Jake Fox Pd. 5Jake Fox Pd. 5
Jake Fox Pd. 5
 
Choosing the right data storage in the Cloud.
Choosing the right data storage in the Cloud. Choosing the right data storage in the Cloud.
Choosing the right data storage in the Cloud.
 
Gaurav dev ops (AWS, Linux, Automation-ansible, jenkins:CI and CD:Ansible)
Gaurav dev ops (AWS, Linux, Automation-ansible, jenkins:CI and CD:Ansible)Gaurav dev ops (AWS, Linux, Automation-ansible, jenkins:CI and CD:Ansible)
Gaurav dev ops (AWS, Linux, Automation-ansible, jenkins:CI and CD:Ansible)
 
Platform - Technical architecture
Platform - Technical architecturePlatform - Technical architecture
Platform - Technical architecture
 
ITV& Bashton
ITV& Bashton ITV& Bashton
ITV& Bashton
 
Chicago AWS user group meetup - May 2014 at Cohesive
Chicago AWS user group meetup - May 2014 at CohesiveChicago AWS user group meetup - May 2014 at Cohesive
Chicago AWS user group meetup - May 2014 at Cohesive
 
The Lost Tales of Platform Design (February 2017)
The Lost Tales of Platform Design (February 2017)The Lost Tales of Platform Design (February 2017)
The Lost Tales of Platform Design (February 2017)
 
NSM (Network Security Monitoring) - Tecland Chapeco
NSM (Network Security Monitoring) - Tecland ChapecoNSM (Network Security Monitoring) - Tecland Chapeco
NSM (Network Security Monitoring) - Tecland Chapeco
 

Similar to Aws security with HIDS, OSSEC

Open Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's GuideOpen Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's GuideAlienVault
 
Intro to NSM with Security Onion - AusCERT
Intro to NSM with Security Onion - AusCERTIntro to NSM with Security Onion - AusCERT
Intro to NSM with Security Onion - AusCERTAshley Deuble
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte
 
First Responders Course - Session 6 - Detection Systems [2004]
First Responders Course - Session 6 - Detection Systems [2004]First Responders Course - Session 6 - Detection Systems [2004]
First Responders Course - Session 6 - Detection Systems [2004]Phil Huggins FBCS CITP
 
How to implement DevSecOps on AWS for startups
How to implement DevSecOps on AWS for startupsHow to implement DevSecOps on AWS for startups
How to implement DevSecOps on AWS for startupsAleksandr Maklakov
 
Introduction To Intrusion Detection Systems
Introduction To Intrusion Detection SystemsIntroduction To Intrusion Detection Systems
Introduction To Intrusion Detection SystemsPaul Green
 
AWS Meet-up: Logging At Scale on AWS
AWS Meet-up: Logging At Scale on AWSAWS Meet-up: Logging At Scale on AWS
AWS Meet-up: Logging At Scale on AWSChris Riddell
 
EASING THE COMPLIANCE BURDEN SAGAN SOLUTION & PCI COMPLIANCE
EASING THE COMPLIANCE BURDEN SAGAN SOLUTION & PCI COMPLIANCEEASING THE COMPLIANCE BURDEN SAGAN SOLUTION & PCI COMPLIANCE
EASING THE COMPLIANCE BURDEN SAGAN SOLUTION & PCI COMPLIANCEAlex Himmelberg
 
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Paula Januszkiewicz
 
lamacchia-palladium
lamacchia-palladiumlamacchia-palladium
lamacchia-palladiumNed Hayes
 
Security Onion - Brief
Security Onion - BriefSecurity Onion - Brief
Security Onion - BriefAshley Deuble
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack webhostingguy
 
RSA 2015 Realities of Private Cloud Security
RSA 2015 Realities of Private Cloud SecurityRSA 2015 Realities of Private Cloud Security
RSA 2015 Realities of Private Cloud SecurityScott Carlson
 
Pass4sure 640-554 Cisco IOS Network Security
Pass4sure 640-554 Cisco IOS Network SecurityPass4sure 640-554 Cisco IOS Network Security
Pass4sure 640-554 Cisco IOS Network SecurityHecrocro
 
Sysdig Tokyo Meetup 2018 02-27
Sysdig Tokyo Meetup 2018 02-27Sysdig Tokyo Meetup 2018 02-27
Sysdig Tokyo Meetup 2018 02-27Michael Ducy
 
Security Process in DevSecOps
Security Process in DevSecOpsSecurity Process in DevSecOps
Security Process in DevSecOpsOpsta
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramBeyondTrust
 

Similar to Aws security with HIDS, OSSEC (20)

OSSEC Holidaycon 2020.pdf
OSSEC Holidaycon 2020.pdfOSSEC Holidaycon 2020.pdf
OSSEC Holidaycon 2020.pdf
 
Open Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's GuideOpen Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's Guide
 
Intro to NSM with Security Onion - AusCERT
Intro to NSM with Security Onion - AusCERTIntro to NSM with Security Onion - AusCERT
Intro to NSM with Security Onion - AusCERT
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
 
First Responders Course - Session 6 - Detection Systems [2004]
First Responders Course - Session 6 - Detection Systems [2004]First Responders Course - Session 6 - Detection Systems [2004]
First Responders Course - Session 6 - Detection Systems [2004]
 
How to implement DevSecOps on AWS for startups
How to implement DevSecOps on AWS for startupsHow to implement DevSecOps on AWS for startups
How to implement DevSecOps on AWS for startups
 
Introduction To Intrusion Detection Systems
Introduction To Intrusion Detection SystemsIntroduction To Intrusion Detection Systems
Introduction To Intrusion Detection Systems
 
AWS Meet-up: Logging At Scale on AWS
AWS Meet-up: Logging At Scale on AWSAWS Meet-up: Logging At Scale on AWS
AWS Meet-up: Logging At Scale on AWS
 
EASING THE COMPLIANCE BURDEN SAGAN SOLUTION & PCI COMPLIANCE
EASING THE COMPLIANCE BURDEN SAGAN SOLUTION & PCI COMPLIANCEEASING THE COMPLIANCE BURDEN SAGAN SOLUTION & PCI COMPLIANCE
EASING THE COMPLIANCE BURDEN SAGAN SOLUTION & PCI COMPLIANCE
 
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018
 
lamacchia-palladium
lamacchia-palladiumlamacchia-palladium
lamacchia-palladium
 
Security Onion - Brief
Security Onion - BriefSecurity Onion - Brief
Security Onion - Brief
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack
 
RSA 2015 Realities of Private Cloud Security
RSA 2015 Realities of Private Cloud SecurityRSA 2015 Realities of Private Cloud Security
RSA 2015 Realities of Private Cloud Security
 
Ch11
Ch11Ch11
Ch11
 
Ch11 system administration
Ch11 system administration Ch11 system administration
Ch11 system administration
 
Pass4sure 640-554 Cisco IOS Network Security
Pass4sure 640-554 Cisco IOS Network SecurityPass4sure 640-554 Cisco IOS Network Security
Pass4sure 640-554 Cisco IOS Network Security
 
Sysdig Tokyo Meetup 2018 02-27
Sysdig Tokyo Meetup 2018 02-27Sysdig Tokyo Meetup 2018 02-27
Sysdig Tokyo Meetup 2018 02-27
 
Security Process in DevSecOps
Security Process in DevSecOpsSecurity Process in DevSecOps
Security Process in DevSecOps
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
 

Recently uploaded

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 

Recently uploaded (20)

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 

Aws security with HIDS, OSSEC

  • 1. Securing AWS with HIDS Gaurav Harsola Mayank Gaikwad »
  • 3. Intrusion Detection System An IDS is a software application that monitors network or system activities for malicious activities.
  • 4. An IDS is not a Firewall
  • 5. NIDS and HIDS HIDS  A host-based intrusion detection system (HIDS) is a system that run on individual hosts and monitors a computer system  Detect an intrusion and/or misuse, and responds by logging the activity  It is an agent that monitors and analyzes whether anything or anyone, whether internal or external, has bypass the system’s security policy.  Tools like : Samhain, Ossec NIDS  NIDS is placed within the network to monitor traffic to and from all devices on network  NIDS scan all inbound and outbound traffic  NIDS tools operate by inspecting traffic that occurs between hosts. Various Tools like Snort, Suricata, Bro, Kismet
  • 6. Available HIDS OSSEC: OpenSource Wazuh : OpenSource, Wrapper Over OSSEC with API, ELK, And Signature DB AlianVault: Licenced, USM (Unified Security Management) is based OSSEC MicroTrend: Licenced AlertLogic: Licenced,
  • 7. OSSEC ? OSSEC is an Open Source Host-based Intrusion Detection System. Key Features:  Log analysis  File Integrity checking (Unix and Windows)  Registry Integrity checking (Windows)  Host-based anomaly detection (for Unix – rootkit detection)  Active response Ossec is mainly used for three things: See what is going on Stop brute-force attacks ( ftp, ssh, web )
  • 8. Ossec Benefits  Open-Source  Log Analysis  Easy to install  Easy to customize (rules and config in XML format)  Scalable (client/server architecture)  High Availability (Can have multiple OSSEC Server)  Multi-Platform  Ossec comes with existing standard decoders /rules which analyse our logs like telnetd, Sudo, SSH, FTP etc  PCI DSS Compliance at some extent.
  • 10. Ossec Internal Components Analysisd – Does all the analysis (main process) Remoted – Receives remote logs from agents Logcollector – Reads log files (syslog, Flat files, Windows event log, IIS, etc) Agentd – Forwards logs to the server Maild – Sends e-mail alerts Execd – Executes the active responses Monitord – Monitors agent status, compresses and signs log files, etc Integratord - Integrating OSSEC with Slack and PagerDuty Authd - Daemon will automatically add an agent to an OSSEC manager
  • 11. Wazuh Wazuh, A wrapper over OSSEC that provide additonal fucntionality like Restful API, ELK integration.
  • 12. Ossec Server/Client Installtion Firstly, Install necessary package required  sudo apt-get install gcc make git  sudo apt-get install libssl-dev After this clone our Github repository  mkdir ossec_tmp && cd ossec_tmp  git clone -b stable https://github.com/wazuh/ossec-wazuh.git  cd ossec-wazuh  sudo ./install.sh Choose server for server installation and agent for client installation when being asked about the installation type and answer the rest of questions as desired. Once installed, you can start your OSSEC manager running: sudo /var/ossec/bin/ossec-control start Check the service : ps aux |grep ossec
  • 13. Connect Client with Server After Setting up agent we need to Connect it with OSSEC-Server . To make life easier, OSSEC added a new daemon on the server, called ossec-authd.  it is a daemon you run on the server when you deploy your agent;  it will populate your agents key;  when you have finished to deploy, you stop it. Once the keys are created, you can start the ossec-authd: /var/ossec/bin/ossec-authd -p 1515 Setting up the agents On the agents, the work is minimal. All you have to do is to run the following command: /var/ossec/bin/agent-auth -m <ServerIP> -p 1515 -A <agent-name> That’s it. The keys are now exchanged and you can start your agent. sudo /var/ossec/bin/ossec-control start
  • 15. Ossec Integration with ELK OSSEC HIDS integration with ELK Stack provides a real-time alerts managemnet console, as well as flexible way to store data for as long as needed.
  • 18. Log pre-Decoding (1) Decoding of a SSHD message: After pre-Decoding by OSSEC? time/date -> Apr 14 17:32:06 hostname -> ubuntu program_name -> sshd log -> Accepted password for root from 192.168.2.190 port ...
  • 19. Log Decoding (2) Process to identify key information from logs OSSEC comes with hundreds of decoders Generally we want to extract source ip, user name, id After Decode by OSSEC : time/date -> Apr 14 17:32:06 hostname -> ubuntu program_name -> sshd log -> Accepted password for root from 192.168.2.190 port srcip -> 192.168.2.190 user -> root
  • 20. Writing decoders Writing a decoder. What it requires? sshd example: We want to extract the user name and source ip If program name was pre-decoded as sshd (remember predecoding?), try this regular expression
  • 21. Log Rules Next step after decoding is to check the rules User-defined XML Very easy to write! Allows to match based on decoded information OSSEC comes with more than 400 rules by default! What it requires? A Rule id (any integer) A Level - from 0 (lowest) to 15 (highest) Level 0 is ignored, not alerted at all Pattern - anything from “regex” , to “srcip” , “id” , “user” , etc
  • 23. PCI DSS  Payment Card industry Data Security Standard .  Visa, MasterCard and other card brands create common industry security requirements  Intended to protect cardholders data – wherever it resides  compliance is mandated for all organization handling credit card data  12 Steps that we need to take to achieve PCI DSS compliance are Firewall, password, storage, Encrypt, anti-virus, uniquid, track and monitor etc  OSSEC helps to implement PCI DSS by performing log analysis, file integrity checking, policy monitoring, intrusion detection, real-time alerting and active response.
  • 24. Monitor AWS logs Cloudtrail pushes data to s3 bucket and then using python script we store that log on ossec server
  • 25. Alerting and Notification Slack Integration: Integration of logs with slack and set alert level so that only particular message come in slack. <integration> <name>slack</name> <hook_url>https://hooks.slack.com/services/T0EV123BK/B1V3JHzUko97IdmCAl</hook_url> <level>7</level> </integration> Email Integration: Integration with Email .Send granule email alert based on the level/rulegroups/rule_id to different recipient. <email_alerts> <email_to>gaurav04@protonmail.com</email_to> <group>sql_injection|authentication_failed|authentication_failures</group> <level>6</level> <format>sms</format> </email_alerts>
  • 26. HIDS Implementation Testing Tested FTP, SSH brute force attack using HYDRA as penetration testing tool. Example: hydra -L /home/ubuntu/user.txt -P /home/ubuntu/pwd.txt -s 22 <IP> <service- name> -L file which contain list of userName -P file which contain list of passWord service-name : it may be ssh,ftp,mysql,telnet -s port Number for service