Saturday, January 12, 2019

Installing Snort On Ubuntu Server With VirtualBox

www.metime.web.id

✸ Preparing to Install Snort (IMPORTANT)

✸ Update and Upgrade the Server

  • apt-get update -y
  • apt-get upgrade -y
✸ Install Required Dependencies
  • apt-get install openssh-server ethtool build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev liblzma-dev openssl libssl-dev

✸ Download DAQ

  • wget https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
✸ Extract daq-2.0.6.tar.gz (the downloaded file)
  • tar -zxvf daq-2.0.6.tar.gz
✸ Enter the daq-2.0.6 directory extracted from daq-2.0.6.tar.gz

  • cd daq-2.0.6
✸ Compile and Install DAQ
  • ./configure
  • make
  • make install
  • or, to save time, you can type:
  • ./configure && make && make install

✸ Installing Snort

✸ Download Snort
  • wget https://www.snort.org/downloads/snort/snort-2.9.12.tar.gz
✸ Extract snort-2.9.12.tar.gz (the downloaded file)
  • tar -xvzf snort-2.9.12.tar.gz
✸ Enter the snort-2.9.12 directory extracted from snort-2.9.12.tar.gz

  • cd snort-2.9.12
✸ Compile and Install Snort
  • ./configure --enable-sourcefire --disable-open-appid
  • make
  • make install
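The steps above as one script, added here as an example and not part of the original post. It keeps the post's order (dependencies, DAQ, then Snort with the same configure flags) but adds two things a practitioner would want: a pinned SHA-256 check on each tarball before anything is compiled and installed as root, and an extract directory derived from the tarball name, so the `tar` and `cd` steps cannot end up naming different versions. The hash constants are placeholders, not real values; take them from snort.org for these exact files. The `ldconfig` call and the `run` argument guard are my additions, not from the post.

```shell
#!/bin/sh
# Added example, not from the original post: download, verify, build and
# install DAQ and Snort. Each tarball's SHA-256 is compared with a value you
# pin in advance, so a tampered or truncated download is never compiled and
# installed as root. The extract directory is derived from the tarball name.
# The two hash values are PLACEHOLDERS (assumption): replace them with the
# checksums published on snort.org. With the placeholders left in,
# verification fails closed and nothing is built.
set -eu

DAQ_URL="https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz"
SNORT_URL="https://www.snort.org/downloads/snort/snort-2.9.12.tar.gz"
DAQ_SHA256="REPLACE_WITH_PUBLISHED_SHA256_FOR_daq-2.0.6"      # placeholder
SNORT_SHA256="REPLACE_WITH_PUBLISHED_SHA256_FOR_snort-2.9.12" # placeholder

# daq-2.0.6.tar.gz (or a URL ending in it) -> daq-2.0.6
tarball_dir() {
  basename "${1%.tar.gz}"
}

# Print the SHA-256 of a file: coreutils sha256sum, with shasum as fallback.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 only if the file's SHA-256 equals the expected value.
verify_sha256() {
  file=$1; expected=$2
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file: got $actual" >&2
    return 1
  fi
}

# Download a tarball and refuse to keep it unless its checksum matches.
fetch_verified() {
  url=$1; expected=$2
  file=$(basename "$url")
  [ -f "$file" ] || wget -q "$url"
  if ! verify_sha256 "$file" "$expected"; then
    rm -f "$file"   # do not leave an unverified tarball lying around
    exit 1
  fi
}

# Extract and build; configure flags are passed through (Snort needs two).
build_tarball() {
  file=$1; shift
  tar -xzf "$file"
  cd "$(tarball_dir "$file")"
  ./configure "$@"
  make
  make install
  cd ..
}

main() {
  apt-get update -y && apt-get upgrade -y
  apt-get install -y openssh-server ethtool build-essential libpcap-dev \
    libpcre3-dev libdumbnet-dev bison flex zlib1g-dev liblzma-dev openssl libssl-dev
  fetch_verified "$DAQ_URL" "$DAQ_SHA256"
  build_tarball "$(basename "$DAQ_URL")"
  fetch_verified "$SNORT_URL" "$SNORT_SHA256"
  build_tarball "$(basename "$SNORT_URL")" --enable-sourcefire --disable-open-appid
  ldconfig   # refresh the shared-library cache so snort finds libdaq in /usr/local/lib
}

# The real install only runs when invoked as "sh install-snort.sh run" (as root).
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it as `sh install-snort.sh run` as root. With the placeholder hashes left in, `fetch_verified` deletes the download and stops, which is the intended fail-closed behaviour: a tarball is only compiled after it has matched the value you pinned.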
I will cover the Snort configuration in my next post.

Monday, January 7, 2019

ROUTING TO DEBIAN ROUTER IN VIRTUALBOX AND WEB SERVER ON ENGINE X (NGINX)

Assalamualaikum wrwb..

This time I will share how to configure a Debian router, with Engine X (nginx) as the web server.

1. DEFINITION

A router is a device that connects two or more networks and forwards data packets from one network to another. A PC router is a router built from a PC that is given the router role by its operating system; most such systems run Linux, so they are commonly called Linux-based routers.
This time I will use one Linux-based OS, namely Debian.
Note that the computer to be used as the router must already have two network interfaces (more is better). Since I am using VirtualBox here, we can set up however many interfaces we want.

2. BACKGROUND

As science and technology develop, more and more useful new features make people's work easier. One advantage of a Debian router is that we can manage or secure our servers from the Debian router, whether with iptables or with Squid.

3. PURPOSE AND OBJECTIVES

To be able to use a Debian router to its full potential and make use of its features so that they make our work easier later on.

4. TOOLS AND MATERIALS

- Laptop
- VirtualBox software (if you do not have it yet, click here.)
- Internet connection

5. TIME REQUIRED

This can be done in 30-40 minutes, since this is still a learning exercise.

6. IMPLEMENTATION STEPS

1. Open VirtualBox, click New, and give the VM a name and OS type. Then you only need to set the amount of RAM and the storage directory; for everything else, just click NEXT.

2. When that is done, open the SETTINGS menu and attach the ISO we want to install.

3. Next we decide how the VM connects to the Internet.

  • NAT: "We get an IP from VirtualBox, and if our laptop is connected to the Internet we automatically get an IP from VirtualBox (default: 10.0.2.0/24)."
  • Bridged adapter: "We get an IP from our laptop's Internet connection, so the VM and the laptop will be on the same network."
  • Host-only adapter: "so the laptop can talk to the VM even without an Internet connection."
  • Internal network: "if we want to connect several Debian routers to other Debian machines, or make one of them the upstream connection, we only need this internal network, as in this case."

This time I use the Bridged adapter for the VM's connection. Because I am building a Debian router, I need more than one interface on my Debian VM, and we set that up in VirtualBox's network settings. Adapter 1 and onward become eth0 and onward on the Debian router later.



4. When that is done, click START to begin the installation. If you have forgotten or do not yet know how to install Debian, click here.

5. After installing, since I am using a hotspot here, the Debian router has to log in to the hotspot before it can reach the Internet. Type:

# w3m "the address of your hotspot login page"

Then enter the username and password for the hotspot login.

6. After that, make sure we can reach the Internet by pinging google.com.

7. If so, check your IP with the command:

# ifconfig
To see whether the VM and our laptop are on the same network, open Connection Information.

8. Next, we remote into our Debian router from the laptop's terminal over SSH.

9. After that we configure the Debian router; type the command:

# nano /etc/network/interfaces "Then create the IPs for eth1 and eth2, as you would on MikroTik; these IPs will later be the gateways for the Debian machines below the router."

Then save with Ctrl+X, press Y, press Enter. Then restart networking with the command:

# /etc/init.d/networking restart

10. Next, so that eth1 and eth2 on the Debian router get Internet access, we need to set up routing, which is the same as doing NAT on MikroTik.

Routing configuration:

1. Type the command:

# nano /etc/sysctl.conf

Then search for the line:

# net.ipv4.ip_forward=1

Then remove the hash sign (#) in front of it.

After that, save with Ctrl+X, press Y, press Enter.

2. After that we add the iptables NAT rule by typing the command:

# nano /etc/rc.local

Then add the line:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

3. Then reboot your Debian machine.

4. After that, check whether the rule we just created is in the iptables table with:

# iptables -t nat -L

If it worked, a table like the one below will appear.
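The routing step above as a script, added here as an example and not the post's own configuration. It does the same two things the post does (turn on ip_forward and add a MASQUERADE rule out of eth0), but restricts the NAT to the LAN subnets and adds FORWARD rules so the box only forwards traffic from its own LANs rather than acting as an open forwarder, and it replaces the eyeball check of `iptables -t nat -L` with a function that parses `iptables -t nat -S` output. Assumptions: eth0 faces the Internet as in the post; the two subnets are constructed sample values standing in for whatever you assigned to eth1 and eth2.

```shell
#!/bin/sh
# Added example, not part of the original post: enable forwarding and NAT on
# a Debian PC router with iptables, then verify the NAT rule actually landed.
# Assumptions: eth0 is the Internet-facing interface (as in the post) and
# LAN_NETS are the subnets configured on eth1 and eth2 (constructed samples).
set -eu

WAN_IF="${WAN_IF:-eth0}"
LAN_NETS="${LAN_NETS:-192.168.1.0/24 192.168.2.0/24}"   # constructed sample subnets

# Print the iptables commands for this router. Compared with the post's single
# "-o eth0 -j MASQUERADE", MASQUERADE is limited to the LAN subnets, and the
# FORWARD chain passes only LAN->WAN traffic plus established return traffic.
render_nat_rules() {
  wan=$1; shift
  printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
  for net in "$@"; do
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$net" "$wan"
    printf 'iptables -A FORWARD -s %s -o %s -j ACCEPT\n' "$net" "$wan"
  done
  printf 'iptables -P FORWARD DROP\n'
}

# Read "iptables -t nat -S POSTROUTING" output on stdin and succeed only if a
# MASQUERADE rule leaving via the given interface is present. This is the
# scripted form of the post's "iptables -t nat -L" check.
has_masquerade_rule() {
  grep -q -- "^-A POSTROUTING .*-o $1 -j MASQUERADE"
}

# Enable forwarding now and at boot (a sysctl.d drop-in instead of editing
# /etc/sysctl.conf by hand), install the rules, then verify the NAT rule.
apply_router_config() {
  printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-pc-router.conf
  sysctl -w net.ipv4.ip_forward=1
  # LAN_NETS is intentionally left unquoted so it word-splits into subnets
  render_nat_rules "$WAN_IF" $LAN_NETS | sh -e
  iptables -t nat -S POSTROUTING | has_masquerade_rule "$WAN_IF"
  echo "NAT rule for $WAN_IF is active"
}

# Only touch the live system when invoked as "sh router-nat.sh apply" (as root).
if [ "${1:-}" = "apply" ]; then
  apply_router_config
fi
```

Rules added with iptables are not persistent; the post re-adds its rule from /etc/rc.local at boot. An alternative on Debian is the iptables-persistent package, after which `netfilter-persistent save` stores the current rule set. Note that with these rules hosts on eth1 and eth2 cannot reach each other through the router; add a FORWARD rule between those two interfaces if that is wanted.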


5. Next we try to build a web server using Engine X (nginx).

Engine X, or nginx, is much like Apache2, but in my experience nginx needs many additional PHP packages if you want to install a CMS. For its phpMyAdmin it uses PostgreSQL. For the full explanation, read the official site or click here.

Web server using NGINX:

1. Type the command:

# apt-get install nginx

2. # apt-get install php5 php5-fpm php5-pgsql "add other php5 packages if you want to run many CMSes"

3. Next, edit the nginx site file with the command:

# nano /etc/nginx/sites-available/default

Then press Ctrl+W, type the word "php-fpm" and press Enter.

Next, remove the hash signs from the word location through the final closing curly brace, except for fastcgi_pass, because I am not using fastcgi.

Then search for the words "add index.php"

Then add the word "index.php" below it.

After that save with Ctrl+X, press Y, press ENTER. Then restart nginx to apply the configuration with the command:

# /etc/init.d/nginx restart

4. Then go to the directory /var/www/html and create a file named test.php.

And write the following script.

5. Then try to access it from your browser by typing in your Debian machine's IP.
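The nginx steps above as a script, added as an example and not part of the original post. Rather than uncommenting lines in the default site file by hand, where leaving fastcgi_pass commented (or uncommenting both the TCP and the socket variant) yields a PHP location that does nothing or a configuration nginx rejects for a duplicate directive, it writes a complete server block and checks it before restarting. Assumptions: Debian with php5-fpm listening on /var/run/php5-fpm.sock, snippets/fastcgi-php.conf present as shipped with Debian's nginx package, and /var/www/html as the web root as in the post. The phpinfo() test page is my choice for test.php, not a claim about what the post's screenshot contained.

```shell
#!/bin/sh
# Added example, not part of the original post: write a known-good nginx
# server block for php-fpm, validate it, drop in a test page and restart.
# Assumptions: php5-fpm on /var/run/php5-fpm.sock, Debian's
# snippets/fastcgi-php.conf available, web root /var/www/html (as in the post).
set -eu

WEB_ROOT="${WEB_ROOT:-/var/www/html}"
FPM_SOCK="${FPM_SOCK:-/var/run/php5-fpm.sock}"

# Print a minimal nginx server block that hands .php requests to php-fpm.
# "try_files $uri =404;" inside the PHP location is the standard guard against
# a request such as /upload.png/x.php being executed as PHP when php.ini keeps
# cgi.fix_pathinfo at its default of 1.
render_php_server_block() {
  root=$1; sock=$2
  cat <<EOF
server {
    listen 80 default_server;
    root $root;
    index index.php index.html index.htm;
    server_name _;

    location / {
        try_files \$uri \$uri/ =404;
    }

    location ~ \.php\$ {
        try_files \$uri =404;
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:$sock;
    }

    # never serve .htaccess-style files even if they land in the web root
    location ~ /\.ht {
        deny all;
    }
}
EOF
}

# Validate a site file read from stdin: exactly one active fastcgi_pass and
# index.php in the index list. Commented lines do not count, which is exactly
# what the hand-editing step tends to get wrong.
check_php_site() {
  conf=$(cat)
  active=$(printf '%s\n' "$conf" | grep -v '^[[:space:]]*#' | grep -c 'fastcgi_pass') || true
  [ "$active" -eq 1 ] || { echo "expected 1 active fastcgi_pass, found $active" >&2; return 1; }
  printf '%s\n' "$conf" | grep -v '^[[:space:]]*#' | grep -q 'index.*index\.php' \
    || { echo "index.php missing from index directive" >&2; return 1; }
}

# Write the site, check it, add a test page, syntax-check with nginx and restart.
apply_php_site() {
  render_php_server_block "$WEB_ROOT" "$FPM_SOCK" > /etc/nginx/sites-available/default
  check_php_site < /etc/nginx/sites-available/default
  mkdir -p "$WEB_ROOT"
  # Same role as the post's test.php. phpinfo() discloses paths, modules and
  # settings, so remove the file once you have confirmed PHP executes.
  printf '<?php phpinfo(); ?>\n' > "$WEB_ROOT/test.php"
  nginx -t
  /etc/init.d/nginx restart
}

# Only touch the live system when invoked as "sh nginx-php.sh apply" (as root).
if [ "${1:-}" = "apply" ]; then
  apply_php_site
fi
```

`nginx -t` runs before the restart so a bad file never takes the running server down; `check_php_site` catches the two hand-editing mistakes above even when the file is syntactically valid nginx.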



7. RESULTS AND CONCLUSION

Although I installed this Debian router in VirtualBox, all of the configuration is the same on a physical PC; the only difference is how the Debian router's Internet connection is set up. This VirtualBox setup is only for learning, not for production or permanent use.

8. REFERENCES

- https://wiki.debian.org/Nginx
- http://www.pintarkomputer.com/cara-mudah-konfigurasi-router-di-linux-debian/

THANK YOU
I HOPE THIS IS USEFUL


Sunday, January 6, 2019

CCNA SECOPS (210-255) Cert Practice Exam Answers




SECOPS (210-255) Cert Practice Exam
Grade Score 99.1%

1.Which NIST-defined incident response stakeholder is responsible for coordinating incident response with other stakeholders and minimizing the damage of an incident?
human resources
IT support
the legal department
management

2.What is defined in the policy element of the NIST incident response plan?
how to handle incidents based on the mission and functions of an organization
a roadmap for updating the incident response capability
the metrics used for measuring incident response capability in an organization
how the incident response team of an organization will communicate with organization stakeholders

3.Which three IPv4 header fields have no equivalent in an IPv6 header? (Choose three.)
flag
identification
TTL
fragment offset
version
protocol

4.What will a threat actor do to create a back door on a compromised target according to the Cyber Kill Chain model?
Add services and autorun keys.
Obtain an automated tool to deliver the malware payload.
Open a two-way communications channel to the CnC infrastructure.
Collect and exfiltrate data.

5.Refer to the exhibit. A security specialist is checking if files in the directory contain ADS data. Which switch should be used to show that a file has ADS attached?
/a
/r
/s
/d

6.What is the responsibility of the human resources department when handling a security incident as defined by NIST?
Review the incident policies, plans, and procedures for local or federal guideline violations.
Perform disciplinary actions if an incident is caused by an employee.
Coordinate the incident response with other stakeholders and minimize the damage of an incident.
Perform actions to minimize the effectiveness of the attack and preserve evidence.

7.In which top-level element of the VERIS schema does VERIS use the A4 threat model to describe an incident?
incident tracking
incident description
discovery and response
impact assessment

8.A company is applying the NIST.SP800-61 r2 incident handling process to security events. What are two examples of incidents that are in the category of precursor? (Choose two.)
multiple failed logins from an unknown source
log entries that show a response to a port scan
an IDS alert message being sent
a newly-discovered vulnerability in Apache web servers
a host that has been verified as infected with malware

9.What is a goal of deploying an in-line security device that can analyze data as a normalized stream?
reduce the amount of event data
satisfy compliance requirements
detect and block intrusions
decrease network latency and jitter


10.What is the VERIS Community Database (VCDB)?
a collection of research of trend and potential security intrusions
a central location for the security community to learn from experience and help with decision making before, during, and after a security incident
a collection of incident data collected and categorized by a selected group of cybersecurity professionals
an open and free collection of publicly-reported security incidents posted in a variety of data formats

11.According to the Cyber Kill Chain model, after a weapon is delivered to a targeted system, what is the next step that a threat actor would take?
action on objectives
exploitation
weaponization
installation

12.Which metric in the CVSS Base Metric Group is used with an attack vector?
the determination whether the initial authority changes to a second authority during the exploit
the presence or absence of the requirement for user interaction in order for an exploit to be successful
the proximity of the threat actor to the vulnerability
the number of components, software, hardware, or networks, that are beyond the control of the attacker and that must be present in order for a vulnerability to be successfully exploited

13.Which statement describes the card verification value (CVV) for a credit card?
It is the credit card account number.
It is a security feature of the card.
It is a PIN number for the card.
It is the bank account number.

14.Which three fields are found in both the TCP and UDP headers? (Choose three.)
window
checksum
options
sequence number
destination port
source port

15.Which specification provides a common language for describing security incidents in a structured and repeatable way?
VERIS schema
Cyber Kill Chain
NIST Incident Response Life Cycle
Diamond model

16.What is the responsibility of the IT support group when handling an incident as defined by NIST?
reviews the incident policies, plans, and procedures for local or federal guideline violations
performs actions to minimize the effectiveness of the attack and preserve evidence
coordinates the incident response with other stakeholders and minimizes the damage of an incident
performs disciplinary measures if an incident is caused by an employee

17.During the detection and analysis phase of the NIST incident response process life cycle, which sign category is used to describe that an incident might occur in the future?
attrition
impersonation
precursor
indicator

18.After a security monitoring tool identifies a malware attachment entering the network, what is the benefit of performing a retrospective analysis?
It can calculate the probability of a future incident.
It can identify how the malware originally entered the network.
It can determine which network host was first affected.
A retrospective analysis can help in tracking the behavior of the malware from the identification point forward.

19.Which field in the IPv6 header points to optional network layer information that is carried in the IPv6 packet?
flow label
version
traffic class
next header

20.Refer to the exhibit. A security analyst issues the cat command to review the content of the file confidential2. Which encoding method was used to encode the file?
8-bit binary
ASCII
Hex
Base64

21.How much overhead does the TCP header add to data from the application layer?
8 bytes
16 bytes
20 bytes
40 bytes

22.In which step of the NIST incident response process does the CSIRT perform an analysis to determine which networks, systems, or applications are affected; who or what originated the incident; and how the incident is occurring?
incident notification
scoping
attacker identification
detection

23.Refer to the exhibit. Which technology generated the event log?
web proxy
NetFlow
syslog
Wireshark

24.When a server profile for an organization is being established, which element describes the TCP and UDP daemons and ports that are allowed to be open on the server?
listening ports
service accounts
critical asset address space
software environment


25.Refer to the exhibit. A network administrator is examining a NetFlow record. Why would the record indicate that both TRNS SOURCE PORT and TRNS DESTINATION PORT are 0?
The flow contains four packets and they use varying port numbers.
The flow does not include transport layer protocols.
The Gig0/0 interface has not transmitted any packets.
The source host uses a different transport layer protocol from the one used by the destination host.

26.When establishing a server profile for an organization, which element describes the type of service that an application is allowed to run on the server?
listening port
user account
software environment
service account

27.Refer to the exhibit. A security specialist is using Wireshark to review a PCAP file generated by tcpdump. When the client initiated a file download request, which source socket pair was used?
209.165.202.133:6666
209.165.200.235:6666
209.165.202.133:48598
209.165.200.235:48598

28.A cybersecurity analyst is performing a CVSS assessment on an attack where a web link was sent to several employees. Once clicked, an internal attack was launched. Which CVSS Base Metric Group Exploitability metric is used to document that the user had to click on the link in order for the attack to occur?
integrity requirement
availability requirement
user interaction
scope

29.What is the benefit of converting log file data into a common schema?
creates a data model based on fields of data from a source
allows the implementation of partial normalization and inspection
allows easy processing and analysis of datasets
creates a set of regex-based field extractions

30.What are the three impact metrics contained in the CVSS 3.0 Base Metric Group? (Choose three.)
integrity
remediation level
confidentiality
exploit
attack vector
availability

31.Which type of analysis relies on different methods to establish the likelihood that a security event has happened or will happen?
deterministic
statistical
log
probabilistic

32.When establishing a network profile for an organization, which element describes the time between the establishment of a data flow and its termination?
routing protocol convergence
session duration
bandwidth of the Internet connection
total throughput

33.When attempting to improve system performance for Linux computers with a limited amount of memory, why is increasing the size of the swap file system not considered the best solution?
A swap file system cannot be mounted on an MBR partition.
A swap file system only supports the ext2 file system.
A swap file system does not have a specific file system.
A swap file system uses hard disk space to store inactive RAM content.

34.What will match the regular expression ^83?
any string that includes 83
any string that begins with 83
any string with values greater than 83
any string that ends with 83

35.Which type of evidence cannot prove an IT security fact on its own?
best
corroborative
indirect
hearsay

36.Which type of computer security incident response team is responsible for determining trends to help predict and provide warning of future security incidents?
coordination centers
analysis centers
vendor teams
national CSIRT

37.Which two actions should be taken during the preparation phase of the incident response life cycle defined by NIST? (Choose two.)
Fully analyze the incident.
Meet with all involved parties to discuss the incident that took place.
Detect all the incidents that occurred.
Acquire and deploy the tools that are needed to investigate incidents.
Create and train the CSIRT.

38.Which technology is used by Cisco Advanced Malware Protection (AMP) in defending and protecting against known and emerging threats?
threat intelligence
network admission control
network profiling
website filtering and blacklisting

39.Which two actions can help identify an attacking host during a security incident? (Choose two.)
Use an Internet search engine to gain additional information about the attack.
Log the time and date that the evidence was collected and the incident remediated.
Determine the location of the recovery and storage of all evidence.
Validate the IP address of the threat actor to determine if it is viable.
Develop identifying criteria for all evidence such as serial number, hostname, and IP address.

40.What classification is used for an alert that correctly identifies that an exploit has occurred?
false negative
false positive
true positive
true negative

41.Which type of analysis relies on predefined conditions and can analyze applications that only use well-known fixed ports?
statistical
deterministic
log
probabilistic

42.What are security event logs commonly based on when sourced by traditional firewalls?
application analysis
static filtering
signatures
5-tuples

43.Using Tcpdump and Wireshark, a security analyst extracts a downloaded file from a pcap file. The analyst suspects that the file is a virus and wants to know the file type for further examination. Which Linux command can be used to determine the file type?
file
tail
nano
ls -l

44.Which three things will a threat actor do to prepare a DDoS attack against a target system on the Internet? (Choose three.)
Install a back door on the target system.
Collect and exfiltrate data.
Compromise many hosts on the Internet.
Obtain an automated tool to deliver the malware payload.
Establish two-way communications channels to the CnC infrastructure with zombies.
Install attack software on zombies.

45.After containing an incident that infected user workstations with malware, what are three effective remediation procedures that an organization can take for eradication? (Choose three.)
Change assigned names and passwords for all devices.
Update and patch the operating system and installed software of all hosts.
Rebuild hosts with installation media if no backups are available.
Rebuild DHCP servers using clean installation media.
Disconnect or disable all wired and wireless network adapters until the remediation is complete.
Use clean and recent backups to recover hosts.

46.A cybersecurity analyst has been called to a crime scene that contains several technology items including a computer. Which technique will be used so that the information found on the computer can be used in court?
rootkit
log collection
unaltered disk image
Tor

47.What is specified in the plan element of the NIST incident response plan?
incident handling based on the mission of the organization
organizational structure and the definition of roles, responsibilities, and levels of authority
priority and severity ratings of incidents
metrics for measuring the incident response capability and effectiveness

48.A network administrator is creating a network profile to generate a network baseline. What is included in the critical asset address space element?
the TCP and UDP daemons and ports that are allowed to be open on the server
the IP addresses or the logical location of essential systems or data
the list of TCP or UDP processes that are available to accept data
the time between the establishment of a data flow and its termination

49.What are two sources of data in the operation of a security information and event management (SIEM) system? (Choose two.)
firewalls
dashboards and reports
antimalware devices
automation and alerts
incident management systems


50.What are two of the 5-tuples? (Choose two.)
IPS
source port
IDS
ACL
protocol

51.Refer to the exhibit. A network administrator is examining a NetFlow record. Which protocol is in use in the flow shown?
UDP
ICMP
TCP
HTTP

52.When real-time reporting of security events from multiple sources is being received, which function in SIEM provides capturing and processing of data in a common format?
aggregation
log collection
normalization
compliance

53.What is the role of vendor teams as they relate to a computer security incident response team?
They handle customer reports concerning security vulnerabilities.
They provide incident handling to other organizations as a fee-based service.
They coordinate incident handling across multiple teams.
They use data from many sources to determine incident activity trends.

54.At the request of investors, a company is proceeding with cyber attribution with a particular attack that was conducted from an external source. Which security term is used to describe the person or device responsible for the attack?
threat actor
fragmenter
tunneler
skeleton

55.What are three of the four interactive landscapes that VERIS schema use to define risk?
response
evidence
attack
threat
impact
control

