Step 6: Make a new directory for your HTML code file or template, then unzip the archive with the “unzip” command.
Step 7: Move the files into the HTML directory (the Apache document root) and use “ls -lrt” to check the contents.
Step 8: Enable and start httpd with “systemctl enable httpd” and “systemctl start httpd”; confirm it is running with “systemctl status httpd”.
Step 9: Now that httpd is up and running, copy the instance's public IP and paste it into the browser's address bar; the website you created on EC2 will appear.
Modsecurity implementation
ModSecurity is a widely used open-source web application firewall (WAF) module
designed to enhance the security of web applications by detecting and preventing
various types of attacks. Developed by Ivan Ristic, it functions as an Apache or Nginx
module, offering real-time monitoring, logging, and access control capabilities.
Step 1: Install Ubuntu and configure your settings, then log in with your username and password.
Step 2: Install Apache with the commands “sudo apt update” and “sudo apt-get install apache2”.
The virtual host block (on Ubuntu this is /etc/apache2/sites-available/000-default.conf) should look like this; the opening <VirtualHost> line is assumed, as the fragment on the page begins inside the block:
# Opening directive assumed (the page's fragment starts inside the block)
<VirtualHost *:80>
    DocumentRoot /var/www/html
    <Directory /var/www/html>
        # "Indexes" enables directory listing; drop it unless you need it
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
AWS Security Hub serves as a central hub for security-related information within your
AWS environment. It aggregates, prioritizes, and presents security findings from
multiple AWS services and third-party tools, providing you with a holistic view of
your security posture. Some key capabilities include:
1. Unified Security Findings: Security Hub consolidates security findings from
various AWS services like Amazon GuardDuty, Amazon Inspector, Amazon
Macie, and others, as well as supported third-party solutions. This aggregation
helps you gain insights into potential security issues across your AWS
accounts.
2. Prioritized Insights: It prioritizes security findings based on severity levels
and provides actionable insights into the most critical issues that require
immediate attention. This prioritization allows you to focus on addressing the
most significant security risks first.
3. Security Standards Compliance: Security Hub supports various security
standards and compliance frameworks, such as CIS AWS Foundations
Benchmark and AWS Foundational Security Best Practices. It continuously
evaluates your environment against these standards, helping you ensure
compliance and adherence to industry best practices.
4. Automated Remediation Actions: Security Hub allows you to automate
remediation actions through AWS Lambda functions or AWS Systems
Manager Automation documents. This enables you to respond swiftly to
security findings by automatically triggering predefined remediation steps or
custom workflows.
5. Custom Insights and Dashboards: You can create custom insights and
dashboards tailored to your specific security requirements. This flexibility
allows you to focus on metrics and indicators relevant to your organization's
security goals and objectives.
6. Integration with AWS Services: Security Hub integrates seamlessly with
other AWS services, such as AWS Identity and Access Management (IAM),
AWS Config, and AWS CloudTrail, enhancing visibility and control over your
security environment.
7. Continuous Monitoring and Insights: By continuously monitoring your
AWS environment for security issues and compliance deviations, Security Hub
helps you stay proactive in identifying and addressing potential threats and
vulnerabilities.
Overall, AWS Security Hub simplifies security operations by providing a centralized
platform for monitoring, prioritizing, and managing security findings across your
AWS accounts and workloads. It empowers organizations to strengthen their security
posture and maintain compliance with industry standards effectively.
AWS CloudTrail Configuration
AWS CloudTrail is a service provided by Amazon Web Services (AWS) that allows
users to monitor and record API activity within their AWS accounts. It tracks actions
performed by users, services, and resources within the AWS environment, providing a
detailed history of events such as calls made to AWS APIs, changes to AWS resources,
and user logins.
CloudTrail captures information such as the identity of the entity making the API call,
the time of the call, the source IP address, and the actions performed. This data is
recorded as event logs, which are stored securely in an Amazon S3 bucket or streamed
to Amazon CloudWatch Logs for real-time monitoring and analysis.
Step 1: Search for AWS CloudTrail in the AWS console and click “Create trail”.
Step 2: Edit the settings to your needs, i.e. the trail name, the log bucket, etc.
Step 3: Choose the log event types and the management events to record, then click “Next” to review and create the trail.
1. Environment Setup:
   - Create an AWS account and set up an S3 bucket to store sensitive data.
   - Enable AWS CloudTrail to monitor and log all API activity within your AWS environment.
2. Simulated Attack:
   - The attacker gains unauthorized access to AWS credentials through a phishing email targeting an employee with administrative privileges.
   - Using the compromised credentials, the attacker gains access to the AWS Management Console.
   - The attacker then proceeds to access the S3 bucket containing sensitive data.
3. Detection:
   - AWS CloudTrail captures all API calls made within the AWS environment, including authentication and access to S3 buckets.
   - Anomalies in CloudTrail logs, such as unusual API calls or access patterns, trigger alerts in a monitoring system like Amazon CloudWatch or AWS Security Hub.
4. Investigation:
   - Security analysts receive alerts indicating unauthorized access to the S3 bucket.
   - They immediately access the CloudTrail logs to investigate the incident.
   - Analysts identify the suspicious API calls associated with the unauthorized access, including the source IP address and user identity.
5. Response:
   - The compromised credentials are revoked to prevent further unauthorized access.
   - Security policies and access controls are reviewed and strengthened to prevent similar incidents in the future.
   - Any data potentially accessed or compromised during the incident is assessed for impact, and affected parties are notified as necessary.
6. Remediation:
   - Implement multi-factor authentication (MFA) for all users accessing the AWS Management Console to prevent unauthorized access.
   - Regularly review and rotate AWS credentials to mitigate the risk of credential theft.
   - Utilize AWS IAM policies to enforce least privilege access, ensuring that users only have access to the resources necessary for their roles.
7. Post-Incident Analysis:
   - Conduct a thorough post-incident analysis to understand how the incident occurred and identify areas for improvement in security controls and incident response procedures.
   - Update incident response playbooks based on lessons learned from the incident to improve the organization's ability to detect, respond to, and recover from similar incidents in the future.
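The detection step above, as an added example that is not part of the original document: a small detector run over constructed CloudTrail records, flagging a console login without MFA or from outside the assumed corporate range, and data access to an assumed sensitive bucket from an untrusted source IP. The trusted range, bucket name and user names are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample CloudTrail records (not real logs): a console login without MFA from
# an unfamiliar IP, reads of the sensitive bucket from it, then a routine in-network read.
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-20T09:00:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"userName": "admin-alice"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-03-20T09:02:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListObjects", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"userName": "admin-alice"},
     "requestParameters": {"bucketName": "corp-sensitive-data"}},
    {"eventTime": "2024-03-20T09:03:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"userName": "admin-alice"},
     "requestParameters": {"bucketName": "corp-sensitive-data", "key": "payroll.csv"}},
    {"eventTime": "2024-03-20T10:15:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"userName": "svc-backup"},
     "requestParameters": {"bucketName": "corp-sensitive-data", "key": "db.bak"}},
]

# Assumed baseline: corporate egress range and the buckets classed as sensitive.
TRUSTED_NETS = [ip_network("198.51.100.0/24")]
SENSITIVE_BUCKETS = {"corp-sensitive-data"}
S3_DATA_EVENTS = {"GetObject", "ListObjects", "PutObject", "DeleteObject"}

def from_trusted_net(ip):
    """True for the corporate range and for non-IP sources such as 'AWS Internal'."""
    try:
        return any(ip_address(ip) in net for net in TRUSTED_NETS)
    except ValueError:
        return True

def detect(events):
    """Return (severity, user, reason) findings for the scenario's two signals."""
    findings = []
    for ev in events:
        user = ev.get("userIdentity", {}).get("userName", "?")
        ip, name = ev.get("sourceIPAddress", ""), ev.get("eventName")
        if name == "ConsoleLogin":
            mfa = ev.get("additionalEventData", {}).get("MFAUsed") == "Yes"
            if not mfa or not from_trusted_net(ip):   # login without MFA or from outside
                findings.append(("HIGH", user, f"console login from {ip}, MFA={'yes' if mfa else 'no'}"))
        elif ev.get("eventSource") == "s3.amazonaws.com" and name in S3_DATA_EVENTS:
            bucket = ev.get("requestParameters", {}).get("bucketName")
            if bucket in SENSITIVE_BUCKETS and not from_trusted_net(ip):
                findings.append(("HIGH", user, f"{name} on {bucket} from untrusted {ip}"))
    return findings
```

In practice the records come from the CloudTrail JSON files in the trail's S3 bucket (the "Records" array) or from a CloudWatch Logs subscription; the in-network read by svc-backup produces no finding.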
Step 5: Here you can check whether your credentials have been compromised or not.
Step 6: You can further protect your files by enabling two-factor authentication or changing your credentials in the IAM dashboard.
Finalize and Present Findings
ModSecurity, Suricata, AWS Security Hub, and AWS CloudTrail are all tools used for
monitoring and enhancing security in different environments. Together they protect
web applications and their data from unauthorized access, e.g. by attackers.
ModSecurity:
ModSecurity is an open-source web application firewall (WAF) designed to
detect and prevent web-based attacks. It analyzes HTTP traffic and applies
rules to identify and block malicious requests or payloads. Key findings
include the detection of suspicious HTTP requests, SQL injection attempts,
cross-site scripting (XSS) attacks, and other web application vulnerabilities.
ModSecurity provides detailed logs and alerts, allowing administrators to
monitor and respond to security incidents in real-time.
Suricata:
Suricata is an open-source intrusion detection system (IDS) and intrusion
prevention system (IPS) capable of analyzing network traffic at high speeds. It
inspects packets and applies rulesets to detect and block malicious activity on
the network. Findings from Suricata include the detection of network-based
attacks such as port scans, denial-of-service (DoS) attacks, malware command-and-control
traffic, and suspicious network behavior. Suricata generates alerts
and logs, providing visibility into network threats and enabling rapid response
to security incidents.
AWS CloudTrail:
AWS CloudTrail is a service that records and logs API activity within AWS
environments, including identity and access management (IAM) actions,
resource changes, and AWS service activity. CloudTrail provides a
comprehensive audit trail of user and resource activity, helping organizations
maintain visibility and accountability. Findings from CloudTrail include
unauthorized access attempts, changes to AWS configurations, and API calls
related to security-sensitive operations. CloudTrail logs can be used for
security analysis, compliance auditing, and incident response, enabling
organizations to detect and investigate security incidents in AWS environments
effectively.
Step 5: Find the interface and subnet Suricata should monitor with the command “ip a s”:
Interface: eth0
Subnet: 192.168.113.43/20
In /etc/suricata/suricata.yaml set HOME_NET to this subnet under “vars”, and set the interface to eth0 in the “af-packet” and “pcap” sections (search the file for af-packet, pcap and community-id; enabling community-id adds a flow hash that lets alerts be correlated with other tools).
Then download, enable and test the rule sets:
sudo suricata-update                                    # download the rule sets
ls -al /var/lib/suricata/rules                          # list the rules directory
sudo suricata-update list-sources                       # list the rule-set sources (the page repeated the ls command here)
sudo suricata-update enable-source malsilo/win-malware  # enable a source
sudo suricata -T -c /etc/suricata/suricata.yaml -v      # run Suricata in test mode
Step 6: Add a local rule that alerts on any ICMP echo toward HOME_NET:
alert icmp any any -> $HOME_NET any (msg:"ICMP Ping"; sid:1; rev:1;)
Test the configuration to see if there is any issue in it, then start the service and check the log directory:
sudo suricata -T -c /etc/suricata/suricata.yaml -v
sudo service suricata start
ls -al /var/log/suricata/
Note: fast.log contains the intrusion log in the standard one-line-per-alert format.
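As an added example that is not part of the original document, the following parses fast.log lines in the one-line format noted above and summarizes alerts per rule and per external source using the HOME_NET from Step 5. The log lines are constructed (sid 1 is the "ICMP Ping" rule from Step 6; sid 1000002 is an assumed local rule, not a real signature).

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed fast.log lines (not a real capture); 10.20.0.5 is an assumed outside host.
SAMPLE_FAST_LOG = """\
03/20/2024-09:00:11.103311  [**] [1:1:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 10.20.0.5:8 -> 192.168.113.43:0
03/20/2024-09:00:12.104420  [**] [1:1:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 10.20.0.5:8 -> 192.168.113.43:0
03/20/2024-09:01:30.551200  [**] [1:1000002:1] LOCAL suspicious HTTP request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.20.0.5:51544 -> 192.168.113.43:80
03/20/2024-09:02:02.000001  [**] [1:1:1] ICMP Ping [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.112.9:8 -> 192.168.113.43:0
"""

# timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"\s+\[Classification:\s*(?P<cls>.*?)\]\s+\[Priority:\s*(?P<prio>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[^:\s]+):(?P<sport>\d+)\s+->\s+(?P<dst>[^:\s]+):(?P<dport>\d+)$")

def parse_fast_log(text):
    """Parse fast.log text into a list of alert dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if m:
            a = m.groupdict()
            for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
                a[k] = int(a[k])
            alerts.append(a)
    return alerts

def summarize(alerts, home_net="192.168.113.43/20"):
    """Count alerts per rule and per external source; return priority 1-2 alerts for triage."""
    home = ip_network(home_net, strict=False)   # 192.168.112.0/20, as in Step 5
    by_rule = Counter((a["sid"], a["msg"]) for a in alerts)
    external = Counter(a["src"] for a in alerts if ip_address(a["src"]) not in home)
    high = [a for a in alerts if a["prio"] <= 2]
    return by_rule, external, high
```

Pings from 192.168.112.9 fall inside the /20 and so are not counted as external; on a live sensor read the text from /var/log/suricata/fast.log instead of the sample.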