During an attack, hackers make use of systems other than their own: as the next target of the attack, as an occupied computer to be used for their own purposes, and so on. This article describes the common ways in which hackers use occupied computers, and the appropriate responses for security administrators.
In network attacks, hackers rarely work only from the computer in their own hands; during and after an attack they often use and control other computers, either to carry out the attack or for other purposes. This summary describes the various ways hackers use other people's computers, in the hope that network and system administrators, by understanding these attacks, can find better ways of achieving security.
1. Use of the occupied computer itself
1.1 Data acquisition
Principle
This is the first thing a hacker does once a computer has been compromised and is fully under his control. Many malicious hackers claim that they are interested only in computer security: once inside someone else's computer they do not destroy, delete or tamper with anything, and care even less about what happens to the data stored on it. It is true that destroying other people's computers is the most pointless of harmful acts and means little to a hacker, but that does not make the owner safe: security rests on three properties, and damage to any one of them means security has been breached. The occupied computer may hold user information, network topology, trade secrets, financial statements, military intelligence and other data that must remain confidential; the moment a hacker accesses such data (even only viewing it, without downloading it), its confidentiality is destroyed. In reality, much commercial and political espionage falls into this category: the spy quietly takes your data without doing any damage, and conceals the traces of his actions as far as possible. Such hackers want to obtain a great deal of valuable data over a long time without being noticed, and this is in fact the worst kind of attack.
The data stolen from many occupied computers may later be found on FTP servers that hackers set up. If you do not want this to happen, so that your data is not stolen, the first thing to consider is of course that the computer itself is not broken into. If the system is watertight, so that no hacker on your network can obtain any privileges on it, most possible leaks are eliminated (note that leaks are still possible at this point, for example through fraud, or hackers sending data out by other means). We first look at how to harden your computer's operating system. This is the prerequisite for all the defences described later; where these measures are effective in later chapters they will not be repeated.
In short, hardening an operating system, whether Windows, Unix or Linux, can be considered from several aspects: physical security, the file system, account management, network settings and applications. We do not discuss a comprehensive security solution in detail here, only some simple and practical system security checklist items. These are a necessary condition for security, but not a sufficient one.
Physical security. Simply put, physical security means that the physical environment of your computer is reliable and will not suffer natural disasters (fire, flood, lightning and so on) or man-made damage (theft, vandalism and so on). Physical security is not solely the responsibility of the system or network administrator; other departments such as administration and security must work on it together. But because it is the basis of all other security measures, network administrators should still pay close attention to it. In particular, ensure that all important equipment and servers are concentrated in a machine room and that rules for the room are drawn up, such as not allowing unrelated persons to enter. Network administrators should not need to enter the machine room except in special circumstances; management can be done from designated terminals outside it.
If anyone can get close to an important server, then no matter how strong a password you set, it is useless: on a variety of operating systems the password can be cracked by booting from a floppy disk or CD-ROM.
File system. Check that the files and directories on the system have correct permissions, and reset the permissions of important files;
On Unix and Linux systems, also check files with the setuid and setgid bits, and whether any file is unsuitable to be given these rights;
Accounts
Check that the account information on the system, user names and passwords, complies with the rules and is sufficiently complex. Do not give rights to anyone who does not need them;
On Unix/Linux, make reasonable use of su and sudo;
Disable unneeded accounts;
Network Security
Turn off all unnecessary services. Not much needs to be said about this: every open service is an open door through which a hacker may quietly enter;
Check the network interface features. Make sure the network card is not listening in promiscuous mode;
Network settings to prevent DoS: disable IP forwarding, do not forward directed broadcasts, restrict multihomed hosts, ignore and do not send redirect packets, turn off the timestamp response, do not respond to broadcast echo requests or broadcast address mask requests, do not forward source-routed packets, shorten the ARP table expiry time, and increase the sizes of the not-yet-connected and connected queues;
Disable the r* commands and telnet, and use SSH for encrypted remote management;
Security settings for NIS/NIS+;
Security settings for NFS;
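The network items in the checklist above correspond to Linux kernel settings that can be audited mechanically. The following is an added example, not code from the original article: it checks the /proc/sys values that implement those items and the promiscuous flag of each interface against a constructed sample host (or the live host when run on Linux); the minimum SYN-queue size is an assumption.

```python
"""Audit of the anti-DoS network settings and promiscuous-mode check from the list above.

Added example, not code from the article. Keys are the Linux /proc/sys entries
that implement the listed items; the SYN-queue threshold and the sample host
values are assumptions. Run as a script on Linux to audit the live host.
"""
import os

# (key under /proc/sys, required value, checklist item it implements)
EXPECTED = [
    ("net/ipv4/ip_forward", "0", "disable IP forwarding"),
    ("net/ipv4/conf/all/bc_forwarding", "0", "do not forward directed broadcasts"),
    ("net/ipv4/conf/all/accept_redirects", "0", "ignore redirect packets"),
    ("net/ipv4/conf/all/send_redirects", "0", "do not send redirect packets"),
    ("net/ipv4/conf/all/accept_source_route", "0", "do not forward source-routed packets"),
    ("net/ipv4/icmp_echo_ignore_broadcasts", "1", "do not respond to broadcast echo"),
    ("net/ipv4/tcp_syncookies", "1", "protect the not-yet-connected queue"),
]
SYN_BACKLOG_KEY = "net/ipv4/tcp_max_syn_backlog"
MIN_SYN_BACKLOG = 1024   # assumed minimum for the not-yet-connected queue
IFF_PROMISC = 0x100      # promiscuous bit in /sys/class/net/<if>/flags

def audit_sysctl(values):
    """Return one finding per setting that deviates from the checklist."""
    findings = []
    for key, want, item in EXPECTED:
        got = values.get(key)
        if got is None:
            findings.append(f"{key}: missing, cannot verify ({item})")
        elif got.strip() != want:
            findings.append(f"{key}={got.strip()}, want {want} ({item})")
    backlog = values.get(SYN_BACKLOG_KEY)
    if backlog is not None and int(backlog) < MIN_SYN_BACKLOG:
        findings.append(f"{SYN_BACKLOG_KEY}={backlog}, below {MIN_SYN_BACKLOG} (increase the queue)")
    return findings

def promiscuous_interfaces(flags_by_iface):
    """Interfaces whose flags word has IFF_PROMISC set: a card listening in promiscuous mode."""
    return sorted(name for name, flags in flags_by_iface.items() if flags & IFF_PROMISC)

def read_live(proc_root="/proc/sys", sys_root="/sys/class/net"):
    """Collect the same data from a running Linux host; empty on other systems."""
    values, flags = {}, {}
    for key in [k for k, _, _ in EXPECTED] + [SYN_BACKLOG_KEY]:
        path = os.path.join(proc_root, key)
        if os.path.exists(path):
            with open(path) as fh:
                values[key] = fh.read().strip()
    if os.path.isdir(sys_root):
        for name in os.listdir(sys_root):
            try:
                with open(os.path.join(sys_root, name, "flags")) as fh:
                    flags[name] = int(fh.read().strip(), 16)
            except (OSError, ValueError):
                pass
    return values, flags

# Constructed sample host: forwards, accepts redirects, answers broadcast pings,
# has a small SYN queue, and eth0 is in promiscuous mode (flags 0x1103).
SAMPLE_VALUES = {
    "net/ipv4/ip_forward": "1",
    "net/ipv4/conf/all/bc_forwarding": "0",
    "net/ipv4/conf/all/accept_redirects": "1",
    "net/ipv4/conf/all/send_redirects": "0",
    "net/ipv4/conf/all/accept_source_route": "0",
    "net/ipv4/icmp_echo_ignore_broadcasts": "0",
    "net/ipv4/tcp_syncookies": "1",
    SYN_BACKLOG_KEY: "128",
}
SAMPLE_FLAGS = {"lo": 0x9, "eth0": 0x1103, "eth1": 0x1003}

if __name__ == "__main__":
    live_values, live_flags = read_live()
    values, flags = (live_values, live_flags) if live_values else (SAMPLE_VALUES, SAMPLE_FLAGS)
    for finding in audit_sysctl(values):
        print("FAIL", finding)
    print("promiscuous interfaces:", promiscuous_interfaces(flags))
```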
Application services. The application services running on a server are also often a cause of security problems. Because there are so many kinds of applications, they cannot all be described here; pay attention to information on this subject. If possible, I will continue to provide relevant knowledge in the future. What can be said with certainty is that no application is perfectly safe as delivered; all of them rely on us to configure them properly.
To prevent data theft there are also means that keep data and information from being stolen even after a hacker has broken into the computer: access control and encryption. Access control requires system software that can restrict root privileges, so that important data is readable only by specific users and even root cannot access it; then even a hacker who becomes root gains nothing. There are many means of encryption, not described in detail here: a file is encrypted and stored on the hard disk as ciphertext, and unless it is properly decrypted it is a meaningless string of characters, of no use even to a hacker who obtains it.
1.2 Illegal proxy
Principle
Proxy technology plays a great role in improving the speed and efficiency of Internet access, and optimisation techniques such as cache servers are based on it, but hackers also use proxies for illegal activities. Hackers want fast access to the Internet and the WWW through a browser, and beyond that they use the proxy as a platform. There are many computers offering free, open WWW proxy service to all, so a hacker who wants a suitable proxy does not need to attack a personal computer and install proxy software himself; he simply uses these ready-made proxy computers. On sites such as Startle Soft there are many programs like Proxy Hunter that, given an address range, run automatically and search for existing proxy computers. Although the proxy itself is not attacked, a proxy service with a large number of client connections is placed under a great burden. Moreover, some attacks, such as the Unicode, Lotus Notes and ASP attacks, are carried out over the HTTP protocol, and to the target the source of the attack will appear to be the proxy server; in other words, the proxy server becomes a scapegoat for the attack. It is therefore best not to offer proxy services to the outside, and if one is opened out of necessity, it should be strictly restricted.
Using a proxy to bypass access restrictions is also very common. An example: a company, to improve efficiency, does not allow employees to chat with QQ, and sets a rule on the company firewall blocking all access from inside to outside on UDP port 8000, so that QQ inside the network cannot connect to the QQ chat server. But a hacker uses a QQ proxy he has set up himself to bypass this restriction on normal access to the QQ server.
Figure I: a hacker bypassing access restrictions through a QQ proxy
As Figure I shows, a QQ proxy is set up and used in the same way as a WWW proxy. With a QQ proxy on the Internet, the hacker inside the company accesses the QQ proxy on UDP port 18000, which is not prohibited. The QQ proxy then accesses the real target, the QQ server, on the client's behalf, and forwards the information back from UDP port 18000 to the hacker's computer. In this way the hacker has used a proxy to break through the access restriction.
The same principle can be used to bypass restrictions on other protocols, such as WWW, ICQ, MSN, Yahoo Messenger, AOL and so on, as long as the proxy software supports them.
Defences
Any proxy server we set up should restrict its clients and should not grant permissions to unrelated parties. This improves server efficiency and also prevents hackers from attacking through our proxy.
To prevent insiders from using an external proxy, restrictions can be set on the firewall so that only the external sites the business requires can be accessed. Of course this may cause inconvenience to the business, so it has to be weighed against the needs of each specific environment.
1.3 Hacker communication platform
Principle
These computers are generally powerful: a fast CPU, large memory, large hard disk space and adequate network speed, so they support the functions hackers need well. Hackers are distributed in every corner of the world; apart from some fixed hacker organisations, many hackers communicate only through the network, by email, online chat and so on, and it is not surprising that they never meet in real life.
You may ask: why not just email each other or use ICQ? Why take the risk of attacking other computers to use them as a communication platform? Note that what hackers pass among themselves is information that must not become known to others. If a mail server or chat server is intercepted, its operators are morally obliged to report attacks on people to the responsible network, so the public network's means of communication are not reliable for a hacker who has confidential 'customers' :-). What to do? Since the hacker controls computers, he uses them as servers for the exchange. On such a communication platform hackers are much less likely to be discovered, and having the highest privileges lets them cover their activities. Another advantage of this form of platform is an FTP server, through which hacker brothers upload and download hacker software to pass on to one another.
Hackers download in bulk from the occupied computer. If you find that your internal or external traffic has suddenly increased abnormally, check your computer now.
Administrators with a poor sense of responsibility often do not know that their computer has been occupied for a long time, until one day a high data communication bill arrives and they are surprised: who is liable for this?
Defences
Administrators must have means of real-time monitoring, draw up a reasonable inspection system, and regularly check the network and the servers they are responsible for. A sudden increase in network traffic, suspicious visits to a server, abnormal server behaviour or abnormal log entries must be checked immediately. Remember to classify and back up these log records so that the situation before and after an incident can be reconstructed.
Security depends largely on whether administrators are diligent; a good administrator must have good habits.
1.4 Learning / development platform
Principle
This use is relatively rare but very interesting. On the personal computers we normally use we can generally install Windows, FreeBSD, Linux and the x86 versions of other Unix systems; practising with operating systems on other platforms is almost impossible. Systems like AIX, HP-UX, Solaris (SPARC) and IRIX require the corresponding hardware platform and cannot be installed on an ordinary personal computer. The Unix computers of these well-known manufacturers are very expensive, and have become a treasure that ordinary computer enthusiasts can only dream of. This is where the hacker brothers show their talents: search the Web for an AIX machine that can be broken into, occupy it, and is that not an easy way to learn to operate the platform? On one hacker site I have seen people offering a Sun E250 'chicken' for transfer; this does carry significant risk. Hackers are generally not full-time; many are programming experts who take on program development tasks through friends and other channels to earn some pocket money. Many custom programs run on a specific platform; if a program must be developed and debugged on HP-UX, what to do, when HP-UX computers are rarely found? The hacker can use one of his occupied machines as the development platform. But we all know that developing and debugging a program produces all kinds of bugs, which range from irregular program behaviour to system crashes, and which also leave records in the logs. This is why doing so is dangerous: it is too easily discovered. If a computer has been used as a development platform for a long time and the administrator knows nothing of it, that administrator should reflect seriously.
Defences
The method is the same as in the first part, so not much need be said. Take care of your server now.
2. Using the occupied computer for other purposes
The second part discusses how hackers use occupied computers as a base for attacking other targets. First, when aggressive behaviour is discovered, the administrator of the next target can trace it back only as far as the occupied computer, which makes tracing difficult; second, it provides a means for certain types of attack.
2.1 Illegal scanning / monitoring platform
Principle
In attacks on a network, hackers always break into one computer first; once the gap is opened, the entire network is in danger. This is because in most network security configurations the main defence faces outward, that is, it is mainly prepared against external attack. Hackers exploit the weaker preparedness of internal computers: having taken control of one computer, they scan directly from there.
Figure II: internal scanning
Compare the two cases, before and after. Firewalls are very common network security devices that act as a security barrier at the entrance to the network; in particular, when a hacker scans from outside, the firewall blocks the vast majority of port probes. Scanning from inside, on the other hand, leaves no corresponding log and is not easily discovered. The hacker can scan to the end and collect the returns,
Illegal monitoring on a network: with the local popularity of switched networks, the information that illegal monitoring can collect is greatly reduced, but where the illegal eavesdropping software sits on an important server the harm is even greater. Hackers will obtain a great deal of information from it, such as user accounts, passwords and unreasonable trust relationships between servers, which plays a significant supporting role in the next attack.
Defences
Scanning is generally prevented mainly at the firewall: apart from the services deliberately opened, nothing else is allowed in, which best prevents information leaks. Servers on the same network segment should also be security-hardened, so that an internal scanner cannot find exploitable loopholes.
Defence against monitoring generally relies on encryption of network traffic and on switched network equipment. Many administrators still like to use the default telnet for remote login, and this plaintext protocol is a favourite of hackers. Using SSH instead of telnet and the r commands turns the data transmitted on the network into unreadable ciphertext, protecting your accounts, passwords and other important information. Switched network equipment greatly reduces the irrelevant traffic a single computer receives, thereby reducing the harm of illegal listeners, but relatively speaking it is still fairly expensive.
2.2 Attack point against the real target
Principle
The attacks mentioned here are those that obtain control over other computers, such as overflows and other exploits. As with scanning and monitoring, launching them from inside the network reduces the chance of detection. If the attack is discovered afterwards, will tracing find the hacker? Not directly: one must first find the occupied computer.
Defences
The occupied computer also needs to be monitored closely. Please refer to the previous content.
2.3 DDoS attack puppet
For hackers' use of occupied computers as puppets in DDoS attacks, see the article already published on IBM developerWorks.
2.4 Port jumping
Principle
Many networks use a firewall to close some dangerous ports to the outside (that is, defence against the outside). If a hacker has an in-house 'chicken' that can access these ports, then, because the firewall does not restrict visits to the port from inside, a careless administrator will not see him blocked by the firewall at all, and the chicken's port becomes the entry point of the attack.
Describing this in words alone is rather abstract, so let us look at an example.
This is a case from our actual security response work, in which the hacker used a combination of means, including common attacks on Windows server port 139, an overflow attack on a Solaris system, information collection before the attack, and the port-jump approach highlighted in 2.4.
Figure III A: initial network structure
In Figure III A, the customer's system administrator found abnormal behaviour on a Windows 2000 server, immediately cut off the server's network connection and reported to us; this was the network topology at the time. After careful diagnosis we inferred that the hacker had used the server's port 139: from a remote host, using nbtdump, a password-guessing tool and the Windows net commands, he gained control of the server and installed the BO 2000 Trojan. But the customer's system administrator immediately rejected our judgement: impossible! Is it not said that more than 70% of attacks come from inside? The router logs, however, showed that the hacker had indeed connected to the Trojan on this server's port from outside. We therefore continued to collect and analyse data on all aspects and check them with the customer's administrator. While checking the other hosts on the network, we found an internal SUN workstation with three IP addresses bound to its network card, one of them in the same segment as the attacked Windows server! This immediately caught our attention. The client's manager explained that this was a Solaris SPARC machine, often used for tests, which sometimes needed access to the server segment and so had an address in that segment. And just a week earlier, this SUN workstation had also been on the server segment. This was very suspicious, and we immediately had it checked; sure enough, the SUN workstation had been occupied. Because its main purpose was testing, the customer's manager had not hardened it, so breaking into it was easy. On it we found many scanning, monitoring and log-removal tools, in addition to the port-jump tool we had expected: netcat, nc for short.
Figure III B: with nc set up for port jumping, the attack on port 139 of the Windows 2000 server succeeded. The network topology at the time should be restored as shown in Figures III B and III C.
Using the 'chicken' as a springboard for port jumping
Figure III C explains the role of the port springboard. Once nc is installed, the hacker sets a number of operating parameters so that access to the springboard's port is automatically forwarded to port 139 of the destination computer; that is, access to the destination is channelled back to the hacker's computer.
Figure III D: the hacker bypasses the firewall's block on port 139 by jumping through two ports
In Figure III D we restore the topology of the nc port-jump attack. The hacker needed two port jumps here: first, his own Linux computer forwards access on its port 139 to port 2139 on the SUN, thus bypassing the firewall's restriction on access to port 139; then the SUN forwards the visit to its port 2139 on to port 139 of the ultimate target, the attack port. Why port 139? Because remote password guessing uses port 139 by default, and the hacker cannot change it.
With the two port springboards ready, the hacker only has to connect to port 139 of his own Linux machine to attack the target Windows server. Circumstances on this segment change very fast, and administrators must not neglect security because access is only temporary. We subsequently found the hacker's remote log entries on the router for port 2139 of the SUN machine, which made everything completely clear.
Defences
Against this kind of port-jump attack, besides hardening internal hosts so that they cannot be broken into, the firewall rules should also be set strictly: set the rules so that everything is closed completely, then open single ports as needed. Then even if a hacker comes in through a port that does not look dangerous, he may still be blocked by the firewall.
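The QQ-proxy bypass in section 1.2 and the nc port jump above both passed through a firewall that only blocked known-bad ports. The following added example (not code from the article) evaluates the flows of both scenarios, constructed here with the ports named in the text plus an assumed allowlist, against a blocklist policy and against the "everything closed, then single ports opened" policy recommended above.

```python
"""Blocklist vs default-deny firewall policy on the flows from sections 1.2 and 2.4.

Added example, not code from the article. The allowlist, the rule order
(first match wins, last rule is the default) and the flow records are
constructed assumptions; the ports 8000, 18000, 139 and 2139 come from the text.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    direction: str   # "in" (Internet -> LAN) or "out" (LAN -> Internet)
    proto: str       # "tcp" or "udp"
    dport: int       # destination port
    note: str        # what the flow is, for the report

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    direction: Optional[str]    # None matches either direction
    proto: Optional[str]        # None matches any protocol
    dport: Optional[int]        # None matches any destination port

    def matches(self, flow):
        return (self.direction in (None, flow.direction)
                and self.proto in (None, flow.proto)
                and self.dport in (None, flow.dport))

def decide(rules, flow):
    """First matching rule decides; the last rule is the policy's default."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    raise ValueError("policy has no default rule")

# Policy A: block the known-bad ports, allow everything else (the firewalls in the article).
BLOCKLIST_POLICY = [
    Rule("deny", "out", "udp", 8000),   # stop QQ reaching its chat server
    Rule("deny", "in", "tcp", 139),     # stop remote NetBIOS password guessing
    Rule("allow", None, None, None),    # default: allow
]
# Policy B: everything closed, then single ports opened as needed (section 2.4 defence).
DEFAULT_DENY_POLICY = [
    Rule("allow", "out", "tcp", 80),    # web browsing
    Rule("allow", "out", "tcp", 443),
    Rule("allow", "out", "udp", 53),    # DNS
    Rule("allow", "in", "tcp", 25),     # the one published service (mail, assumed)
    Rule("deny", None, None, None),     # default: deny
]

# Constructed flows taken from the two scenarios in the article.
FLOWS = [
    Flow("out", "udp", 8000, "QQ client direct to the QQ server"),
    Flow("out", "udp", 18000, "QQ client to the hacker's QQ proxy"),
    Flow("in", "tcp", 139, "remote password guessing against the Windows server"),
    Flow("in", "tcp", 2139, "hacker's Linux box to nc on the SUN springboard"),
    Flow("out", "tcp", 80, "normal web browsing"),
]

def evaluate(rules, flows=FLOWS):
    """Map each flow's note to the policy's decision."""
    return {flow.note: decide(rules, flow) for flow in flows}

def leaked_by_blocklist(flows=FLOWS):
    """Flows the blocklist lets through but default-deny stops: the bypass paths."""
    return [f.note for f in flows
            if decide(BLOCKLIST_POLICY, f) == "allow"
            and decide(DEFAULT_DENY_POLICY, f) == "deny"]

if __name__ == "__main__":
    for name, policy in (("blocklist", BLOCKLIST_POLICY), ("default-deny", DEFAULT_DENY_POLICY)):
        print(name)
        for note, verdict in evaluate(policy).items():
            print(f"  {verdict:5} {note}")
    print("bypass paths closed by default-deny:", leaked_by_blocklist())
```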
3. Direct borrowing of other computers for various types of attack
The situation here is different: when another computer is used directly as an attack platform, the hacker does not need to break into the computer being used first, but misleads it into attacking the target. Here hackers exploit shortcomings of the TCP/IP protocols and vulnerabilities of the operating systems themselves, which makes these attacks more difficult to prevent, especially the last two: distributed reflective denial-of-service attacks and distributed denial-of-service attacks on DNS.
3.1 Smurf Attack
Principle
The Smurf attack is an early form of attack, a means of attack within the LAN. Its principle is based on broadcast addresses and request responses. When one computer sends certain special packets to another, such as ping requests, it receives a response; if the request packet is sent to the network broadcast address, it actually reaches all the computers on the network, and they all respond. Each response the receiving computer handles consumes a share of system resources, and if the responses of all the computers on the network arrive at once, the receiving system can be overwhelmed just as in a DDoS attack. You may wonder who would be bored enough to send packets to the network broadcast address and attract everyone's responses onto themselves.
Under normal circumstances, of course, no operator would do so, but when a hacker uses this principle for a Smurf attack, he does it in place of the victim.
Figure IV: principle of the Smurf attack
In Figure IV, the hacker sends a request packet to the broadcast address; all computers receive the request, but they respond not to the hacker but to the computer being attacked. This is because the hacker impersonates the attacked host: the packet-sending software the hacker uses can forge the source address, and a host receiving the forged packet sends its response according to the source address, which is of course the target's address. The hacker also reduces the interval between packets to a few milliseconds, so that thousands of requests can be sent per unit time and the victim's computer is flooded with responses from the deceived computers. As with other types of denial-of-service attack, the attacked host's network and system stop responding, and in serious cases the system crashes.
The hacker uses all the computers on the network to attack the victim, without needing to occupy these deceived hosts beforehand.
In practice, hackers are not foolish enough to do this on their own LAN, where it would easily be detected. They send the broadcast packets from a remote location to the target computer's network to carry out the attack.
Defences
There is no need for broadcast requests to cross LANs, so Smurf attacks can be made impossible simply by setting the router to discard the directed broadcast packets it receives; then request packets to the local broadcast address cannot arrive from outside. Note also that multihomed hosts (with multiple network cards) can potentially act as routers, so their systems should be set not to receive or forward these broadcast packets.
3.2 DrDoS (distributed reflective denial-of-service attack)
Principle
DrDoS is a variant of the DDoS attack; the difference is that DrDoS does not require the attacker to occupy a large number of puppet machines beforehand. This attack is also carried out with packets whose source address is forged, and in this respect it resembles the Smurf attack, but DrDoS can be carried out across the wide area network. The packet-sending tool first sends SYN connection request packets with a forged source address to the computers being deceived; according to the rules of the TCP three-way handshake, these computers send SYN+ACK or RST packets to the source IP in response to the request. As in the Smurf attack, the source IP address of the request packets the hacker sends is the victim's address, so the deceived computers send their responses to the victim, whose host is kept busy handling them: a denial of service. For the specific structure, refer to the Smurf attack principle in Figure IV.
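The Smurf and DrDoS attacks described above share one trait: the victim receives replies to requests it never sent. The following is an added example, not code from the article: a router-side check for echo requests aimed at a directed broadcast address (the packets the Smurf defence tells the router to discard) and a victim-side count of unsolicited SYN+ACK, RST and echo-reply packets, run over constructed packet records with assumed thresholds.

```python
"""Detecting reflected traffic: the Smurf attack (3.1) and DrDoS (3.2).

Added example, not code from the article. Packet records and thresholds are
constructed. Both attacks leave one signature at the victim: replies (echo
replies, SYN+ACK, RST) to requests the victim never sent, from many reflectors.
"""
import ipaddress
from collections import Counter

def icmp(src, dst, kind):
    """Constructed ICMP record; kind is 'echo-request' or 'echo-reply'."""
    return {"proto": "icmp", "src": src, "dst": dst, "kind": kind}

def tcp(src, sport, dst, dport, kind):
    """Constructed TCP record; kind is 'SYN', 'SYN-ACK' or 'RST'."""
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport, "kind": kind}

def directed_broadcast_requests(packets, local_nets):
    """Router-side Smurf check: echo requests aimed at a local subnet's broadcast address.
    These are exactly the packets the article's defence tells the router to discard."""
    bcast = {str(ipaddress.ip_network(n).broadcast_address) for n in local_nets}
    return [p for p in packets
            if p["proto"] == "icmp" and p["kind"] == "echo-request" and p["dst"] in bcast]

def unsolicited_replies(packets, victim):
    """Victim-side check for both attacks: count replies per reflector for which the
    victim sent no matching SYN (to that peer and port) or echo request (to that peer)."""
    sent_syn, pinged, unsolicited = set(), set(), Counter()
    for p in packets:
        if p["src"] == victim:                      # requests the victim really sent
            if p["proto"] == "tcp" and p["kind"] == "SYN":
                sent_syn.add((p["dst"], p["dport"]))
            elif p["proto"] == "icmp" and p["kind"] == "echo-request":
                pinged.add(p["dst"])
        elif p["dst"] == victim:                    # replies arriving at the victim
            if p["proto"] == "tcp" and p["kind"] in ("SYN-ACK", "RST"):
                if (p["src"], p["sport"]) not in sent_syn:
                    unsolicited[p["src"]] += 1
            elif p["proto"] == "icmp" and p["kind"] == "echo-reply":
                if p["src"] not in pinged:
                    unsolicited[p["src"]] += 1
    return unsolicited

def reflection_verdict(unsolicited, min_reflectors=3, min_packets=10):
    """True when unsolicited replies arrive from many reflectors (assumed thresholds)."""
    return len(unsolicited) >= min_reflectors and sum(unsolicited.values()) >= min_packets

VICTIM = "203.0.113.10"
# Seen at the reflector network's router: one normal ping and one spoofed directed broadcast.
ROUTER_PACKETS = [icmp("198.51.100.9", "192.0.2.7", "echo-request"),
                  icmp(VICTIM, "192.0.2.255", "echo-request")]
# Seen at the victim: legitimate exchanges, then the two attack floods.
LEGIT = [tcp(VICTIM, 40000, "198.51.100.5", 80, "SYN"),
         tcp("198.51.100.5", 80, VICTIM, 40000, "SYN-ACK"),
         icmp(VICTIM, "198.51.100.6", "echo-request"),
         icmp("198.51.100.6", VICTIM, "echo-reply")]
# DrDoS: four reflectors answer spoofed SYNs with SYN-ACK (open port) or RST (closed port).
DRDOS = [tcp(f"198.51.100.2{i}", 80, VICTIM, 1024 + n, "SYN-ACK" if i % 2 == 0 else "RST")
         for i in range(4) for n in range(3)]
# Smurf: five hosts on 192.0.2.0/24 answer the spoofed broadcast ping, twice each.
SMURF = [icmp(f"192.0.2.{i}", VICTIM, "echo-reply") for i in range(1, 6) for _ in range(2)]
VICTIM_PACKETS = LEGIT + DRDOS + SMURF

if __name__ == "__main__":
    print("directed broadcasts at router:", directed_broadcast_requests(ROUTER_PACKETS, ["192.0.2.0/24"]))
    hits = unsolicited_replies(VICTIM_PACKETS, VICTIM)
    print("unsolicited replies per reflector:", dict(hits))
    print("reflection attack:", reflection_verdict(hits))
```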
Defences
As with D...