Windows Server intrusion detection tips

Intrusion DetectionThe system is not omnipotent, and the high price also makes people retreat. Moreover, the investment in configuring intrusion detection systems or firewalls for a single server or small network is too large. In previous articles, we have introduced part of the process of Windows2000 Server intrusion detection. Today we will continue to introduce it.

Precursor detection for WWW Service intrusion

For Open servers on the network, the WWW Service is one of the most common services. Port 80-based intrusion is also the most common. Many sceipt kids are very keen on modifying WEB pages. The WWW Service has a large number of users, and the traffic is relatively high. At the same time, there are many WWW Service Vulnerabilities and intrusion methods and techniques, which are also relatively easy, many "hackers" use vulnerability scanners to scan for various vulnerabilities on port 80, such as wwwscan and X-ray, and even a vulnerability scanner that only targets port 80. IIS that provides WWW services on Windows has been prone to vulnerabilities and becomes a headache for system administrators.

Although port 80 has many intrusions and scans, it is also very easy to log on port 80. IIS provides a powerful logging function. In Internet Service Manager, you can enable logging for site properties. Logs are stored in % WinDir % System32LogFiles by default, and exyymmdd. log files are saved every day. You can configure these settings, including the log record content.

When configuring IIS, you should keep IIS logs as detailed as possible to help identify and analyze intrusions. Now we need to use these logs to discover the precursor to intrusion, or to detect whether the server is scanned. Open the log file and we can get a scan record similar to this (for example, Unicode vulnerability ):

 
 

  
  
05:42:27 192.168.1.2-192.168.1.1 80 HEAD/script/... wax ../..
  
  
 
  
  
Wax ../winnt/system32/cmd.exe/c + dir 404-
  
  
 
  
  
2002-03-10 05:42:28 192.168.1.2-192.168.
  
  
 
  
  
GET/script /..?.. /..?.. /..?.. /Winnt/system32/cmd.exe/c + dir 404-
 
 

Note the following content:

/Script /..?.. /..?.. /..?.. /Winnt/system32/cmd.exe/c ++ dir 404

If it is a normal user, it will not send such a request, which is the result of the Unicode vulnerability scan using IIS. The following 404 indicates that such a vulnerability does not exist. If 200 is displayed, it indicates that the Unicode vulnerability exists. It also indicates that it has been scanned or used by others. Whether it is 404 or 200, the content appears in the log, indicating that someone is scanning (or exploiting) The server vulnerability, which is a precursor to intrusion. The log also records the source of the scanner: 192.168.1.2.

For example, this log:

06:17:50 192.168.1.2-192.168.1.1 80 HEAD/-400-

This is a record that uses the HEAD request to scan the WWW server software type. Attackers can select the scanning scope by understanding the software used by WWW.

IIS can usually record all requests. This includes many normal user request records, which also makes the IIS log file very large, with 10 MB or larger size, manual browsing and analysis becomes unavailable. In this case, you can use some log analysis software to help log analysis. Alternatively, run the following simple command to check whether a scan event with a Unicode vulnerability exists:

Find/I "winnt/system32/cmd.exe" C: logex020310.log

The "find" command searches for strings in the file. We can use the scanning tool to create a sensitive string, such as the header character missing .exe (Unicode vulnerability), ". ida", ". idq" (IDA/IDQ remote overflow vulnerability), and ". printer" (Printer remote overflow vulnerability.

Precursor detection for FTP and other service intrusion

Based on the previous detection of the precursor to WWW Service intrusion, we can also detect FTP or other services (POP, SMTP, etc ). Taking the FTP service as an example, for the FTP service, the initial scan or intrusion is usually an account guess. The FTP service provided by IIS also provides detailed log records like the WWW Service (if other FTP service software is used, they should also have corresponding log records ).

Let's analyze these logs:

 
 

  
  
2002-03-10 06:41:19 192.168.21.130 administrator [36]USER administrator 331  
  
  
 
  
  
2002-03-10 06:41:19 192.168.21.130 - [36]PASS - 530 
 
 

This indicates that the User Name administrator requests logon, but the logon fails. When a large number of Logon Failure records appear in the log, it indicates that someone attempts to guess the FTP account. This is a precursor to intrusion from the FTP service.

The log analysis method is similar to the log analysis method of WWW Service. Because FTP does not support account enumeration, If attackers find that the user name is exactly the same as the one you are using, they need to modify the account and increase the password length.

Intrusion detection is a supplement to the firewall. It helps the system deal with network attacks and extends the security management capabilities of system administrators, including security auditing, monitoring, attack identification, and response ), this improves the integrity of the information security infrastructure. We hope that you will learn more about intrusion detection to effectively protect your computer.