With the spread of broadband networks, personal servers and home networks have sprung up in residential and campus networks. They offer various sharing services according to their owners' preferences, providing a wide range of shared resources for the many online users. However, because their owners have limited time and funds, these machines often lack a sound protection system and become practice targets for hackers and would-be hackers, suffering data loss or hardware damage. Ensuring the security of the network and of one's own machines has therefore become an increasingly important issue.
Hackers and administrators are two sides of the same contest. A good administrator cannot set security policies to protect his network if he does not understand the thinking and practices of hackers; a hacker who is unfamiliar with the various security measures will be unable to act when confronted with the wide variety of protections in place. The two sides do their utmost in attack and counterattack and exhaust every measure. As the saying goes, "to do good work, one must first sharpen one's tools." If we want to protect ourselves against attacks, we must first understand the other party's thinking and the methods and tools they use; in this way we can develop our own security policies based on the methods they adopt, so that a stable set of rules can meet their changing tactics and we are prepared to defend against intrusion.
Threat Classification
First, let's look at how network resources are divided and the potential threats to each. Generally, there are four types of resources in a network: local resources, network resources, server resources, and data information resources. Local resources refer to the operating systems of personal computers in the local LAN or the applications running on servers. These resources are not only threatened by hacker attacks; while using an application or operating system, downloading or opening a file containing Java, ActiveX, a virus or a backdoor program also poses a threat to the local computer's operating system, causing it to crash so that the computer cannot be used. Network resources, that is, the network system itself, are the means of data exchange between local resources and the WAN. Hackers can use IP spoofing to obtain a new IP address and reach areas otherwise inaccessible to them, for example a campus network or the internal LAN of a residential area. In the case of personal servers, a computer whose IP address has been banned and blocked for improper use of the server (for example, downloading or deleting files against the rules) can use this method to re-enter the server and do damage. Server resources are the various services opened on the server (such as WEB, FTP, E-MAIL, etc.); hackers exploit vulnerabilities in these services to intrude into the server, obtain various permissions, and control the server or the LAN. Data information resources refer to the visitor information, friend information and customer information on a personal website. Compared with a company's data, personal data is much less threatened by intrusion.
These threats can be roughly divided into two categories. The first is accidental threats: because of system equipment problems such as a sudden power failure, a restart or a line interruption, a user obtains high-level permissions and thereby enters or accesses an area or information not authorized to him. Such a user has no particular purpose, the probability of such an event is very small, and it generally does not cause great harm to the system. The other type of user poses a great threat: they deliberately use various tools and methods to probe for system vulnerabilities and then intrude into the system through them, retrieving the information they want or modifying data, resulting in irreparable losses.
Hackers themselves can likewise be roughly divided into two categories. One is the accidental attacker. They differ from the users mentioned above under accidental threats: they attack servers without a particular target and try to search for information on them, and their only reason for doing so is to satisfy their curiosity and their addiction to hacking. These people generally only use existing hacking software or copy attack methods from the Internet to test for system vulnerabilities. In general their level is average and quite amateur; ordinary protection measures, such as a simple firewall or system patches, are enough to block them. The other type, the determined attacker, is not so easy to deal with. Most of them are network and programming experts, familiar with various programming languages, operating systems and the protocols of the different network layers. They can write their own attack programs, find system vulnerabilities and devise intrusion methods. In addition, their aims go far beyond satisfying curiosity: trade secrets, revenge and other motives.
Attack type
Now let's discuss several major and common types of hacker attack. Denial of Service (DoS) attacks are currently the most common attack method. Generally a program occupies all the resources on the host, or sends a large number of packets to the host in a short time, interfering with other normal data exchange and overloading or paralysing the system. Network worms are currently the most common and most influential way of achieving denial of service. In addition, denial of service can be achieved by leaving TCP handshakes half-open and by email bombs. A front-door attack is the most direct attack method. Hackers attempt to log on to the system as a legitimate user recognized by the system in order to gain access; they directly try combinations of characters to crack legitimate user names and passwords. Because powerful computers and cracking programs are used, front-door attacks are not difficult for experienced hackers. Therefore, when a large number of logon failures appear in the server logs, it means that hackers may have begun to knock on the server's front door. Skylight (trapdoor) attacks are similar to Trojan horse attacks. The former uses a backdoor left by the administrator (that is, a special user channel used for system testing or fault maintenance) to intrude into the system; the latter opens a special channel for the illegal intruder at any time through memory-resident programs (backdoor viruses, code bombs, etc.). IP spoofing and man-in-the-middle attacks are two similar attack methods. The first has been mentioned before: a forged IP header is used to gain illegal access to the legitimate network and communicate on it. A man-in-the-middle attack first obtains a valid identity through IP spoofing, then captures packets on the network to obtain their data, and steals valid usernames and passwords from that data.
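The front-door signal described above (many logon failures from one source in a short time) can be checked mechanically. The following is an added example, not code from the original article; the log line format, the source addresses and the threshold are constructed assumptions modelled on a syslog-style auth log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (not from the article). One source hammers several
# usernames within seconds; another has two isolated failures 25 minutes apart.
SAMPLE_LOG = """\
2024-03-01 10:00:01 sshd: Failed password for admin from 203.0.113.5
2024-03-01 10:00:03 sshd: Failed password for root from 203.0.113.5
2024-03-01 10:00:04 sshd: Failed password for guest from 203.0.113.5
2024-03-01 10:00:06 sshd: Failed password for admin from 203.0.113.5
2024-03-01 10:00:07 sshd: Accepted password for alice from 198.51.100.7
2024-03-01 10:00:09 sshd: Failed password for test from 203.0.113.5
2024-03-01 10:00:10 sshd: Failed password for oracle from 203.0.113.5
2024-03-01 10:05:00 sshd: Failed password for bob from 198.51.100.7
2024-03-01 10:30:00 sshd: Failed password for bob from 198.51.100.7
"""

# Assumed line layout: "<date> <time> sshd: <Failed|Accepted> password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) sshd: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)

def find_front_door_attacks(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: (failures_in_window, sorted_usernames_tried)} for every
    source that produced >= threshold failed logons inside a sliding time window.
    The count reported is that of the last window in which the threshold was met."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    users = defaultdict(set)      # src -> every username that source has tried
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "Failed":
            continue              # skip unparseable lines and successful logons
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        src = m["src"]
        q = recent[src]
        q.append(ts)
        users[src].add(m["user"])
        while q and ts - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = (len(q), sorted(users[src]))
    return flagged
```

Successful logons are deliberately ignored so that a legitimate user from a flagged address still shows up in the username list, which helps when deciding whether the account itself is now at risk.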
Anti-attack and anti-intrusion
Administrators must be careful when configuring server security policies. For example, when configuring the authorization service, add a detailed description to each user in your own style to express that user's identity; in this way, once you find a new user that has no description or does not follow your style, you can immediately check its validity and whether it is an extra control account left behind after an intrusion. Configuring data protection and data integrity can provide authorization protection and encryption for the various types of data on the host. This prevents users from being eavesdropped on and intercepted while logging on to the host remotely, and if traffic has been intercepted it prevents it from being cracked. Security policy is the most basic tool in the administrator's hands; used effectively, it can repel most illegal intrusions.
As the administrator of a server, you must first evaluate and analyze the intrusions your server faces and the resources and data on it that are vulnerable to attack, so that you can establish your own security policy easily and build the most appropriate protection at minimum cost. Intrusion monitoring software is also an essential weapon for administrators. It monitors data flowing into and out of the server and checks its legitimacy. This type of software also has a rule database, used to inspect and compare in real time the data exchanged with the network, passing the legitimate traffic and stopping the illegitimate. Administrators can set their own network rules and countermeasures, for example tracing back after an intrusion is detected to find its source, or directly counterattacking to force the hacker to stop attacking and go on the defensive (common monitoring software includes ISS RealSecure, Axent Intruder Alert, etc.). In addition, avoid using default system configurations when configuring servers. These defaults are intended for the convenience of ordinary users, but many hackers are familiar with the vulnerabilities of default configurations and can easily intrude into the system through them, so after the system is installed, the first step is to apply the latest patches and then change the system's default settings. Create detailed attributes and permissions for each user so that you can easily confirm the user's identity and the information they access or modify. Change user passwords regularly to minimize the threat of password cracking. In short, we need to make good use of the various security policies of the server's own system so that, with minimal resources, most hackers are blocked.
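The account-description convention from the previous paragraph and the "detailed attributes for each user" advice here amount to a periodic audit of the user database against what the administrator knows he created. The following is an added example, not code from the original article; the account listing, the "Dept/Full Name/REQ-nnnn" description convention, and the privileged group names are constructed assumptions.

```python
import re

# Constructed account listing (not from the article), shaped like the fields an
# administrator would export from the system's user database.
ACCOUNTS = [
    {"name": "alice", "description": "IT/Alice Chen/REQ-1021", "groups": ["users"], "uid": 1001},
    {"name": "bob", "description": "Sales/Bob Lee/REQ-1040", "groups": ["users"], "uid": 1002},
    {"name": "svc-backup", "description": "IT/backup service/REQ-0999", "groups": ["backup"], "uid": 1003},
    {"name": "support2", "description": "", "groups": ["users", "wheel"], "uid": 1004},
    {"name": "toor", "description": "admin", "groups": ["wheel"], "uid": 0},
]

# Assumed house convention: "<Dept>/<Full Name or purpose>/<change ticket>".
DESC_RE = re.compile(r"^[A-Za-z]+/[A-Za-z .-]+/REQ-\d{4}$")
PRIVILEGED_GROUPS = {"wheel", "sudo", "administrators"}   # assumed admin groups

def audit_accounts(accounts, known_names, desc_re=DESC_RE):
    """Return a list of (account_name, reason) findings. An account is reported when
    it is absent from the administrator's own list of created accounts, its
    description does not follow the house convention, it holds a privileged group
    without a valid description, or it shares uid 0 with root."""
    findings = []
    for acct in accounts:
        name = acct["name"]
        desc_ok = bool(desc_re.match(acct.get("description", "")))
        if name not in known_names:
            findings.append((name, "not in the administrator's known account list"))
        if not desc_ok:
            findings.append((name, "description missing or not in house format"))
        privileged = PRIVILEGED_GROUPS & set(acct.get("groups", []))
        if privileged and not desc_ok:
            findings.append((name, f"privileged group {sorted(privileged)} without valid description"))
        if acct.get("uid") == 0 and name != "root":
            findings.append((name, "uid 0 account other than root"))
    return findings

def suspicious_names(accounts, known_names):
    """Distinct account names with at least one finding, sorted for stable reporting."""
    return sorted({name for name, _ in audit_accounts(accounts, known_names)})
```

Running the audit against the constructed listing reports only support2 and toor; the three accounts that follow the convention and appear in the administrator's list produce no findings.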
Firewall technology is not the same as the monitoring software mentioned above; the two are completely independent of each other. A firewall serves as a barrier at the LAN exit (there are of course many personal firewalls on the market, but the principle is similar whether it protects a PC or a LAN). A firewall system can be composed of routers, servers and PCs, and it isolates the private network to be protected from the public network. Firewalls can be deployed at high-level gateways, such as a network's Internet connection, or at low-level gateways, so that some sensitive systems within the LAN can be isolated. Complex, advanced firewalls are mostly composed of a great deal of software and hardware. They are responsible for connecting a secure internal LAN to an insecure wide area network, allowing internal users to access the external network while ensuring security (meanwhile, the administrator can configure the firewall to block certain websites so that internal users cannot access them); all attacks on the internal network are concentrated on the firewall, which greatly reduces the administrator's workload, since you only need to adjust the security measures on the firewall to ensure the security of every host on the network; in addition, all of the network's communication must pass through the firewall, which facilitates monitoring and control.