A list of practical measures to prevent hacker intrusion into ADSL

With the rapid development of ADSL networks in various regions, it is no longer a distant dream to achieve permanent connection and online at any time. However, we must understand that, permanent connection to the Internet also significantly increases the possibility of intrusion. If you know yourself and know what you want to do, let's take a look at the methods and Preventive Measures for hackers to intrude into ADSL users.

Hacker intrusion into ADSL users

In many regions, the monthly subscription is used. In this way, hackers can scan ports and vulnerabilities for a longer period of time, or even steal passwords using online brute force cracking, or use the sniffing tool to wait for the other party to automatically send the user name and password to the door.

To complete a successful network attack, follow these steps. The first step is to collect various information about the target. In order to thoroughly analyze the target, you must collect as much effective information as possible to obtain the vulnerability list of the target. The analysis results include: operating system type, operating system version, open service, open service version, network topology, network equipment, firewall, and maque?

Hacker scanning mainly uses TCP/IP stack fingerprints. There are three main implementation methods:

1. tcp isn sampling: Check whether the specified length of the initialization sequence matches the specified OS.

2. FIN Probe: Send a FIN package (or any package without ACK or SYN flag) to an open port of the target, and wait for a response. Many systems return a RESET (RESET flag ).

3. Use the BOGUS flag: by sending a SYN packet, it contains a TCP header with no defined TCP flag. Some operating systems can be distinguished by the system's different responses to the mark.

4. Use the TCP initialization window: Simply check the Window Length in the returned package and uniquely confirm the operating systems according to the size.

Although there are many scanning technologies, the principle is very simple. Here is a brief introduction to the scanning tool Nmap (Network mapper ). This is claimed to be the best scanning tool at present. It has powerful functions and diverse uses. It supports multiple platforms, is flexible and mobile, and is easy to use. It has a strong portability and has few traces; not only can TCP/UDP ports be scanned, but also can be used to scan/detect large networks.

Note that some real domain names are used here to make the scanning behavior look more specific. You can replace addresses/names with the name in your network. You 'd better scan the website after obtaining the permission. Otherwise, the consequences will be borne by yourself.

Nmap-v target.example.com

This command scans all the reserved TCP ports on target.example.com.-v indicates that the detailed mode is used.

Nmap-sS-O target.example.com/24

This command starts a half-open SYN scan, targeting the class C subnet where target.example.com is located. It also tries to determine what operating system is running on the target. This command requires administrator privileges because half-open scanning and system detection are used.

The second step of launching an attack is to establish a connection with the other party to find the login information. Now we assume that the host of the other party has an IPC $ created by scanning. IPC $ is a resource for sharing named pipes. It is important for inter-program communication and is used for remote management of computers and viewing shared resources of computers. By using IPC $, hackers can establish an empty connection with the other party (without the user name and password), and use this empty connection to obtain the user list of the other party.

Step 3: Log On with appropriate tools and software. Open the command line window and type the command: net use \ 222.222.222.222ipc $ "administrator"/user: 123456
　　
Assume that the administrator password is 123456. If you do not know the administrator password, you need other password cracking tools. After logging in, everything is under the control of hackers.

Defense methods

Because ADSL users generally have a long online time, their security awareness must be enhanced. There are not many people who have been surfing the internet for more than 10 hours every day, or even boot all night, and some people make their machines into Web or ftp servers for others to access. The daily preventive work can be divided into the following steps.

　　

Step 1: Disable the Guest account. There are many intrusions that use this account to further obtain the administrator password or permissions. If you don't want to use your computer as a toy for others, you can still deny it. Open the control panel, double-click "user and password", and select the "advanced" tab (figure 1 ). Click "advanced" to bring up the local user and group window (figure 2 ). Right-click the Guest account, select properties, and select "Account Disabled" on the "General" Page (Figure 3 ).

　　

　　

 

Step 2: Stop sharing. After Windows 2000 is installed, some hidden shares will be created. Click Start → run → cmd, and then type "net share" in the command line to view them (figure 4 ). Many articles about IPC intrusion on the Internet use default shared connections. To disable these shares, open administrative tools → Computer Management → shared folders → share, right-click the corresponding shared folder, and click "stop sharing.

Step 3: disable unnecessary Services, such as Terminal Services, IIS (if you do not use your machine as a Web server), and RAS (Remote Access Service. Another annoying Messenger service should also be turned off. Otherwise, some people will always use the message service to send online advertisements. Open Management Tools → Computer Management → services and applications → services, and turn them off if they are useless.

Step 4: do not create a null connection. By default, any user can connect to the server through an empty connection, Enumerate accounts, and guess the password. We must disable NULL connections by using either of the following methods:

(1) modify the registry:

Under the HKEY_Local_MachineSystemCurrent-ControlSetControlLSA, change the key value of the DWORD Value RestrictAnonymous to 1.

(2) modify the Local Security Policy of Windows 2000:

Set RestrictAnonymous in "Local Security Policy> Local Policy> Option" to "do not allow enumeration of SAM accounts and sharing ".

Step 5: If the Web service is enabled, you also need to configure the IIS Service Security:

(1) Change the Home Directory of the Web service. Right-click "Default Web site> Properties> Home directory> local path" and point "local path" to another directory.

(2) Delete the Inetpub directory installed by default.

(3) Delete the following virtual directories: _ vti_bin, IISSamples, Scripts, IIShelp, IISAdmin, IIShelp, and MSADC.

(4) Delete unnecessary IIS extension mappings. You can right-click "Default Web site> Properties> Home directory> Configuration" to open the application window and remove unnecessary application mappings. If you do not need other mappings, only. asp and. asa are retained.

(5) Back up IIS configuration. You can use the backup function of IIS to back up all the configured IIS configurations so that the security configuration of IIS can be restored at any time.
　　
Don't think that's all right. We don't know about Microsoft's operating system, and there are many bugs, so we must complete Microsoft's patches.

Finally, we recommend that you select a practical firewall. For example, the Black ICE produced by Network ICE Corporation. It is easy to install and run. Even if you are not familiar with network security, you can use the default configuration to detect most types of hacker attacks. For experienced users, you can also select "Advanced Firewall Settings" in "Tools" to accept or reject configurations for specific IP addresses or ports of UDP, to achieve a specific defensive effect.