As we all know, servers are the most important resources in a computer network and have high security requirements. If a running server is not configured properly, a large amount of useful information may leak out, and hackers can use it to damage your network. Therefore, we should check our servers to make sure hackers cannot obtain the key information they need.
Today, almost every organization runs DNS servers and SMTP servers. Any savvy hacker will almost certainly try to probe them, and if successful can view whatever information can be collected from them.
DNS server security
One thing hackers can do is pull the zone data out of your primary DNS server. A secondary DNS server for a zone obtains a complete copy of the zone's resource records from the primary server by performing a zone transfer. There are several legitimate reasons for doing so: first, the primary server has sent a notification that the zone has changed; second, the secondary server has just started up; third, the zone's refresh time has expired. A hacker, on the other hand, performs a zone transfer for a very different reason.
That reason is a good one from the hacker's point of view: a zone transfer contains a large amount of key information about the computers in a specific zone, including IP addresses, server names, and the functions that those server names imply. Without a doubt, this is very valuable information to anyone interested in your network.
If your DNS server is set up correctly, no problem should occur: the secondary DNS server can perform a zone transfer, but a hacker cannot. On the other hand, if you have not paid enough attention to setting up your DNS server, anyone can perform a zone transfer and obtain this important information.
To find out whether your DNS server is leaking information, run the following command on Linux:
# host -t ns yourcorporatedomainname.com
(Replace yourcorporatedomainname.com with your company's domain name.)
This returns the list of your company's DNS servers:
yourcorporatedomainname.com name server ns1.yourcorporatedomainname.com
yourcorporatedomainname.com name server ns2.yourcorporatedomainname.com
To attempt a zone transfer, type the following command:
# host -l yourcorporatedomainname.com ns1.yourcorporatedomainname.com
Host yourcorporatedomainname.com not found: 5 (REFUSED)
; Transfer failed.
If you receive this message, congratulations: your DNS server has been set up correctly, or at least correctly in this respect.
If you are not so lucky, you will see a complete list of the names and IP addresses of every machine in the domain. Any hacker who obtains this list gets an overview of the company's network layout, which is undoubtedly very valuable.
Mati Aharoni, network security expert and trainer at offensive-security.com, said: "I have seen several situations where companies mistakenly configure their DNS servers; the enterprise does not divide its internal DNS namespace and external DNS namespace into different and unrelated zones. This leads to a complete view of the external network structure and internal network structure."
Therefore, if your DNS server allows anyone to perform a zone transfer, it should be fixed immediately.
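The two-step check above can be scripted so that every authoritative server of a zone is tested, not just the first one. This is an added example, not code from the original article; it assumes BIND-style output from the host command, and the domain names and sample outputs in it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: check every name server of
# a zone for an open zone transfer, using the same `host` commands shown
# above. Assumes BIND-style `host` output; domain names are placeholders.

# stdin = output of `host -t ns ZONE`; prints one NS hostname per line.
parse_ns() {
    awk '/name server/ { sub(/\.$/, "", $NF); print $NF }'
}

# $1 = captured output of `host -l ZONE NS`. A properly restricted server
# answers REFUSED; a list of address records means the zone is leaking.
classify_axfr() {
    case "$1" in
        *REFUSED*|*"Transfer failed"*) echo "refused" ;;
        *)
            n=$(printf '%s\n' "$1" | grep -c -E ' has (IPv6 )?address ' || true)
            if [ "$n" -gt 0 ]; then echo "OPEN:$n records"; else echo "error"; fi ;;
    esac
}

# Run the article's two-step check against every authoritative server.
audit_zone() {
    for ns in $(host -t ns "$1" | parse_ns); do
        out=$(host -l "$1" "$ns" 2>&1 || true)
        printf '%s via %s: %s\n' "$1" "$ns" "$(classify_axfr "$out")"
    done
}

# Constructed sample outputs (no real zone) so the logic runs offline.
SAMPLE_NS='example.com name server ns1.example.com.
example.com name server ns2.example.com.'
SAMPLE_REFUSED='Host example.com not found: 5(REFUSED)
; Transfer failed.'
SAMPLE_OPEN='example.com name server ns1.example.com.
example.com has address 192.0.2.10
mail.example.com has address 192.0.2.25
vpn.example.com has IPv6 address 2001:db8::1'

if [ -n "${1:-}" ]; then audit_zone "$1"; fi   # sh axfr_audit.sh yourcorporatedomainname.com
```

If any server reports OPEN, restrict transfers to your own secondaries (in BIND this is the allow-transfer option) and run the check again, since each name server is configured separately.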
SMTP server security
Although an SMTP server does not necessarily hand your network map to a hacker, it can reveal valid email user names. Email user names are very valuable information, because some user names are reused as login credentials on other systems. Once an online password tool (such as Hydra) has matched these user names with valid passwords, hackers can use more threatening tools to damage your system.
SMTP has two commands, VRFY and EXPN, that can be used to confirm that a specific user name exists on the server (VRFY) and to expand a mailing list name so that the user names it contains are displayed (EXPN).
The VRFY command is useful when diagnosing internal email faults, to check that a specific user name is correct and is recognized by the server. If a valid user encounters an error when using email, you can use the Netcat tool to connect to the IP address and port of the SMTP server:
# nc -v xxx.xxx 25
(xxx.xxx stands for the server's IP address)
Once the SMTP server's banner confirms that you are connected, enter the following command:
VRFY validuser (where validuser is the user name to check)
If the user name is valid, you will receive the following response:
250 2.1.5 validuser validuser@yourcorporatedomainname.com
Otherwise, you will see:
550 5.1.1 validuser... User unknown
This information is useful for fault diagnosis, but it may be even more useful to hackers: with a simple Python script and a text file containing a list of likely user names, a hacker can quickly run through the list and confirm which user names are valid on the SMTP server and which are not. Likewise, the EXPN command can be used to check a list of possible mailing-list names and find out who the members are; for example, EXPN "postmaster" shows where mail to the postmaster is delivered. Once a list of valid user names is available, it can be tried against the lists of common passwords that are easily obtained.
Disabling VRFY and EXPN is usually a simple configuration change, and it is unlikely to have any major impact on day-to-day administration.
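The Netcat session above can be scripted to check whether your own mail server still answers VRFY and EXPN, so that the change can be verified after it is made. This is an added example, not code from the original article; the host name is a placeholder, the nc -w timeout flag is assumed to be available, and the two transcripts embedded in it are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original article: audit your own SMTP server
# for VRFY/EXPN with the same netcat session the article describes. Assumes
# an `nc` that accepts -w (timeout); host names are placeholders.
# Map one SMTP reply line to a verdict. 250 and 550 both mean the server
# distinguishes valid from invalid names, which is exactly the leak.
classify_reply() {
    case "$1" in
        250*)           echo "LEAK:user-confirmed" ;;
        550*)           echo "LEAK:user-rejected" ;;
        252*)           echo "ok:will-not-verify" ;;
        500*|502*|503*) echo "ok:command-disabled" ;;
        *)              echo "unexpected:$1" ;;
    esac
}
# stdin = session transcript. Skips the 220 banner and the (possibly
# multi-line) EHLO answer, prints the VRFY/EXPN replies, stops at 221.
extract_replies() {
    awk '{ sub(/\r$/, "") }
         /^220/ { next }
         !ehlo && /^250-/ { next }
         !ehlo && /^250 / { ehlo = 1; next }
         ehlo && /^221/ { exit }
         ehlo && NF { print }'
}
# Scripted version of the manual nc session: $1 = server, $2 = user name
# to VRFY, $3 = list name to EXPN. Each reply line is classified.
audit_smtp() {
    printf 'EHLO audit.example\r\nVRFY %s\r\nEXPN %s\r\nQUIT\r\n' "$2" "$3" \
        | nc -w 5 "$1" 25 | extract_replies |
    while IFS= read -r line; do
        printf '%s\t%s\n' "$(classify_reply "$line")" "$line"
    done
}

# Constructed transcripts (no real server) so the parser runs offline.
SAMPLE_LEAKY='220 mail.example.com ESMTP
250-mail.example.com
250 8BITMIME
250 2.1.5 validuser <validuser@example.com>
250 2.1.5 postmaster <root@example.com>
221 2.0.0 Bye'
SAMPLE_HARDENED='220 mail.example.com ESMTP
250 mail.example.com
252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery
502 5.5.2 Error: command not recognized
221 2.0.0 Bye'

if [ -n "${1:-}" ]; then audit_smtp "$@"; fi   # sh smtp_audit.sh mail.example.com validuser postmaster
```

A 252 reply is the usual sign that VRFY has been disabled on servers that still accept the command, while a 5xx "not recognized" reply means the command has been removed entirely; both are acceptable outcomes for this check.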
In fact, there is no absolute way to stop hackers from "approaching" your server, but taking these measures so that the server does not leak information that could be used against you is certainly correct and worthwhile. After all, why make it easy for them?