Security Protection: Intrusion Detection Questions and Answers

Source: Internet
Author: User
In the field of network security, as hacking tools become ever more "point and click", the use of intrusion detection systems (IDS) is steadily increasing. Only by deploying an IDS effectively on a network can one become aware of an attacker's violations in time to stop them. This article introduces the concepts, behaviours and strategies of IDS in question-and-answer form, in the hope of helping administrators put IDS to use faster and better.

Q: What are the important IDS systems?

IDS are divided into many kinds according to what they monitor. The following are several important ones:

1. NIDS

NIDS is the abbreviation of network intrusion detection system. It is mainly used to detect hacker or cracker intrusion behaviour carried out over the network.

There are two ways to run an NIDS: one runs on the target host and monitors that host's own traffic; the other runs on a separate machine and monitors the traffic of all network devices, such as hubs and routers.

2. SIV

SIV is the abbreviation of system integrity verifier. It is mainly used to monitor whether system files, the Windows registry and other important information have been modified, in order to close the back door an attacker leaves for future visits. SIV mostly takes the form of a tool such as "tripwire", which can detect changes to important system components but does not produce real-time alarms.

3. LFM

LFM is the abbreviation of log file monitor. It monitors the log files generated by network services and detects intrusions by matching keywords against the contents of the log file: for example, in an HTTP server's log file, searching for the keyword "swatch" is enough to tell whether a "PHF" attack has taken place.
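A small swatch-style log file monitor, added as an example rather than taken from the article or from swatch itself: it parses Apache common-format lines, decodes URL escapes, and runs keyword rules over the request path. The rule names, the phf pattern and the sample log lines are constructed for the example.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Apache "common" log format; the constructed sample lines below follow it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+$'
)

# Keyword rules in the style of a swatch configuration: name -> pattern on the request path.
RULES = {
    "phf-cgi": re.compile(r"/cgi-bin/phf(?:[?/]|$)", re.I),
    "dir-traversal": re.compile(r"(?:^|/)\.\.(?:/|$)"),
}

def parse(line: str) -> Optional[dict]:
    """Split one log line into fields, or return None for lines that do not fit the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def scan(lines) -> list:
    """Run every rule over the decoded request path of every parsable line."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        # Decode %xx escapes first: a keyword match on the raw path would miss "%2e%2e/".
        path = unquote(rec["path"])
        for name, pat in RULES.items():
            if pat.search(path):
                alerts.append({"rule": name, "ip": rec["ip"], "path": path, "status": rec["status"]})
    return alerts

# Constructed sample log (not real traffic): one normal request, two suspicious ones, one garbage line.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2001:10:22:01 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.9 - - [12/Mar/2001:10:22:07 +0000] "GET /cgi-bin/phf?name=x HTTP/1.0" 404 212',
    '10.0.0.9 - - [12/Mar/2001:10:22:09 +0000] "GET /images/%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 403 180',
    'this line is not a log record',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"ALERT {a['rule']:<14} {a['ip']:<10} {a['status']} {a['path']}")
```

Note that a 404 or 403 still produces an alert: the monitor reports the attempt, and the status code tells the administrator whether it got anywhere.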

4. Honeypots

A honeypot is a decoy system: a deliberately vulnerable system that simulates one or more weak hosts and offers the hacker an easy target to attack. Since the honeypot has no other job to do, every connection attempt to it should be considered suspicious. Another use of the honeypot is to delay the attacker's attack on the real target by letting him waste time on the honeypot; meanwhile the original targets are protected and the truly valuable content stays untouched. One of the earliest purposes of the honeypot was to collect evidence for prosecuting malicious hackers, which has something of the flavour of "entrapment".

  Q: Who is the intruder?

Usually we call an intruder a hacker, but that is actually inaccurate. One could say that a hacker discovers system vulnerabilities and fixes them, while a cracker exploits them to do damage. To avoid confusion, this article simply calls both "the intruder". In general, intruders fall into two categories: internal and external. Internal intruders often use social engineering to obtain unauthorized accounts for illegal activity, for example by using other people's machines or by impersonating a supervisor or director; external intruders use attack techniques to probe and profile the target, then take destructive action.

One thing to keep in mind: statistics show that 80% of intrusions come from inside.

  Q: How do intruders get into the system?

There are three main ways:

  1. Physical intrusion

The intruder physically reaches a machine to do damage: for example, typing at a console in the machine room to try to break into the operating system, or opening the case with pliers and a screwdriver, removing the hard drive and mounting it on another machine for further study.

 2. System intrusion

This refers to an intruder who already holds a low-privilege account on the system and uses it to do damage. In general, if the system has not been patched with the latest fixes in time, a low-privilege user can exploit system vulnerabilities to gain higher administrative privileges.

  3. Remote intrusion

The intruder penetrates the system over the network. In this case the intruder usually has no special permissions: he uses vulnerability scanning or port scanning to find a target, then uses the relevant techniques to carry out the damage. This is the kind of intrusion an NIDS is mainly aimed at.

Q: Why do intruders break into the system?

Flies do not swarm an egg without a crack: intruders break into a system by finding a seam in a complex computer network. It is therefore important to know where these seams are likely to be, so that they can be repaired. Usually the cracks show up as bugs in software, improper system configuration, password theft, interception of plaintext communications, and defects in the original design.

1. Bugs in software

Whether it is a server program, client software or an operating system, anything written in code will have bugs to some degree. Bugs mainly fall into the following categories:

Buffer overflow: the intruder enters a string longer than the length the program allows into one of its input fields. The excess is usually attack code the intruder wants executed; because the programmer never checked the input length, the extra attack code ends up occupying the memory just past the input buffer. Do not assume that reserving 200 characters for the login user name is enough and skip the length check; as the saying goes, guard against the villain rather than the gentleman: the intruder will try every possible way to attack.

Unexpected joint use: a program often consists of multiple layers of code with different functions, down to the operating system itself. Intruders exploit this by entering content meant for a different layer in order to steal information. For example, against a program written in Perl, an intruder can enter a string like "| mail </etc/passwd" so that Perl makes the operating system invoke the mail program and send the important password file to the intruder. Borrowing mail to deliver the "letter" is quite a trick!
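The same mistake and its hardened form, added here as an example in Python (not the article's Perl code): splicing a user-supplied name into a shell command line lets the "| mail </etc/passwd"-style input reach the shell as a second command, whereas an allowlist check plus a direct file read never hands the value to a shell at all. The function names, the allowlist pattern and the temporary directory in `demo()` are constructed for the example.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# The mistake the text describes: the file name becomes part of a shell command line,
# so shell metacharacters in it are interpreted. Shown for contrast only; never use this.
def show_file_unsafe(name: str) -> str:
    return subprocess.run("cat " + name, shell=True, capture_output=True, text=True).stdout

# Hardened form: only the characters a plain file name needs, confined to one
# directory, read directly with no shell involved.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

def show_file_safe(name: str, base: Path) -> str:
    if not SAFE_NAME.fullmatch(name) or name in (".", ".."):
        raise ValueError(f"rejected file name: {name!r}")
    target = (base / name).resolve()
    if target.parent != base.resolve():   # belt and braces: must stay inside base
        raise ValueError("path escapes base directory")
    return target.read_text()

def demo() -> dict:
    """Constructed check: the hardened form on a normal name and on hostile inputs."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        (base / "notes.txt").write_text("hello\n")
        results = {"safe_ok": show_file_safe("notes.txt", base)}
        for bad in ("| mail </etc/passwd", "notes.txt; id", "../../etc/passwd"):
            try:
                show_file_safe(bad, base)
                results[bad] = "accepted"
            except ValueError:
                results[bad] = "rejected"
        return results

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k!r:28} -> {v!r}")
```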

Failure to check expected input: some programmers, to save themselves trouble, do not check that the input matches what is expected, which makes it easy for the intruder to deliver his "bomb".

Race conditions: multitasking and multithreading are used more and more, and while they improve efficiency, the problem of race conditions must also be watched. For example, programs A and B both operate on a file in the order "read / change / write". If A has finished reading and changing, B then immediately completes its whole "read / change / write", and only afterwards does A carry out its write, the result is that A's operation is lost. An intruder can use this ordering to rewrite important files and get into the system, so programmers need to pay attention to the order of file operations and to locking.
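The "read / change / write" race above, forced deterministically and then fixed with a file lock, as an added example (not code from the article). Writer B is pushed into A's window between the read and the write; without a lock B's update is overwritten, with an exclusive `flock` held for the whole cycle B simply waits. It assumes a POSIX system, since `fcntl.flock` is not available on Windows.

```python
import fcntl
import os
import tempfile
import threading

def read_modify_write(path: str, locked: bool, between=None) -> None:
    """One 'read / change / write' cycle on a counter file.

    locked=True holds an exclusive flock for the whole cycle (the fix).
    `between` is a hook run after the read and before the write; the demo uses
    it to force a second writer into exactly that window, as in the text."""
    with open(path, "r+") as f:
        if locked:
            fcntl.flock(f, fcntl.LOCK_EX)      # blocks until the other writer is done
        value = int(f.read().strip() or "0")   # read
        value += 1                             # change
        if between is not None:
            between()
        f.seek(0)
        f.truncate()
        f.write(str(value))                    # write
        f.flush()
        if locked:
            fcntl.flock(f, fcntl.LOCK_UN)

def race_demo(locked: bool) -> int:
    """Writer A starts a cycle; writer B runs a full cycle inside A's window.
    Returns the final counter: 1 means one update was lost, 2 means both survived."""
    fd, path = tempfile.mkstemp()              # constructed counter file
    os.write(fd, b"0")
    os.close(fd)
    try:
        b = threading.Thread(target=read_modify_write, args=(path, locked))
        def let_b_run():
            b.start()
            # Unlocked: wait until B has completely finished. Locked: B is stuck
            # on flock, so give up after a short wait and let A finish its write.
            b.join(timeout=None if not locked else 0.3)
        read_modify_write(path, locked, between=let_b_run)
        b.join()
        with open(path) as f:
            return int(f.read())
    finally:
        os.unlink(path)

if __name__ == "__main__":
    print("without lock:", race_demo(False))  # 1: A overwrites B's change
    print("with flock:  ", race_demo(True))   # 2: B waits, then builds on A's value
```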

2. Improper system configuration

Insufficient default configuration: many systems come with a default security configuration after installation, often described as "easy to use". Unfortunately, easy to use also means easy to break into. The default configuration must therefore be discarded.

Lazy administrators: one sign of laziness is an administrator password left empty after installation and never changed afterwards. You should know that the first thing an intruder does is search the network for a machine whose administrator password is empty.

Temporary ports: sometimes, for testing, the administrator opens a temporary port on a machine and forgets to close it afterwards, leaving a hole for the intruder to find and crawl through. The usual rule is to close a port unless it is actually needed. In general, a security audit package can be used to discover such ports and notify the administrator.

Trust relationships: systems on a network often establish trust relationships to make resource sharing easier, but this also gives the intruder a lever for indirect attack: once one machine in the trust group is compromised, the others can be attacked from it. Trust relationships should therefore be reviewed rigorously to make sure the alliance is genuinely secure.

3. Password theft

Weak passwords: a password is set, but it is simple and easy to guess, so a cunning intruder cracks it with no effort at all.

Dictionary attack: the intruder uses a program that draws user names and passwords from a dictionary database and keeps trying to log in until it succeeds. Without doubt, the key to this approach is a good dictionary.

Brute-force attack: similar to a dictionary attack, but the dictionary is dynamic, that is, it contains every possible combination of characters. For example, there are roughly 500,000 combinations for a 4-character password of upper- and lower-case letters, and roughly 10 trillion combinations for a 7-character password of upper- and lower-case letters and punctuation. For the latter, an average computer needs about a few months to try them all. The advantage of a long password is obvious.

4. Sniffing unencrypted communications

Shared media: the traditional Ethernet architecture makes it easy for an intruder to place a sniffer on the network and view all traffic on that segment, but sniffing becomes very difficult once switched Ethernet is used.

Server sniffing: switched networks also have an obvious weakness: the intruder can install sniffer software on a server, especially one that also acts as a router, and then use the information it collects to break into client machines and trusted machines. For example, even without knowing a user's password, you can sniff the password he types when he logs in with Telnet.

Remote sniffing: many devices have an RMON (remote monitoring) feature so that administrators can debug them remotely using public community strings. As broadband becomes more widespread, intruders are becoming more and more interested in this back door.

5. Initial design defects in TCP/IP

Even if software is written without bugs and the program executes its steps correctly, flaws in the original design can still let an intruder attack. The TCP/IP protocols are in universal use today, but they were designed long before intruders were as rampant as they are now. As a result there are unavoidable deficiencies, such as Smurf attacks, ICMP unreachable packets breaking connections, IP address spoofing, and SYN flooding. The biggest problem, however, is that IP packets are easy to forge, meaning that an intruder can spoof and modify IP packets without being discovered. Fortunately, the IPSec protocol has been developed to overcome this deficiency.

  Q: How does an intruder get a password?

1. Monitoring plaintext passwords

A large number of communication protocols such as Telnet, FTP and basic HTTP use plaintext passwords, which means the password travels across the network "naked", in unencrypted form, between client and server. The intruder need only use a protocol analyzer to view this information, then analyse the captured exchange further and extract the commands, becoming a clone of the real user.

2. Monitoring encrypted passwords

Of course, more and more communication protocols transmit passwords in encrypted form. The intruder then has to decrypt them using a dictionary attack or a brute-force attack. Note that we cannot detect the intruder's eavesdropping, because he is completely passive, sitting in the dark and sending nothing onto the network; his machine is only used to analyse the password information.

3. Replay attack

This is also an indirect form of attack: the intruder does not need to decrypt the password at all, only to rewrite the client software so that it logs in to the system using the captured encrypted password.

4. Stealing password files

Passwords are usually stored in a separate file: on UNIX systems the password file is /etc/passwd (or possibly a mirror of that file), and on Windows NT it is /winnt/system32/config/sam. Once the intruder has obtained the password file, he can run a cracking program over it to discover the weak passwords.

5. Observation

Because a password is hard to remember, a user may write it on a slip of paper and tuck it under the keyboard, or may have an "onlooker" standing behind him when he types it in. Intruders have excellent powers of observation and memory, and such habits make their job easy. So do not overlook the intruder's eyes!

 6. Social engineering

As mentioned above, social engineering means using covert methods to obtain unauthorized accounts for illegal activity, such as using other people's machines, or impersonating a supervisor or director to trick the administrator into handing over a password. Remember: if someone asks for your password, whatever he says, remember who he is; once the password is misused, that person is the number one suspect!

  Q: What are the typical intrusion scenarios?

An intrusion scenario means the steps an intruder takes in trying to attack the system. A typical intrusion scenario looks like this:

1. External reconnaissance

Know the enemy and you will win. The first step of an attack is to investigate the target by every possible means to gather enough information. Methods include using the WHOIS tool to obtain network registration information, using the Nslookup or Dig tools to search DNS tables for machine names, and searching public news about the company. The victim is completely unaware of this step.

  2. Internal analysis

Having determined the basic attributes of the target (site address, host names), the intruder dissects it thoroughly. Methods include crawling every web page looking for CGI vulnerabilities, using Ping to find "live" machines one by one, and running UDP/TCP scans on the target machines to find out what services are available. These activities are normal network operations and cannot in themselves be counted as intrusions, but an NIDS will be able to tell the administrator that "someone is rattling the doorknob..."

3. Exploiting vulnerabilities

Now the real work begins, and there are many ways to do damage: entering shell command strings into an input field to test the security of a CGI script, sending large amounts of data to check for the notorious buffer overflow vulnerability, trying simple passwords to get past the login. Of course, a mixture of methods is used to make success more likely.

4. Gaining a foothold

Once the intruder has successfully broken into one machine on the network, he can be said to have a foothold. What he must do now is hide the traces of the intrusion and leave a back door for future attacks, which means modifying log files or other system files, installing Trojan programs, or replacing system files with backdoored versions. At this point an SIV (system integrity verifier) will notice the changes to these files. Because security inside the internal network is usually weaker, the intruder then uses the first machine as a springboard to attack the other machines on the network.

5. Enjoying the fruits

At this point the intruder can be said to have completed the attack; all that remains is to enjoy the results: misusing stolen confidential files, abusing system resources, tampering with web page content, or even using your machine as a springboard to attack others.

The above describes the usual behaviour of a purposeful intruder. Another kind of intrusion scenario is often called a "birthday attack", which to me sounds like a pile of presents from acquaintances and strangers on an imaginary birthday, except with the word "attack" in front of the presents. The general steps of a birthday attack are to pick an Internet address at random, search it for a specific vulnerability, and, if the vulnerability is present, attack it using a known exploit.
