[Bkjia.com expert contribution] According to available information, a large number of servers still use IIS to provide Web services, and IIS even competes with Apache for market share. With Web threats growing more severe, we certainly need anti-virus, firewalls, UTM, NAC and other means to strengthen network security. However, building a honeypot correctly is also an essential task in dealing with hackers.
What is a honeypot? In short, a honeypot is a computer system on the Internet whose specific purpose is to attract and "trap" hackers who attempt to penetrate other computer systems. Building a real honeypot takes a lot of work, but at least three things are required: first, install an operating system without patches and leave it in its default configuration; second, make sure there is no data on the system; third, add an application designed to record the activity of intruders.
Configuring a honeypot in IIS is not a complex task, but it can greatly reduce attacks on IIS servers. Strictly speaking, this article is not about a real honeypot, because a real honeypot is a host with many vulnerabilities that is intentionally exposed on the Internet; what is described here is just a traffic diverter. Using the HTTP Host header information, we can redirect the attacker's traffic entirely to an existing site.
Hackers use port scanners to find IP addresses with port 80 open, and then attack those addresses. End users of the website, on the other hand, use domain names to access the site, so our measures will not affect these ordinary users. By enabling host headers on the websites and redirecting requests made by IP address, we can track and record where hackers come from while keeping the sites available to end users.
So much for the theory. Next we will build the honeypot.
The first thing we need to do is create an empty directory on the Web server. Its name and location do not matter. In this example, the author created a directory named Honeypot under C:\Inetpub\wwwroot. Start the IIS management program and assign a Host header name to all sites, so that each virtual server has a Host header name together with an IP address. Figure 1:
Make sure that no virtual server is mapped to an IP address on port 80 without a Host header name, and that no server uses the "All Unassigned" IP address setting. Also make sure that the Host header information is set correctly and that users can still access all sites. Figure 2:
Then, create a new website pointing to the directory you just created. This honeypot website should be assigned to all unassigned IP addresses and must not have any Host header information configured. Although the website is named "honeypot", the name does not affect access by hackers. Go to the properties page of the new website, select the "Directory Security" tab, select "Integrated Windows Authentication", deselect the other authentication methods, and click "OK". Figure 3:
Next, select the website tab, click "Advanced", click "Add" under "multi-site configuration", and add all IP addresses. If you receive an error message about an IP address conflict, it does not matter. It indicates that you have not set a Host header name for this website. What you need to do is either clear the IP address from the list or configure a Host header name for this website. Figure 4:
Save all the changes and exit Internet Information Services.
In this way, when a malicious user accesses the website by IP address, the request is sent to the empty directory and receives a 403 error. Users who access the website by its DNS domain name reach the website content through the Host header information.
This is not absolutely safe, because hackers can still try to access the website through the domain name, but most attacks are sent to the IP address. Using host headers also improves the performance of the Web server, because the WWW service does not need to allocate nonpaged pool memory for each website that uses its own IP address.
In addition, some earlier browsers that do not comply with the HTTP/1.1 specification will be sent straight to the empty directory, because such browsers do not support Host headers. However, almost no one uses such browsers now, right?
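One way to do the tracking described above, as an added example that is not part of the original article: a Python script that reads IIS W3C extended log text and counts, per client address, the requests whose Host header was missing or an IP address, which are the requests the honeypot site receives. It assumes the c-ip and cs-host fields are enabled in the site's logging; the log lines and addresses below are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample in IIS W3C extended log format (not from the article).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-host sc-status
2009-03-01 10:00:01 198.51.100.7 GET /index.htm www.example.com 200
2009-03-01 10:00:05 203.0.113.50 GET / 192.0.2.10 403
2009-03-01 10:00:06 203.0.113.50 GET /default.htm 192.0.2.10:80 403
2009-03-01 10:00:09 203.0.113.99 GET / - 403
2009-03-01 10:00:12 198.51.100.8 GET /news.htm www.example.com 200
"""


def host_is_ip_or_missing(host):
    """True when the Host header is absent ('-') or an IP literal."""
    host = host.strip()
    if host in ("-", ""):
        return True
    if host.startswith("["):        # bracketed IPv6, e.g. [2001:db8::1]:80
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:      # name or IPv4 address followed by :port
        host = host.rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False                # a DNS name: an ordinary visitor


def honeypot_hits(log_text):
    """Count requests per client IP that were addressed by IP, not by name."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # the column layout can change mid-file
            if "c-ip" not in fields or "cs-host" not in fields:
                raise ValueError("log must include the c-ip and cs-host fields")
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if len(row) < len(fields):      # truncated line, skip it
            continue
        if host_is_ip_or_missing(row["cs-host"]):
            hits[row["c-ip"]] += 1
    return hits


if __name__ == "__main__":
    for client, count in honeypot_hits(SAMPLE_LOG).most_common():
        print(client, count)
```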