How to track intruders _ security-related

On the regional network you may have heard of the so-called "broadcast mode" of the data transmission method, this method does not specify the receiving station, as long as the network connected with all the network devices are the recipient object. But this is only possible on the regional network because there are few machines on the regional network (compared to the Internet). If you want to have tens of millions of of hosts on the internet, it is impossible to implement data broadcasts (as for IP
Multi cast is a kind of limited broadcast restricted
Broadcast, only the designated machine will receive, other computers on the Internet will not receive it. If you can implement unqualified broadcasts on the internet, would a random person send out a broadcast message and the world's computers will be affected by it? As a result, routers in any regional network or similar network devices do not transfer broadcast messages from their own regional networks. In case of a WAN
The port receives a broadcast message and does not go into its own LAN port.

And since the Internet has a letter station and receiving station, used to indicate the sender of information and the recipient of the information, unless the other party to use some special encapsulation method or use a firewall external connection, so long as someone and your host to communicate (mail or Telnet, ftp come over all) you should know each other's, If the other person uses a firewall to communicate with you, you can at least know the location of the firewall. Also because as long as someone and you connect, you can know each other's position, then do not want to know the location of the other is to do not to do the problem. If the other side is connected to you through a UNIX host, you can find out who is connecting to you through ident.


On computers that implement TCP/IP communication protocols, it is usually possible to use the Netstat command to see the current wiring status. (You can try Win95, Novell, and Unix), in the following wiring situation, the Netstat instructions are implemented on the Win95, you can see your current machine (local
Address) Telnet Port has a host workstation.variox.int by the remote (Foreign
Address) wired in and matched to TCP port 1029th. The CCUNIX1 host also FTP
Port connects to Workstation.variox.int. All the wiring is clearly visible. (e.g. A, B)

A. See Netstat on UNIX hosts (Ccunix1.variox.int)
B. At the other end of the Windows95 (workstation.variox.int) Look netstat
Although it is a different operating system, but Netstat is not look like it?


Record setting for the communication process
Of course, if you want to record the Internet connection record, you can use Crontable to run regularly:
Netstat>>filename

But Unix systems have already taken this requirement into account, so there is a daemon:syslogd in the system for recording system events, and there should be a lot of readers who know that there are two system record files under/var/adm UNIX systems: Syslog and messages, One is the record of the general system and one is the core record. But where do these two files come from and how are they set?


The system's records are basically made up of syslogd (Systems Kernel Log
Daemon) to produce, and syslogd control is done by/etc/syslog.conf. SYSLOG.CONF determines which things to record and where to record them in two fields. The following is a syslog.conf file attached to a Linux system, which is also one of the most standard syslog.conf formulations:


The format is like this, the first column is "Under what circumstances" and "what degree". Then use the TAB key to jump to the next column and continue to write "what to do after qualifying." The author of this syslog.conf file is honest and tells you that you can only use tab to separate the fields (although it seems as though he doesn't know why).


The first column contains the circumstances and degrees, separated by the median decimal point. In addition, the asterisk represents all of the options in a particular detail. The detailed setting is as follows:


1. In what circumstances: the various situations are determined by the following string.

Auth about system safety and user authentication
Cron about system automatic scheduling (crontable)
Daemon about background execution programs
Kern about the core aspects of the system
LPR about the printing machine aspect
Mail about e-mail
News about the press discussion area
Syslog regarding the system record itself
User-related aspects of the consumer
UUCP about UNIX interlock (UUCP)


The above is the case for most Unix systems, and some UNIX systems may be able to separate projects.

2. To what extent records: The following is a variety of system status, according to the order of priorities.

None do not record this item
Debug program or system itself error message
Info General Information
Notice Reminder Attention Sex
Err has an error
Warning Warning Sex
Crit a more serious warning
Alert a little more serious warning
Emerg is already very serious.


Similarly, various Unix systems may have different degrees of representation. Some systems do not differentiate between crit and alert, and there are more kinds of systems that vary in degree. At the time of recording, the SYSLOGD will automatically record both the level you set and the amount you have on it.


For example, if you want the system to record info level events, then notice, err.warning, crit, alert, Emerg, etc. above the info level will also be recorded. Combining the 1 and 2 above with a decimal point is a complete "What to record" writing. For example, Mail.info represents a general message about an e-mail delivery system. Auth.emerg is a very serious message about system security. Lpr.none means not to record information about a list machine (usually used in combination when there are multiple record conditions). There are also three special symbols to apply:


1. asterisk (*)

The asterisk represents all items in a specific item. For example, Mail.* said that as long as the mail, regardless of the extent to be recorded. And *.info will record all the events for info.

2. Equal sign (=)

The equal sign indicates that only the current level is recorded and the rank on it is not recorded. For example, just the example, usually write down the info level, will also be located in the info level above the notice, err.warning, crit, Alert, Emerg and other grades also recorded. But if you write =info, you only have to record the info level.


3. Exclamation point (!) )

An exclamation point indicates that you do not record the current level and the level on it.


Where are we going to record it?
The general SYSLOGD provides the following pipelines for you to record what happened to the system:

1. General Archives
This is the most common way. You can specify the file path and file name, but you must start with the directory symbol "/", and the system will know that this is a file. For example,/var/adm/maillog indicates that a file called Maillog is to be recorded under/var/adm. If this file is not previously, the system will automatically generate one.


2. Designated terminals or other equipment
You can also write the system records to a terminal or device. If the system record is written to the terminal, the user who is currently using the terminal will see the system message (such as/dev/console or/dev/tty1) directly on the screen. You can use a screen to display the system information specifically. If you write a system record to a printer, you will have a strip of paper (such as/DEV/LP0) full of system records.


3. The specified user
You can also list a bunch of user names here, and if they're on line, they'll see the system on his terminal (for example, root, and don't add other words in front of the user name when you write).


4. The specified remote host
This type of writing does not record system messages on the attached local machine, but on other hosts. In some cases the system is encountering a hard disk error, or in the event that someone pushes the mainframe down and the hard drive breaks, where do you go to get the system records? and network Luca as long as you do not break it, it should be more than HDD resistance to fall more. Therefore, if you feel that some circumstances may not be able to record the memory into the hard drive, you can put the system record on other hosts. If you want to do this, you can write down the host name and then add the "@" symbol (for example, @ccunix1.variox.int) to the host name, but you must have SYSLOGD on the host you specify.


In all of the above records, there is no e-mail. Because the electronic mail to wait for the recipient to receive a letter to see, some circumstances may be very urgent, there is no way to wait for you to take the letter to see (BSD manual
Page says "when you got Mail,it ' s already too late..."@@facesymbol@@).

The above is the record level of the syslog and record way of writing, readers can according to their own needs to record the content they need. But these records are piled up all the time, unless you delete the files themselves, the files will be larger and bigger. Some people may write in syslogd.conf:


*.*/var/log/everything

If so, of course all the circumstances are recorded by you. But if something really happens to the system, you might want to find out which side of the problem is on the dozens of MB or even hundreds of MB of text, which may not help you at all. Therefore, the following two points can help you quickly find important record content:



1. Periodic inspection Records
Get into the habit of looking at a log once a week (or less, if you're free). If you need to back up the old log files, you can cploglog.1,cploglog.2 ... Or cploglog.971013,cploglog.980101 ... And so on, the expiration of the record file according to the serial number or date to save, the future study is also easier.


2. Record only what is useful
Never, as in the previous example, record the *.* and put it in a file. This results in a file that is too large to be found at once when looking for information. When someone is recording a network communication, the person who ping his host is logged. Unless the system has been a big threat, there are people who like to try to enter your system, otherwise this trivial matter can not be recorded. Improves system efficiency and reduces disk usage (and saves you time, of course).


The location of the tracking
How do I find out the location of intruders? IPAddress may not be able to see, but you often see, you will find that a lot of 140.xxx is the host of Taiwan Academic network, and 168.95.xxx.xxx must be hinet host (168.95.0 for HINETCLASSB network).


In a fixed-connection network environment, intruders must have a close relationship with the network provider. Because the assumption is the regional network, then the distance is not a few kilometers. Even if the dials are good, very few people will spend a lot of money to dial the Wei city or even foreign dial-up server. Therefore, as long as the identification of the unit, the intruder must be not far from the line unit.


The Dial-up network is a bit more of a headache. Before the author applied for Hinet's hntp2.hinet.net account, took his identity card and seal, ran to the Telecommunications Bureau to sign a pile of documents, after reading the network specification only hinet network can be used. After many years, now HNTP2 early, a lot of msxx.hinet.net and private ISP, there are many ISPs in order to attract customers, selling a lot of so-called hour cards, notes points card ... No need to apply, the account password is attached directly to the card above. User side as long as buy a fixed number of hours, do not need to be additional to the ISP to apply, you can follow the instructions on the card to dial the Internet. This can certainly attract customers, but ISPs simply don't know who is using their network.


In other words, although the use of the hour card to provide dial-in services to the Dial-in users a considerable convenience, but it is the enemy of system security, network administrator nightmare. If the intruder is using an hour card to surf the internet, what about the dial-up location? The author in previous installments of the system security column, said the intruder can not use their own home phone network. Whether it is stolen or robbed, or stolen 090 King eight machine, anyway, the source of the call is not the intruder's own phone.



Caller's phone detection (CallerID)
Do you have ISDN in your reader's home? If you've ever used ISDN caller,
ID function, will find it is really convenient, the other side of the number will be shown to you immediately see. When she saw her friend calling, she immediately picked up the phone, and when the magazine called for the draft, he turned on the answering machine and pretended not to be at home ...:-P. But caller
The ID still has the expiration time. This time I specially and Mr. Chen Guanyu (economist) did the following test to see caller
ID can show which numbers (the type of test machine is ZyXEL, the terminal uses Windows NT Hyper
Terminal): The prerequisite for showing the caller's number is that the other side must be on your side through a digital switch, and there are still mechanical switches in some parts of Taiwan, and if you have these mechanical switches in the switching path of your phone, you still won't be able to display the number. Too electricity and other private mobile phones because the author has no hand, so can not test. and international phone for a while unable to find foreign friends can cooperate with the test, so there is no way to the results to the reader report (if you have too much power at hand, remote transmission of these private mobile phone, you can contact the author to test).


How do you find the intruder location by IPAddress or DomainName?
Although the phone may not be able to find out, at least you will know his IP address. The use of IP address must be registered with the Inter NIC, while domain
Name is to be registered with the local network management center directly. There are three levels of network Management Center on the internet (the unit must be net):

1. International level
International level only Inter nic one, the world's Nic and Intercontinental Nic are managed by it. (http://www.internic.net).

2. Intercontinental Grade
InterNIC does not directly manage the entire Internet, and its network resources are partitioned again. such as Taiwan, Japan, Hong Kong and other Asia-Pacific countries, by the Asia-Pacific Intercontinental Network Management Center (asian-pacific
Nic,apnic, located in Japan) to manage, is not directly managed by Inter NIC (Http://www.apnic.net).

3. National level
Domain name does not hang country code is not by the Inter
Nic Management is managed by an intercontinental NIC, but the country's NIC is managed by the local country, with a two-bit code plus a NIC being the name of the country's NIC. For example, Taiwan's national code is TW, then Taiwan's Network Management Center for Twnic (Http://www.twnic.net), but due to inter
The NIC is located in the United States, so the domain name of the United States is inter
NIC territory. One special exception is hanging. Mil's U.S. military network is managed by Ddn.mil (US Military Defense Network), not managed by Inter NIC, when you get a domain
After name or IP address, you can use WHOIS to locate the data, which is the following syntax:


Whois-h<whois Server >< Query Object

For example, to Whois.internic.net query hp.com, you need to enter:

Whois-hwhois.internic.nethp.com

Whois may also use the following syntax:

Whois< Query Object >@<whois Server

For example, to whois.twnic.net query ntu.edu.tw need to enter:

Whoisntu.edu.tw@whois.twnic.net

The slackwarelinux attached in the current post.

Three cases of DomainName naming
Although the same is DomainName, you may encounter three different naming situations. In many countries *.edu.* are managed by units other than NICs (such as the Ministry of Education), and properties are not necessarily three letters or even attributes. When judging the nature of the unit, readers should pay more attention, so as not to find information.


1. Standard country code + three code attribute code (or no country code, only has the attribute code)
Widely used in Europe, the Americas and some Southeast Asian countries. such as Taiwan common *.edu.tw, *.com.tw, the United States of *.com, *.edu.

2. Standard country code + two Code Property code
Take the recent Japan, the People's Republic of China as an example, the company attribute is co, the Community attribute is or, and three code definitions of COM, org slightly different. such as Japan's homepage for the www.bandai.co.jp, if the reader to use the company name pieced together the full host name, note that Japan is only two yards of the attribute code area, or if the guess is that it is www.bandai.com.jp will have an error ( Note: In the example of international communication, whether it is radio communication, international foreign telephone, or even internet, Taiwan and China are divided into two different countries. The author of this special said that the People's Republic of China, in addition to highlighting this feature, there is no other meaning, readers do not have to speculate on other significance.


3. Only standard country code, no property code
If Australia's hosts are only *.au host name, no other COM, CO, or any other unit attribute code directly connected to the name of the unit.

Connection Unit data detected by domain name
On the Internet, it is customary for the WHOIS service to query the registration data for the connection unit, and WHOIS should be used to check someone's phone or other information (a bit like finger or a very popular search service now, like WhoWhere, Bigfoot, etc. Please go to the www.whowhere.com to find out, but in the NIC aspect is used to detect the connection Unit's telephone and address, technical contact person and so on. The unit data that matches the management rights of the NIC is stored in the WHOIS host of the unit, and is whois+nic name +net. For example, Asia Pacific Network Management Center Whoisserver for Whois.apnic.net, Taiwan Network Center whoisserver for Whois.twnic.net.

When you know the domain of a host
After name, you can find the telephone address of the unit in the following order. The first step is to see if there is no country code. There is no country code, asked to Whois.internic.net, the country code, to whois. Country code Nic.net asked (ex.whois.twnic.net).

In addition, if you want to check the contact details of U.S. military units (if you find someone using the US Navy's network to invade your computer one day), you need to check with the Nic.ddn.mil to find the information. For example, the United States Army to find information: But the FBI and other investigative agencies are government units, non-military units, inquiries should be noted:


Data detected by domain name
If you can detect the FQDN of a ipaddress from the nslookup, you can identify the intruder network data directly to the local NIC:

1. An example of an invasion by the United States:
Xxx.aol.com intrusion by the host name found no country code, so directly to the inter NIC query. So we can find the America.
Online technical person and telephone, fax and other information, your system log ready, send a fax to tell the foreign-shaped bar!

2. Examples of invasion by Taiwan:
by Hope
NET intrusion (cded1.hope.com.tw) because the twnic current whois database somehow disappeared, so please change the name of hope.com.tw by dbms.seed.net.tw, and then call 104 to ask the company's phone! (Figure I) Now if this is done directly by the Whois.twnic.net query:


Only IPAddress.
If one day you find yourself invaded by 168.95.109.222, suppose you do not know that this is a hinet network, and this IP address does not have domain
Name, you must first rank the IPAddress and then query the InterNIC:
(The position of the example below is fictitious, and if it is identical, it is purely coincidental).

1. Examples of intrusions by 15.4.75.2:
This IPAddress is 15 beginning, for a ClassA network, so to InterNIC query 15.0: Detect this IP address for Hewlett-Packard Company All

2. Examples of intrusions by 140.111.32.53:
This IPAddress is CLASSB, need to inquire two times. First query to the InterNIC 140.111.0: Found to be all of the Ministry of Education of the Republic of China. Check back to Whois.twnic.net 140.111.32.0: Unfortunately, because the Twnic database is missing, you cannot know which academic unit this is. Excuse me, would you please call Twnic to ask?


3. An example of an invasion by 203.66.35.1
This is a classcip, so it must be queried at least two times, usually three times. The order for International-> Intercontinental-> belongs to the country. First check 203.0:
Come out a lot, how to do? Some cases had to ask again class B. Because the inter NIC gives some CLASSC to the Intercontinental authority for rationing, some class
C information will be at the Intercontinental Management Agency, at this time, first to the Inter NIC to identify the Intercontinental Management Agency (with class
b asked). Asked 203.66 for the Asia-Pacific Intercontinental Network, he asked Whois.apnic.net 203.66 35.0: After three times, finally found 203.66.35.0 as:
203.66.35.1 is found in a stack of data, this IP address is forwardness Technology
Co.Ltd. All, the telephone address also attached to the above (this is my friend opened the network company).
By the above search method, can be either a host name or IP
Address to find the Connection Network unit of information, if you find that the network unit subordinate host to your network attack behavior, please check the information to tell the other party's system administrator (the other side does not necessarily accept, the author has touched very bad system administrator!) )。

The following is the Hosts file for Windows 95: When you do not have DNS, you can take this to place domain Name <-> IP
Address of the corresponding work done well. Just like Unix. This hosts file in Microsoft is written for Chicago, which is the Windows
95 development code, see? (It appears that Microsoft was too Windows95, forgot to fix these little things), but the reader should note that the original Hosts file name is Hosts.sam, you have to change the file name to the hosts to use. (author E-mail:variox01@ms1.hinet.net)


Note one:
Almost all machines using TCP/IP communication protocols will have hosts, network and other files. This is a common practice for all TCP/IP systems (but only Microsoft's software experience has LMHOSTS to match Microsoft's own WINS domain Translation system). If the reader has noticed, you can find that the Novellnetware server also has a etc directory, as well as hosts and other files!


Note II:
The long-distance telephone number is 108, forwards the domestic long-distance call to use, and may request the other party to pay (just like the International station), because Taiwan early switch cannot let the user direct-dial Wei city phone, therefore needs the long-distance station manual transfer. Now have long-distance direct dialing, unless you need the other side to pay, otherwise you do not need to use the long-distance station, because manual transfer also need to pay additional manual transfer costs. When you make a domestic long distance call and have the demand of the other pay, you can call 108 and then ask the value machine staff to transfer you, and then by the recipient to pay the phone bill. This has no money on hand, but it works well when you want to use a public phone to make a long-distance call (and the recipient can also reject your request for payment). The other domestic artificial transfer Taiwan also has 103 vessels (forwarding the ship radio telephones, NAVTEX navigation information and telecommunications, etc.) and 100 international Taiwan.