Overflow vulnerabilities are caused by defects in how a program was designed and written, and they are a permanent pain for operating systems and application software alike. With attacks frequent and new system vulnerabilities appearing constantly, nobody can guarantee that an operating system or application will never overflow. Because overflows are inevitable and the bar for exploiting them is low, anyone with basic computer knowledge can use ready-made tools to carry out an overflow attack. A computer system is therefore at risk of being overflowed at any time, and if a server carrying important workloads is compromised through an overflow, the consequences are hard to imagine. We cannot sit still: as network administrators, we should take measures to minimize the chance of a server overflow.
1. What is overflow:
An overflow is a vulnerability in the operating system that hackers exploit with a specially written program. After running that program with the right parameters, the attacker gains administrator-level control of your computer: anything you can run on it, he can run too. In effect, your computer becomes his.
2. How to Prevent Server Overflow:
1. Apply patches:
Patch system vulnerabilities as completely as possible. Servers in the Microsoft Windows Server family can enable the Automatic Updates service, so that within the configured schedule the server connects to the Microsoft Update website to download patches. If the server is not allowed to connect to the Internet for security reasons, you can use Microsoft WSUS (Windows Server Update Services) to distribute the updates over the internal network.
2. Minimal services:
The fewest services equals the most security. Stop all unneeded system services and applications to minimize the server's attack surface. For example, a DNS overflow once crashed many servers; if a web server does not use the DNS service at all, stopping the DNS service means a DNS overflow poses no threat to that server.
3. Port filtering:
Enable TCP/IP port filtering and open only the commonly used TCP ports on the server, such as 21, 80, 25, 110, and 3389. If the security requirement is higher, you can also disable the UDP ports, although this makes it inconvenient for the server to connect outward; we recommend using IPSec to block UDP instead. In protocol filtering, allow only the TCP, UDP, and RDP protocols and leave other unused protocols disabled.
4. System firewall:
Enable an IPSec policy, require security authentication for connections to the server, and give the server a second layer of insurance. Block dangerous ports such as 135, 145, 139, and 445 together with outbound UDP connections, and communicate, encrypted, only with trusted IP addresses or networks. Using IPSec to forbid external access to UDP or TCP ports that are not commonly used effectively prevents reverse-connecting (bounce) Trojans.
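The port filtering and IPSec items above, written as an added example with the Windows Firewall cmdlets that replaced the old TCP/IP filtering dialog and the IPSec policy snap-in. This is not code from the original article. It requires an elevated PowerShell on Windows Server 2012 / Windows 8 or later; the port lists follow the article, while the trusted subnet, the rule-name prefix and the function names are assumptions chosen for illustration.

```powershell
# Added example (not from the original article): inbound port filtering plus an
# IPSec authentication requirement for RDP, using the NetSecurity cmdlets.
# Run in an elevated PowerShell. Adjust the values below to the server.

$AllowedTcpPorts = @(21, 25, 80, 110, 3389)   # "common" TCP ports named in the article
$BlockedTcpPorts = @(135, 139, 445)           # RPC/NetBIOS/SMB ports the article blocks
$TrustedNetwork  = '192.0.2.0/24'             # constructed: management subnet (RFC 5737 range)
$RulePrefix      = 'HardenSrv'                # constructed: prefix so the rules are easy to find

function Set-ServerPortFilter {
    # Default inbound deny: anything not explicitly allowed below is dropped.
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -DefaultInboundAction Block -DefaultOutboundAction Allow

    # Remove rules from an earlier run so the function is idempotent.
    Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    Get-NetIPsecRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue |
        Remove-NetIPsecRule

    # Publish only the listed TCP services.
    New-NetFirewallRule -DisplayName "$RulePrefix Allow published TCP" `
        -Direction Inbound -Protocol TCP -LocalPort $AllowedTcpPorts `
        -Action Allow -Profile Any | Out-Null

    # Explicit block for the dangerous ports. In Windows Firewall a block rule
    # wins over an allow rule, so this holds even if someone later opens them.
    New-NetFirewallRule -DisplayName "$RulePrefix Block RPC and SMB" `
        -Direction Inbound -Protocol TCP -LocalPort $BlockedTcpPorts `
        -Action Block -Profile Any | Out-Null

    # UDP only from the trusted network; everything else falls to the default deny.
    # (No explicit "block all UDP" rule: it would override the allow above.)
    New-NetFirewallRule -DisplayName "$RulePrefix Allow UDP from trusted net" `
        -Direction Inbound -Protocol UDP -RemoteAddress $TrustedNetwork `
        -Action Allow -Profile Any | Out-Null

    # IPSec: require authenticated, integrity-protected traffic for RDP, the
    # article's "security authentication for the server connection". This uses
    # the computer's default main-mode/quick-mode sets (Kerberos in a domain);
    # for confidentiality add a quick-mode crypto set with ESP encryption.
    New-NetIPsecRule -DisplayName "$RulePrefix Require auth for RDP" `
        -Protocol TCP -LocalPort 3389 -RemoteAddress $TrustedNetwork `
        -InboundSecurity Require -OutboundSecurity Request | Out-Null
}

function Get-ServerPortFilter {
    # Audit view: every firewall rule this script created, with ports and action.
    Get-NetFirewallRule -DisplayName "$RulePrefix*" | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name      = $_.DisplayName
            Direction = $_.Direction
            Action    = $_.Action
            Protocol  = $port.Protocol
            LocalPort = ($port.LocalPort -join ',')
        }
    }
}

Set-ServerPortFilter
Get-ServerPortFilter | Format-Table -AutoSize
```

Run it from a console session or from an address inside the trusted subnet: once the default inbound action is Block, any management protocol not in the allow list is cut off, RDP included if it is not reached from the trusted network with IPSec available on the client.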
5. System Command Defense:
Delete, move, rename, or use Access Control Lists (ACLs) to control key system files, commands, and folders:
(1) Hackers use commands such as regedit.exe and regsvr32.exe to further control the server, for example to add accounts and clone the administrator account. We can delete or rename these command programs.
Tip: first stop the File Replication Service (FRS), or also delete or rename the corresponding copy under %windir%\system32\dllcache, so that the system cannot restore the file from its cache.
(2) Alternatively, move the .exe files to a designated folder, which also keeps them convenient for later use by the administrator.
(3) ACL control:
For the files hackers commonly use, define in Properties → Security which users may access them through the ACLs, for example so that only the administrator has access. If you want to prevent overflow attacks, and the illegal use of these files after a successful overflow, you only need to deny the system user access in the ACLs.
(4) If you find it too tedious to use the system command cacls.exe to edit the ACLs of each .exe file one by one, you can write the commands into a .bat batch file and run it to make the changes.
(5) For overall security it is also necessary to set ACLs on the disks such as C:, D:, E:, and F:, and in particular on the Windows, Winnt\System, and Documents and Settings folders.
(6) Group Policy configuration:
To disable cmd.exe, click Start > Run, enter gpedit.msc to open the Group Policy editor, select User Configuration > Administrative Templates > System, open "Prevent access to the command prompt", and set it to Enabled. In the same way, Group Policy can be used to prohibit other dangerous applications.
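Items (1) to (6) above, as one added script that is not part of the original article: a deny-execute ACE for a low-privilege group on the command programs the article names (and on their %windir%\system32\dllcache copies, per the article's tip), an audit that reports which files are now denied, and the registry value behind the "Prevent access to the command prompt" policy. It runs in an elevated PowerShell; the executable list, the group name and the function names are assumptions for illustration.

```powershell
# Added example (not from the original article): ACL-based command defense and
# the command-prompt policy. Run in an elevated PowerShell.

$RestrictedGroup = 'BUILTIN\Users'     # assumption: the principal to keep away from these tools
$Commands = @(                         # illustrative list drawn from the article's text
    'cmd.exe', 'regedit.exe', 'regsvr32.exe', 'cacls.exe',
    'tftp.exe', 'ftp.exe', 'cscript.exe', 'wscript.exe'
)

function Get-CommandPaths {
    # Resolve each name in System32 and in the WFP cache; missing files are skipped.
    param([string[]]$Names)
    $system32 = Join-Path $env:windir 'System32'
    $dllcache = Join-Path $system32 'dllcache'
    foreach ($name in $Names) {
        foreach ($dir in @($system32, $dllcache)) {
            $path = Join-Path $dir $name
            if (Test-Path -LiteralPath $path) { $path }
        }
    }
}

function Deny-Execute {
    param([string]$Path, [string]$Identity, [switch]$TakeOwnership)
    # System32 binaries are owned by TrustedInstaller, so even Administrators
    # cannot change their ACL until they take ownership.
    if ($TakeOwnership) {
        takeown.exe /F $Path | Out-Null
        icacls.exe $Path /grant 'Administrators:F' | Out-Null
    }
    $rights = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $deny   = [System.Security.AccessControl.AccessControlType]::Deny
    $rule   = [System.Security.AccessControl.FileSystemAccessRule]::new($Identity, $rights, $deny)
    $acl    = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-ExecuteDenied {
    # True when an explicit Deny ACE covering ExecuteFile exists for the identity.
    param([string]$Path, [string]$Identity)
    $execute = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
    $denies  = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq $Identity -and
        ([int]($_.FileSystemRights -band $execute)) -ne 0
    }
    [bool]$denies
}

function Set-CommandPromptPolicy {
    # Registry value behind User Configuration > Administrative Templates > System >
    # "Prevent access to the command prompt". 1 = also stop batch files, 2 = cmd only.
    # Writes HKCU, i.e. the current user; for other users deploy it through a GPO.
    param([ValidateSet(1, 2)][int]$Mode = 1)
    $key = 'HKCU:\Software\Policies\Microsoft\Windows\System'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'DisableCMD' -PropertyType DWord -Value $Mode -Force | Out-Null
}

$targets = Get-CommandPaths -Names $Commands
foreach ($t in $targets) { Deny-Execute -Path $t -Identity $RestrictedGroup -TakeOwnership }
Set-CommandPromptPolicy -Mode 1
$targets | ForEach-Object {
    [pscustomobject]@{ Path = $_; DeniedFor = $RestrictedGroup; Denied = Test-ExecuteDenied $_ $RestrictedGroup }
} | Format-Table -AutoSize
```

Two caveats before running it: a Deny ACE is evaluated before any Allow, and administrator accounts are themselves members of Users, so with the default group the administrators lose the command prompt too; if they must keep it, deny a dedicated group that contains only the low-privilege accounts (or use the article's rename/move alternative). Scheduled tasks and services that run as an ordinary user and call cmd.exe or the script hosts will also stop working, which is exactly the audit table is there to show you.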
(7) Service downgrade:
Downgrade system services that run with SYSTEM permissions. For example, run services and applications such as Serv-U, Imail, IIS, PHP, MSSQL, and MySQL under another administrator account, or even an ordinary user account, instead of SYSTEM; this makes the server much safer. The premise, however, is that you understand how these programs run and which APIs they call.
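The "minimal services" item (2) and the "service downgrade" item (7) share one added example here; it is not code from the original article. It audits which services log on as LocalSystem, disables a service the server does not need, and moves one service to a dedicated low-privilege local account. It runs in an elevated PowerShell on Windows Server 2016 / Windows 10 or later (for New-LocalUser); the service names, the account name and the function names are assumptions chosen for illustration.

```powershell
# Added example (not from the original article): service minimisation and
# service account downgrade through the Win32_Service CIM class.

$UnneededServices   = @('DNS')        # article's example: a web server with no DNS role
$ServiceToDowngrade = 'ExampleSvc'    # placeholder for the Serv-U/IIS/MySQL-style service to downgrade
$ServiceAccount     = 'svc_example'   # constructed local account name

function Get-LocalSystemServices {
    # Downgrade candidates: running services whose logon account is LocalSystem.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.State -eq 'Running' } |
        Select-Object Name, DisplayName, StartMode, PathName
}

function Disable-UnneededService {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Verbose "$name is not installed, nothing to do"; continue }
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
        Set-Service -Name $name -StartupType Disabled   # so it stays down after a reboot
    }
}

function New-ServiceAccount {
    param([string]$Name, [securestring]$Password)
    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $Name -Password $Password -PasswordNeverExpires `
            -UserMayNotChangePassword -Description 'Least-privilege service account' | Out-Null
    }
    # Deliberately NOT added to Administrators: that is the point of the downgrade.
    # The account still needs the "Log on as a service" right (secpol.msc or a GPO)
    # and NTFS rights on the service's own files; the Change method grants neither.
}

function Set-ServiceLogonAccount {
    param([string]$Service, [string]$Account, [securestring]$Password)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Service'"
    if (-not $svc) { throw "Service $Service not found" }
    $plain  = [System.Net.NetworkCredential]::new('', $Password).Password
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change `
        -Arguments @{ StartName = ".\$Account"; StartPassword = $plain }
    if ($result.ReturnValue -ne 0) { throw "Change failed, return code $($result.ReturnValue)" }
    Restart-Service -Name $Service
}

# Review the candidates first, then act only on the services you understand.
Get-LocalSystemServices | Format-Table -AutoSize
Disable-UnneededService -Names $UnneededServices
$pw = Read-Host -Prompt "Password for $ServiceAccount" -AsSecureString
New-ServiceAccount -Name $ServiceAccount -Password $pw
Set-ServiceLogonAccount -Service $ServiceToDowngrade -Account $ServiceAccount -Password $pw
```

The audit list is the useful part: a service that breaks after the account change is one whose file, registry or API needs you did not understand, which is the premise the article states. For IIS specifically, the worker processes are downgraded through the application pool identity rather than by changing the account of the W3SVC service itself.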
Summary: besides the methods above for preventing overflow attacks, there are many others, for example creating and setting the corresponding key values in the registry, or a write-protection filter program that uses a DLL loaded by Windows to hook the relevant shell and dynamic-link programs. Of course, writing verification and encryption code of this kind requires a deep Win32 programming foundation and a lot of research into shellcode.
3. How to prevent overflow and further system intrusion after obtaining a shell
1. Once the work above is done, it is basically possible to stop the hacker from getting a shell after the overflow: even if the overflow itself succeeds, it gets stuck when calling the command shell and when connecting outward. (Why? Because: 1. the overflow is beyond the program's control, but access to the command shell, system32\cmd.exe, has been denied; 2. after the overflow, the reverse connection cannot reach the external IP address. Bouncing a shell back out through system permissions is therefore much harder.)
2. Of course, there is no absolute security in the world. So what do intruders do once they have the user's shell? Usually, after getting a shell, intruders further control the server by transferring files with tftp, ftp, or VBS scripts, using system commands and accounts. With the restrictions above, intruders can no longer transfer files through tftp or ftp, but they can still write batch files with echo and use scripts such as BAT, VBS, and VBA to download files from the web and modify files on other disks. Therefore you also need to restrict the echo command and the permission to write and modify files on the other disks, and disable or restrict the right to run VBS/VBA scripts and the XMLHTTP component. In this way, other users cannot delete files on the server or take control of the system step by step, and local privilege escalation followed by a reverse shell is blocked.
Server security is a systems engineering effort. Any small negligence can cost you the server. "Defense" is always better than "remedy": an administrator who defends before the overflow minimizes the risk of being attacked. This is the real road to server security.