Initial Network Intrusion Detection Method

Source: Internet
Author: User

A well-configured Win2000 Server can fend off more than 90% of intrusion and infiltration attempts. However, as noted at the end of the previous chapter, system security is a continuous process: as new vulnerabilities appear and server applications change, the security posture of the system changes with them. At the same time, because attack and defense are two sides of one contradiction, each keeps outgrowing the other. So even a brilliant system administrator cannot guarantee that a server which keeps providing services will never be intruded over the long term.

Security configuration of a server is therefore not the end of security work but the beginning of a long and tedious one. This article discusses preliminary techniques for intrusion detection on Win2000 Server, in the hope of helping you keep a server secure over the long term.

Intrusion detection is mainly application-based: for each service you provide, there should be a corresponding detection and analysis mechanism protecting it. For an ordinary host, pay attention to the following aspects:

  1. Port 80 Intrusion Detection

The WWW service is probably the most common service of all. Because of its high traffic and the complexity of its applications, it also has the most vulnerabilities and the most intrusion techniques aimed at it. On NT, IIS has always been a headache for system administrators, but the logging function IIS provides is, to some extent, a good helper for intrusion detection. By default, IIS log files are stored in the System32/LogFiles directory and are generally rotated every 24 hours; you can configure this in the IIS manager.

Let us assume a web server running the WWW service. You are its system administrator and have carefully configured IIS to use the W3C extended log format, recording at least Time, Client IP, Method, URI Stem, URI Query and Protocol Status. We will analyze it using the well-known Unicode vulnerability as the example: open an IE window and enter 127.0.0.1/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir in the address bar; on a default installation you will see a directory listing. Now look at what the IIS log recorded. Open Ex010318.log (Ex stands for the W3C extended format, and the digits that follow give the log date):

07:42:58 127.0.0.1 GET /scripts/..\../winnt/system32/cmd.exe /c+dir 200

This line says that at 07:42:58 GMT (that is, 23:42:58 Beijing time) someone from 127.0.0.1 used GET to access /scripts/..\../winnt/system32/cmd.exe with the parameter /c dir, and the request succeeded (HTTP 200 means the result was returned correctly).

In most cases IIS faithfully logs every request it receives (there are also special attacks that IIS does not log, which we discuss later). But once the IIS log reaches dozens of megabytes or even dozens of gigabytes, manual inspection is practically impossible, and the only option is log analysis software. Writing a log analysis program (a text filter) in any language is very simple.

Here is a simple method. Suppose you want to know whether anyone has tried to fetch your Global.asa file through port 80. You can use the following command:

find "Global.asa" ex010318.log /I

This command uses find.exe, which comes with NT, to search text files for the string you want to filter on: "Global.asa" is the string to look for, ex010318.log is the text file to be filtered, and /I makes the search case-insensitive. For more on using find, see the Win2000 help file.

By filtering with a continually updated table of such strings, you can learn what intruders are up to as early as possible.

Note that any log analysis software consumes some system resources, so a low-priority task such as IIS log analysis is best run automatically during idle hours at night; writing a further script that sends the filtered suspicious text to the system administrator makes it even better. If the table of sensitive strings is large and the filtering policy is complicated, it is more cost-effective to write a dedicated program in C.
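As an added example (not code from the article), here is the kind of text filter the article has in mind, written in Python rather than C: it parses the W3C extended fields named earlier and runs the log through a table of suspicious strings. The log lines and the string table are constructed; the 07:42:58 cmd.exe line mirrors the request analyzed in the Ex010318.log discussion.

```python
# Added example (not from the original article): a text filter for IIS W3C
# extended logs driven by a table of suspicious strings. Sample log constructed.
from typing import Dict, List

SAMPLE_LOG = """\
#Date: 2001-03-18 07:42:58
#Fields: time c-ip cs-method cs-uri-stem cs-uri-query sc-status
07:42:58 127.0.0.1 GET /scripts/..\\../winnt/system32/cmd.exe /c+dir 200
07:43:10 10.0.0.9 GET /Global.asa - 404
07:43:11 10.0.0.9 GET /global.asa - 200
07:45:01 10.0.0.9 GET /index.htm - 200
"""

# The "continually updated string table"; matched case-insensitively like find /I.
SUSPICIOUS: Dict[str, str] = {
    "global.asa": "attempt to read Global.asa (may hold credentials)",
    "cmd.exe": "attempt to run a command shell",
    "..\\": "decoded directory traversal (the Unicode bug leaves a backslash)",
}

def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log text into dicts keyed by the #Fields names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # field names come from the header
        elif line.startswith("#") or not line.strip():
            continue                       # other directives and blank lines
        else:
            values = line.split()
            if fields and len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records

def find_suspicious(text: str) -> List[Dict[str, str]]:
    """Records whose URI stem or query contains a table entry, note attached."""
    hits: List[Dict[str, str]] = []
    for rec in parse_w3c(text):
        uri = (rec.get("cs-uri-stem", "") + " " + rec.get("cs-uri-query", "")).lower()
        for needle, note in SUSPICIOUS.items():
            if needle.lower() in uri:
                hits.append({**rec, "note": note})
                break
    return hits

if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG):
        # sc-status 200 means the probe actually worked and deserves attention first
        print(h["time"], h["c-ip"], h["cs-uri-stem"], h["sc-status"], "-", h["note"])
```

Because the field names are read from the #Fields header, the same filter works whichever columns the IIS manager has been configured to log, as long as cs-uri-stem and cs-uri-query are among them.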

  2. Security Log-based detection

With intrusion monitoring based on IIS logs we can learn the hacker's movements in advance (if you are careless, a hacker can become an intruder at any moment). But IIS logs are not omnipotent; in some cases they do not even record an intrusion through port 80. From my analysis of the IIS logging system, IIS writes the log entry only after a request has completed. In other words, if a request fails midway, there will be no trace of it in the log file (failing midway here does not mean an HTTP 400 error, but an HTTP request that is never completed at the TCP layer, for example an exceptional interruption while a large amount of data is being POSTed). For an intruder, this makes it possible to bypass the logging system for a great deal of activity.

Moreover, on hosts that offer more than port 80, intruders can also get at the server through other services, so a complete security monitoring system is needed.

Win2000 comes with a very powerful security log system, with detailed records of everything from user logons to the use of privileges. Unfortunately, security auditing is disabled by default, which is why some hosts cannot trace the intruder after being hacked. So the first step is to enable the necessary auditing under Administrative Tools - Local Security Policy - Local Policies - Audit Policy. In general, Logon Events and Account Management are the most important events for us, and both success and failure should be audited for them; the other categories should at least audit failures, so that an intruder who struggles forward step by step exposes himself by accident. Enabling security auditing does not settle the matter, though. If the security log's size and overwrite policy are not configured properly, a sophisticated intruder can bury his real movements under a flood of forged intrusion requests. Generally, setting the security log size to 50 MB and overwriting only events older than seven days will do.

Apart from the security log, the system and application logs are also good auxiliary monitoring tools. In general an intruder leaves traces in the security log (though once he has Admin rights he will certainly clean them out), and will also leave clues in the system and application logs. As a system administrator you must read these with a suspicious and thorough eye; that way it is hard for intruders to hide their movements.

  3. File Access logs and key file protection

Beyond the system's default security audit, we also need file access logs to record access to key files.

There are many file access events to choose from: read, modify, execute, create, attribute change, and so on. In general, focusing on read and modify access already gives a very useful monitor.

For example, if we audit modification of the system directory and access to the directories holding key files (such as net.exe and the system32 directory), it becomes hard for an intruder to plant a backdoor without drawing our attention. Note that the number of key files and items monitored cannot be too large, otherwise it not only burdens the system but also swamps the daily log review. Key files are not just system files but any file whose compromise could harm the system administrator and other users, such as the administrator's profile and desktop files, which can be used to steal administrator information and passwords.

  4. Process Monitoring

Process monitoring is another powerful weapon for tracking Trojans and backdoors, since more than 90% of them exist as processes. As a system administrator, understanding every process running on the server is one of your responsibilities (otherwise, never mind security, you cannot even optimize the system). It is necessary to keep a list of the processes that run on each server, so that an administrator can spot an anomaly at a glance: a process running under an unusual user, or with unusual resource usage, may be an illegitimate one. Besides processes, DLLs are also dangerous things: for example, a Trojan originally written as an exe can be rewritten as a dll and run through rundll32, which is quite confusing.

  5. Registry Verification

Trojans and backdoors generally use the registry to restart themselves, so checking the registry is also a common way to detect intrusions. If an intruder only knows how to use popular Trojans, the search is relatively easy, because the common Trojans only write to specific keys (such as Run and RunOnce). For someone who can write or rewrite a Trojan himself, however, the registry entry can be hidden anywhere, and finding it by hand is impossible. The solution is to monitor every change to the registry; then the Trojan has no way to rewrite it unnoticed. There is a lot of registry monitoring software, and many Trojan-hunting tools have such a function. Monitoring software together with regular registry backups lets the system administrator recover in the shortest time should the registry be modified without authorization.

  6. Port Monitoring

Although Trojans that use no port have already appeared, most backdoors and Trojans still use TCP connections, so monitoring port status is very important on hosts that cannot block ports for various reasons. For a system administrator, knowing which ports are open on his servers is even more important than monitoring processes. Using netstat to check the port status of your servers is a good habit, but it cannot be done 24 hours a day, and NT's security log has a flaw: it likes to record machine names rather than IP addresses. If you have neither a firewall nor intrusion detection software, you can still use a script to log IP addresses. Look at this command:

netstat -n -p tcp 10 > Netstat.log

It automatically checks the TCP connection status every 10 seconds. Based on it we create a Netlog.bat file:

time /t >> Netstat.log
netstat -n -p tcp 10 >> Netstat.log

This script automatically records the time and the TCP connection status. Note that on a busy website this consumes a certain amount of CPU time, and the log file keeps growing, so use it with care.
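As an added example (not part of the article), a Python script that reviews the Netstat.log written by Netlog.bat against the ports the server is supposed to serve; the netstat output and the expected-port set are constructed.

```python
# Added example (not from the original article): review the Netstat.log that
# Netlog.bat writes against the ports this server is meant to serve. The log text
# and the expected-port set are constructed for the demonstration.
import re
from typing import Dict, List, Set

SAMPLE_NETLOG = """\
11:42 PM

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:80         10.0.0.7:3345          ESTABLISHED
  TCP    192.168.1.5:3389       10.0.0.7:3360          ESTABLISHED
  TCP    192.168.1.5:12345      203.0.113.9:1044       ESTABLISHED
  TCP    192.168.1.5:139        10.0.0.8:1025          TIME_WAIT
"""

# WWW and Terminal Services are the only services this host is supposed to offer.
EXPECTED_PORTS: Set[int] = {80, 3389}

TIME_RE = re.compile(r"^\d{1,2}:\d{2}(?: ?[AP]M)?$")   # output of `time /t`
CONN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def parse_netlog(text: str) -> List[Dict[str, str]]:
    """Attach the most recent time stamp to every TCP connection line."""
    stamp = "?"
    conns: List[Dict[str, str]] = []
    for line in text.splitlines():
        if TIME_RE.match(line.strip()):
            stamp = line.strip()
            continue
        m = CONN_RE.match(line)
        if m:
            conns.append({"time": stamp, "local_ip": m.group(1), "local_port": m.group(2),
                          "remote_ip": m.group(3), "remote_port": m.group(4),
                          "state": m.group(5)})
    return conns

def unexpected_connections(text: str, expected: Set[int]) -> List[Dict[str, str]]:
    """Connections on a local port the server is not meant to serve (IP kept, not name)."""
    return [c for c in parse_netlog(text) if int(c["local_port"]) not in expected]

if __name__ == "__main__":
    for c in unexpected_connections(SAMPLE_NETLOG, EXPECTED_PORTS):
        print(c["time"], c["local_ip"] + ":" + c["local_port"], "<-", c["remote_ip"], c["state"])
```

A legitimate port missing from EXPECTED_PORTS (such as 139 here) is flagged too, so the list has to be built from the server's own inventory of services before the report is trusted.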

Once an abnormal port is found, you can use a dedicated program to associate the port with its executable file and process (inzider, for example, has this function: it discovers the ports the server is listening on and finds the files associated with them, and can be downloaded from http://www.nttoolbox.com), so that neither TCP nor UDP Trojans can stay hidden.

  7. Log Monitoring of Terminal Services

There is a reason to treat log monitoring of the Terminal Service separately. The Terminal Service provided by Microsoft Win2000 Server is a tool based on the Remote Desktop Protocol (RDP); it is fast and stable and makes good remote management software, but it is also very dangerous, because it is powerful and protected only by a password: once an attacker has an administrator password, he can operate the remote server just like a local machine. Although many people are using terminal services for remote connection
