Almost every attack on a server starts with scanning. The intruder first determines whether the server exists, then detects open ports and vulnerabilities, and then chooses attack methods based on the scan results. Anti-scanning is therefore very important for servers and is the first step in preventing network intrusion.
I. Scanning tools and defense principles
1. Scanning tools
Attackers can scan remote computers using Ping, Network Neighborhood, SuperScan, NMAP, NC and other commands and tools. SuperScan is very fast, while NMAP is very professional: it not only has very few false positives, but can also gather a lot of information, including system vulnerabilities, shared passwords, and enabled services.
2. Defense principles
To prevent these scans, first prohibit ICMP responses: when the other party scans, the scanner mistakenly concludes that the host does not exist because it receives no ICMP reply, which protects you. In addition, using honeypot technology to deceive scanners is also a good method.
II. Preventive measures
1. Close the port
Disable idle and potentially dangerous ports. This method is relatively passive; its essence is to disable all ports except those the user actually needs. As far as hackers are concerned, every port may become a target of attack. It can be said that all of the computer's external communication ports are potentially dangerous, including some ports the system necessarily needs, such as HTTP (port 80) for browsing web pages and QQ (port 4000).
Disabling idle ports is convenient on a Windows server system. You can either disable the ports of specified services in a targeted manner (blacklist) or open only allowed ports (whitelist). Some of the computer's network services have default ports assigned by the system; when an idle service is disabled, its corresponding port is also closed.
Go to "Control Panel" > "Administrative Tools" > "Services" and disable unused services on the computer (such as the FTP service, DNS service, and IIS Admin service); their corresponding ports are then also closed. For the "open only allowed ports" mode, you can use the system's "TCP/IP filtering" function to allow only the ports required for basic network communication. (Figure 1)
2. Blocking ports
Monitor the ports and block them immediately when there are signs of port scanning. This method of preventing port scanning cannot be carried out manually by the user, or is at least very difficult to complete by hand, so software is needed. This software is the network firewall we commonly use.
The working principle of the firewall is as follows. First, it inspects every packet that arrives at your computer. Before the packet is visible to any software running on your machine, the firewall has full veto power and can prohibit your computer from receiving anything from the Internet. When the first connection request is sent to your computer, a "TCP/IP port" is opened. During a port scan, the other computer continuously tries to establish connections with the local computer, touching one after another the TCP/IP ports corresponding to each service, including idle ones. Based on its built-in interception rules, the firewall can determine whether the other party is performing a port scan and intercept all the packets the other party sends for the scan.
Currently almost all network firewalls on the market can defend against port scanning. After a default installation, check whether the rule that intercepts port scans is selected in your firewall; otherwise the firewall will allow the port scan and only leave a record in the log.
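As an added example (not from the original article), the kind of rule a firewall applies to recognize a port scan can be written as a small detector over firewall log lines. The log lines below are constructed in the layout of a Windows Firewall log (assumed: date, time, action, protocol, source IP, destination IP, source port, destination port); a source that touches at least eight distinct destination ports within sixty seconds is flagged.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout of a Windows Firewall log (assumed:
# date time action protocol src-ip dst-ip src-port dst-port size tcpflags).
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags
2024-03-01 10:00:01 DROP TCP 192.0.2.10 10.0.0.5 51001 21 52 S
2024-03-01 10:00:01 DROP TCP 192.0.2.10 10.0.0.5 51002 22 52 S
2024-03-01 10:00:02 DROP TCP 192.0.2.10 10.0.0.5 51003 23 52 S
2024-03-01 10:00:02 DROP TCP 192.0.2.10 10.0.0.5 51004 25 52 S
2024-03-01 10:00:03 ALLOW TCP 192.0.2.10 10.0.0.5 51005 80 52 S
2024-03-01 10:00:03 DROP TCP 192.0.2.10 10.0.0.5 51006 135 52 S
2024-03-01 10:00:04 DROP TCP 192.0.2.10 10.0.0.5 51007 139 52 S
2024-03-01 10:00:04 DROP TCP 192.0.2.10 10.0.0.5 51008 445 52 S
2024-03-01 10:00:05 DROP TCP 192.0.2.10 10.0.0.5 51009 3389 52 S
2024-03-01 10:00:06 ALLOW TCP 198.51.100.7 10.0.0.5 40001 80 52 S
2024-03-01 10:05:00 ALLOW TCP 198.51.100.7 10.0.0.5 40002 80 52 S
2024-03-01 10:09:00 DROP TCP 198.51.100.7 10.0.0.5 40003 22 52 S
"""

def parse(log_text):
    """Yield (timestamp, src_ip, dst_port) for each TCP entry; skip headers."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 8 or f[3] != "TCP":
            continue
        ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
        yield ts, f[4], int(f[7])

def detect_scans(log_text, window=timedelta(seconds=60), min_ports=8):
    """Map each source that hit >= min_ports distinct ports within one
    window to the sorted list of every port it touched."""
    hits = defaultdict(list)  # src_ip -> [(timestamp, dst_port), ...]
    for ts, src, port in parse(log_text):
        hits[src].append((ts, port))
    flagged = {}
    for src, events in hits.items():
        events.sort()
        start = 0  # left edge of the sliding time window
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({p for _, p in events[start:end + 1]}) >= min_ports:
                flagged[src] = sorted({p for _, p in events})
                break
    return flagged
```

The second source, which opens port 80 twice and port 22 once over nine minutes, stays below the threshold, which is the distinction a firewall's scan rule needs to make between ordinary clients and a sweep.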
III. Defense tools
1. System firewall
Many firewalls now have a setting to disable ICMP, and the built-in firewall of Windows XP SP2 also includes this function. Enabling it is very simple: open "Control Panel" → "Windows Firewall", click the "Advanced" tab, select the Internet connection established on the system (the broadband connection), click the "Settings" button next to it to open the "Advanced Settings" window, click the "ICMP" tab, confirm that "Allow incoming echo request" is not checked, and click "OK". (Figure 2)
In addition, with other professional firewall software we can not only intercept various scanning intrusions from the LAN, but also see the packet sources and intrusion methods in the software's logs.
2. Third-party firewall
Deploy third-party firewalls in the enterprise LAN. These firewalls come with some default "rules" that can be easily applied or cancelled. Of course, you can also create firewall rules as needed to effectively prevent malicious scanning by attackers.
Take the Skynet firewall as an example: first run Skynet firewall, click "IP rule management" in the main interface to bring up the "Custom IP rules" window, clear the "Allow LAN machines to use the ping command to detect" option, and click "Save rules". Likewise, to create a rule that prevents hosts on the Internet from pinging, click the "Add rule" button, enter the relevant parameters to create the rule, then select and save it; this prevents hosts on the network from maliciously scanning the LAN. (Figure 3)
3. Honeypot Technology
There are many honeypot tools, all similar in principle: they virtualize a "defective" server and wait for malicious attackers to take the bait. In the hacker's eyes, the scanned host appears to have the corresponding port open, but the decoy cannot actually be exploited, so the real server is protected. This can also be considered an alternative anti-scanning method.
For example, Defnet HoneyPot 2004 is a well-known honeypot virtual system. The system virtualized by Defnet HoneyPot looks no different from a real system, but it is a trap for malicious attackers. The trap deceives the attacker and records the commands, operations, and attack tools he executes. Through the trap's logs, the defender can learn the attackers' habits, obtain sufficient evidence of the attack, and even counterattack. Deploying a honeypot system with this tool is very simple: open the software, enter the relevant parameters, and it starts running; any malicious scan is then recorded. (Figure 4)
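As an added example that is not part of the original article or of Defnet HoneyPot, a minimal decoy listener in Python shows the honeypot idea: it accepts connections on a port that is otherwise idle, records who connected and what they sent first, and closes the connection. `probe` is a constructed local client used only to exercise the listener on the loopback interface.

```python
import socket
import threading
import time
from datetime import datetime, timezone

def handle_client(conn, addr, records, timeout=2.0):
    """Record who connected and the first bytes they sent, then close."""
    conn.settimeout(timeout)
    try:
        first = conn.recv(256)
    except (socket.timeout, OSError):
        first = b""  # connected but sent nothing before the timeout
    finally:
        conn.close()
    records.append({"time": datetime.now(timezone.utc).isoformat(),
                    "src": addr[0], "src_port": addr[1], "data": first})

def start_decoy(host="127.0.0.1", port=0):
    """Listen on a decoy port (0 = pick a free one); return (port, records, stop)."""
    records = []
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    def loop():
        while True:
            try:
                conn, addr = srv.accept()
            except OSError:
                return  # listener was shut down
            handle_client(conn, addr, records)
    def stop():
        try:
            srv.shutdown(socket.SHUT_RDWR)  # wakes the blocked accept()
        except OSError:
            pass
        srv.close()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], records, stop

def probe(port, payload, records, host="127.0.0.1", wait=2.0):
    """Constructed local client: connect, send payload, return the new record."""
    before = len(records)
    with socket.create_connection((host, port), timeout=wait) as c:
        c.sendall(payload)
    deadline = time.monotonic() + wait
    while len(records) == before and time.monotonic() < deadline:
        time.sleep(0.01)
    return records[before] if len(records) > before else None
```

A real deployment would bind the decoy to ports the server does not otherwise use and forward `records` to the same log store the firewall writes to, so a scan against the decoy and the firewall's own interception appear side by side.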
Summary: today's hacking tools are widely available and increasingly easy to operate, so the threshold for intrusion is low. An attacker with only a beginner or intermediate level of computer skill can use a scanner to scan at will and complete an intrusion. By taking anti-scanning measures, a server can largely prevent harassment from these intruders, who account for the majority of network intrusions. Imagine the server being attacked like this; it would be unacceptable.