Several methods of server intrusion prevention and hardening

Source: Internet
Author: User

Whether driven by technical curiosity, the temptation of money, or political interests, hackers' intrusion and attack techniques are clearly developing faster and faster. Security vendors appear to work hard, but they always move within their own sales interests: from the original three products (firewall FW, intrusion detection IDS, anti-virus AV) to today's unified threat management gateways (UTM), vulnerability scanners, behaviour auditing, identity authentication, transmission encryption (VPN), Web application firewalls (WAF), virtual browsers... The security products are dazzling, yet hardening (reinforcement) of the server itself is neglected, even though the data and services to be protected live there and the server is the ultimate goal of the hacker's intrusion.

All information security personnel share a mantra: there is no absolute security; there is only a bottom line that security protection must hold. What is that bottom line? For most information security supervisors it is: I may not be able to stop you from attacking, but I must not let you control me. You may interrupt the services on my servers, but you cannot turn my servers into your tools and use them as a springboard for attacking others; at the very least, I will not become your accomplice.

Server security hardening is not a new concept. Early intrusion detection (IDS) was born on the server host, and only later developed into the now-popular network intrusion detection.

1. A different security idea

We all know that server security starts with operating system (OS) security, which is the first line of defence against intrusion. If the operating system were truly secure, there would be no subsequent problems. However, the popular operating systems, Windows and Linux on desktops, Unix and AIX on workstations, embedded VxWorks, Android on mobile phones... expose many vulnerabilities every day, and the key problem is that the undisclosed "0-day" vulnerabilities keep growing.
States hold vulnerabilities for the needs of cyber warfare, security companies hold them for competitive reasons, hackers hold them for profit... The published vulnerabilities are only a small part. Server hardening introduces a "third-party" mechanism on top of the operating system's own security and adds monitoring of the channels hackers use to intrude. Hackers generally aim at operating system vulnerabilities and bypass the operating system's own security mechanisms; but they do not know about the "third-party" mechanism on the server, so the intrusion is not so easy.

For example, buffer overflow is a common method of privilege escalation. After a successful overflow, the attacker usually creates a backdoor immediately for later convenience; common actions include opening a remote control window, upgrading the attacker's account to administrator, and uploading a Trojan to replace a system driver file... Hackers can operate your server at will because administrator privilege bypasses the operating system's permission management mechanism. Third-party hardening, however, can block these "abnormal" operations even when they are performed by an administrator. If the intruder cannot complete the above actions, the overflow attack succeeds but the subsequent steps cannot be carried out; at most a process exits unexpectedly. The "third-party" mechanism can also infer the location of a vulnerability by detecting these abnormal exits, and thereby determine that the vulnerability has been noticed by intruders and can be exploited directly to cause harm. Is this not the same effect as penetration testing?

2. Several ideas of security hardening

The idea of server security hardening (also known as server anti-intrusion hardening) was gradually established in the process of defending against hacker intrusions.
So far it has gone through three stages of development: the configuration hardening stage, the compliance hardening stage and the anti-control hardening stage.

Configuration hardening stage: configuration hardening means tightening and upgrading the security configuration of the operating system to raise the server's level of protection. Common practices are:
1) Limit the number of consecutive logon attempts with an incorrect password; this is an important means of resisting brute-force password guessing.
2) Split system administrator permissions and remove the super administrator; this limits what an intruder gains from obtaining an administrator account.
3) Delete unnecessary accounts so that they cannot be used by attackers.
4) Disable unnecessary service ports; this both reduces the intrusion points available to attackers and prevents the ports from being used by intruders as backdoors.
5) Restrict the permissions of remote users, especially system management permissions.
6) ...

Configuration hardening mainly improves static security policies. Once intruders are inside the system they can enable or modify these configurations. This type of hardening is generally a periodic manual inspection and adjustment, which leaves a relatively large "window" for intruders; after intruders have finished hiding themselves they can also restore your configuration and keep managers in the dark. A host IDS can dynamically monitor the above security configurations and raise an alarm when an anomaly is detected, or actively check "user" behaviour and raise an alarm promptly on anomalies. It can also use its own attack signature library and raise an alarm as soon as malicious code is detected... To some extent this causes trouble for intruders. However, the host IDS has a high false-positive rate, which managers find hard to tolerate.
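Three of the static checks listed above (failed-logon limit, no extra super administrators, restricted remote administration) as an added audit script. This is example code, not from the original article; it reads constructed copies of /etc/passwd, /etc/ssh/sshd_config and a PAM auth stack rather than the live host, so it runs anywhere.

```python
"""Static configuration audit for checks 1), 2) and 5) above. Added example, not
code from the article: it reads constructed copies of /etc/passwd,
/etc/ssh/sshd_config and a PAM auth stack instead of the live host."""
import re

# Constructed sample inputs, deliberately weak on all three checks.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second superuser:/root:/bin/bash
"""
SSHD_CONFIG = """Port 22
PermitRootLogin yes
"""
PAM_AUTH = """auth required pam_env.so
auth required pam_unix.so
"""

def extra_superusers(passwd_text):
    """Names other than root that carry UID 0, i.e. undeclared super administrators."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            names.append(fields[0])
    return names

def root_login_permitted(sshd_text):
    """True if sshd allows remote root logon. The first directive wins, as in sshd;
    when none is present, OpenSSH defaults to prohibit-password."""
    for line in sshd_text.splitlines():
        m = re.match(r"\s*PermitRootLogin\s+(\S+)", line, re.IGNORECASE)
        if m:
            return m.group(1).lower() == "yes"
    return False

def lockout_configured(pam_text):
    """True if pam_faillock (or legacy pam_tally2) caps consecutive failed logons."""
    return any(re.search(r"pam_(faillock|tally2)\.so", ln) for ln in pam_text.splitlines())

def audit(passwd_text, sshd_text, pam_text):
    """Collect findings as strings; an empty list means all three checks pass."""
    findings = [f"extra UID 0 account: {n}" for n in extra_superusers(passwd_text)]
    if root_login_permitted(sshd_text):
        findings.append("sshd permits remote root logon")
    if not lockout_configured(pam_text):
        findings.append("no failed-logon lockout in PAM auth stack")
    return findings
```

Run `audit(PASSWD, SSHD_CONFIG, PAM_AUTH)` to see the three findings for the constructed inputs; swap in the real files to audit a host.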
As the alarms multiply, fewer and fewer people keep using it. In addition, many normal operations also generate large numbers of intrusion alarms, just as when we install anti-virus software and then install other software, there are so many prompts that people do not know what to do.

Compliance hardening stage: people who work in information security are familiar with the term mandatory access control. That is, when a user accesses data, the system not only checks the identity of the visitor and confirms their access permissions, but also checks whether the security level of the accessed data matches the security level of the visitor; if the access does not comply with the security policy, it is rejected. For example, every user can change the password of their own account, so they must be able to read and write the system file that stores user passwords; but the file also contains other users' passwords, so the user should only be able to read their own record, not the whole file. In this case the security grade of the user viewing the password file must be compared and handled accordingly. Most current operating systems implement discretionary access control (the new version of Windows has mandatory access control capabilities, but does not seem to offer them to the Chinese market). Therefore, from the perspective of complying with national classified protection, the operating system must be hardened. Compliance hardening provides users with a platform for security-grade management of accounts and data files, together with access control mechanisms. In a broad sense, mandatory access control covers not only files and data but also processes, memory, and network connections. Compliance hardening is not only mandatory access control; it also implements many other security policies, such as separation of three powers.
Current operating systems have a super administrator with the highest permissions, who is also the main target of hacker attacks. From the perspective of security management, permissions should be divided:
1) System administrator: responsible for system maintenance, such as account activation, data backup, and application installation;
2) System security officer: responsible for system security operations, such as permission assignment, password changes, and log management;
3) Security auditor: audits the behaviour of system administrators and security officers.
The three roles must be held by separate people; in particular, the security officer and the auditor cannot be the same person. Compliance hardening not only meets the requirements of national standards, but also raises the security level of the operating system and strengthens access control over sensitive data, so the execution of some system commands is under relatively strict control. For hackers, breaking through the operating system is only a preliminary step: even if they gain system administrator privileges, they cannot fully occupy your servers.

Anti-control hardening stage: anti-control is a clear requirement on the right to manage the server, that is, the security bottom line. Anti-control has several aspects:
1) Mastering control: control over the server allows an intruder to use the server's resources for his own needs, such as installing a scanner to scan other computers in the network for vulnerabilities, or installing attack tools to attack other targets directly. Gaining control of a server generally involves several important steps:
a) Administrator account logon: various services can be deployed directly;
b) Remote desktop process: direct remote management of the server;
c) Uploading tool software: without these tools hackers are like tigers without teeth; installing various tools and software on the server is a necessary stage in turning the server into an attack tool.
2) Hiding: to control the server, the hacker must try to hide himself. Once the hacker is found, the administrator can immediately clean the server, and all the hacker's efforts are wasted. There are many ways to hide; common examples are:
a) Process injection: hiding inside system processes makes it difficult for users to notice;
b) Not running: a server holds as many as 100,000 files, so a file is easy to hide among them; as long as it is not running it is hard to catch, and a timed or remote call can start it to carry out the attacker's intention when needed;
c) Rootkit: replacing a system driver, and of course hiding the code that activates itself or performs monitoring.
3) Cutting off contact: intrusion differs from viruses. Intruders need to contact their "boss" to control your server, receive commands, and send back information. Control its "call home" and cut off the intruder's control channel, so that the hidden code becomes an uncontrolled "dummy". There are many call-home techniques; common ones are:
a) Secretly accessing its "home" website while you surf the Internet;
b) Disguising itself as various kinds of software (such as anti-virus), after first checking whether that software is installed;
c) Sending e-mails;
d) Ferrying through removable media;
e) Backdoor services.
4) Monitoring operations: no matter how tricky the intruders are, they must always run their "malicious code", otherwise nothing happens. Therefore, monitoring the key processes and important operations in the system is the key to keeping control. For example, the following important operations:
a) Account operations;
b) Installing software and patches;
c) Opening console processes, such as desktop windows, shells, and webshells;
d) Activating or stopping services.

3. Conclusion

A clean network environment should be established that leaves hackers nowhere to hide. We have always longed for a "secure" operating system, but in reality it is always so far away from us.
The network is the nervous system of the information society; we cannot do without it in daily life and work, and we cannot abandon communication because of security concerns. In the absence of a secure operating system, server security hardening is a good choice.
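The four kinds of key operations listed under anti-control hardening above (account operations, software installation, console or shell processes, service start and stop), flagged in syslog-style lines as an added example. This is not code from the article: the log lines are constructed, and the patterns are assumptions modelled on typical useradd, sudo, apt and systemd messages, not a complete signature library. The service rule deliberately ignores systemd's per-login "Session" units, the kind of routine noise that gives a host IDS its false positives.

```python
"""Flag key operations named in the anti-control section in constructed
syslog-style lines. Added example, not code from the article; the lines are
made up and the rules are assumptions, not a complete signature library."""
import re
from collections import Counter

# Each rule: (category, pattern). Checked in order; first match wins.
RULES = [
    ("account", re.compile(r"useradd\[\d+\]: new user|usermod\[\d+\]:|passwd\[\d+\]: password changed")),
    ("install", re.compile(r"apt(-get)? install\b|dpkg.* install ")),
    ("console", re.compile(r"sudo:.*COMMAND=(/usr)?/bin/(ba)?sh\b|sshd\[\d+\]: Accepted \w+ for root ")),
    # "Started Session N of user ..." is routine logon noise, so it is excluded.
    ("service", re.compile(r"systemd\[1\]: (Started|Stopped) (?!Session \d+ of user)")),
]

# Constructed sample log (not from a real host).
SAMPLE_LOG = """\
Mar  3 10:01:02 srv01 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Mar  3 10:01:30 srv01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar  3 10:02:11 srv01 useradd[1300]: new user: name=svc_backup, UID=1002, GID=1002, home=/home/svc_backup, shell=/bin/bash
Mar  3 10:02:50 srv01 systemd[1]: Started Session 42 of user alice.
Mar  3 10:03:05 srv01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get install libxyz
Mar  3 10:03:40 srv01 systemd[1]: Stopped Security Auditing Service.
Mar  3 10:04:00 srv01 cron[800]: (root) CMD (run-parts /etc/cron.hourly)
"""

def classify(line):
    """Return the category of a key operation, or None for routine lines."""
    for category, pattern in RULES:
        if pattern.search(line):
            return category
    return None

def scan(log_text):
    """Return (category, line) pairs for every line that is a key operation."""
    hits = []
    for line in log_text.splitlines():
        category = classify(line)
        if category:
            hits.append((category, line))
    return hits

def counts(log_text):
    """Number of flagged operations per category, for a quick daily summary."""
    return Counter(category for category, _ in scan(log_text))
```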
