Some techniques to prevent ADSL from being invaded

Source: Internet
Author: User

With the rapid development of ADSL networks around the world, a permanent, always-on connection is no longer a distant dream. But a permanent connection to the Internet also means that the likelihood of being invaded is greatly increased. Know your enemy and you can win, so let us look at the methods hackers use to intrude on ADSL users and the precautions against them.

How hackers intrude on ADSL users

In many places ADSL is billed monthly, so hackers have more time to scan ports and vulnerabilities, and can even brute-force passwords online or use sniffer tools and wait for the other party to send the user name and password to their doorstep automatically.

A successful network attack generally takes the following steps. The first step is to collect information about the target. To analyze the target thoroughly, the attacker collects as much useful information about it as possible and from that derives a list of the target's vulnerabilities. The analysis results include: operating system type, operating system version, open services, versions of the open services, network topology, network devices, and firewalls.

Hacker scanning mainly uses TCP/IP stack fingerprinting. There are mainly three means of implementation:

1. TCP ISN sampling: sample the initial sequence numbers and match their pattern to a specific OS.

2. FIN probe: send a FIN packet (or any packet without the ACK or SYN flag) to an open port on the target and wait for a response. Many systems return a RESET.

3. Bogus flag probe: send a SYN packet whose TCP header carries an undefined TCP flag. Systems respond to the flag differently, which distinguishes some operating systems.

4. TCP initial window: simply check the window size in the returned packets and identify the operating system by that size.
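
The flag combinations in items 2 and 3 can be recognised on the defending side from the TCP header alone. The following Python sketch is an added example, not part of the original article; the function names and the sample packets (documentation addresses) are constructed for illustration. It treats a SYN carrying ECE and CWR together as normal, since RFC 3168 later defined those two bits for ECN.

```python
import struct
from collections import defaultdict

FIN, SYN, RST, ACK, ECE, CWR = 0x01, 0x02, 0x04, 0x10, 0x40, 0x80

def classify(tcp_header: bytes) -> str:
    """Label one TCP header with the fingerprinting probe it resembles."""
    if len(tcp_header) < 20:
        return "truncated"
    _sport, _dport, _seq, _ack, off_res, flags, _win, _cksum, _urg = \
        struct.unpack("!HHIIBBHHH", tcp_header[:20])
    reserved = off_res & 0x0F          # low nibble of byte 12 must be zero
    if not flags & (SYN | ACK | RST):
        return "no-syn-ack probe"      # FIN probe and its NULL/Xmas variants
    if flags & SYN:
        ecn = flags & (ECE | CWR)
        # An ECN-setup SYN sets ECE and CWR together; one of them alone,
        # or any reserved bit, matches the "undefined flag" probe.
        if reserved or ecn in (ECE, CWR):
            return "bogus-flag probe"
    return "normal"

def probes_by_source(packets):
    """Map source IP -> sorted list of probe labels seen from it."""
    seen = defaultdict(set)
    for src, header in packets:
        label = classify(header)
        if label != "normal":
            seen[src].add(label)
    return {src: sorted(labels) for src, labels in seen.items()}

def make_header(dport, flags, reserved=0, window=8192):
    """Build a constructed 20-byte TCP header for the sample data."""
    return struct.pack("!HHIIBBHHH", 40000, dport, 1, 0,
                       (5 << 4) | reserved, flags, window, 0, 0)

# Constructed sample traffic (documentation addresses, not real captures).
SAMPLE = [
    ("192.0.2.10", make_header(80, SYN)),                 # ordinary connect
    ("192.0.2.10", make_header(80, ACK)),
    ("198.51.100.7", make_header(139, FIN)),              # FIN probe
    ("198.51.100.7", make_header(139, SYN | ECE)),        # SYN + lone high bit
    ("198.51.100.7", make_header(139, SYN, reserved=0x4)),
    ("203.0.113.5", make_header(443, SYN | ECE | CWR)),   # valid ECN setup
]

if __name__ == "__main__":
    for src, labels in probes_by_source(SAMPLE).items():
        print(src, labels)
```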




Although there are many scanning techniques, the principle is very simple. Here is a brief introduction to the scanning tool nmap (Network Mapper), which is known as the best scanning tool: powerful, versatile, flexible, easy to use, highly portable, supporting a variety of platforms, and leaving very few traces. It can not only scan TCP/UDP ports but can also be used to scan and probe large networks.

Note that some real domain names are used here to make the scan behavior look more specific. You can substitute names or addresses from your own network. Scan only after you have permission, otherwise you will have to bear the consequences.

nmap -v target.example.com

This command scans all reserved TCP ports on target.example.com; -v indicates verbose mode.

nmap -sS -O target.example.com/24

This command starts a SYN scan against the class C subnet where target.example.com is located and tries to determine which operating system is running on each target. It requires administrator privileges because it uses half-open scanning and OS detection.

The second step of the attack is to establish a connection with the other party and find login information. Now assume that scanning shows the other machine exposes IPC$. IPC$ is a resource that shares the named pipes that are important for communication between programs; it is used when you manage a computer remotely and view its shared resources. With IPC$, a hacker can establish a null connection (without a user name and password) and use it to obtain the other party's user list.

The third step is to log in using suitable tool software. Open a command-line window and type the command: net use \\222.222.222.222\ipc$ "123456" /user:"Administrator"

Here we assume that the administrator's password is 123456. If you do not know the administrator password, you will need other password tools to help. After logging in, everything is under the hacker's control.

Prevention methods

Because ADSL users are generally online for a long time, their security awareness must be strengthened. Quite a few people are online more than 10 hours a day or even leave the machine on overnight, and some turn their own machine into a Web or FTP server for other people to visit. Routine preventive work can generally be divided into the following steps.

Step one: be sure to disable the Guest account. Many intrusions use this account to go on to obtain the administrator password or privileges. If you do not want your computer to become someone else's toy, it is best to disable it. Open Control Panel, double-click Users and Passwords, and select the Advanced tab. Click the Advanced button to open the Local Users and Groups window. Right-click the Guest account, select Properties, and on the General page select "Account is disabled".

Step two: stop sharing. After Windows 2000 is installed, it creates some hidden shares. Click Start → Run → cmd, then type the command "net share" at the command line to view them. Many articles on the Internet about IPC intrusion rely on these default shares. To disable them, open Administrative Tools → Computer Management → Shared Folders → Shares, right-click the corresponding shared folder, and click "Stop Sharing".

Step three: shut down unnecessary services where possible, such as Terminal Services, IIS (if you do not use your machine as a Web server), and RAS (Remote Access Service). The very annoying Messenger service should also be turned off, otherwise advertisements will keep arriving through it. Open Administrative Tools → Computer Management → Services and Applications → Services and turn off the services you do not need.

Step four: prohibit null connections. By default, any user can connect to the server through a null connection, enumerate the accounts, and guess passwords. Null connections must be prohibited, using either of the following two methods:

(1) Modify the registry:

Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, change the DWORD value RestrictAnonymous to 1.

(2) Modify the local security policy of Windows 2000:

In Local Security Policy → Local Policies → Security Options, set RestrictAnonymous ("Additional restrictions for anonymous connections") to "Do not allow enumeration of SAM accounts and shares."

Step five: if the Web service is enabled, you also need to configure IIS securely:

(1) Change the Web service home directory. Right-click Default Web Site → Properties → Home Directory → Local Path, and point the local path to a different directory.

(2) Delete the Inetpub directory created by the default installation.

(3) Delete the following virtual directories: _vti_bin, IISSamples, Scripts, IISHelp, IISAdmin, MSADC.

(4) Remove unnecessary IIS extension mappings. Right-click Default Web Site → Properties → Home Directory → Configuration to open the application window, and remove the application mappings you do not need. If no other mappings are required, keep only .asp and .asa.

(5) Back up the IIS configuration. You can use the backup feature of IIS to back up all of your IIS settings so that the secure configuration can be restored at any time.
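
Steps one to four can be verified from the output of net user guest, net share, net start and reg query. The following Python check is an added example, not part of the original article; the function name, the finding strings and the sample command output are constructed for illustration.

```python
import re

# Services step three says to stop when unused (display names from `net start`).
UNNEEDED = {"Messenger", "Terminal Services", "Routing and Remote Access",
            "World Wide Web Publishing Service"}

def audit(net_user_guest, net_share, net_start, reg_lsa):
    """Return findings for steps one to four from captured command output."""
    findings = []
    # Step one: `net user guest` must report the account as inactive.
    m = re.search(r"^Account active\s+(\w+)", net_user_guest, re.M)
    if m and m.group(1).lower() == "yes":
        findings.append("Guest account is enabled")
    # Step two: hidden shares are the ones whose name ends in '$'.
    for line in net_share.splitlines():
        fields = line.split()
        if fields and re.fullmatch(r"\w+\$", fields[0]):
            findings.append("hidden share: " + fields[0])
    # Step three: report listed services that are still started.
    started = {line.strip() for line in net_start.splitlines()}
    findings += ["service running: " + s for s in sorted(UNNEEDED & started)]
    # Step four: a missing value or 0 leaves null sessions able to enumerate.
    m = re.search(r"RestrictAnonymous\s+REG_DWORD\s+0x([0-9a-fA-F]+)", reg_lsa)
    if not m or int(m.group(1), 16) == 0:
        findings.append("RestrictAnonymous is 0 or missing")
    return findings

# Constructed sample output, shaped like the real commands' output.
GUEST = "User name                    Guest\nAccount active               Yes\n"
SHARES = ("Share name   Resource        Remark\n"
          "-----------------------------------\n"
          "C$           C:\\             Default share\n"
          "IPC$                         Remote IPC\n"
          "ADMIN$       C:\\WINNT        Remote Admin\n"
          "The command completed successfully.\n")
STARTED = ("These Windows services are started:\n\n"
           "   Event Log\n   Messenger\n   Server\n")
LSA = ("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\n"
       "    RestrictAnonymous    REG_DWORD    0x0\n")

if __name__ == "__main__":
    for finding in audit(GUEST, SHARES, STARTED, LSA):
        print("FAIL:", finding)
```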





Do not think that this is enough. No one knows how many bugs Microsoft's operating systems contain, so be sure to install Microsoft's patches.

Finally, we recommend that you choose a practical firewall, for example BlackICE, produced by Network ICE Corporation. It is very simple to install and run; even if you are not familiar with network security, the default configuration can detect most types of hacker attacks. Experienced users can also choose "Advanced Firewall Settings" under "Tools" to accept or reject specific IP addresses or specific UDP ports to achieve a particular defensive effect.
