The intranet intrusion detection system (hereinafter the "IDS system") can promptly discover and effectively handle high-risk events on the intranet such as network viruses, system vulnerabilities, and abnormal attacks. This strengthens intranet security and helps ensure that important business systems keep running normally. To strengthen intranet management and make full use of the IDS system, I analyze below the problems behind the high-risk events reported by security monitoring and propose countermeasures for your reference.
Event 1 Windows 2000/XP RPC Remote Denial of Service Attack
A vulnerability exists in the DCE-RPC stack implementation of Windows. A remote attacker who can connect to TCP port 135 and send malformed data can cause the RPC service to shut down. With the RPC service disabled, the system stops responding to new RPC requests, resulting in a denial of service.
[Countermeasure]
1. Temporary workaround: use a firewall or the built-in TCP/IP filtering of Windows to restrict connections to TCP port 135 from external untrusted hosts.
2. Complete solution: install the security patch.
Event 2 msblast (shock wave) Worm Propagation in Windows
Computers infected with the worm attempt to scan and infect other hosts on the network, consuming host resources and a large amount of network bandwidth, which causes a sharp decline in network access capacity.
[Countermeasure]
1. After downloading the patch, disconnect the network and then install the patch.
2. Clear the worm.
Event 3 Sasser (shock wave) Worm Propagation in Windows
The worm attack leaves a backdoor on the system and may cause Windows 2000/XP to restart the operating system. When the worm spreads, the performance of infected hosts may be seriously degraded and the bandwidth of the infected network heavily occupied.
[Countermeasure]
1. First, disconnect the computer from the network.
2. Then run the dedicated removal tool to check for the virus.
3. Patch the system.
Event 4 Telnet Brute Force Password Guessing
Telnet is a common remote login service. With Telnet you can log on to a system remotely and execute arbitrary commands. This event is an attack aimed at obtaining access: the attacker may be trying to guess a valid username and password for the Telnet service. If successful, the attacker can log on to the system, run various commands, and even take full control of it.
[Countermeasure]
Pay close attention to further activity from the attack source. If necessary, block its access to the server.
Event 5 Telnet Service User Authentication Failed
The Telnet service is often one of the channels through which attackers intrude into a system. In most cases, valid users authenticate successfully when logging on through Telnet; if the username or password is invalid, the Telnet server rejects the authentication. If the logon username is a superuser, pay extra attention and check whether the access source is legitimate. If a large number of Telnet authentication failures occur in a short time, the host may be under a brute force attack.
[Countermeasure]
1. Check whether the access source IP address, authentication username, and password comply with the security policy.
2. Pay close attention to the activity of source addresses that generate a large number of authentication failures on the FTP client. If necessary, temporarily prohibit access from the client's source IP address.
Event 6 Weak Password Authentication for Telnet Service Users
Attackers may use scanning software or manually guess weak passwords of Telnet service users to gain unauthorized access to the FTP service. They may also exploit other vulnerabilities on the Telnet server to gain control of the host.
[Countermeasure]
1. Remind or force the relevant Telnet service user to set a complex password.
2. Set security policies to force users to change their passwords on a regular basis.
Event 7 Microsoft SQL Client SA User Default Blank Password Connection
By default, the SA user password of a Microsoft SQL database is left blank during installation. A remote attacker can exploit this to log on to the database server and perform arbitrary operations on the database. Worse, most MS-SQL installations are integrated with Windows system authentication: once a remote attacker logs on to the SQL server with the blank password, some MS-SQL extended stored procedures, such as xp_cmdshell, can be used to execute arbitrary commands on the host with LocalSystem privileges, giving the attacker full control of the host.
[Countermeasure]
1. Where possible, use the "Windows NT only" mode in the server's security settings so that only trusted computers can connect to the database.
2. Set a strong password for the SA account.
3. Use other network protocols instead of the TCP/IP network protocol.
4. If you do use the TCP/IP network protocol, change the default port 1433 to another port so that attackers cannot easily find it with a scanner.
Event 8 POP3 Brute Force Password Attack
POP3 is a common protocol for receiving network mail.
If a large number of POP3 logon failures are detected, an attacker may be trying to guess a valid POP3 service username and password. After succeeding, the attacker may exploit POP3 service vulnerabilities or vulnerabilities in other services to further compromise the system, or read users' mail, leading to leakage of sensitive information.
[Countermeasure]
Pay close attention to further activity from the attack source. If necessary, block its access to the server.
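Events 4, 5 and 8 all rest on the same detection rule: many authentication failures from one source in a short time indicate brute force guessing, and any failure against a superuser account deserves separate attention. The following script is an added example (it is not part of the original article and not any IDS vendor's code) showing that rule as sliding-window logic run over a few constructed log lines; the log line format, the thresholds and the superuser list are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed "key=value" format (not from a real system).
SAMPLE_LOG = """\
2004-05-12 09:00:01 telnet src=10.1.1.20 user=root result=FAIL
2004-05-12 09:00:02 telnet src=10.1.1.20 user=root result=FAIL
2004-05-12 09:00:03 telnet src=10.1.1.20 user=root result=FAIL
2004-05-12 09:00:04 telnet src=10.1.1.20 user=root result=FAIL
2004-05-12 09:00:05 telnet src=10.1.1.20 user=root result=FAIL
2004-05-12 09:00:06 telnet src=10.1.1.20 user=root result=FAIL
2004-05-12 09:00:30 telnet src=10.1.1.55 user=alice result=FAIL
2004-05-12 09:00:45 telnet src=10.1.1.55 user=alice result=OK
2004-05-12 09:01:00 pop3 src=10.1.2.9 user=bob result=FAIL
2004-05-12 09:01:01 pop3 src=10.1.2.9 user=carol result=FAIL
2004-05-12 09:01:02 pop3 src=10.1.2.9 user=dave result=FAIL
2004-05-12 09:01:03 pop3 src=10.1.2.9 user=erin result=FAIL
2004-05-12 09:01:04 pop3 src=10.1.2.9 user=frank result=FAIL
2004-05-12 09:05:00 telnet src=10.1.1.20 user=root result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<svc>\w+) "
    r"src=(?P<src>[\d.]+) user=(?P<user>\S+) result=(?P<res>\w+)$"
)

# Assumed privileged account names; extend to match the local environment.
SUPERUSERS = {"root", "administrator"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "svc": m["svc"],
        "src": m["src"],
        "user": m["user"],
        "failed": m["res"] != "OK",
    }


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return (alerts, superuser_hits).

    alerts: one dict per (service, source) whose failures reached `threshold`
            inside a sliding window of `window_seconds`; the window is reset
            after each alert so a second burst is reported again.
    superuser_hits: every failed attempt against a privileged account.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # (service, src) -> deque of (ts, user)
    alerts, superuser_hits = [], []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not ev["failed"]:
            continue
        if ev["user"].lower() in SUPERUSERS:
            superuser_hits.append((ev["svc"], ev["src"], ev["user"], ev["ts"]))
        dq = recent[(ev["svc"], ev["src"])]
        dq.append((ev["ts"], ev["user"]))
        # Drop failures that fell out of the window.
        while dq and ev["ts"] - dq[0][0] > window:
            dq.popleft()
        if len(dq) >= threshold:
            alerts.append({
                "service": ev["svc"],
                "src": ev["src"],
                "failures": len(dq),
                "window_start": dq[0][0],
                "window_end": ev["ts"],
                # Many distinct usernames from one source suggests password
                # spraying rather than guessing one account's password.
                "distinct_users": sorted({u for _, u in dq}),
            })
            dq.clear()
    return alerts, superuser_hits


if __name__ == "__main__":
    found, su = detect_bruteforce(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a['service']} from {a['src']}: {a['failures']} failures "
              f"{a['window_start']}..{a['window_end']} users={a['distinct_users']}")
    for svc, src, user, ts in su:
        print(f"SUPERUSER FAILURE {svc} from {src} user={user} at {ts}")
```

On the sample data this raises one alert for the Telnet source hammering root and one for the POP3 source cycling through five different usernames, and lists every failed root attempt separately, which is the "pay more attention to superuser logons" check from Event 5.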
Event 9 POP3 Service Receives Suspicious Virus Emails
Currently, viruses and worms that spread by mail are becoming increasingly common. Some mail viruses spread by sending executable attachments and inducing users to click and run them. Common virus attachment names end in .pif, .scr, .bat, .cmd, and .com; emails carrying attachments with these suffixes are usually virus emails disguised as ordinary mail.
After a host is infected by such an email, the virus usually sends the same email to the other addresses saved in the mail client in order to widen the infected area.
This event indicates that the IDS has detected the receipt of an email with a suspicious virus attachment. The recipient of the email is likely to be infected with a mail virus and must be handled immediately.
[Countermeasure]
1. Notify the owner to isolate and check the host that sent the virus mail, and use anti-virus software to remove the virus from the system.
2. Install virus email filtering software on the mail server and remove such attachments before the user receives the mail.
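The server-side filtering step in countermeasure 2 comes down to inspecting attachment names before delivery. As an added example (not code from the article or any mail filtering product), the script below parses a MIME message with Python's standard email library and flags attachments whose final suffix is one of the extensions listed above, including the common disguise of a double extension such as "invoice.pdf.scr" or a name padded with spaces to push the real extension out of sight. The sample message is constructed inline; the suffix list is the page's own, and treating double extensions and space padding as suspicious is an assumption of this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Suffixes the article names as common virus-attachment extensions.
DANGEROUS_SUFFIXES = {".pif", ".scr", ".bat", ".cmd", ".com"}


def suspicious_reason(filename):
    """Return a short reason if the attachment name looks like a disguised
    executable, otherwise None."""
    if not filename:
        return None
    # Lower-case for comparison and drop space padding that hides the
    # real extension ("photo.jpg          .scr").
    name = filename.strip().lower().replace(" ", "")
    parts = [p for p in name.split(".") if p]
    if len(parts) < 2:
        return None  # no extension at all
    last = "." + parts[-1]
    if last not in DANGEROUS_SUFFIXES:
        return None
    if len(parts) >= 3:
        return f"double extension disguised as .{parts[-2]}: {last}"
    return f"executable extension {last}"


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and return [(filename, reason), ...]
    for every attachment that should be stripped or quarantined."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename()
        reason = suspicious_reason(filename)
        if reason:
            findings.append((filename, reason))
    return findings


def build_sample_message():
    """Constructed test email (not a real captured sample): one harmless
    text attachment and two disguised executables."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Your document"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"MZ\x90\x00placeholder", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.scr")
    msg.add_attachment("meeting notes", filename="notes.txt")
    msg.add_attachment(b"@echo off\r\n", maintype="application",
                       subtype="octet-stream", filename="setup.BAT")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in scan_message(build_sample_message()):
        print(f"QUARANTINE {filename!r}: {reason}")
```

In a real gateway the same scan_message check would run on each inbound message before delivery, with flagged parts stripped or the whole message quarantined; matching on the declared filename alone is a first-line check, and a production filter would also inspect the attachment content rather than trusting the suffix.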
Event 10 Microsoft Windows LSA Remote Buffer Overflow Attack
Microsoft Windows LSA is the Local Security Authority service (lsasrv.dll).
A Microsoft Active Directory service function exported over the LSASS DCE/RPC endpoint contains a buffer overflow. A remote attacker can exploit this vulnerability to execute arbitrary commands on the system with SYSTEM privileges.
[Countermeasure]
1. Temporary solution: use the firewall to filter UDP ports 135, 137, 138 and 445, and TCP ports 135, 139, 445 and 593.
2. Patch and upgrade the system.