The intranet intrusion detection system ("IDS system") can detect high-risk events such as network viruses, system vulnerabilities and anomalous attacks in time, which enhances intranet security and effectively guarantees the normal operation of each important business system. In order to strengthen intranet management and make full use of the IDS system, the author analyzes the problems behind the high-risk events reported by security monitoring and puts forward countermeasures, as a reference for all.
Event 1 Windows 2000/XP RPC service remote denial-of-service attack
A vulnerability exists in the Windows implementation of the DCE-RPC stack: a remote attacker who connects to TCP port 135 and sends malformed data can cause the RPC service to shut down. Once the RPC service has stopped, the system no longer responds to new RPC requests, resulting in a denial of service.
Countermeasures
1. Temporary workaround: use a firewall or the Windows system's own TCP/IP filtering mechanism to restrict TCP port 135 and limit connections from external untrusted hosts.
2. Complete solution: apply the security patch.
Event 2 MSBlast (Blaster) worm propagation on Windows systems
An infected computer continuously scans other hosts on the network, consuming the host's own resources and a large amount of network bandwidth, so that network access capability drops sharply.
Countermeasures
1. After downloading the patch, disconnect from the network and then install the patch.
2. Remove the worm.
Event 3 Sasser worm propagation on Windows systems
The worm attack leaves a backdoor on the system and can cause Windows 2000/XP to restart, severely degrading the performance of the infected host and heavily occupying the bandwidth of the infected network.
Countermeasures
1. First disconnect the computer from the network.
2. Then use a dedicated removal tool to clean the virus.
3. Finally apply the system patches.
Event 5 Telnet service user authentication failed
The Telnet service is often one of the channels through which attackers break into a system. In most cases a legitimate user authenticates successfully during Telnet logon; the Telnet server reports an authentication failure when the username or password is incorrect. If the username being logged on is the superuser, it is all the more important to check whether the access source is legitimate. A large number of Telnet authentication-failure responses in a short period of time may indicate that the host is under a brute-force password-guessing attack.
Countermeasures
1. Check whether the source IP address, authentication username and password of the access comply with the security policy.
2. Pay close attention to the activity of any source address whose FTP client produces a large number of authentication failures; if necessary, access from that client's source IP address can be temporarily blocked.
Event 6 Telnet service user weak-password authentication
An attacker may illegally obtain access to the FTP service by using scanning software or manually guessing a weak Telnet service password, and may further take control of the host by combining this with other local vulnerabilities of the Telnet server.
Countermeasures
1. Remind or force the relevant Telnet service users to set complex passwords.
2. Set a security policy that periodically forces users to change their passwords.
Event 7 Microsoft SQL client connection with the default null sa password
When Microsoft SQL Server is installed with the default null password for the sa user, a remote attacker can use it to log on to the database server and perform any operation on the database. More dangerous still, most MS-SQL installations use integrated Windows authentication, which allows a remote attacker who logs on to SQL Server with the null password to use some of MS-SQL's extended stored procedures, such as xp_cmdshell, to execute arbitrary commands on the host with LocalSystem privileges and gain full control of it.
Countermeasures
1. For the security mode, use the "Windows NT only" authentication mode wherever possible, so that only trusted computers can connect to the database.
2. Set a strong password for the sa account.
3. Do not use the TCP/IP network protocol; switch to another network protocol.
4. If the TCP/IP protocol must be used, it is best to change its default port 1433 to another port, so that attackers using scanners cannot find it easily.
Event 8 POP3 service brute-force password-guessing attack
POP3 is a common protocol for retrieving network mail.
A large number of POP3 logon failure events have been detected; an attacker may be trying to guess a valid POP3 service username and password. If successful, the attacker could compromise the system by exploiting the POP3 service itself or by combining it with vulnerabilities in other services, or could read the user's mail and leak sensitive information.
Countermeasures
Keep an eye on further activity from the attack source and, if you feel it necessary, block its connections to the server.
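Both the Telnet authentication-failure event above and this POP3 event reduce to the same detection rule: many failures from one source within a short time. The following Python script is an added example, not code from the article or from any IDS product. It assumes a simple constructed log layout (timestamp, service, source IP, user, OK/FAIL), a hypothetical threshold of five failures within sixty seconds, and a small assumed list of privileged account names; beyond the bare count it also marks bursts aimed at a privileged account and bursts followed by a successful logon from the same source, which is the case the Telnet section says deserves the closest check.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system) in a hypothetical
# "timestamp service src_ip user result" layout.
SAMPLE_LOG = """\
2004-05-10 09:00:01 telnet 10.1.1.23 root FAIL
2004-05-10 09:00:02 telnet 10.1.1.23 root FAIL
2004-05-10 09:00:03 telnet 10.1.1.23 admin FAIL
2004-05-10 09:00:04 telnet 10.1.1.23 root FAIL
2004-05-10 09:00:05 telnet 10.1.1.23 root FAIL
2004-05-10 09:00:06 telnet 10.1.1.23 root OK
2004-05-10 09:01:00 pop3 10.1.1.57 alice FAIL
2004-05-10 09:01:30 pop3 10.1.1.57 alice OK
2004-05-10 09:05:00 pop3 192.168.4.9 bob FAIL
2004-05-10 09:05:01 pop3 192.168.4.9 carol FAIL
2004-05-10 09:05:02 pop3 192.168.4.9 dave FAIL
2004-05-10 09:05:03 pop3 192.168.4.9 erin FAIL
2004-05-10 09:05:04 pop3 192.168.4.9 frank FAIL
2004-05-10 09:20:00 pop3 192.168.4.9 bob FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<svc>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>OK|FAIL)$"
)

# Accounts whose guessing attempts deserve the closest look (assumed list).
PRIVILEGED_USERS = {"root", "administrator", "sa"}


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Raise one alert per (service, source IP) whose failures within `window`
    reach `threshold`; a later successful logon from an alerted source is
    recorded, because that is the case that needs immediate verification."""
    recent = defaultdict(deque)  # (service, ip) -> deque of (timestamp, user) failures
    alerts = {}                  # (service, ip) -> alert dict, first burst only
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["svc"], ev["ip"])
        if ev["result"] == "FAIL":
            q = recent[key]
            q.append((ev["ts"], ev["user"]))
            # Drop failures that have fallen out of the sliding window.
            while q and ev["ts"] - q[0][0] > window:
                q.popleft()
            if len(q) >= threshold and key not in alerts:
                alerts[key] = {
                    "service": ev["svc"],
                    "src_ip": ev["ip"],
                    "failures": len(q),
                    "first": q[0][0],
                    "last": ev["ts"],
                    "users": sorted({u for _, u in q}),
                    "privileged_target": any(u.lower() in PRIVILEGED_USERS for _, u in q),
                    "success_after_burst": False,
                }
        elif key in alerts:
            # A success right after a burst of failures is the alert to act on first.
            alerts[key]["success_after_burst"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"{a['service']} from {a['src_ip']}: {a['failures']} failures "
              f"{a['first']:%H:%M:%S}-{a['last']:%H:%M:%S}, users={a['users']}, "
              f"privileged={a['privileged_target']}, success_after={a['success_after_burst']}")
```

With the constructed log, the single failed logon from 10.1.1.57 never reaches the threshold, the five failures from 192.168.4.9 within four seconds raise an alert, and the failure from that address fifteen minutes later is correctly treated as a fresh window; the Telnet burst against root is flagged as both privileged and followed by a success, which is exactly the access source the text says must be verified.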
Event 9 POP3 service receives suspicious virus mail
Mail-borne viruses and worms are currently increasingly common. Some mail viruses propagate by sending messages with executable attachments that entice users to click and run them; common virus attachment suffixes are .pif, .scr, .bat, .cmd and .com. Messages carrying attachments with these suffixes are usually virus mail disguised as ordinary messages.
When a mail virus infects a host, it usually sends the same virus mail to the other e-mail addresses saved in the mail client software in order to widen the infection.
This event indicates that the IDS has detected the receipt of a message with a suspicious virus attachment; the recipient of the message is likely infected with a mail virus and needs to be dealt with immediately.
Countermeasures
1. Notify, quarantine and check the host that sent the virus mail, and use anti-virus software to clean the infected system.
2. Install virus-mail filtering software on the mail server, so that virus mail is cleaned before it reaches users.
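The second countermeasure, filtering on the server before delivery, can be illustrated with a small attachment-suffix check. The Python below is an added example written for this article, not code from the article or from any filtering product; it uses only the standard library's email package, flags the suffixes the text names plus .exe (an assumed addition), and decides on the final suffix of the trimmed, lower-cased filename so that a disguised name such as "photo.jpg .scr" is still caught. The sample messages it builds are constructed for the demonstration and carry no real content.

```python
import os
import email
from email.message import EmailMessage
from email.policy import default

# Suffixes named in the text, plus .exe (assumed addition; extend to match local policy).
EXECUTABLE_SUFFIXES = {".pif", ".scr", ".bat", ".cmd", ".com", ".exe"}


def is_suspicious(filename):
    """Decide on the *final* suffix of the attachment name, after lowering case and
    trimming whitespace, so that a padded or double-extension name such as
    'photo.jpg .scr' is still recognised as a screensaver executable."""
    if not filename:
        return False, "no filename"
    ext = os.path.splitext(filename.strip().lower())[1]
    if ext in EXECUTABLE_SUFFIXES:
        return True, f"executable attachment suffix {ext}"
    return False, "allowed suffix"


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and report every attachment that should be held."""
    msg = email.message_from_bytes(raw_bytes, policy=default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        bad, reason = is_suspicious(name)
        if bad:
            flagged.append({
                "name": name,
                "extension": os.path.splitext(name.strip().lower())[1],
                "declared_type": part.get_content_type(),  # type says nothing; suffix decides
                "reason": reason,
            })
    return {
        "subject": str(msg["Subject"]),
        "sender": str(msg["From"]),
        "flagged": flagged,
        "quarantine": bool(flagged),
    }


def build_sample(attachment_name, maintype, subtype, payload=b"constructed payload"):
    """Constructed test message (not real mail) with a single attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Your document"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype,
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, mt, st in [("photo.jpg .scr", "application", "octet-stream"),
                         ("INVOICE.PIF", "application", "octet-stream"),
                         ("report.pdf", "application", "pdf")]:
        verdict = scan_message(build_sample(name, mt, st))
        print(name, "->", "QUARANTINE" if verdict["quarantine"] else "deliver",
              [f["reason"] for f in verdict["flagged"]])
```

The check deliberately ignores the declared MIME type: a mail client that receives an executable labelled as application/octet-stream or even image/jpeg will still offer to run it, so the filename suffix is what decides whether the message is held.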
Event Microsoft Windows LSA service remote buffer overflow attack
Microsoft Windows LSA is the Local Security Authority service (LSASRV.DLL).
The Microsoft Active Directory service interface exported by LSASS over DCE/RPC contains a buffer overflow that a remote attacker can use to execute arbitrary instructions on the system with system privileges.
Countermeasures
1. Temporary workaround: use a firewall to filter UDP ports 135, 137, 138 and 445 and TCP ports 135, 139, 445 and 593.
2. Apply system patches and upgrades.