Security device user guide: using an IPS to track intruders

Source: Internet
Author: User

For small and medium-sized enterprises, viruses and hackers are becoming more and more of a headache for network administrators. The Internet is full of simple, easy-to-use attack tools, and many people use vulnerability scanners to attack the company's computers and servers. Even some internal users run scanners against intranet segments to pry into other people's data. An IPS (intrusion prevention system) can track an intruder's footprints effectively. As it happens, my company bought an expensive IPS appliance, so below I write up several real cases of tracking attackers from my day-to-day maintenance and management work, to share with readers of the IT168 security channel.

  1. Device introduction:

IPS stands for intrusion prevention system. With an IPS we can discover intruders immediately and, based on the information it records about them, defend against and block them, so that hackers and worms exploiting vulnerabilities cannot attack intranet computers. The product used by the author is the TippingPoint 400 intrusion prevention system sold by Huawei-3Com. It supports a maximum bandwidth of Mbps and up to four network segments, with 10/100/1000BaseT copper ports and SX or LX fiber ports. (1)

 


  2. Use the IPS to track intruders:

The following example shows how intruders were discovered and how the IPS was used to stop their attacks.

Step 1: log in to the IPS management interface using its management address and a valid username and password.

Step 2: since this article is about using the IPS to find attackers, the first place to look for clues is the log summary. The author chooses the audit log (the logon record). (2)

 


 TIPS:

No matter what attacks the intranet suffers, as long as the IPS is working properly and its filter rules are configured correctly, it can block most of the corresponding intrusions. That is why the security of the IPS itself is a frequent concern for network administrators: attackers often use tools to attack the IPS device directly, because an IPS that has been taken over can be used as a stepping stone to attack other network devices on the intranet.

Step 3: in the audit log's logon records we can clearly see the number of successful logins and the number of failed password checks; the username used for each logon is shown on the right, together with the access method, source IP address and time of access. (3)

 


Step 4: analysis showed that the following IP addresses had recently been probing the IPS, which indicates that they were attacking it (time of the attempt, then source address):

    17:36:35 (date not preserved) 206.186.79.97
    2008-09-03 12:36:35 203.189.89.116
    2008-09-02 20:13:59 85.17.137.5

These attackers used CLI access, that is, SSH or Telnet to the IPS's command-line management interface.

Step 5: the author saves the log to the local hard disk using the IPS's log backup function and the Download button. (4)

 


Step 6: by default the IPS opens an Internet Explorer window that lists the basic details of every login. This can be saved directly as a plain-text (TXT) file, after which the attacker's IP address and other basic information can be located quickly with a statistics tool or a simple text search. (5)

 


Step 7: the statistics show that the IP addresses listed above attempted logons with many different usernames within a short period, several hundred in total, for example ben, robert and ronald. (6)

 


Step 8: these attempts are of course also recorded in the logon log list itself in the management interface, not only in the exported file. (7)

 


Step 9: by analysing the log records we can identify which IP addresses attack the IPS most often. We can then use an online IP address lookup tool to find the geographical location of each address and analyse where the attacks come from. (8)

 


Step 10: once the attacker's IP address is known, we can deny it directly on the IPS, or on the external router or switch, using an access control list or the device's filtering function, so that it can no longer reach the intranet or the IPS and cannot keep guessing passwords by brute force. Blocking individual addresses is only a stopgap, since attackers change addresses easily; the durable fix is to restrict the management interface to a dedicated management network, disable Telnet in favour of SSH, and use strong passwords for all administrative accounts.
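The analysis in Steps 6 to 10 (export the logon log as text, count failed logons and distinct usernames per source address, then build a block list) can be scripted instead of done by hand. The following is an added example written for this page; it is not code from the article and not a TippingPoint or Huawei-3Com tool. It assumes the export has been saved as plain text with one event per line in a constructed, space-separated layout (date, time, OK or FAIL, access method, username, source IP); the sample lines, the RFC 5737 test addresses in them, the thresholds and the Cisco-style ACL template are all assumptions for the example, and a real export will need its own parse_line().

```python
"""Brute-force logon triage over an exported IPS audit log.

Added example, not code from the article or from TippingPoint/Huawei-3Com.
It assumes the audit log has been exported to a plain-text file (Step 6)
with one logon event per line in this constructed, space-separated layout:

    <date> <time> <OK|FAIL> <access method> <username> <source IP>

The real export layout of a given IPS will differ; adjust parse_line().
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample lines (not real device output); RFC 5737 test addresses
# stand in for external attackers, 192.168.1.20 for an intranet admin.
SAMPLE_LOG = """\
2008-09-03 12:36:01 FAIL ssh ben 203.0.113.10
2008-09-03 12:36:05 FAIL ssh robert 203.0.113.10
2008-09-03 12:36:09 FAIL ssh ronald 203.0.113.10
2008-09-03 12:36:13 FAIL ssh admin 203.0.113.10
2008-09-03 12:36:35 FAIL ssh root 203.0.113.10
2008-09-03 12:37:00 OK ssh admin 203.0.113.10
2008-09-02 20:13:59 FAIL telnet admin 198.51.100.7
2008-09-02 20:14:02 FAIL telnet admin 198.51.100.7
2008-09-02 20:14:06 FAIL telnet admin 198.51.100.7
2008-09-03 09:00:00 FAIL https admin 192.168.1.20
2008-09-03 09:00:30 OK https admin 192.168.1.20
2008-09-01 08:00:00 FAIL ssh guest 203.0.113.99
"""


def parse_line(line):
    """Split one event line into a dict; ip_address() raises on a malformed source."""
    date, time, result, method, user, src = line.split()
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "ok": result == "OK",
        "method": method,
        "user": user,
        "src": str(ip_address(src)),
    }


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def max_in_window(fails, window):
    """Largest number of failures (already sorted by time) that fit inside `window`."""
    best, j = 0, 0
    for i in range(len(fails)):
        while fails[i]["ts"] - fails[j]["ts"] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def summarize(events, window=timedelta(minutes=5), burst_threshold=3, user_threshold=3):
    """Per source IP: failure count, username spread, burst rate, and whether a
    successful logon followed the failures (a guessed password, not just noise)."""
    per_src = defaultdict(list)
    for e in events:
        per_src[e["src"]].append(e)
    report = {}
    for src, evs in per_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if not e["ok"]]
        users = sorted({e["user"] for e in fails})
        burst = max_in_window(fails, window)
        first_fail = fails[0]["ts"] if fails else None
        success_after = first_fail is not None and any(
            e["ok"] and e["ts"] > first_fail for e in evs)
        # Thresholds are assumptions for the example: a burst of failures in one
        # window, or many usernames from one source, is treated as brute force.
        flag = burst >= burst_threshold or len(users) >= user_threshold
        report[src] = {
            "failures": len(fails),
            "distinct_users": len(users),
            "usernames": users,
            "methods": sorted({e["method"] for e in fails}),
            "burst": burst,
            "success_after_failures": success_after,
            "flag": flag,
            "suspect_compromise": flag and success_after,
        }
    return report


def block_list(report, template="deny ip host {src} any"):
    """ACL lines for flagged sources (Step 10). The Cisco-style template is an
    assumption; use the syntax of the IPS or border router actually in use."""
    return [template.format(src=src) for src in sorted(report) if report[src]["flag"]]


if __name__ == "__main__":
    rpt = summarize(parse_log(SAMPLE_LOG))
    for src, r in sorted(rpt.items()):
        print(f"{src:15} fails={r['failures']:3} users={r['distinct_users']:3} "
              f"burst={r['burst']:3} flag={r['flag']} "
              f"suspect_compromise={r['suspect_compromise']}")
    print("\n".join(block_list(rpt)))
```

On the sample data two sources are flagged and one intranet admin who mistyped a password once is not. The suspect_compromise column is the one to act on first: a success after a burst of failures from the same source means the attacker is already logged in, so blocking the address is not enough and the administrative password must be changed and the session terminated.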
