An intrusion detection system (IDS) is a sensible complement to a firewall: it helps the security system spot the precursors of an intrusion and respond to network attacks. An IDS can monitor the network without degrading its performance, provides real-time coverage of internal attacks, external attacks and operator error, extends the administrator's security-management capabilities (security auditing, monitoring, attack identification and response), and strengthens the information security infrastructure as a whole. An IDS is not a cure-all, however; its high price deters many, and for a single server or a small network, deploying an IDS or a firewall may be more investment than the situation warrants.
I. Precursor detection for WWW service intrusion
The WWW service is one of the most common services exposed by servers on the network, and intrusion over port 80 is correspondingly the most common kind. Many script kiddies are keen on defacing web pages. A WWW service faces a large user population and relatively heavy traffic, while the vulnerabilities in WWW services, and the intrusion methods and techniques that go with them, are numerous and comparatively easy to use: many "hackers" use vulnerability scanners such as Wwwscan or X-scanner to sweep port 80 for a whole range of weaknesses, and some scanners target port 80 exclusively. IIS, which provides the WWW service on Windows systems, has also suffered a steady stream of vulnerabilities and is a standing headache for system administrators.
Although intrusion attempts and scans against port 80 are common, logging port 80 is also very easy. IIS offers powerful logging capabilities. Logging is enabled in the site's properties in Internet Services Manager. By default the logs are stored under %windir%\system32\LogFiles (in a per-site W3SVCn subfolder), one file per day named exyymmdd.log (W3C Extended format, where yymmdd is the date). Both the location and the fields that are recorded can be configured.
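As an added example (not part of the original article), the following Python script reads a handful of IIS W3C Extended log lines of the kind described above and flags the requests that look like probes for the Unicode directory-traversal vulnerability that the article goes on to use as its case. The log excerpt is constructed for illustration rather than taken from a real server, the field layout in its #Fields directive and the list of overlong slash encodings are assumptions (a partial list, not a complete signature set), and the script reads nothing from disk. It also catches double-percent-encoded traversal, which goes beyond the Unicode case in the text, and separates probes the server rejected from those it answered with a 2xx, which are no longer precursors but evidence that the traversal worked.

```python
"""Flag Unicode directory-traversal probes in IIS W3C Extended log lines.

Added example: the log lines below are constructed for illustration, not
taken from a real server. The list of overlong UTF-8 slash encodings is a
partial one (an assumption), not an exhaustive signature set.
"""
from collections import Counter
from urllib.parse import unquote

# Overlong encodings of '/' and '\' that IIS decoded *after* its path check
# (the "Unicode" bug). Partial list, assumed for the example.
UNICODE_SLASHES = ("%c0%af", "%c1%9c", "%c1%1c", "%c0%9v",
                   "%c1%pc", "%c0%qf", "%c1%8s", "%e0%80%af")

# Constructed W3C Extended log excerpt. IIS replaces spaces inside a field
# with '+' and logs an empty field as '-'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-06-12 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-06-12 00:00:01 10.0.0.5 GET /default.htm - 200 Mozilla/4.0+(compatible;+MSIE+5.5)
2001-06-12 00:00:02 10.0.0.5 GET /images/logo.gif - 200 Mozilla/4.0+(compatible;+MSIE+5.5)
2001-06-12 00:00:09 192.168.1.17 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404 -
2001-06-12 00:00:09 192.168.1.17 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 404 -
2001-06-12 00:00:10 192.168.1.17 GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe /c+dir 404 -
2001-06-12 00:00:10 192.168.1.17 GET /_vti_bin/..%c1%9c../..%c1%9c../winnt/system32/cmd.exe /c+dir 200 -
2001-06-12 00:00:15 172.16.3.9 GET /scripts/..%252e%252e%252fwinnt/system32/cmd.exe /c+dir 404 -
2001-06-12 00:00:20 10.0.0.5 GET /products/list.asp id=42 200 Mozilla/4.0+(compatible;+MSIE+5.5)
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # data before any #Fields line cannot be interpreted
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def classify(entry):
    """Return the reasons a request looks like a traversal probe ([] if clean)."""
    stem = entry.get("cs-uri-stem", "-")
    query = entry.get("cs-uri-query", "-")
    uri = stem if query == "-" else stem + "?" + query
    low = uri.lower()
    reasons = []
    if any(enc in low for enc in UNICODE_SLASHES):
        reasons.append("unicode-traversal")
    # Decode twice so %252e%252e%252f (double-encoded ../) is caught as well.
    decoded = unquote(unquote(low))
    if "../" in decoded or "..\\" in decoded:
        reasons.append("dot-dot-traversal")
    if "cmd.exe" in decoded or "root.exe" in decoded:
        reasons.append("command-shell")
    return reasons


def summarize(text):
    """Group probe hits by client IP; a 2xx on a probe means the traversal worked."""
    by_ip = {}
    for entry in parse_w3c(text):
        reasons = classify(entry)
        if not reasons:
            continue
        s = by_ip.setdefault(entry["c-ip"], {"probes": 0, "successes": 0,
                                             "reasons": Counter(),
                                             "first": None, "last": None})
        s["probes"] += 1
        if entry.get("sc-status", "").startswith("2"):
            s["successes"] += 1  # no longer a precursor: the server answered the traversal
        s["reasons"].update(reasons)
        when = entry["date"] + " " + entry["time"]
        s["first"] = s["first"] or when
        s["last"] = when
    return by_ip


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        verdict = "COMPROMISE LIKELY" if s["successes"] else "scan / precursor"
        print(f"{ip}: {s['probes']} probe(s), {s['successes']} succeeded, "
              f"{s['first']} .. {s['last']} -> {verdict}; {dict(s['reasons'])}")
```

Run against a real exyymmdd.log by passing its contents to summarize(); the #Fields line in the file drives the parsing, so any field order IIS was configured to write is accepted, but a log that omits cs-uri-stem or c-ip yields nothing, which is one more reason to keep the logs as detailed as possible.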
When configuring IIS, keep the IIS logs as detailed as possible; this helps with assessing and analysing an intrusion. We will now use these logs to detect intrusion precursors, that is, to find out whether the server is being scanned. Opening the log file, we can find a scan record like the following (an example involving the Unicode vulnerability):