Windows 2000 Server Security: Intrusion Monitoring

Source: Internet
Author: User
Keywords: security, server

In the previous chapter we discussed the security configuration of a Win2000 server. A carefully configured Win2000 server will fend off more than 90% of intrusion and infiltration attempts, but as I said at the end of that chapter, system security is a continuous process. New vulnerabilities keep appearing and server applications keep changing, so the security posture of the system is constantly changing too; and because attack and defense are two sides of the same coin, the advantage keeps swinging from one side to the other. Even the best system administrator therefore cannot guarantee that a server providing a public service will never be compromised over a long period.

So configuring the server securely is not the end of security work but the beginning of a long, tedious process. In this article we will look at basic intrusion detection techniques for a Win2000 server, in the hope of helping you keep the server secure over the long term.

Intrusion detection, as described in this article, means using the facilities of the Win2000 server itself together with software or scripts written by the system administrator; techniques that rely on a firewall or an intrusion detection system (IDS) are outside the scope of this article.

Now let's assume we have a Win2000 server that has been given an initial security configuration (see the Win2000 Server Security Configuration article for details). In this state most intruders are shut out. (Haha, my manager can go home and sleep.) Wait, I said most, not all. After the initial security configuration the server can defend against the vast majority of script kiddies (people who only use programs written by others to break into servers), but against a real expert it is still vulnerable. True experts will not casually enter other people's servers, but there are a few ill-intentioned ones who may take a fancy to yours. (Am I really that unlucky?) Moreover, there is often a window between the discovery of a vulnerability and the release of its patch, during which anyone who knows the vulnerability details can exploit it. That is where intrusion detection becomes very important.

Intrusion detection is mainly application-based: each service you provide should have a corresponding detection and analysis mechanism protecting it. For a typical host, attention should focus on the following:

1. Intrusion detection based on port 80

The WWW service is probably the most common service of all, and because it is exposed to the largest number of users and has the highest traffic and complexity, it also attracts the most vulnerabilities and intrusion techniques. On NT, IIS has always been a headache for system administrators (and port 80 is not something you can simply close), but fortunately the logging capability of IIS is a powerful helper for intrusion detection. IIS's own log files are stored by default under the System32/LogFiles directory and are usually rotated every 24 hours; the details can be configured in the IIS manager. (Exactly how you configure it is your business, but if you don't log in detail, don't come crying later when you can't find the intruder's IP.)

Now let's assume (why do we always have to assume? It's annoying!) ... don't worry, I can't really go and hack a host just to write this article, so let's assume a web server running the WWW service. You are its system administrator and have configured IIS carefully: you use the extended log format and record at least the time, client IP, method, URI stem, URI query and protocol status. We will use the recently popular Unicode vulnerability for the analysis. Open an IE window and enter in the address bar:

127.0.0.1/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir

With a default installation you will see a directory listing. (What? You've done the security configuration and can't see it? Restore the default installation then.) Now let's see what the IIS log recorded. Open ex010318.log (ex stands for the extended format, and the string of digits that follows is the log date):

07:42:58 127.0.0.1 GET /scripts/..\../winnt/system32\cmd.exe /c+dir 200

This log line says that at 07:42:58 GMT (i.e. 23:42:58) someone (the intruder) at IP 127.0.0.1 used the Unicode vulnerability (%c1%1c decodes to "\"; the exact sequence differs slightly between language versions of Windows) to run Cmd.exe on your machine with the parameter /c dir, and the run succeeded (HTTP 200 means a correct return). (Wow, the record is really complete; I won't dare play with Unicode any more.)

In most cases the IIS log faithfully records every request it receives (there are some special attacks that IIS does not log, which we will discuss later), so a good system administrator should be adept at using it to discover intrusion attempts and protect the system. However, IIS logs run to dozens of megabytes, and on a high-traffic site to dozens of gigabytes; manual inspection is almost impossible, and the only option is log analysis software. Writing a log analyzer (really just a text filter) in any language is very simple, but to allow for practical situations (the administrator cannot write programs, or no log analysis software can be found on the server), I can show you a simple method. For example, if you want to know whether anyone has tried to fetch your Global.asa file through port 80, you can use the following cmd command:

find "Global.asa" ex010318.log /i

This command uses the NT Find.exe tool (so you won't be stuck without a tool in an emergency) to find a string in the text file you want to filter: "Global.asa" is the string to search for, ex010318.log is the text file to filter, and /i means ignore case. Since I have no intention of turning this article into a Microsoft help document, please consult the Win2000 help file for the other parameters of this command and for the usage of its enhanced version, FindStr.exe.

Whether you use log analysis software or the find command, you can build a table of sensitive strings containing both known IIS vulnerability signatures (such as "+.HTR") and strings that future attacks are likely to request (such as Global.asa or Cmd.exe). By filtering the logs against this constantly updated table you will learn of an intruder's actions as early as possible.

One reminder: any log analysis software consumes a certain amount of system resources, so a low-priority task like IIS log analysis is best scheduled to run automatically during idle hours at night; if a script then sends the filtered suspicious lines to the system administrator, so much the better. Also, if the sensitive-string table is large and the filtering strategy complex, I suggest that writing a dedicated program in C is more cost-effective.
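As an added example (not code from the article), here is a small Python script that does what the article describes with the find command and the sensitive-string table, against an IIS log in W3C extended format: it reads the #Fields directive, filters each request's URI stem and query against a sensitive-string table case-insensitively (like find /i), and decodes the overlong Unicode sequences the article mentions (%c1%1c as "\") the way the article says the vulnerable IIS decoder did, so the match also works on requests logged in their encoded form. The sample log excerpt, the field subset, the string table and the report() function that a nightly scheduled job could mail to the administrator are all constructed for this example; the scheduling and mailing themselves are assumed and not shown.

```python
"""Filter an IIS W3C extended log for sensitive request strings.

Added example, not code from the article. Run with a log file path as the
only argument, or with no argument to scan the constructed sample below.
"""
import sys
from urllib.parse import unquote_to_bytes

# Constructed sample excerpt in IIS W3C extended format (not a real capture).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-03-18 07:40:00
#Fields: time c-ip cs-method cs-uri-stem cs-uri-query sc-status
07:41:10 10.0.0.5 GET /default.htm - 200
07:42:58 127.0.0.1 GET /scripts/..\\../winnt/system32\\cmd.exe /c+dir 200
07:43:02 10.0.0.7 GET /products/list.asp id=12 200
07:45:31 10.0.0.9 GET /global.asa - 403
07:46:00 10.0.0.9 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 404
07:47:12 10.0.0.11 GET /default.asp+.htr - 200
"""

# Sensitive-string table as the article suggests: known vulnerability
# signatures plus names an intruder is likely to request. Constructed here;
# a real table would be maintained and extended over time.
SENSITIVE_STRINGS = ["+.htr", "global.asa", "cmd.exe", "..\\", "../"]


def decode_as_iis(uri: str) -> str:
    """Percent-decode a URI the way the article describes the vulnerable IIS
    decoder behaving: a two-byte sequence with a 0xC0/0xC1 lead byte is
    collapsed to the ASCII character it overlong-encodes, so %c1%1c becomes
    a backslash. Other non-ASCII bytes are replaced by '?'."""
    raw = unquote_to_bytes(uri)
    out = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        elif b < 0x80:
            out.append(chr(b))
            i += 1
        else:
            out.append("?")
            i += 1
    return "".join(out)


def parse_w3c_log(text: str):
    """Yield one dict per request line, naming fields from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # malformed or pre-#Fields line: skip rather than guess
        yield dict(zip(fields, values))


def find_suspicious(text: str, patterns=SENSITIVE_STRINGS):
    """Return (record, matched_pattern) pairs for requests whose decoded URI
    stem or query contains a sensitive string, compared case-insensitively."""
    hits = []
    for rec in parse_w3c_log(text):
        target = decode_as_iis(rec["cs-uri-stem"] + " " + rec["cs-uri-query"]).lower()
        for pat in patterns:
            if pat.lower() in target:
                hits.append((rec, pat))
                break  # one hit per request is enough for the report
    return hits


def report(text: str) -> str:
    """Plain-text summary a scheduled night-time job could mail to the
    administrator (the scheduling and mailing are not part of this example)."""
    lines = []
    for rec, pat in find_suspicious(text):
        lines.append(f"{rec['time']} {rec['c-ip']} {rec['cs-method']} "
                     f"{rec['cs-uri-stem']} {rec['cs-uri-query']} "
                     f"status={rec['sc-status']} matched={pat!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1") as fh:
            data = fh.read()
    else:
        data = SAMPLE_LOG
    print(report(data) or "no suspicious requests")
```

On the sample above the script flags four requests: the two cmd.exe attempts (one logged decoded, one still percent-encoded), the global.asa fetch and the +.htr request, while the ordinary page requests pass through. Because the match runs on the decoded form, adding a new encoding of the same traversal to the attacker's request does not require a new entry in the string table.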
