Wednesday, December 15, 2010
【Weak Current College】 Tips for preventing intrusions on ADSL connections
With the spread of ADSL, always-on connections have become reality: being online at any time is no longer a distant dream. We must understand, however, that being permanently attached to the Internet also greatly increases the chance of being attacked. Knowing the enemy is the first step to defending against it, so let us look at the methods hackers use against ADSL users and the corresponding means of prevention.
How hackers attack ADSL users
In many places ADSL is billed monthly, so a machine stays online for long stretches. That gives an attacker plenty of time to run port and vulnerability scans, to guess the password online by brute force, or to sit passively with a sniffer and wait for the user name and password to be sent across the network.
A successful network attack generally goes through the following steps. The first step is to collect information about the target. To analyse the target thoroughly, the attacker must gather as much targeted and useful information as possible, so that the final analysis yields a list of the target's vulnerabilities. The results of that analysis include: operating system type, OS version, open services and the versions of those services, network topology, network equipment and firewalls.
Scanners identify the operating system mainly by TCP/IP stack fingerprinting. The main techniques are:
1. TCP ISN sampling: looking for a pattern in the initial sequence numbers that matches a specific OS.
2. FIN probe: a FIN packet (or any packet carrying neither the ACK nor the SYN flag) is sent to an open port and the response is observed. Many systems reply with a RST (reset) packet, which distinguishes them from systems that silently drop such a packet.
3. Bogus flag probe: a SYN packet is sent that also carries a flag bit not defined in the TCP header. Different systems react differently to the undefined flag, which tells some operating systems apart.
4. TCP initial window: the window size in the returned packet is checked; for some operating systems the window size alone is enough to identify them.
There are many scanning techniques, but the principle is simple. Here we briefly introduce the scanning tool Nmap (Network Mapper). It is currently the best scanning tool: powerful, versatile, available on many platforms, flexible, easy to use, portable, and it leaves very few traces. It can not only scan TCP/UDP ports but also scan and probe large networks.
Note that the examples use a real-looking domain name, which makes the scanning behaviour look more specific; substitute the addresses/names of your own network. You had better obtain permission before scanning; otherwise the consequences are your own responsibility.
nmap -v target.example.com
This command scans all reserved TCP ports on target.example.com; -v selects verbose mode.
nmap -sS -O target.example.com/24
This command starts a SYN (half-open) scan of the class C subnet that contains target.example.com and also tries to determine which operating system each target is running. It requires administrator privileges because of the half-open scan and the OS detection.
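The scanning and fingerprinting techniques described above all leave traces on the target: a burst of SYN packets to many ports from one address, and FIN or odd-flag packets that never occur in a legitimate session. The following PowerShell script is an added example, not part of the original article, that reads Windows Firewall log lines (the pfirewall.log layout with a `#Fields:` header) and reports both patterns. The log lines in `$SampleLog` are constructed sample data; replace them with the contents of your own firewall log.

```powershell
# Added example (not from the original article). Parses Windows Firewall log lines
# and flags (a) one source hitting many ports with bare SYNs, i.e. a port scan, and
# (b) FIN/odd-flag packets without ACK or SYN, i.e. the fingerprinting probes
# described in the article. The lines below are constructed sample data.

$SampleLog = @'
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2010-12-15 21:03:11 DROP TCP 203.0.113.5 192.168.1.10 40123 21 48 S 1001 0 5840 - - - RECEIVE
2010-12-15 21:03:11 DROP TCP 203.0.113.5 192.168.1.10 40124 23 48 S 1002 0 5840 - - - RECEIVE
2010-12-15 21:03:11 DROP TCP 203.0.113.5 192.168.1.10 40125 80 48 S 1003 0 5840 - - - RECEIVE
2010-12-15 21:03:12 DROP TCP 203.0.113.5 192.168.1.10 40126 135 48 S 1004 0 5840 - - - RECEIVE
2010-12-15 21:03:12 DROP TCP 203.0.113.5 192.168.1.10 40127 139 48 S 1005 0 5840 - - - RECEIVE
2010-12-15 21:03:12 DROP TCP 203.0.113.5 192.168.1.10 40128 445 48 S 1006 0 5840 - - - RECEIVE
2010-12-15 21:03:13 DROP TCP 203.0.113.5 192.168.1.10 40129 445 40 F 1007 0 1024 - - - RECEIVE
2010-12-15 21:03:13 DROP TCP 203.0.113.5 192.168.1.10 40130 445 40 FPU 1008 0 1024 - - - RECEIVE
2010-12-15 21:04:40 OPEN TCP 192.168.1.10 198.51.100.7 1045 80 0 - 0 0 0 - - - SEND
2010-12-15 21:04:41 DROP TCP 198.51.100.9 192.168.1.10 51000 80 48 S 2001 0 65535 - - - RECEIVE
'@

function Read-FirewallLog {
    # Turns log lines into objects whose property names come from the "#Fields:" header.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line) -or $null -eq $fields) { continue }
        $values = $line -split '\s+'
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

function Get-ProbeType {
    # Classifies a tcpflags string (letters S, A, F, R, P, U as written by the firewall log).
    param([string]$Flags)
    if ([string]::IsNullOrEmpty($Flags) -or $Flags -eq '-') { return $null }
    if ($Flags.Contains('A') -or $Flags.Contains('S') -or $Flags.Contains('R')) { return $null }
    # Neither ACK, SYN nor RST: no legitimate TCP segment looks like this.
    if ($Flags.Contains('F')) { return 'FIN probe' }      # F or FPU ("Xmas") probes
    return 'Odd-flag probe'                               # e.g. P or U alone
}

function Find-Probes {
    param([object[]]$Rows)
    foreach ($r in $Rows) {
        if ($r.protocol -ne 'TCP') { continue }
        $type = Get-ProbeType $r.tcpflags
        if ($type) {
            [pscustomobject]@{ Time = "$($r.date) $($r.time)"; Source = $r.'src-ip'
                               DstPort = $r.'dst-port'; Flags = $r.tcpflags; Probe = $type }
        }
    }
}

function Find-PortScans {
    # A single source whose bare SYNs were dropped on MinPorts or more distinct ports.
    param([object[]]$Rows, [int]$MinPorts = 5)
    $Rows | Where-Object { $_.action -eq 'DROP' -and $_.protocol -eq 'TCP' -and $_.tcpflags -eq 'S' } |
        Group-Object -Property 'src-ip' |
        ForEach-Object {
            $ports = @($_.Group.'dst-port' | Sort-Object -Unique)
            if ($ports.Count -ge $MinPorts) {
                [pscustomobject]@{ Source = $_.Name; DistinctPorts = $ports.Count; Ports = ($ports -join ',') }
            }
        }
}

$rows = @(Read-FirewallLog -Lines ($SampleLog -split "`r?`n"))
Find-PortScans -Rows $rows | Format-Table -AutoSize   # 203.0.113.5 hit 6 ports; 198.51.100.9 hit 1
Find-Probes    -Rows $rows | Format-Table -AutoSize   # the F and FPU packets to port 445
```

With the sample data the scan report names 203.0.113.5 (six distinct ports) and ignores 198.51.100.9, which touched only one port; the probe report lists the two FIN-family packets aimed at port 445. To run it against real data, replace `$SampleLog` with `Get-Content` of the host firewall's log file; the threshold `-MinPorts` is a tuning knob, not a standard.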
The second step of the attack is to establish a connection to the other side and find logon information. Suppose the scan found that the target machine has IPC$ enabled. The IPC$ share provides the "named pipes" resource that programs use to communicate; it is used for remote computer management and for viewing a computer's shared resources. Using IPC$, a hacker establishes a null session with the target (no user name or password) and, through that null session, can enumerate the target's user list.
The third step is to log in with a suitable tool. Open a command-line window and type the command: net use \\222.222.222.222\ipc$ "123456" /user:"administrator"
Here we assume the administrator password is 123456. If you do not know the administrator password, you also need the help of a password-cracking tool. Once logged in, everything is under the hacker's control.
Prevention methods
Because ADSL users generally stay online for a long time, they must strengthen their security awareness. Some people stay online for more than ten hours, or even leave the machine on overnight, and some turn their own machine into a Web or FTP server for others to access. Day-to-day prevention can generally be divided into the following steps.
Step one: make sure the Guest account is disabled. Many intrusions start by obtaining the administrator password or privileges through this account. If you do not want your computer to become someone else's toy, disable it. Open Control Panel, double-click "Users and Passwords", select the "Advanced" tab and click the "Advanced" button to open the Local Users and Groups window. In the right-hand pane, right-click the Guest account, select Properties, and on the "General" page tick "Account is disabled".
Step two: stop the default shares. After Windows 2000 is installed, the system creates some hidden shares. Click Start → Run → cmd, then type "net share" at the command line to view them. There are many articles online about IPC$ intrusions, which use one of these default shares to connect. To stop the shares, open Administrative Tools → Computer Management → Shared Folders → Shares, right-click the shared folder and choose "Stop Sharing".
Step three: shut down unnecessary services, such as Terminal Services, IIS (if you do not use your own machine as a Web server) and RAS (Remote Access Service). The Messenger service is also very annoying and must be turned off; otherwise someone will keep sending advertising through the network message service. Open Administrative Tools → Computer Management → Services and Applications → Services, and turn off the services you do not need.
Step four: prohibit null sessions. By default, any user can connect to the server through a null session, enumerate account names and then guess passwords. There are two ways to prevent null sessions:
(1) Modify the registry:
Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, set the DWORD value RestrictAnonymous to 1.
(2) Modify the Windows 2000 local security policy:
In "Local Security Policy → Local Policies → Security Options", set "Additional restrictions for anonymous connections" (RestrictAnonymous) to "Do not allow enumeration of SAM accounts and shares".
Step five: if you run a Web service, you also need to configure IIS securely:
(1) Change the home directory of the Web service. Right-click "Default Web Site → Properties → Home Directory → Local Path" and point "Local Path" to a different directory.
(2) Delete the default Inetpub directory created by the installation.
(3) Delete the following virtual directories: _vti_bin, IISSamples, IISAdmin, IISHelp, Scripts, MSADC.
(4) Delete unnecessary IIS extension mappings. Right-click "Default Web Site → Properties → Home Directory → Configuration" to open the Application Configuration window and remove the application mappings you do not need. If nothing else is required, keep only .asp and .asa.
(5) Back up the IIS configuration. The IIS backup feature saves the complete IIS configuration, so you can restore the secured configuration at any time.
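Steps one to four above are described as a sequence of clicks through the Windows 2000 GUI. The following PowerShell script is an added example, not part of the original article, that audits the same four items on a current Windows host: Guest account disabled, hidden administrative shares, the unnecessary services the article names, and the RestrictAnonymous value that blocks null-session enumeration. It assumes Windows PowerShell 5.1 on Windows 8 / Server 2012 or later (for `Get-LocalUser` and `Get-SmbShare`) and an elevated prompt; it only reports, and the remediation commands appear as comments. Step five (IIS) is not covered, because it depends on the IIS management tooling rather than the base OS.

```powershell
# Added example (not from the original article): read-only audit of the article's
# steps one to four. Assumes Windows PowerShell 5.1, Windows 8/Server 2012 or later,
# and an elevated prompt. Nothing is changed; fixes are given in comments.

function Test-GuestDisabled {
    # Step one. Locate Guest by its well-known RID (501) so a renamed account is still found.
    $guest = Get-LocalUser | Where-Object { $_.SID -like 'S-1-5-21-*-501' }
    $detail = if ($guest) { "$($guest.Name), Enabled=$($guest.Enabled)" } else { 'not found' }
    # Fix: Disable-LocalUser -Name Guest
    [pscustomobject]@{ Check = 'Guest account disabled'
                       Pass  = ($null -eq $guest) -or (-not $guest.Enabled)
                       Detail = $detail }
}

function Test-DefaultShares {
    # Step two. Administrative shares end in '$' (C$, ADMIN$, ...). IPC$ is needed by SMB
    # itself; the article's answer for IPC$ is step four (RestrictAnonymous), not removal.
    $hidden = @(Get-SmbShare | Where-Object { $_.Name -like '*$' -and $_.Name -ne 'IPC$' })
    # Fix: Remove-SmbShare -Name C$ ; to keep them from returning at boot set
    #      HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters AutoShareWks (or AutoShareServer) = 0
    [pscustomobject]@{ Check = 'No hidden administrative shares except IPC$'
                       Pass  = ($hidden.Count -eq 0)
                       Detail = ($hidden.Name -join ', ') }
}

function Test-UnneededServices {
    # Step three. Service names: TermService = Terminal Services, W3SVC = IIS Web Publishing,
    # RemoteAccess = Routing and Remote Access, Messenger = the old network message service.
    param([string[]]$Names = @('TermService', 'W3SVC', 'RemoteAccess', 'Messenger'))
    foreach ($n in $Names) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        $state = if ($svc) { "$($svc.Status), StartType=$($svc.StartType)" } else { 'not installed' }
        # Fix: Stop-Service -Name $n ; Set-Service -Name $n -StartupType Disabled
        [pscustomobject]@{ Check = "Service $n stopped or absent"
                           Pass  = ($null -eq $svc) -or ($svc.Status -ne 'Running')
                           Detail = $state }
    }
}

function Test-RestrictAnonymous {
    # Step four. A missing value reads as 0 (anonymous enumeration allowed).
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $ra  = [int]$lsa.RestrictAnonymous
    # Fix: Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    #          -Name RestrictAnonymous -Value 1 -Type DWord
    [pscustomobject]@{ Check = 'RestrictAnonymous = 1 (no SAM/share enumeration)'
                       Pass  = ($ra -ge 1)
                       Detail = "RestrictAnonymous=$ra" }
}

$results = @(Test-GuestDisabled; Test-DefaultShares; Test-UnneededServices; Test-RestrictAnonymous)
$results | Format-Table Check, Pass, Detail -AutoSize
if ($results | Where-Object { -not $_.Pass }) { Write-Warning 'One or more hardening checks failed.' }
```

Each check returns an object with a `Pass` flag, so the script can be scheduled and its output collected from many machines. The service list is the article's; pass a different `-Names` list to `Test-UnneededServices` for hosts that legitimately run IIS or Remote Desktop.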
Do not assume everything is safe after this: Microsoft operating systems have plenty of bugs we do not know about, so be sure to apply Microsoft's patches.
Finally, it is recommended that you choose a practical firewall, such as BlackICE from NetworkICE Corporation. Installation and operation are very simple; even someone with no background in network security can detect most types of hacker attack with the default configuration. Experienced users can also open "Advanced Firewall Settings" under "Tools" to accept or reject a specific IP address or a specific UDP port, achieving a targeted defensive effect.