[Windows Security Knowledge] Win2000 Server Intrusion Monitoring

xiaoxiao  2021-03-06

In the previous article of this intrusion series we covered the security configuration of Win2000 Server. A carefully configured Win2000 server can fend off more than 90% of intrusion and penetration attempts, but, as I said at the end of that article, system security is a continuous process: as new vulnerabilities appear and the applications on the server change, the security status of the system keeps changing; and because attack and defence are two sides of one contradiction, the balance between them keeps shifting as well (the law grows a foot, the devil grows ten). So even the best system administrator cannot guarantee that a server in production will never be broken into. A secure configuration is therefore not the end of the security work but the beginning of a long and tedious job. In this article we take a first look at intrusion detection on a Win2000 server, in the hope that it helps you keep the server safe over the long term. "Intrusion detection" here means using the facilities built into Win2000 Server together with software or scripts written by the administrator; firewalls and intrusion detection systems (IDS) are outside the scope of this article.

So: we have a Win2000 Server that has already been through a basic security configuration (see the previous article for details), and most intruders are now shut outside the door. (Great, the administrator can go home and sleep, and so can I.) Not so fast: I said most, not all. A server with a basic security configuration will stop most script kiddies (people who only use programs written by others to break into servers), but against a real expert it may still fall. Granted, a real expert may not bother with your server, but it is hard to rule out that a few skilled people with bad intentions will take an interest in it. (Am I really that unlucky?)
Moreover, there is often a gap between the discovery of a vulnerability and the release of its patch, during which anyone who knows about the vulnerability can exploit it. This is where intrusion detection becomes very important. Intrusion detection is driven mainly by the application: each service the server provides should have a corresponding detection and analysis mechanism protecting it. For a typical host, the following aspects deserve attention.

1. Detection of intrusions via port 80

WWW is probably the most common service, and because it faces the largest and most diverse audience, its vulnerabilities and intrusion techniques are also the most numerous. On NT, IIS has long been the part that gives system administrators headaches (one is tempted to just shut the port), but fortunately IIS's built-in logging can, to some extent, be a capable assistant for intrusion detection. IIS's own log files are stored by default in the System32\Logfiles directory and are normally rolled over every 24 hours; how much detail is logged can be configured in the IIS Manager.

(How do I set the logging detail? Well, if you don't log in detail you won't be able to find the intruder's IP, so don't come crying to me.) Now let's re-enact an intrusion (how? Don't worry, I'm not going to break into a real host to write this article), so let's assume we have a web server with the WWW service open, you are its system administrator, it has been carefully configured, it uses the W3C extended log format, and it logs at least time (Time), client IP (Client IP), method (Method), URI stem (URI Stem), URI query (URI Query) and protocol status (Protocol Status). We take the recently popular Unicode vulnerability as the example. Open an IE window and enter:

127.0.0.1/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir

By default you get a directory listing (what? You did the security configuration and can't see it? Restore the default installation, this is an experiment). Now look at the IIS log: open ex010318.log ("ex" stands for the W3C extended format, and the digits after it are the date the log was recorded):

07:42:58 127.0.0.1 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200

This line says that at 07:42:58 Greenwich time (that is, 23:42:58 local time) someone (the intruder) from IP 127.0.0.1 used the Unicode vulnerability against your machine (%c1%1c is decoded here as "/"; which encoding actually runs cmd.exe varies slightly with the language version of Windows), the parameter was /c dir, and the operation succeeded (HTTP 200 means the request was handled correctly). (Wow, you really dare to play with Unicode; I don't.) In most cases IIS's log faithfully records every request it receives (there are a few special attacks that IIS does not record; we will come to that later), so a good system administrator should learn to use the log to discover intrusion attempts and so protect the system.

However, an IIS log can run to tens of megabytes, and on a busy site reading it by hand is out of the question; the only practical choice is log analysis software. Writing a log analyser in any language is very simple (it is really just a text filter), but given practical constraints (the administrator may not program, or there may be no log analysis software to be found on the server) I can offer a simple method. Say I want to know whether anyone has tried to fetch my global.asa file through port 80. I can use the following cmd command:

find "global.asa" ex010318.log /i

This command uses find.exe, which ships with NT (so there is nothing to panic about in an emergency), and easily finds the string you want in a text file: "global.asa" is the string to search for, ex010318.log is the text file to be filtered, and /i means ignore case. Since I don't want to accidentally turn this article into a copy of Microsoft's help, see the Win2000 help file for the other parameters of this command and of its enhanced version, findstr.exe. Whether you use log analysis software or the find command, you can build a table of sensitive strings covering known IIS vulnerabilities (such as ".htr") and resources that are likely to be requested in an attack (such as global.asa or cmd.exe); by filtering the log against this continually updated table you learn about intruders as early as possible. Bear in mind that any log analysis software occupies some system resources, so a low-priority task like IIS log analysis is best scheduled to run automatically when the server is idle; if you write a script that mails the filtered suspicious lines to the system administrator, so much the better. And if the table of sensitive strings is large and the filtering strategy complex, I suggest writing a dedicated program in C.
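The following is an added example, not code from the original article: a small Python log filter that does what the find command and the "sensitive string table" above describe, but first undoes the Unicode (overlong UTF-8) encoding so that the raw request and the decoded request match the same strings. The W3C field names, the sample log lines and the three overlong sequences in OVERLONG are assumptions constructed for the example; the log format follows the fields the article recommends.

```python
"""Added example (not code from the original article): scan an IIS W3C
extended log for a table of sensitive strings, after undoing the overlong
UTF-8 encoding that the Unicode traversal relies on."""
import re
from urllib.parse import unquote

# Sensitive-string table in the spirit of the article: a known IIS
# vulnerability marker (.htr), resources an intruder goes for (global.asa,
# cmd.exe) and the decoded traversal itself. Extend it as new holes appear.
SENSITIVE = ["cmd.exe", "global.asa", ".htr", "../", "..\\"]

# Overlong UTF-8 sequences seen in the IIS Unicode traversal. Each is treated
# as a directory separator before matching; Windows accepts either separator,
# so the exact character IIS decoded them to does not matter for detection.
OVERLONG = {"%c0%af": "/", "%c1%1c": "\\", "%c1%9c": "\\"}
_OVERLONG_RE = re.compile("|".join(re.escape(s) for s in OVERLONG), re.IGNORECASE)

# Constructed sample in the W3C extended format the article recommends
# (time, client IP, method, URI stem, URI query, protocol status).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-03-18 07:42:58
#Fields: time c-ip cs-method cs-uri-stem cs-uri-query sc-status
07:42:58 127.0.0.1 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
07:43:10 192.168.10.123 GET /default.htm - 200
07:43:15 192.168.10.123 GET /global.asa - 403
07:43:20 192.168.10.123 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
07:44:01 192.168.12.29 GET /index.htr - 404
"""


def decode_uri(uri):
    """Replace overlong sequences with a plain separator, then percent-decode."""
    normalised = _OVERLONG_RE.sub(lambda m: OVERLONG[m.group(0).lower()], uri)
    return unquote(normalised)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            continue  # data before any #Fields header cannot be interpreted
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        yield dict(zip(fields, parts))


def scan(text, patterns=SENSITIVE):
    """Return the requests whose decoded URI stem or query contains a sensitive string."""
    hits = []
    for rec in parse_w3c(text):
        stem = decode_uri(rec.get("cs-uri-stem", "-"))
        query = decode_uri(rec.get("cs-uri-query", "-"))
        haystack = (stem + " " + query).lower()
        matched = [p for p in patterns if p.lower() in haystack]
        if matched:
            hits.append({
                "time": rec.get("time", "-"),
                "ip": rec.get("c-ip", "-"),
                "status": rec.get("sc-status", "-"),
                "uri": stem,
                "matched": matched,
            })
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["time"], h["ip"], h["status"], h["uri"], ",".join(h["matched"]))
```

Run it against a real ex*.log instead of SAMPLE_LOG (read the file and pass its text to scan) from a scheduled task during quiet hours, and mail the hits rather than printing them; the protocol status in each hit tells you whether the attempt succeeded (200) or was refused.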
2. Detection based on the security log

Intrusion monitoring based on the IIS log tells us the whereabouts of intruders (and of visitors who, handled badly, could turn into intruders at any moment), but the IIS log is not a cure-all: in some cases it cannot record an intrusion that comes through port 80. According to my analysis of the IIS logging system, IIS writes the log entry only after a request completes; in other words, if a request fails there will be no trace of it in the log file (failure here does not mean an HTTP 400 error, but a request that never completes at the TCP layer, for example a large POST that is interrupted abnormally), and an intruder can complete a great deal of activity while bypassing the logging system in this way. Moreover, on a host that does not serve port 80 only, an intruder can also enter the server through other services, so a complete security monitoring system is needed. Win2000 has a fairly capable security log system that records in great detail everything from user logons to the use of privileges. Unfortunately, security auditing is off by default, which is why some hosts, after being compromised, have no record at all of what happened. So the first thing to do is to go to Administrative Tools -> Local Security Policy -> Local Policies -> Audit Policy. In general, logon events and account management are of most interest, and auditing both success and failure for them is essential; the other categories should also have failure auditing turned on. That way the intruder gives the game away at every step.

Turning on security auditing alone does not solve the problem completely: if the size and overwrite policy of the security log are not configured well, an experienced intruder can cover his real tracks with a flood of forged requests. Typically, setting the security log size to 50MB and overwriting only entries older than 7 days avoids this. Setting up the security log but never checking it is almost as bad as not setting it up at all (the only advantage is that the intruder can be traced after the break-in), so developing the habit of checking the security log is also very important. The recommended time to check it is every morning, because intruders like to act at night (hurry up: if you're only halfway through your intrusion when morning comes, you won't even have time to cry), so make the first thing you do at work a look at the log, and only then anything else. If you like, you can also write a script that mails you the security log every day (just don't trust it blindly: if the intruder changes your script to mail "all safe"...). Besides the security log, the system log and application log are also very good auxiliary monitoring tools. In general an intruder leaves traces in the security log (if he has obtained admin privileges he will certainly remove them), but the system and application logs will still hold clues, so as a system administrator you must let no abnormality pass unexamined, which makes it hard for intruders to hide their whereabouts.

3. File access logs and key file protection

Besides the system's default security auditing, for critical files we should also add file access auditing to record who accesses them. There are many options for file access auditing: access, modify, execute, create, change attributes...; in general, watching access and modification already gives a lot of monitoring value.
For example, if we audit modification and creation in the system directory and on some important files (such as cmd.exe, net.exe and the system32 directory), an intruder will find it hard to plant a backdoor without drawing our attention. Note that the number of key files and items being monitored must not be too large, otherwise it not only increases the load on the system but also disrupts the daily log review (which system administrator has the patience to read four or five thousand junk log entries?). Key files are not only system files; they include any file whose compromise could harm the system administrator or other users, such as the administrator's desktop files, which are likely targets for stealing the administrator's data or passwords.

4. Process monitoring

Process monitoring is another powerful weapon for tracking backdoors and Trojans: more than 90% of Trojans and backdoors run as a process (there are Trojans in other forms too; see "Unveiling the mystery of Trojans"). Understanding every process running on the server is one of a system administrator's responsibilities (otherwise, never mind security, you can't even tune the system), so making a list of the processes running on each server is essential; it lets the administrator spot at a glance an intrusion process, an abnormal user process, or abnormal resource consumption that may indicate an illegal process. Besides processes, DLLs are also dangerous: a Trojan originally written as an EXE can, for example, be rewritten as a DLL and run via Rundll32, which is far more confusing.

5. Registry verification

In general, Trojans and backdoors use the registry to run themselves again after a reboot, so checking the registry to discover intrusions is also a common method.

In general, if an intruder only knows how to use popular Trojans, finding them is relatively easy, because ordinary Trojans can only write to specific keys (such as Run, RunOnce and so on); but a Trojan written or modified by the intruder himself can hide anywhere in the registry, and manual searching is then not feasible. (The registry has countless hiding places; take the notorious FakeGINA technique, which uses the registry to get itself loaded at logon and then records the password of every user who logs on. I won't go into specific countermeasures here.) The answer is to monitor any change to the registry, so that a Trojan that rewrites the registry has nowhere to hide. There is plenty of software for monitoring the registry, and many Trojan tracking tools have this function; a monitoring tool that also backs up the registry is even better, so that if the registry is modified without authorization the system administrator can restore it in the shortest possible time.
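As an added example (not the article's own code) covering both section 3 (key files such as cmd.exe and net.exe) and section 5 (Run and RunOnce), the following Python script builds a baseline of file hashes and autostart registry values, saves it, and reports what has been added, removed or changed on a later run; the same snapshot-and-diff approach applies to the process list of section 4. The paths in KEY_FILES, the hive and subkey names, and the files created by demo() are assumptions for the example; the registry part uses Python's standard winreg module and simply returns nothing on a non-Windows host.

```python
"""Added example (not from the article): a baseline-and-diff check for key
files (section 3) and autostart registry values (section 5). Snapshot once,
save the baseline, and compare a fresh snapshot against it on every later run."""
import hashlib
import json
import os
import tempfile

# Key files in the article's sense; assumed paths, adjust to the server being checked.
KEY_FILES = [r"C:\WINNT\system32\cmd.exe", r"C:\WINNT\system32\net.exe"]

# Autostart keys the article names (Run, RunOnce); checked under HKLM and HKCU.
AUTOSTART_SUBKEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
]


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot_files(paths):
    """Map 'file:<path>' to its hash. Files that do not exist are left out, so a
    deleted key file shows up in the diff as 'removed'."""
    return {"file:" + p: hash_file(p) for p in paths if os.path.isfile(p)}


def snapshot_autostart():
    """Map 'reg:<hive>\\<subkey>\\<value name>' to the command it runs.
    Uses the standard winreg module; returns {} where it is unavailable."""
    try:
        import winreg
    except ImportError:
        return {}
    snap = {}
    hives = (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER))
    for hive_name, hive in hives:
        for subkey in AUTOSTART_SUBKEYS:
            try:
                key = winreg.OpenKey(hive, subkey)
            except OSError:
                continue  # key absent in this hive
            with key:
                index = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break  # no more values
                    snap["reg:%s\\%s\\%s" % (hive_name, subkey, name)] = str(value)
                    index += 1
    return snap


def diff_snapshots(baseline, current):
    """Report items added, removed or changed relative to the baseline."""
    return {
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
        "changed": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }


def save_baseline(path, snapshot):
    with open(path, "w") as f:
        json.dump(snapshot, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Walk-through on constructed files: baseline two 'key files', then replace
    one, delete the other and drop in a new one, and report what the diff sees.
    Returns base names only so the result does not depend on the temp directory."""
    with tempfile.TemporaryDirectory() as d:
        cmd, net, extra = (os.path.join(d, n) for n in ("cmd.exe", "net.exe", "backdoor.exe"))
        for p in (cmd, net):
            with open(p, "wb") as f:
                f.write(b"constructed original content of " + os.path.basename(p).encode())
        baseline_path = os.path.join(d, "baseline.json")
        save_baseline(baseline_path, snapshot_files([cmd, net, extra]))
        # simulated tampering: cmd.exe replaced, net.exe deleted, a new file planted
        with open(cmd, "wb") as f:
            f.write(b"constructed replaced content")
        os.remove(net)
        with open(extra, "wb") as f:
            f.write(b"constructed new file")
        report = diff_snapshots(load_baseline(baseline_path), snapshot_files([cmd, net, extra]))
        return {k: [os.path.basename(v.split("file:", 1)[1]) for v in vals] for k, vals in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In real use you would merge snapshot_files(KEY_FILES) and snapshot_autostart() into one dict, save it as the baseline while the server is known to be clean, keep that baseline file somewhere the intruder cannot rewrite it (offline or on another host, just as the article advises for the registry backup), and schedule the diff alongside the morning log check.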
6. Port monitoring

Although there are Trojans that do not use a port, most backdoors and Trojans do use TCP connections, so monitoring ports is very important on hosts that, for whatever reason, cannot block ports. We won't go into advanced NDIS network driver programming here; for a system administrator, knowing which ports are open on the server matters more, and running netstat often to check the server's port status is a good habit, but it cannot be done 24 hours a day. The NT security log also has the bad habit of recording machine names rather than IPs (I don't know what Bill Gates was thinking). If you have no firewall and no intrusion detection software, you can use a script to log IPs. Look at this command:

netstat -n -p tcp 10 >> netstat.log

It re-reads the TCP connections every 10 seconds and appends them to netstat.log. Based on it we make a Netlog.bat file:

time /t >> netstat.log
netstat -n -p tcp 10 >> netstat.log

This script automatically records the time and the state of the TCP connections. Be aware that if the site has heavy traffic this consumes a certain amount of CPU time and the log file grows large, so use it with care. (If a script could do everything, who would buy a firewall? :) Once you find an unusual port, you can use a specialised program to associate the port with its executable and process (Inzider, for example, has this function: it finds the ports the server listens on and the file associated with each port; Inzider can be downloaded from http://www.nttoolbox.com), so that a backdoor hiding behind a TCP or UDP port has nowhere left to hide.

7. Terminal Services log monitoring

It is reasonable to treat log monitoring of Terminal Services separately. The Terminal Services that ship with Microsoft Win2000 Server are a tool based on the Remote Desktop Protocol (RDP). They are very fast and very stable and make a good remote management tool, but because the software is powerful and protected only by a password, it is also very dangerous: once an intruder has the administrator password, he can operate the remote server as if it were his own machine (no deep NT command-line skills needed, no special scripts or programs to write; every system management operation can be done with the mouse. Too convenient, and too terrible). Although many people use Terminal Services for remote management, not everyone knows how to audit it, and most terminal servers do not have logon auditing enabled, even though turning it on is very easy. Open Terminal Services Configuration, click "Connections", right-click the RDP service you want to configure (such as RDP-Tcp (Microsoft RDP 5.0)), select the "Permissions" tab, click "Advanced" in the lower left corner, and you will see the "Auditing" tab. Add the Everyone group, which represents all users, and audit success and failure of "Connect", "Disconnect" and "Logon"; that is enough, as too much auditing is counterproductive. These audit entries are recorded in the security log and can be viewed via Administrative Tools -> Event Viewer.

Now I know exactly who logs on to my server, but it is still not perfect: this shabby thing does not actually log the client's IP (only the IP of currently connected users), just the machine name, damn! If someone uses a machine name like PIG, you just get mocked. I don't know what Microsoft was thinking. It seems we can't count on Microsoft, so let's do it ourselves. Writing a program solves everything: can you do C? No? What about VB? No? Delphi? ... What? You don't know any programming language at all? Well, a system administrator is not a programmer after all. Don't worry, I'll find a way. Let's create a batch file called TSLog.bat to record the IP of whoever logs on, with the following content:

time /t >> tslog.log
netstat -n -p tcp | find ":3389" >> tslog.log
start explorer

Let me explain what this file does. The first line is the logon time: time /t returns the system time directly (without /t the system would wait for you to enter a new time), and the append operator ">>" writes this time into the log as the time field. The second line is the user's IP address: netstat displays the current network connections, -n means show IPs and port numbers instead of domain names and protocol names, and -p tcp restricts the output to the TCP protocol; we then use the pipe symbol "|" to send this command's output to the find command, which picks out the lines containing ":3389" (that is the line with our client's IP; if you change the port of Terminal Services, change this value accordingly), and finally we append the result to the log file tslog.log in the same way. The records in tslog.log then look like this:

22:40
TCP 192.168.12.28:3389 192.168.10.123:4903 ESTABLISHED
22:54
TCP 192.168.128:3389 192.168.12.29:1039 ESTABLISHED

So as long as TSLog.bat runs, every IP that connects to port 3389 is recorded. How do we run this batch file automatically? Terminal Services lets us customise the starting program for a user: in Terminal Services Configuration we override the user's logon script setting and specify tslog.bat as the program to run when the user logs on, so the script runs for every user who logs on. Because the default program (the equivalent of the shell environment) is Explorer, I add the command "start explorer" on the last line of TSLog.bat; without this line the user would have no way to reach the desktop! Of course, if you only want to give users a specific shell, say cmd.exe or word.exe, you can replace start explorer with any shell. This script could be written in other ways too; as a system administrator, use your imagination and your resources freely. For important servers, for example, writing a script that mails the IP of each logged-on user to your own mailbox is also a good approach.
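The Python script below is an added example, not code from the article: it parses the netstat output that Netlog.bat (section 6) and TSLog.bat (section 7) append to their logs, flags local ports that are not on an allowed list, and lists the client IP behind every established connection to the Terminal Services port together with the preceding time /t stamp. The sample logs are constructed, and the assumed allowed-port set {80, 3389} is just what the sample server is supposed to expose; the column layout is that of netstat -n -p tcp, with -a output (LISTENING lines) also accepted.

```python
"""Added example (not the article's own code): parse the netstat output that
Netlog.bat and TSLog.bat append to their logs, flag local ports outside an
allowed list (section 6) and list who connected to the Terminal Services port
(section 7). The sample logs below are constructed."""
import re

# A 'netstat -n -p tcp' line: Proto, Local Address, Foreign Address, State.
_NETSTAT_LINE = re.compile(r"^\s*(TCP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$", re.IGNORECASE)
# A 'time /t' stamp, as the batch files write it before each netstat run
# ('22:40', or '10:40 PM' on an English locale).
_STAMP = re.compile(r"^\s*(\d{1,2}:\d{2}(?:\s*[AP]M)?)\s*$", re.IGNORECASE)

# Constructed tslog.log, in the format the article shows.
SAMPLE_TSLOG = """\
22:40
  TCP    192.168.12.28:3389     192.168.10.123:4903    ESTABLISHED
22:54
  TCP    192.168.12.28:3389     192.168.12.29:1039     ESTABLISHED
"""

# Constructed netstat.log, including the header lines netstat prints.
SAMPLE_NETLOG = """\
23:10
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  TCP    192.168.12.28:80       192.168.10.50:1201     ESTABLISHED
  TCP    192.168.12.28:31337    192.168.10.99:2048     ESTABLISHED
"""


def parse_netstat(text):
    """Return one record per connection line; each carries the latest time stamp seen."""
    records, stamp = [], None
    for line in text.splitlines():
        m = _STAMP.match(line)
        if m:
            stamp = m.group(1)
            continue
        m = _NETSTAT_LINE.match(line)
        if not m:
            continue  # 'Active Connections', column headers, blank lines
        proto, lip, lport, rip, rport, state = m.groups()
        records.append({"stamp": stamp, "proto": proto.upper(), "local_ip": lip,
                        "local_port": int(lport), "remote_ip": rip,
                        "remote_port": int(rport), "state": state.upper()})
    return records


def unexpected_ports(records, allowed):
    """Local ports seen in the log that are not in the allowed set, sorted."""
    return sorted({r["local_port"] for r in records if r["local_port"] not in allowed})


def rdp_logons(records, port=3389):
    """(time stamp, client IP) for every established connection to the TS port."""
    return [(r["stamp"], r["remote_ip"]) for r in records
            if r["local_port"] == port and r["state"] == "ESTABLISHED"]


if __name__ == "__main__":
    print("unexpected ports:", unexpected_ports(parse_netstat(SAMPLE_NETLOG), {80, 3389}))
    for stamp, ip in rdp_logons(parse_netstat(SAMPLE_TSLOG)):
        print(stamp, ip)
```

An unexpected port from unexpected_ports is exactly the case where the article suggests running a tool such as Inzider to tie the port back to its executable; the rdp_logons list gives the per-logon client IP that the security log itself does not record.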

Please credit the original address when reprinting: https://www.9cbs.com/read-52355.html
