We're not talking about
script-kiddies here. You
know, the
fourteen-year-old kids
who can slip little
programs into you server
that leave obscene
messages on your web
site?
We're talking about
dedicated criminals,
mean-spirited
ex-employees, organized
crime - these guys are
going after the big
enchilada. They want to
take down defense
systems, banks,
brokerages, and
corporations. These are
the kind of guys that
hacked Amazon and
Microsoft.
They're also the kind of
characters that divert
electronic funds
transfers.
Or maybe they work on a
smaller scale. Maybe
they just go after small
business. If they go
after enough of them,
then they make money.
One thing they all have
in common is patience.
In this article, I'll
try to explain briefly (
a few sentences) how
various hacking methods
work so that you can
learn to recognize them.
For the more
technically-minded, I've
included several web
references that contain
more detailed
explanations. Please
remember that the
methods you use to
locate hacking attempts
on your system are
similar or, in some
cases, identical to the
methods used by the
hackers themselves. But
that's how you catch the
crooks sometimes:
determine what their
methods are, and then
proceed logically as
they would,
step-by-step.
Sources of Information:
So how do you defend
yourself against such
attacks as Denial of
Service, spoofing,
sniffing, and password
theft. This article is
intended as a guideline
to several methods of
protecting your servers.
There are other more
detailed sources, such
as "Counter Hack", an
excellent manual on
hacker defense
strategies by Ed Skoudis,
as well as the following
websites:
www.sans.orgwww.eeye.com
www.securify.comwww.atomictangerine.comwww.cert.org
I've tried to limit the
site references to
"safe" ones. There are
numerous sites on the
'net, set up by and for
hackers. Professional
security experts often
visit these sites to
download hacker
software. Don't do this
unless you have taken a
number of precautions.
Many of these sites will
record the IP addresses
of all visitors, and
these aren't the kind of
people who should have
that kind of
information! If you're
interested in
investigating these
sites, or even
downloading their
software to become
familiar with hacking
methods, set up a
separate "lab" network
and use a different ISP
than you use for your
professional network.
Let's now discuss the
number one defense
against hackers:
Plug up Those Ports!
We all know what ports
are, right? Those spaces
in computer programs set
aside for input and
output of data. The
operating systems
Windows NT and 2000, for
example, each have
65,535 ports. They are
used by Windows to
perform numerous tasks,
most of them invisible
to the user. Some of the
ports however, are
visible to the user, and
are called "well-known"
ports. For example, the
default port for the
HTTP protocol is 80. For
example, if you're
running MS Internet
Information Server as
your web server (or, for
that matter, Apache),
then you will probably
use port 80 for the
input and output of data
to your site.
Now, there's nothing
that says some hacker
couldn't use that same
port for input and
output of data, only in
the hacker's case, the
data could be a virus or
a Trojan Horse. (We'll
discuss the ways that
this can be done later.)
One defense against
someone entering your
server through port 80
is to run your web site
from a port that is not
"well-known", like, say,
port 5555. If you do
this however you will
have to notify your
visitors to enter your
site through that port.
So the URL would look
something like this:
www.yoursite.com:5555
Now suppose you aren't
running a site on your
server; i.e., you're
just using it for a
gateway. In that case,
there's no need to have
either port 80 or the
HTTP service running at
all! So, just shut it
off. The same goes for
FTP, Telnet or any other
service that you don't
really use.
Protect Passwords, Logs
and Accounting Files
If hackers can reach the
files and folders
containing your users'
passwords they can be
copied (by FTP or
Telnet, for example) to
the hacker's PC and then
decoded. A similar
situation exists with
accounting files in
which file permissions
are set (give name of
file in UNIX and
Windows), and logs which
record the files that
users access or services
that the server runs.
All of these tidbits are
pieces of a puzzle to
the hacker, enabling him
to build a total picture
of your network.
This defense here
consists of initiating a
strong password policy
for your users and
making sure, via memo or
email, that users are
aware of the dangers of
password cracking and
should follow the policy
to the closest letter.
The more sensitive the
information the users
work with, the more
stringent the policy
should be.
Hide the password
database:
This is located in the
\SYSTEM32\CONFIG
directory of the Windows
2000 server. In UNIX or
Linux it is in
/etc/groups or /etc/passwd.
Conduct your own
password - cracking
tests with software like
L0phtCrack. This can be
purchased at the
following site:
http://www.sunbelt-software.com/
Other authentication
methods, like voice
recognition or security
cards, can be used for
highly confidential
information. Or you can
store your password
files and logs on
write-once CD-ROMs.
Make your important
files difficult to find,
using the .htaccess
directory. (UNIX
machines do not see
files or directories
preceded by a dot.)
(Hiding files works both
way, of course. Both the
attackers and the
attacked can hide files.
If you think that
hackers have left hidden
files on your servers,
use file-integrity
checking software to
locate hidden files.)
Windows' checks and
balances:
Like the US legal
system, Windows NT/2000
security is based on a
system of checks and
balances. NTFS file
properties, user
properties and account
properties can override
each other, if not set
properly. This can
create confusion in the
mind of the systems
administrator: "Why am I
denied access to this
file, when I know it's
part of the
Administrator group?"
Well, it's because the
file properties
themselves are set to
"Access Denied", and
that overrides
everything else. "But
how did THAT happen??"
Well, someone hacked
into your system and
changed the permissions!
Conclusion: Permissions
for Users and
Permissions for
Processes must both be
monitored.
Beware of Denial of
Service (DoS) attacks!
Denial of Service
attacks have become very
popular with hackers
during the past few
years. They're
relatively easy to
perform, for one thing.
The most basic kind of
attack consists of
repeatedly pinging a
server's IP address,
until the server stops
under the burden of
having to reply to so
many requests.
A more sophisticated
form of this attack
includes the creation of
"zombies." These are
servers or workstations
that have had special
communications software
installed on them, by
stealth. The software
enables the hacker to
communicate with machine
and order it to begin
executing pings to a
specific server.
Let's suppose that the
hacker has created a
team of zombies by
installing his
communications software
on eight servers,
located on the internet.
He now has eight servers
at his command, and when
he executes his order to
each server to begin
pinging, say, a server
or servers on a large
corporate network, you
can bet that they will
come down very swiftly!
And, because the
attacker has used
servers randomly located
on the 'net, it will be
difficult to find the
perpetrator of this
attack.
There are several lines
of defense against DoS
attacks, but they can be
expensive. You can
purchase wider bandwidth
from your ISP. This can
extend the length of
time it takes for your
server to crash during
an attack. Or, you can
sign up with multiple
ISPs and create
redundant paths to them
from your server(s).
The second line of
defense is simply to
have a rapid incident
response set up with
your ISP. This way, you
can notify your ISP
immediately when any
server slowdown or other
intrusion is detected.
Copyright 2002 (c) Roy
Troxel, All rights
Reserved. Roy is
webmaster of
Cyber-Routes, an online
newsletter for Internet
professionals,
specializing in issues
about web design and web
security. You can also
receive Cyber-Routes
weekly by email by
subscribing from our
home page at
http://www.cyber-routes.com
This and many other
articles can be found
at:
http://www.davidbartosik.com