Nine risks detected by intrusion detection systems, and their countermeasures



An intranet intrusion detection system (hereinafter "IDS") can promptly discover high-risk abnormal events inside the network, such as worms and viruses, vulnerability exploitation and attacks, and allow them to be dealt with effectively, raising the security of the intranet and protecting the operation of important business systems. To strengthen intranet management and make full use of the IDS, the author analyses below the high-risk events seen in security monitoring and proposes countermeasures for reference.

Event 1: Windows 2000/XP RPC service remote denial of service attack

A vulnerability exists in the DCE-RPC stack implementation of Windows. A remote attacker who can connect to TCP port 135 and send malformed data can crash the RPC service; once the RPC service has stopped, the system no longer responds to new RPC requests, resulting in a denial of service.

[Strategy]

1. Temporary measure: use a firewall, or the TCP/IP filtering built into Windows, to restrict connections to TCP port 135 so that untrusted external hosts cannot reach it.

2. Complete solution: install the security patch.

Event 2: spread of the MSBLAST (Blaster) worm on Windows systems

An infected computer scans other hosts on the network in an attempt to infect them, consuming its own resources and a large amount of network bandwidth, so that the network's access capacity declines sharply. Blaster spreads by exploiting the Windows RPC DCOM vulnerability through TCP port 135, so the port filtering described in Event 1 also limits its spread.

[Strategy]

1. Download the patch first, then disconnect the computer from the network and install it.

2. Remove the worm.

Event 3: propagation of the Sasser worm on Windows systems

The worm's attack leaves a backdoor on the system and may cause Windows 2000/XP to reboot. As it propagates it infects a large number of hosts, whose performance degrades severely, and it occupies a large amount of network bandwidth. Sasser spreads by exploiting the LSASS buffer overflow described in Event 9; the reboots are caused by the crash of the LSASS process.

[Strategy]

1. First disconnect the computer from the network.

2. Then check the computer with a dedicated removal tool for the worm.

3. Finally apply the system patch.

Event 4: Telnet service user authentication failures

The Telnet service is one of the channels attackers often use to get into a system. In most cases a legitimate user's Telnet logon authenticates successfully; if the user name or password is invalid, the Telnet server's authentication fails. When the user name being logged on is the superuser account, the legitimacy of the access source should be checked with particular care. A large number of Telnet authentication failures on a host within a short time may indicate a brute-force password guessing attack.

[Strategy]

1. Check whether the source IP, user name and password authentication comply with the security policy.

2. Pay close attention to the subsequent activity of any client source address responsible for a large number of authentication failures; if necessary, temporarily block access from that source IP address.

Event 5: Telnet service users with weak passwords

An attacker may use scanning software, or guess manually, to find weak Telnet passwords and gain illegitimate access to the Telnet service; combined with other vulnerabilities on the Telnet server, this may also give the attacker local access to the host.

[Strategy]

1. Remind, or compel, Telnet service users to set complex passwords.

2. Set a security policy that forces users to change their passwords regularly.

Event 6: Microsoft SQL Server client connecting as user sa with the default blank password

In a default installation of Microsoft SQL Server the password of the sa account is blank. A remote attacker can use this to log on to the database server and do anything with the database. More dangerous still, most SQL Server installations of this kind use mixed authentication mode (SQL Server and Windows authentication), so a remote attacker can log on with the empty sa password and then call extended stored procedures such as xp_cmdshell, which run commands with the privileges of the SQL Server service account (LocalSystem by default), executing arbitrary commands on the host and taking full control of it.

[Strategy]

1. Set the server's authentication mode to "Windows NT only", so that only trusted Windows accounts (and hence only trusted computers) can connect to the database.

2. Set a strong password for the sa account.

3. Do not expose SQL Server over the TCP/IP network library; use another network library (such as Named Pipes).

4. If TCP/IP must be used, move the service from the default port 1433 to another port, so that an attacker's scanner does not find it as easily. This only raises the cost of discovery and is no substitute for the first two measures.
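How an IDS recognises this event on the wire: the SQL Server client's TDS LOGIN7 message carries the login name and the password in clear (the password is only obfuscated), so a sensor on port 1433 can read both. The following is an added example, not code from the original article. The packet layout follows the TDS 7.1 LOGIN7 message as documented in MS-TDS (8-byte TDS header with type 0x10, 36 fixed bytes, then an offset/length table whose offsets are relative to the start of the LOGIN7 body), and the password scrambling (swap the nibbles of each byte, then XOR with 0xA5) is the one that specification describes. The sample packet is constructed by the builder below purely so the detector has something to parse; the host and application names in it are invented.

```python
"""Detect a TDS LOGIN7 packet that logs on as 'sa' with an empty password,
the way an IDS signature for this event inspects traffic to port 1433.

Added example, not code from the original article. Layout follows the TDS 7.1
LOGIN7 message (MS-TDS): an 8-byte TDS packet header (type 0x10 = TDS7 login)
followed by 36 bytes of fixed fields and an offset/length table whose offsets
are relative to the start of the LOGIN7 body. The password is obfuscated, not
encrypted: each byte of the UTF-16LE password has its nibbles swapped and is
XORed with 0xA5. The sample packet built here is constructed for testing.
"""
import struct

TDS7_LOGIN = 0x10
FIXED_LEN = 86           # 36 fixed bytes + 50-byte offset/length table (TDS 7.1)
IB_USERNAME_OFFSET = 40  # ibUserName, cchUserName, ibPassword, cchPassword start here


def obfuscate_password(password):
    """Client-side TDS password scrambling: swap nibbles, then XOR 0xA5."""
    out = bytearray()
    for b in password.encode("utf-16-le"):
        out.append((((b << 4) & 0xF0) | (b >> 4)) ^ 0xA5)
    return bytes(out)


def deobfuscate_password(data):
    """Inverse of obfuscate_password: XOR 0xA5, then swap the nibbles back."""
    out = bytearray()
    for b in data:
        x = b ^ 0xA5
        out.append(((x << 4) & 0xF0) | (x >> 4))
    return out.decode("utf-16-le", errors="replace")


def build_login7(hostname, username, password, appname="osql", servername="dbsrv"):
    """Build a constructed TDS 7.1 LOGIN7 packet, as a client would send it."""
    # The nine (offset, length) pairs, in table order: HostName, UserName,
    # Password, AppName, ServerName, Unused, CltIntName, Language, Database.
    strings = [hostname, username, password, appname, servername, "", "ODBC", "", ""]
    table, data = bytearray(), bytearray()
    for i, s in enumerate(strings):
        table += struct.pack("<HH", FIXED_LEN + len(data), len(s))   # offset, char count
        data += obfuscate_password(s) if i == 2 else s.encode("utf-16-le")
    table += b"\x00" * 6                                    # ClientID (MAC address)
    table += struct.pack("<HH", FIXED_LEN + len(data), 0)   # ibSSPI, cbSSPI
    table += struct.pack("<HH", FIXED_LEN + len(data), 0)   # ibAtchDBFile, cchAtchDBFile
    body_len = FIXED_LEN + len(data)
    # Length, TDSVersion (7.1), PacketSize, ClientProgVer, ClientPID, ConnectionID
    fixed = struct.pack("<IIIIII", body_len, 0x71000001, 4096, 0, 0, 0)
    fixed += bytes([0xE0, 0x03, 0x00, 0x00])                # OptionFlags1/2, TypeFlags, OptionFlags3
    fixed += struct.pack("<iI", 0, 0x0409)                  # ClientTimeZone, ClientLCID
    body = fixed + table + data
    # TDS header: type, status (0x01 = end of message), length (big-endian), SPID, packet id, window
    header = struct.pack(">BBHHBB", TDS7_LOGIN, 0x01, 8 + len(body), 0, 1, 0)
    return header + bytes(body)


def parse_login7(packet):
    """Return (username, password) from a TDS7 login packet, or None if the
    packet is not a well-formed LOGIN7."""
    if len(packet) < 8 + FIXED_LEN:
        return None
    ptype, _status, length = struct.unpack(">BBH", packet[:4])
    if ptype != TDS7_LOGIN or length != len(packet):
        return None
    body = packet[8:]
    ib_user, cch_user, ib_pwd, cch_pwd = struct.unpack_from("<HHHH", body, IB_USERNAME_OFFSET)
    if ib_user + 2 * cch_user > len(body) or ib_pwd + 2 * cch_pwd > len(body):
        return None   # offsets pointing past the packet: malformed or evasive
    username = body[ib_user:ib_user + 2 * cch_user].decode("utf-16-le", errors="replace")
    password = deobfuscate_password(body[ib_pwd:ib_pwd + 2 * cch_pwd])
    return username, password


def is_blank_sa_login(packet):
    """The IDS event from the article: login name 'sa' with an empty password."""
    creds = parse_login7(packet)
    return creds is not None and creds[0].lower() == "sa" and creds[1] == ""


if __name__ == "__main__":
    pkt = build_login7("WKSTN01", "sa", "")
    print(parse_login7(pkt), is_blank_sa_login(pkt))
```

Because the password is merely scrambled, the same sensor can also recover a weak sa password chosen under strategy 2 if the connection is not encrypted, which is one more reason to prefer Windows-only authentication or a protected network path over port relocation alone.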

Event 7: brute-force password guessing against the POP3 service

POP3 is a common protocol for retrieving e-mail.

A large number of POP3 logon failures indicates that an attacker may be trying to guess valid POP3 user names and passwords. If they succeed, the attacker can use the POP3 service itself, or combine it with vulnerabilities in other services, to abuse the system further, or simply read the user's mail, leaking sensitive information.

[Strategy]

Pay close attention to further activity from the attack source; if necessary, block its connections to the server.
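Events 4 and 7 are the same detection problem on two services: many authentication failures from one source in a short time, plus individual attention to failures against the superuser account. The following added example (not code from the original article) shows a sliding-window detector run over constructed log lines; the log format, the sample addresses and user names, and the threshold of five failures in sixty seconds are all assumptions made for the example.

```python
"""Sliding-window detection of password guessing against Telnet and POP3,
run over constructed log lines.

Added example, not code from the original article. The log format is made
up for this example: "<epoch-seconds> <service> <source-ip> <user> <OK|FAIL>".
"""
import re
from collections import defaultdict, deque

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
1000 telnet 10.0.0.5 alice FAIL
1001 telnet 10.0.0.5 alice OK
1002 pop3 192.168.1.20 bob FAIL
1003 pop3 192.168.1.20 carol FAIL
1004 pop3 192.168.1.20 dave FAIL
1005 pop3 192.168.1.20 erin FAIL
1006 pop3 192.168.1.20 frank FAIL
1030 telnet 172.16.3.9 root FAIL
1031 telnet 172.16.3.9 root FAIL
1032 telnet 172.16.3.9 root FAIL
1200 telnet 172.16.3.9 root FAIL
"""

LINE_RE = re.compile(r"^(\d+) (telnet|pop3) (\S+) (\S+) (OK|FAIL)$")
SUPERUSERS = {"root", "administrator"}   # accounts whose failures always matter


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, service, src, user, result = m.groups()
    return {"ts": int(ts), "service": service, "src": src,
            "user": user, "ok": result == "OK"}


def detect_bruteforce(log_text, threshold=5, window=60):
    """Return alerts as tuples.

    ("bruteforce", service, src, failures, ts) fires once per (service, src)
    when at least `threshold` failures fall within `window` seconds;
    ("superuser-fail", service, src, user, ts) fires for every failed logon
    to a superuser account, whatever the rate, because the article asks that
    those be checked individually.
    """
    alerts = []
    recent = defaultdict(deque)   # (service, src) -> timestamps of recent failures
    reported = set()              # keys that already produced a bruteforce alert
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["ok"]:
            continue              # successes do not count toward the window
        if ev["user"].lower() in SUPERUSERS:
            alerts.append(("superuser-fail", ev["service"], ev["src"], ev["user"], ev["ts"]))
        key = (ev["service"], ev["src"])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()           # drop failures that have aged out of the window
        if len(q) >= threshold and key not in reported:
            reported.add(key)
            alerts.append(("bruteforce", ev["service"], ev["src"], len(q), ev["ts"]))
    return alerts


def sources_to_block(alerts):
    """Source IPs the article's strategy would temporarily block."""
    return sorted({a[2] for a in alerts if a[0] == "bruteforce"})


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
    print("block:", sources_to_block(detect_bruteforce(SAMPLE_LOG)))
```

In the sample, the POP3 source reaches five different user names in five seconds and is reported once; the Telnet source guessing root three times stays below the rate threshold but produces a superuser alert for every attempt, and its fourth attempt three minutes later is not counted with the first three because the window has slid past them.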

Event 8: POP3 service receiving suspicious virus e-mail

Viruses and worms that spread by e-mail are increasingly common. Some of them send messages carrying an executable attachment and entice the user to click on it; opening the attachment runs the virus. Common attachment extensions are .pif, .scr, .bat, .cmd and .com, and virus messages carrying attachments with these extensions are often disguised as ordinary mail.

After infecting a host, a mail virus usually sends copies of itself to the other e-mail addresses saved by the mail client software, widening the spread of the virus.

This event means the IDS has detected a message carrying a suspicious virus attachment being received. The recipient is likely to have been infected by some kind of mail virus, and the case must be handled immediately.

[Strategy]

1. Notify the administrator of the host involved (the recipient is likely infected and will itself start sending virus mail), isolate it, and check it with antivirus software to disinfect the infected system.

2. Install virus-filtering software on the mail server so that virus mail is caught before users receive it.
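The server-side filter in strategy 2 needs, at minimum, to look at the real extension of every attachment, because the disguise the article describes usually consists of a harmless-looking name such as invoice.txt.pif, sometimes padded with spaces so the final extension scrolls out of view. The following added example (not code from the original article) parses a MIME message with Python's standard email module and flags attachments by their final extension. The sample message is constructed, the sender and recipient addresses are invented, and the extension list is the article's five plus .exe, which this example adds.

```python
"""Flag e-mail attachments whose final extension is executable, including
disguised double extensions, as a mail-server filter would.

Added example, not code from the original article. The sample message is
constructed; the extension list is the article's (.pif, .scr, .bat, .cmd,
.com) plus .exe, which this example adds.
"""
import email
import email.policy
import os

DANGEROUS_EXTS = {".pif", ".scr", ".bat", ".cmd", ".com", ".exe"}

# Constructed sample message: a "text" attachment that is really a .pif
# executable, alongside a harmless PDF. Attachment bodies are placeholders.
SAMPLE_MESSAGE = b"""\
From: "Accounts" <accounts@example.net>
To: alice@example.org
Subject: Your invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please see the attached invoice.
--XYZ
Content-Type: application/octet-stream; name="invoice.txt.pif"
Content-Disposition: attachment; filename="invoice.txt.pif"
Content-Transfer-Encoding: base64

TVo=
--XYZ
Content-Type: application/pdf
Content-Disposition: inline; filename="terms.pdf"
Content-Transfer-Encoding: base64

JVBERg==
--XYZ--
"""


def is_dangerous_name(filename):
    """True when the last extension is executable. Whitespace padding used
    to push the real extension out of view ("report.doc        .scr") is
    collapsed first, so the final extension is still what gets checked."""
    name = " ".join(filename.strip().lower().split())
    _root, ext = os.path.splitext(name)
    return ext in DANGEROUS_EXTS


def attachment_names(raw_message):
    """File names of every non-multipart part that carries a filename.
    Disposition is deliberately ignored: mail worms often mark their
    executable as inline or omit Content-Disposition altogether."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    return [part.get_filename() for part in msg.walk()
            if not part.is_multipart() and part.get_filename()]


def scan_message(raw_message):
    """Return [(filename, dangerous)] for each attachment in the message."""
    return [(name, is_dangerous_name(name)) for name in attachment_names(raw_message)]


def should_quarantine(raw_message):
    """A message is held if any attachment has an executable extension."""
    return any(flag for _name, flag in scan_message(raw_message))


if __name__ == "__main__":
    print(scan_message(SAMPLE_MESSAGE), should_quarantine(SAMPLE_MESSAGE))
```

Extension checking is only the first layer; an executable renamed to .txt passes it, so a production filter also inspects content (the "MZ" header of a Windows executable, archive contents) and runs an antivirus engine on the decoded attachment.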

Event 9: Microsoft Windows LSA service remote buffer overflow attack

Microsoft Windows LSA is the Local Security Authority Service (LSASRV.DLL).

The Active Directory service functions that LSASS exports over DCE/RPC contain a buffer overflow. A remote attacker who exploits it can execute arbitrary code on the system with SYSTEM privileges.

[Strategy]

1. Temporary measure: filter TCP ports 135, 139, 445 and 593 and UDP ports 135, 137, 138 and 445 at the firewall.

2. Install the system patches, or upgrade the system.