
Friday, 11 November 2011

How to Catch Hackers with Bait

Luring a hacker is really no harder than trapping an animal. When an intruder starts scanning the network, he is surprised to find a data server that is very easy to attack. But while he prepares to break into that server, the network administrator is already tracking his movements, just as in the saying "the mantis stalks the cicada, unaware of the oriole behind it." The intruder has been lured by a "bait" server, and these bait servers are designed specifically to detect such intruders.

■ Characteristics of a "bait" server

Because a data server handles a very large volume of data, separating malicious attacks from that mass of legitimate traffic is generally difficult. We therefore need purpose-built "bait" servers to lure hackers away, so that the data servers can keep working normally.

The main purpose of a "bait" server is to imitate the data server while raising alarms and keeping records of hacker activity. From the characteristics listed below it is not hard to see how a bait server accomplishes this.

a. A bait server imitates a real data server and has a side that works normally;

b. A bait server offers some network resources and user accounts to attract a hacker's attention;

c. A bait server shows a vulnerable side, enticing the hacker to launch malicious attacks against it;

d. A bait server has a very powerful and complete intrusion alarm and logging mechanism.

■ How to build a "bait"

1. Port redirection

Use a router or firewall capable of redirection to remap some of the data server's services onto the bait server. For example, keep the Web service on port 80 where it is, but map the SMTP service on port 25 and the Telnet service on port 23 to the bait server. Then, as soon as an intrusion attempt is made against SMTP or Telnet, the system can raise an alarm and record it.

At the same time, we still need to monitor the Web service, because accesses to its data are not recorded on the bait server; an appropriate intrusion monitoring system therefore still has to be installed on the Web service. Because the redirected services have no intrusion monitoring system, hackers are more easily drawn to them.
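In the port-redirection setup just described, the bait server records every SMTP and Telnet contact, while the Web service stays on the real data server with its own access log. The following added example (not code from the article or from any of the products it names) shows one way an administrator can tie the two logs together: by policy every source that touched the bait is suspect, so its requests are pulled out of the much larger Web access log for review. Both log samples are constructed; the bait log format (JSON lines with `ts`, `service`, `src_ip`) is an assumption, and the Web log is in Common Log Format.

```python
"""Correlate a bait server's contact log with the real server's Web access log.

Added example for the port-redirection deployment: SMTP/Telnet land on the
bait, the Web service stays on the data server. Any source that touched the
bait is treated as suspect, and its Web requests are extracted for review.
"""
import json
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample bait log: one JSON record per connection (assumed format).
DECOY_LOG = """\
{"ts": "2011-11-11T09:01:12Z", "service": "telnet", "src_ip": "203.0.113.7"}
{"ts": "2011-11-11T09:01:40Z", "service": "smtp", "src_ip": "203.0.113.7"}
{"ts": "2011-11-11T09:05:03Z", "service": "smtp", "src_ip": "198.51.100.22"}
"""

# Constructed sample Web access log from the real data server (Common Log Format).
WEB_LOG = """\
192.0.2.10 - - [11/Nov/2011:09:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.7 - - [11/Nov/2011:09:02:15 +0000] "GET /login.php HTTP/1.1" 200 834
192.0.2.11 - - [11/Nov/2011:09:02:40 +0000] "GET /products HTTP/1.1" 200 5120
203.0.113.7 - - [11/Nov/2011:09:02:51 +0000] "GET /backup/ HTTP/1.1" 404 221
"""

# Common Log Format: ip ident user [timestamp] "request" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def decoy_contacts(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each source IP seen by the bait server to the services it touched."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        seen[rec["src_ip"]].append(rec["service"])
    return dict(seen)


def parse_clf(line: str) -> Optional[dict]:
    """Parse one Common Log Format line; return None for lines that do not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def triage(decoy_lines: Iterable[str], web_lines: Iterable[str]) -> Tuple[dict, int]:
    """Build a per-suspect report and return it with the number of Web log lines read.

    The report is keyed by source IP from the bait log; for each suspect it lists
    the bait services contacted and the requests that same IP made to the Web
    service on the real server. Web traffic from sources that never touched the
    bait is left for the Web service's own intrusion monitoring.
    """
    suspects = decoy_contacts(decoy_lines)
    report = {
        ip: {"decoy_services": sorted(set(svcs)), "web_requests": []}
        for ip, svcs in suspects.items()
    }
    total = 0
    for line in web_lines:
        entry = parse_clf(line)
        if entry is None:
            continue
        total += 1
        if entry["ip"] in report:
            report[entry["ip"]]["web_requests"].append(entry["req"])
    return report, total


if __name__ == "__main__":
    report, total = triage(DECOY_LOG.splitlines(), WEB_LOG.splitlines())
    print(f"{total} web log lines scanned, {len(report)} suspect source(s):")
    print(json.dumps(report, indent=2))
```

The split of work mirrors the article's point: the bait log is small and unambiguous, so it serves as the filter, while the Web log stays large and still needs its own monitoring for sources that never touched the bait.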

2. Building a "bait" server

Another method is to place the bait server among the data servers. For example, if the data servers have addresses 2, 3 and 5, the bait server is given address 4; IP aliasing can also be used to give the bait server additional IP addresses.

When a hacker searches the whole network for the easiest machine to break into, he will obviously end up on the bait server. But if the hacker bypasses the bait server and attacks the data servers directly, this method becomes ineffective. The core policy of a bait server is: any data that reaches the bait server is suspect. Once a hacker enters the server, his every move is recorded.
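The characteristics a to d above and the core policy just stated ("anything that reaches the bait is suspect, and every move is recorded") can be shown in a small service emulator. The following is an added example, not code from the article or from any of the products it lists: it listens on a port, presents a plausible banner for an emulated SMTP or Telnet service, and logs and alerts on every connection, including connections that send nothing, since a real user has no reason to contact the bait at all. The banner texts and the record fields are constructed assumptions; the `probe` helper runs a bait in-process and plays the client once so the mechanism can be exercised offline.

```python
"""Minimal "bait" service emulator (added example, not the article's code).

Each emulated service answers with a realistic-looking banner, then records
the connection: timestamp, source address, service, and the first chunk the
client sent. By policy every contact is rated high severity and alerted.
"""
import json
import socket
import sys
import threading
import time
from typing import Callable, List, Optional

# Constructed banners that make the bait look like an ordinary, older service.
BANNERS = {
    "smtp": b"220 mail.example.internal ESMTP ready\r\n",
    "telnet": b"\r\nlogin: ",
}


def print_alert(rec: dict) -> None:
    """Default alert sink: one JSON line to stderr (a real deployment would page)."""
    print("ALERT " + json.dumps(rec), file=sys.stderr)


class DecoyService:
    """One emulated service bound to a TCP port, logging every connection."""

    def __init__(self, service: str, host: str = "127.0.0.1", port: int = 0,
                 alert: Optional[Callable[[dict], None]] = None, max_bytes: int = 512):
        self.service = service
        self.records: List[dict] = []          # in-memory event log
        self.alert = alert or print_alert
        self.max_bytes = max_bytes
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))         # port 0 lets the OS pick a free port
        self.sock.listen(8)
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self) -> None:
        self._thread.start()

    def stop(self) -> None:
        self._stop.set()
        self.sock.close()
        self._thread.join(timeout=2)

    def _serve(self) -> None:
        self.sock.settimeout(0.2)            # wake up periodically to check _stop
        while not self._stop.is_set():
            try:
                conn, addr = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:                  # listening socket closed by stop()
                break
            self._handle(conn, addr)

    def _handle(self, conn: socket.socket, addr) -> None:
        with conn:
            conn.settimeout(1.0)
            try:
                conn.sendall(BANNERS[self.service])   # look like the real service
                data = conn.recv(self.max_bytes)      # capture what the client sends
            except (socket.timeout, OSError):
                data = b""                            # connect-only probes count too
            rec = {
                "ts": time.time(),
                "service": self.service,
                "src_ip": addr[0],
                "src_port": addr[1],
                "payload": data.decode("latin-1", "replace"),
                "severity": "high",   # core policy: any contact with the bait is suspect
            }
            self.records.append(rec)
            self.alert(rec)


def probe(service: str, payload: bytes) -> dict:
    """Start a bait, connect to it once as a client, and return the record it made."""
    alerts: List[dict] = []
    decoy = DecoyService(service, alert=alerts.append)
    decoy.start()
    try:
        with socket.create_connection(("127.0.0.1", decoy.port), timeout=2) as c:
            banner = c.recv(256)
            c.sendall(payload)
        deadline = time.time() + 3
        while not decoy.records and time.time() < deadline:
            time.sleep(0.02)
    finally:
        decoy.stop()
    rec = dict(decoy.records[0])
    rec["banner"] = banner.decode("latin-1", "replace")
    rec["alerts_raised"] = len(alerts)
    return rec


if __name__ == "__main__":
    print(json.dumps(probe("smtp", b"HELO scanner\r\n"), indent=2))
```

In a real deployment one `DecoyService` would run per redirected port (25 and 23 in the article's example) for as long as the bait is in service, with `alert` wired to whatever the administrator actually watches.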

Of course, both methods can fail. Success depends mainly on whether hackers can find the bait server: its vulnerability must be apparent to them, and at the same time its functionality must resemble the data server as closely as possible.

Even so, because the volume of data on a bait server is far smaller than on a data server, using one frees administrators from analyzing huge logs and greatly improves the accuracy of the analysis.

■ Things to consider before deciding on a bait

Whether to install a bait server also depends on the following questions:

1. Do you have sufficient resources?

2. Can you monitor the system logs continuously?

3. Do you intend to prosecute intruders?

4. Do you have the capability to respond to emergencies?

If you do not meet the above conditions, you are advised not to install a bait server; instead, use a better and more stable server system to reduce the consumption of funds, equipment and resources.

Many people also oppose bait servers, because they use false data to lure intruders, and if that data ever reaches a legitimate user the resulting loss would be incalculable. Since bait servers also have negative effects, users should weigh the pros and cons before installing one.

■ Existing bait software

Windows operating systems: Infinitum's BackOfficer Friendly, Network Associates' CyberCop Sting, and Specter.

Unix operating systems: Fred Cohen & Associates' Deception ToolKit (DTK).

Solaris operating system: Recourse Technologies' ManTrap and GTE Technology's NetFacade. (Jin Shi)

(China Computer News, issue 963)
