
Friday, 11 November 2011

Win2000 Server Intrusion Detection

A first look at intrusion detection

In the previous article we covered the security configuration of Win2000 Server. A carefully configured Win2000 server can fend off more than 90% of intrusion and penetration attempts, but, as I noted at the end of that chapter, system security is a continuous process: as new vulnerabilities appear and server applications change, the security posture of the system keeps changing too. And since offense and defense are two sides of one coin, with each side gaining the upper hand in turn, even the most skilled system administrator cannot guarantee that a server in production will stay uncompromised indefinitely.

So a secure server configuration is not the end of security work; it is the beginning of a long and tedious job. In this article we take a first look at basic intrusion detection techniques for Win2000 servers, in the hope of helping you keep a server secure over the long term.

Intrusion detection here means detection done with Win2000 Server's own features and with software or scripts written by the system administrator; techniques that involve a firewall or an intrusion detection system (IDS) are outside the scope of this article.

Now assume we have a Win2000 Server machine that has been through an initial security configuration (see "Win2000 Server Security Configuration Primer <1>" for details). In that state most intruders will be shut out. (Great, the administrator can go home and sleep.) Hold on: I said most, not all. A server with an initial security configuration can fend off the vast majority of script kiddies (people who can only break into servers with programs written by others), but against a real expert it is still easy prey. Real experts do not usually wander into other people's servers, but there is no guarantee that a few ill-behaved ones won't take a fancy to yours. (Am I really that unlucky?) Moreover, there is usually a window between the discovery of a vulnerability and the release of a patch, and anyone with the vulnerability details can exploit it in the meantime. That is when intrusion detection becomes very important.

Intrusion detection is mainly organized around the applications you run: for each service you provide there should be a corresponding detection and analysis mechanism to protect it. For a typical host, the following areas deserve the most attention:

1. Detecting intrusions over port 80

The WWW service is probably one of the most common services, and because it faces a broad user base with high traffic volume and complexity, it also attracts the most vulnerabilities and intrusion techniques. On NT, IIS has long been a headache for system administrators (many would love to just close port 80), but fortunately IIS's built-in logging can, to some extent, be an effective aid to intrusion detection. By default IIS stores its log files under System32/LogFiles, usually rolling over every 24 hours, and you can configure logging in detail from the IIS manager. (How you configure it is your business, but if you don't log in detail, don't cry later when you can't find the intruder's IP.)

Now let us assume again (why always assumptions? because I can't really break into a host just to write this article, so assumptions it is) that we have a web server running the WWW service, that you are its system administrator, and that you have carefully configured IIS to use the W3C extended log format, recording at least Time, Client IP, Method, URI Stem, URI Query and Protocol Status. We will use the recently popular Unicode vulnerability for our analysis. Open an IE window and enter the following in the address bar:

127.0.0.1/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir

On a default installation you will see a directory listing (what? you already did the security configuration and can't see it? restore the default installation, we are doing an experiment). Now let us look at what the IIS log recorded. Open Ex010318.log (Ex stands for the W3C extended format, and the digits that follow are the date the log was written):

07:42:58 127.0.0.1 GET /scripts/..\../winnt/system32\cmd.exe /c+dir 200

This line says that at 07:42:58 GMT (23:42:58 Beijing time), someone (the intruder) coming from IP 127.0.0.1 used the Unicode vulnerability on your machine (%c1%1c is decoded to "\"; the exact sequence varies slightly between Windows language versions) to run cmd.exe with the parameter /c dir, and succeeded (HTTP 200 means a successful response). (Wow, that is a thorough record; I won't be playing with Unicode casually anymore.)

In most cases IIS faithfully logs every request it receives (there are special attacks that IIS does not log; we will discuss those later), so a good system administrator should be adept at using this to spot intrusion attempts and protect the system. However, IIS logs easily run to tens of megabytes, and on high-traffic sites to tens of gigabytes, so manual inspection is practically impossible; the only option is log analysis software. Writing a log analyzer (really just a text filter) in any language is very simple, but taking some practical realities into account (the administrator can't program, or there is no log analysis software to be found on the server), let me give you a simple method. Say you want to know whether anyone has tried to fetch your Global.asa file over port 80; you can use the following CMD command:

find "Global.asa" ex010318.log /i

This command uses NT's built-in find.exe (so it is always at hand in an emergency) and can easily locate a string you want to filter for in a text file: "Global.asa" is the string to search for, ex010318.log is the text file to filter, and /i means ignore case. Since I don't intend to turn this article into Microsoft's Help documentation, please see the Win2000 help file for the command's other parameters and for the usage of its enhanced version, FindStr.exe.

Whether you use log analysis software or the Find command, you can build a list of sensitive strings covering known IIS vulnerabilities (such as "+.htr") and resources that future vulnerabilities are likely to call (such as Global.asa or cmd.exe). By filtering the logs against this continually updated list, you can learn about an intruder's actions as early as possible.
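The sensitive-string filter above, written out as a small Python program (an added example, not code from the original article): it parses W3C extended log lines using the #Fields header, matches the string list the way find /i does, and additionally decodes the URI stem the way the vulnerable IIS decoder did, so that overlong sequences such as %c0%af and the %c1%1c from the log line above are recognised as directory traversal even when the exact encoding is not on the list. The sample log is constructed for this example (its first data line is the one quoted above), and the decoder models the behaviour the article describes; it is an assumption, not IIS source.

```python
"""Filter IIS W3C extended log lines against a sensitive-string list."""
import re

# Strings the article names as worth watching for (matched case-insensitively).
SENSITIVE = ("global.asa", "cmd.exe", "+.htr")

# Constructed sample log. The #Fields header is what makes W3C extended logs
# self-describing; the first data line is the one quoted in the article.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-03-18 07:40:00
#Fields: time c-ip cs-method cs-uri-stem cs-uri-query sc-status
07:42:58 127.0.0.1 GET /scripts/..\\../winnt/system32\\cmd.exe /c+dir 200
07:43:10 10.0.0.5 GET /default.htm - 200
07:44:01 10.0.0.9 GET /Global.asa - 404
07:45:00 10.0.0.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
07:46:12 10.0.0.7 GET /global.asa+.htr - 200
"""

_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")


def lenient_decode(uri):
    """Decode %XX escapes the way the vulnerable IIS decoder did (assumed model).

    A lead byte 0xC0-0xDF is combined with whatever byte follows it, even when
    that byte is not a valid UTF-8 continuation byte. That is what turns the
    overlong sequences %c0%af into "/" and %c1%1c into "\\" (the article's
    example). Other bytes are passed through as Latin-1.
    """
    raw = _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), uri.encode("latin-1"))
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip malformed or truncated lines
                yield dict(zip(fields, values))


def scan(text, sensitive=SENSITIVE):
    """Return (time, client IP, status, reasons) for every suspicious request.

    Two checks: the literal string list (what `find /i` does), plus a
    traversal check on the decoded, slash-normalised URI stem, which also
    catches encodings that are not on the list yet.
    """
    hits = []
    for rec in parse_w3c(text):
        haystack = (rec["cs-uri-stem"] + " " + rec["cs-uri-query"]).lower()
        reasons = [s for s in sensitive if s in haystack]
        decoded = lenient_decode(rec["cs-uri-stem"]).replace("\\", "/")
        if "/../" in decoded:
            reasons.append("traversal")
        if reasons:
            hits.append((rec["time"], rec["c-ip"], rec["sc-status"], reasons))
    return hits


if __name__ == "__main__":
    for time, ip, status, reasons in scan(SAMPLE_LOG):
        print(f"{time} {ip} {status} {', '.join(reasons)}")
```

On a real server you would read the day's Ex*.log file instead of SAMPLE_LOG; note that the status column matters when triaging, since a 200 on a cmd.exe request means the command actually ran, while a 404 is a probe that failed.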

Keep in mind that any log analysis software consumes some system resources, so for a low-priority task like IIS log analysis it is more appropriate to run it automatically at night when the server is idle; if you also write a script that mails the filtered suspicious lines to the system administrator, so much the better. And if the sensitive string list is large and the filtering policy complex, I suggest writing a dedicated program in C; it pays off.

2. Detection based on the security log

Intrusion detection based on IIS logs lets us learn the movements of those watching us in advance (if you handle things badly, a watcher can become an intruder at any time), but the IIS log is not a cure-all; in certain situations it cannot even record an intrusion over port 80. From my analysis of the IIS logging system, IIS only writes a log entry after a request completes. In other words, if a request fails midway there will be no trace of it in the log file (midway failure here does not mean something like an HTTP 400 error, but an HTTP request that never completes at the TCP layer, for example one aborted while POSTing a large amount of data). This gives an intruder a way to carry out a lot of activity while bypassing the logging system.

Moreover, on hosts that are not port-80-only, an intruder can also enter through other services, so building a complete security monitoring system is essential.

Win2000 ships with a fairly powerful security logging system that records everything from user logons to the use of privileges in great detail. Unfortunately, security auditing is turned off in a default installation, so that after some hosts get hacked there is simply no way to trace the intruder. The first step, then, is to enable the necessary audits under Administrative Tools > Local Security Policy > Local Policies > Audit Policy. In general, logon events and account management are the events we care about most, and enabling both success and failure auditing for them is essential; for the other categories, enable failure auditing as well. That makes every step hard for an intruder; one careless move and they give themselves away. Simply turning on security auditing does not fully solve the problem, though: if the security log's size and overwrite policy are not configured well, a seasoned intruder can bury their real tracks under a flood of bogus intrusion requests. Normally, setting the security log size to 50MB and only allowing entries older than 7 days to be overwritten avoids this.

Setting up the security log but never checking it is almost as bad as not setting it up at all (the only advantage is that you can trace the intruder after being hacked), so establishing a routine for reviewing the security log is very important. For the security log, the recommended time to check is every morning, because intruders like to work at night (it's faster; otherwise, if your connection drops halfway through an intrusion, you'd want to cry). Look at the log first thing in the morning for anything unusual, and you can get on with other work with peace of mind. If you prefer, you can also write a script that mails the security log to you every day (don't trust this too much; if some expert gets in and alters your script, it will report "all quiet" every day...).

Besides the security log, the system log and application log are also very good auxiliary monitoring tools. In general, an intruder not only leaves traces in the security log (if they have obtained Admin rights, they will certainly clean those up) but also leaves clues in the system and application logs. As a system administrator, adopt the attitude of letting no anomaly slip past; that makes it hard for intruders to hide their tracks.

3. File access logs and protection of key files

Besides the system's default security auditing, we should also add file access logging for key files to record access to them.

There are many options for file access auditing: read, modify, execute, create, change attributes... In general, watching reads and modifications already provides substantial monitoring value.

For example, if we audit modification and creation in the system directory, and even access to some important files (such as cmd.exe, net.exe, or the system32 directory), it becomes hard for an intruder to plant a backdoor without attracting our attention. Note that the set of key files and objects being audited must not be too large, otherwise it not only burdens the system but also disrupts the daily log review (what administrator has the patience to read four or five thousand junk log entries a day?).

Key files are not only system files; they include any file that could be used to harm the system administrator or other users, such as the administrator's configuration files, desktop files and so on, all of which could be used to steal the administrator's data or passwords.

4. Process monitoring

Process monitoring is another powerful weapon for tracking down trojans and backdoors: more than 90% of trojans and backdoors exist as a process (there are trojans that take other forms; see "Unveiling the Trojan Horse, Part 3"). As a system administrator, knowing every process running on the server is part of the job (otherwise, never mind security, you can't even tune the system). Keeping a list of the processes that run on each server is essential; it lets the administrator spot an intruding process at a glance, since an unusual user process or unusual resource consumption may well be an illegitimate process. Besides processes, DLLs are also dangerous: for example, a trojan originally written as an exe can be rewritten as a dll and run via rundll32, which is much more deceptive.

5. Registry checks

In general, trojans and backdoors use the registry to get themselves run again, so checking the registry is also a common way to discover intrusions. If an intruder only knows how to use popular trojans, then because an ordinary trojan can only write itself into a few specific keys (such as Run, RunOnce and so on), finding it is relatively easy; but for someone who can write or modify their own trojan, anywhere in the registry can serve as a hiding place, and searching by hand becomes impossible. (Registry hiding places vary endlessly. One worth singling out is the FakeGina technique, which uses WINNT's pluggable logon DLL (GinaDLL) to capture user passwords; it has been quite popular lately, and once a machine is hit, every logging-on user's password is recorded. I won't go into specific countermeasures here.) The answer is to monitor any change to the registry, so that a trojan that writes to the registry has nowhere to hide. There is a great deal of registry monitoring software, and many trojan-hunting tools include such a feature. A monitoring tool plus regular backups of the registry means that even if the registry is modified without authorization, the system administrator can restore it in the shortest possible time.
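The "regular backup plus change monitoring" practice above, in its minimum form as an added example (not code from the original article): a parser for the .reg export format that regedit writes, and a diff of the Run, RunOnce and Winlogon keys between a baseline export taken right after the server was configured and a current export. The same baseline-and-diff approach serves the process list recommended under section 4. Both exports below are constructed for this example; the "Updater" and "GinaDLL" entries are made-up illustrations of the kind of addition to look for (a new GinaDLL value is the change the FakeGina technique depends on), not real indicators.

```python
"""Diff two regedit exports of the autorun keys and report what changed."""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUNONCE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed baseline export (the format `regedit /e` writes; backslashes in
# data are doubled in .reg files). Saved right after the server was configured.
BASELINE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINNT\\system32\\userinit.exe,"
"""

# Constructed current export: a new Run entry and a GinaDLL value have appeared.
CURRENT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Updater"="C:\\WINNT\\system32\\update32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINNT\\system32\\userinit.exe,"
"GinaDLL"="C:\\WINNT\\system32\\newgina.dll"
"""

_SECTION = re.compile(r"^\[(.+)\]$")
# "name"=<data> or @=<data>; data is kept verbatim (string, dword:, hex: ...).
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text):
    """Map each [key] in a .reg export to a dict of value name -> raw data."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = m.group(1)
            if name != "@":  # strip the quotes and undo .reg escaping of the name
                name = name[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = m.group(2)
    return keys


def diff_autoruns(baseline_text, current_text,
                  watch=(RUN_KEY, RUNONCE_KEY, WINLOGON_KEY)):
    """Return (change, key, name, data) tuples for added, removed and changed values."""
    base, cur = parse_reg(baseline_text), parse_reg(current_text)
    findings = []
    for key in watch:
        b, c = base.get(key, {}), cur.get(key, {})
        for name in sorted(set(b) | set(c)):
            if name not in b:
                findings.append(("added", key, name, c[name]))
            elif name not in c:
                findings.append(("removed", key, name, b[name]))
            elif b[name] != c[name]:
                findings.append(("changed", key, name, c[name]))
    return findings


if __name__ == "__main__":
    for change, key, name, data in diff_autoruns(BASELINE, CURRENT):
        print(f"{change:8} {key}\\{name} = {data}")
```

The watch list is deliberately short, in the spirit of the author's warning about auditing too much; extend it with the keys you care about, and keep the baseline export somewhere the server's own users cannot modify, since a baseline an intruder can edit is no baseline at all.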

6. Port monitoring

Although trojans that use no port have appeared, most backdoors and trojans still use TCP connections, so monitoring the state of ports is very important for hosts that, for various reasons, cannot block ports. We will not discuss IDS systems built on advanced NDIS network-card programming here. For a system administrator, knowing the open ports on their own server is even more important than monitoring processes, and regularly running netstat to check the server's port state is a good habit; but you can't do that 24 hours a day, and the NT security log has the bad habit of recording machine names rather than IPs (who knows what Bill Gates was thinking). If you have neither a firewall nor intrusion detection software, you can at least do IP logging with a script. Look at this command:

netstat -n -p tcp 10 >>Netstat.log

This command checks the TCP connection state automatically every 10 seconds (the space before >> matters: CMD reads a digit written directly in front of >> as a file handle number). Based on it, we make a Netlog.bat file:

time /t >>Netstat.log
netstat -n -p tcp 10 >>Netstat.log

This script automatically records the time and the TCP connection state. Note that if the site gets heavy traffic, this operation consumes a fair amount of CPU time, and the log file keeps growing, so use it with great care. (If a script could do the job perfectly, who would buy a firewall? :)

Once you find a suspicious port, you can use a special program to associate ports with executables and processes (inzider, for example, has this feature: it can find the ports the server listens on and identify the file associated with each port; inzider can be downloaded from http://www.nttoolbox.com). Then trojans, whether over TCP or UDP, have nowhere to hide.

7. Terminal Services log monitoring

There is a reason for listing Terminal Service log monitoring separately. The Terminal Service bundled with Microsoft Win2000 Server is a tool based on the Remote Desktop Protocol (RDP); it is very fast and very stable and can serve as excellent remote administration software. But because it is so powerful and protected only by a password, it is also very dangerous: once an intruder has the administrator password, they can operate the remote server as if sitting at it (no advanced NT command-line skills needed, no special scripts or programs to write; anyone who can use a mouse can perform every administrative operation. Too convenient, and too frightening). Although many people use Terminal Services for remote administration, not everyone knows how to audit it, and most terminal servers do not have terminal logon logging turned on. Enabling audit logging is actually easy: in Administrative Tools open Terminal Services Configuration, click "Connections", right-click the RDP connection you want to configure (for example RDP-TCP (Microsoft RDP 5.0)), select the "Permissions" tab, click "Advanced" in the lower left, and see the "Auditing" tab up there? Add the Everyone group (which stands for all users), then audit success for "Connect", "Disconnect" and "Logoff" and both success and failure for "Logon"; that is enough, and auditing too much is counterproductive. These audits are recorded in the security log and can be viewed from Administrative Tools > Event Viewer. Now I know exactly who logged on and when, but there is a fly in the ointment: this wretched thing does not record the client's IP (you can only see the IPs of users currently online); instead it records the showy but useless machine name. Argh! If someone names their machine PIG you just have to put up with the mockery. I don't know what Microsoft was thinking; it seems we can't rely on Microsoft entirely, so let's do it ourselves. Write a program and it's all done. Do you know C? No? VB? Not that either? Delphi? ...What? You don't know any programming language? Oh well, after all, system administrators are not programmers. Don't worry, I'll find a way for you. Let's create a bat file called TSLog.bat to record the IP of whoever logs on; its content is as follows:

time /t >>TSLog.log
netstat -n -p tcp | find ":3389" >>TSLog.log
start Explorer
Let me explain what this file does:

The first line records the time the user logged on. time /t simply returns the system time (without /t the system would wait for you to enter a new time); then we use the append operator ">>" to write that time into TSLog.log as the log entry's time field.

The second line records the user's IP address. netstat displays the current network connections; -n shows IPs and ports instead of domain names and protocols, and -p tcp shows only TCP. We then pipe ("|") the command's output to the find command to pull out the lines containing ":3389" (these are the lines holding our client's IP; if you changed the Terminal Services port, change this value accordingly). Finally we redirect the result into the log file TSLog.log as well, so that TSLog.log contains records in this format:

22:40
TCP 192.168.12.28:3389 192.168.10.123:4903 ESTABLISHED
22:54
TCP 192.168.12.28:3389 192.168.12.29:1039 ESTABLISHED

In other words, as soon as TSLog.bat runs, every IP connected to port 3389 is recorded. So how do we make this batch file run automatically? Terminal Services lets us define a starting program for users. In Terminal Services Configuration, we override the user's logon script setting and specify TSLog.bat as the script to run when the user logs on, so that every user must execute it after logging on. Because the default starting program (equivalent to the shell environment) is Explorer, I added the command start Explorer as the last line of TSLog.bat; without that line the user would have no way to reach the desktop! Of course, if you only want to give users a specific shell, such as cmd.exe or word.exe, you can replace start Explorer with any shell you like. This script can be written in other ways too; as a system administrator you are free to use your imagination and your own resources. For an important server, for example, a script that mails each logged-on user's IP to your own mailbox is also a good approach. Ordinary users normally have no permission to view the Terminal Services settings, so they won't know you are auditing logon IPs; putting TSLog.bat and TSLog.log in a fairly obscure directory is enough. Note, however, that this is only a simple Terminal Services logging strategy without many safeguards or permission mechanisms; if the server has higher security requirements, you will still need to write a program or buy intrusion detection software.
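The netstat logging in sections 6 and 7 above, as an added example in Python (not code from the original article) that parses the netstat -n -p tcp output instead of grepping it with find ":3389". Parsing gives a practical improvement over the batch file: it matches on the local port, so an outbound RDP connection from the server itself (whose foreign address also ends in :3389) is not mistaken for an inbound session. The netstat output below is constructed for this example; the time stamp is passed in as a string in the style of time /t.

```python
"""Pick out the remote peers of inbound Terminal Services sessions from netstat output."""
import re
from datetime import datetime

# Constructed sample of `netstat -n -p tcp` output. The last row is an
# *outbound* RDP connection from this host; `find ":3389"` would log it too.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.12.28:3389     192.168.10.123:4903    ESTABLISHED
  TCP    192.168.12.28:3389     192.168.12.29:1039     ESTABLISHED
  TCP    192.168.12.28:80       10.0.0.5:2041          TIME_WAIT
  TCP    192.168.12.28:1053     192.168.12.28:3389     ESTABLISHED
"""

# One netstat row: proto, local ip:port, foreign ip:port, state.
_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_netstat(text):
    """Return one dict per TCP row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append({
                "local_ip": m.group(1), "local_port": int(m.group(2)),
                "remote_ip": m.group(3), "remote_port": int(m.group(4)),
                "state": m.group(5),
            })
    return rows


def sessions_on_port(text, port=3389, states=("ESTABLISHED",)):
    """Remote IPs with a connection in one of `states` to our local `port`.

    Matching on the local port avoids the false positive a plain
    `find ":3389"` produces for outbound connections to someone else's 3389.
    """
    return sorted({r["remote_ip"] for r in parse_netstat(text)
                   if r["local_port"] == port and r["state"] in states})


def log_entry(text, port=3389, stamp=None):
    """One TSLog.log-style line: a `time /t`-style stamp plus the peer IPs."""
    stamp = stamp or datetime.now().strftime("%H:%M")
    ips = sessions_on_port(text, port)
    return f"{stamp} port {port}: {', '.join(ips) if ips else 'none'}"


if __name__ == "__main__":
    # On the server you would feed in the real output, for example
    # subprocess.run(["netstat", "-n", "-p", "tcp"], capture_output=True, text=True).stdout
    print(log_entry(SAMPLE_NETSTAT))
```

As with the batch file, a logon-time snapshot only records sessions that exist at that moment; running it from the user's logon script, as the article describes, is what ties each record to a logon.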

8. Trap techniques

Early trap technology was just a disguised port service used to detect scans. As spear and shield have kept escalating, today's trap services and trap hosts have become more and more complete and more and more like real services: they can not only intercept half-open scans but also imitate a service's responses and record the intruder's behavior, helping to determine the intruder's identity.

I am personally not very interested in trap techniques. First, from a technical person's point of view, keeping a low profile is more in keeping with security principles; second, a trap host turning into the intruder's stepping stone is not something that happens only in novels, it is common in real life too. If you set up a trap and it ends up being used to break in, that is a loss rather than a gain.

I remember something CoolFire said that can serve as a close to this introduction to trap techniques: when you don't know the situation, don't wander into someone else's system, because you can never know in advance whether the system administrator is really an idiot or a genius pretending to be one...

That concludes this first look at intrusion detection. In practice, how well a system administrator has mastered the fundamentals directly determines their sensitivity to security; only a battle-hardened, knowledgeable and careful administrator can spot an intruder's shadow in the smallest of clues, prepare in advance, and stop the intrusion in its tracks.
