On Thu, 7 Dec 2000, meganet DOMAINREG wrote:

> What types of attacks,  what specific ports, what patterns should a
> [intrusion detection/monitoring] system like this be watching for. What
> is the most common in attack seen today.

Note: I'm no expert on this, and the little knowledge I possess on the
subject is mainly thanks to my keen interest in keeping my home system
intact.

Logically, the first step in trying to break into any system one doesn't
have physical access to, is to find out what types - and versions - of
services the target system is running, since the net is full of already
made exploits for buggy software. So, the first warning of a potential
intrusion attempt is port scanning. Specifically (from personal
experience) ports 21 (ftp), 23 (telnet), 25 (smtp), 80 (http), 113
(auth) and 1080 (socks). On my computer, ports 22 (ssh), 6000-6063
(x11), 12345 (NetBus) and 31337 (Back-Orifice) have also sometimes been
scanned.

If and when an intrusion happens, I suppose the most common actions are
(not necessarily all of them, or in the listed order):

1. install exploit(s) and backdoor(s)
2. create an inconspicuous user account
3. find out as much about the system as possible (intrusion detection
   systems and such)
(4. install more exploits and backdoors, if more buggy software is
    found)
5. wipe tracks as well as possible and leave
6. keep the unauthorized visits short and well-timed.

Once an intrusion has been detected, my agenda to fix the situation
would be to:

1. isolate the system from the network
2. close down unauthorized (or even all) user accounts, with a message
   to contact the system administration to get them reinstated
3. change root password and run password-cracking software to make sure
   valid users have proper passwords and not something like "brian1",
   "1q2w3e" or "sAmuEls" (supposing the user's name is Brian Samuels)
4. re-install and upgrade all critical binaries (or even the whole OS)
5. get myself 50 lashes for being sloppy
6. bring the system back on-line and pay extra close attention to its
   network traffic logs for some time
7. do my best to trace the attacker and contact my lawyers for legal
   actions.

HTH,

        .pi.

-- 
 Petteri Lyytinen - [EMAIL PROTECTED] - http://www.students.tut.fi/~typo/

                  + Watashi no chikara de susumu +
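As an added illustration of the port-scan warning sign the post describes (example code, not from the original message): a small detector that reads constructed firewall-style log lines, groups dropped connections by source address, and flags any source that probes several distinct ports within a short window, labelling the ports the post names. The log format, addresses and thresholds are assumptions made for this example.

```python
from collections import defaultdict

# Ports the post names as commonly scanned (6000-6063 is the X11 range).
NOTABLE_PORTS = {21: "ftp", 23: "telnet", 25: "smtp", 80: "http", 113: "auth",
                 1080: "socks", 22: "ssh", 12345: "NetBus", 31337: "Back-Orifice"}
NOTABLE_PORTS.update({p: "x11" for p in range(6000, 6064)})

def parse_line(line):
    """Parse '<epoch> DROP <src_ip> <dst_port>' (constructed format); None if malformed."""
    parts = line.split()
    if len(parts) != 4 or parts[1] != "DROP":
        return None
    try:
        return int(parts[0]), parts[2], int(parts[3])
    except ValueError:
        return None

def detect_scans(lines, window=60, min_ports=5):
    """Return {src_ip: {"ports": [...], "notable": {port: service}}} for sources
    that hit at least min_ports distinct ports within `window` seconds."""
    events = defaultdict(list)  # src_ip -> [(timestamp, dst_port), ...]
    for line in lines:
        rec = parse_line(line)
        if rec:
            events[rec[1]].append((rec[0], rec[2]))
    alerts = {}
    for src, hits in events.items():
        hits.sort()
        end = 0
        for start in range(len(hits)):  # sliding window over time-ordered hits
            while end < len(hits) and hits[end][0] - hits[start][0] <= window:
                end += 1
            ports = {port for _, port in hits[start:end]}
            if len(ports) >= min_ports:
                alerts[src] = {"ports": sorted(ports),
                               "notable": {p: NOTABLE_PORTS[p] for p in sorted(ports)
                                           if p in NOTABLE_PORTS}}
                break
    return alerts

# Constructed sample: 10.0.0.5 sweeps the ports the post lists within a minute;
# 10.0.0.9 only retries ssh a few times over two minutes and must not be flagged.
SAMPLE_LOG = ["1000 DROP 10.0.0.5 21", "1002 DROP 10.0.0.5 23", "1003 DROP 10.0.0.5 25",
              "1005 DROP 10.0.0.5 80", "1006 DROP 10.0.0.5 113", "1008 DROP 10.0.0.5 1080",
              "1009 DROP 10.0.0.5 31337", "1011 DROP 10.0.0.5 6000",
              "1000 DROP 10.0.0.9 22", "1030 DROP 10.0.0.9 22", "1090 DROP 10.0.0.9 22",
              "not a log line"]

if __name__ == "__main__":
    for src, info in detect_scans(SAMPLE_LOG).items():
        print(f"possible scan from {src}: {info['ports']} notable={info['notable']}")
```

Tune `window` and `min_ports` to the host's normal traffic; a single retried connection, like the ssh client in the sample, stays below the threshold while a sweep across the listed services is reported.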


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
