Soft passwords are the worst thing you can do. Always do your best to protect your work and fun: use long passwords, 10 characters or more!
Beginners
General
Setups for ZoneAlarm on 98/ME, NT and 2000. These are just some of the things you can do to protect yourself with ZoneAlarm. To get started you will need to get ZoneAlarm: download the free version first, then you will be able to secure your home or office today. DOWNLOAD NOW at www.zonelabs.com. It's FREE.
For beginners, these are the first things you should do. After you are more familiar with your computer you can do a number of things in more depth; look through this page and see if you already know some of this. If you are not at your computer, turn it off: you can't hack a turned-off computer.
After you install ZoneAlarm, here are some ZoneAlarm basics. You will need to teach ZoneAlarm which programs are permitted. For example, I would never want Explorer.exe to have outside access, nor other programs that might give remote access. Then, as you use programs and it asks you whether a program should be added to the allow list, just press Yes; that is how easy it is. After you teach ZoneAlarm, you can trick it out to be a very strong firewall.
To trick out your ZoneAlarm, here are some cool tips. There are 65000 ports to block. You can leave the basics, 21, 53, 80, 110 and 443, and block all the rest. This is a simple example block for incoming TCP and UDP ports: 1-20,22-52,54-79,81-109,111-65500. If you just do that, ZoneAlarm can work well. Turn on your email quarantine. Games and some other programs may ask to use ports you have blocked, so you will need to modify the blocked TCP/UDP ports. If you need 27345 for a game, split the numbers to accept it like this: 1-20,22-52,54-79,81-109,111-27340,27380-65500. Then, if you have the Pro version, you can also block IPs and whole countries. The professional-strength version, ZoneAlarm Pro, is awesome and worth every penny.
HACKERS PORT LIST
Home network systems are at risk too! Yes, they are at very high risk for attacks. With a firewall for your home systems you can put ZoneAlarm on all your computers and use one as an ICS gateway for your network. This requires two network cards in one PC for an IP-sharing, proxy type of internet connection; it also protects dialup, DSL and cable. Home systems and networks are often used by hackers to attack other computer systems. Once the hacker has access to your computer, the first thing is to get all your personal information: credit cards, user accounts and passwords for things you use on the web. Then the hacker uses your home or office computer as one of many bases of operation for attacks on bigger companies, to hide his or her tracks. Then, when the hacker is basically done with you, they share the information about you and your system with their friends. The further use covers the tracks of the original hacker with many IPs and a ton of newer information. Then, when you try to find out even the simplest bit of reverse-tracking information, it's almost impossible if you're not an expert Internet person ("IT"). Good reporting goes a long way, and your computer's logs and your ability to send them are critical for the experts to stop and trace the hackers or virus. Prosecution and actual arrest can result from computer logs alone.
XP, NT and 2000 running IIS web servers. Start with upgrades for Win2000/NT/98/ME IIS servers and Personal Web Server (a mini IIS server): get Service Pack 2 plus the ones for your FrontPage and Internet Explorer, and the critical update patches from Microsoft at http://windowsupdate.microsoft.com/, then check every week for new ones. Updates can be very harmful if you don't know what was updated, so when you do update, read and keep track of them; this way you can uninstall a single update. IIS is a server with its own unusual exploits. Some of these involve TFTP.EXE and CMD.EXE, which are in every NT, 2000 and XP system; these two programs can destroy your computer, so get rid of them. You can disable them by removing all rights to them in your C:\WINNT\system32 folder. Then in your Control Panel go to Administrative Tools and open Services. Disable all of the services you don't use, for example "Remote Registry Service - Allows remote registry manipulation. Started, Automatic, Local System": double-click on it, then disable and stop that service. In your log file you will see the reason for all this work. In IIS look in C:\WINNT\system32\LogFiles, then in Internet Services Manager open Properties, move to Web Sites, then open Log Properties and set it to hourly. The header exploits usually come from infected servers or PCs; there are so many different port 80 exploits. You need to keep up or get hacked. A few examples from our logs are shown below under EXAMPLES.
New
"FREE" Firewall Products
Sygate Personal Firewall 5.x
FREE for personal use, Sygate Personal Firewall 5.x provides best of breed
security in a user friendly interface, protecting your PC from hackers, Trojans
and DoS attacks. New features include full-ICS support, protocol driver level
protection, enhanced logging, and more. Sygate Personal Firewall is the first
FREE personal firewall to offer protection from malicious code intrusions,
keeping the information on your PC safe and private. Sygate Personal Firewall is
FREE for personal use and business licenses are $19.95. For multiple seat
licenses or advanced users, our Award-winning Sygate Personal Firewall PRO is
strongly recommended. www.sygate.com
WyvernWorks Firewall is a security tool that protects your PC from access via open ports. It's very easy to use. You can add as many ports to the firewall protection list as you like. WyvernWorks Firewall runs silently from the system tray, effectively blocking all inbound and outbound traffic. Intrusion attempts produce a warning that includes the IP address of the intruder. www.wyvernworks.com
NetBSD/i386 Firewall is a free firewall solution for people with a permanent Internet connection. This includes most users of cable or ADSL services, but also businesses with leased lines. Turn an old PC into a fully functioning firewall and share your connection among all your computers. Dubbele.com
Tips from eEye.com: Protect yourself against web application brute force attacks and buffer overflows
The Black Hat conference featured several sessions on web
application attack techniques. One of the more interesting techniques discussed
was the practice of brute forcing another person's session ID based on analysis
of the URL.
An attack based on a URL can detect certain patterns in the ID creation scheme and then guess what other session IDs are likely in use. Based on that information it is possible, within some web applications, to retrieve information from other users.
This becomes a serious concern for home-grown web applications housing sensitive
financial, medical, and legal information. We have already received reports of
users from an unnamed medical site accidentally being able to pull up another
patient's records. This particular incident was not an intentional misdirection,
but with a little manipulation it is quite possible that every patient record
could have been compromised from anywhere on the Internet.
The good news is that detecting this type of attack is fairly easy. The attack
method is similar in nature to a port scan of a computer, which attempts to try
every door until it finds one it can access, since a brute force attack of
session IDs uses the same logic. For example, the following are valid session
IDs within a URL – referred to as a URL space:
cgi-bin/session.cgi?sessargs=ae555YFrBTdYExs=
cgi-bin/session.cgi?sessargs=ae555GjXifhgYExs=
cgi-bin/session.cgi?sessargs=ae555EdasddkYExs=
cgi-bin/session.cgi?sessargs=ae555JeasklskYExs=
cgi-bin/session.cgi?sessargs=ae555GalslkekYExs=
From the above data, an attacker would attempt to brute force a key by repeatedly typing variations into a browser.
When administrators understand the logic of the brute force URL space hack, the best method of detection is to set up booby-trapped IDs which will trigger an alarm. Most web applications have functions that will generate these IDs, and creating booby-trapped IDs is simply a matter of creating an exception list inside of the application. This exception list would contain IDs that would never generate data and that, upon attempted use, would alert the administrator that someone is attempting to brute force a web application.
Another way to simply prevent a brute force attack from occurring is to use an IIS application firewall (such as eEye's SecureIIS), which has an automated alerting mechanism for this type of attack built in.
Similar to the methodology used by an attacker, administrators would analyze
what the patterns are and create an algorithm to guess the unknown parts within
the URL space (referred to as "fuzzing"). As administrators, guessing
isn't necessary since in this scenario the code generation algorithms are at our
disposal. Looking at the session arguments listed above (sessargs), we can see
that the attacker will most likely fuzz inside the "=ae555" and "YExs="
boundaries.
Fuzzers are meticulous -- they usually try every possible combination within
reason. This works to an administrator's advantage since we can be fairly
certain that obvious IDs will be used such as:
cgi-bin/session.cgi?sessargs=ae555AAAAAAYExs=
cgi-bin/session.cgi?sessargs=ae555BBBBBBYExs=
cgi-bin/session.cgi?sessargs=ae555CCCCCCYExs=
cgi-bin/session.cgi?sessargs=ae555DDDDDDYExs=
Adding these obviously illicit session IDs to a keyword list within the
application firewall and to an exception list within the web application code
itself will allow administrators to monitor how many attempts are being made and
also to drop those malicious requests before they can steal any vital
information through the web application.
Thus, with a bit of investigation about how your web applications expose
information in URLs, and a few customized changes to sidestep any possible
fuzzers, your web application content can be more secured from unauthorized
users.
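The exception list of booby-trapped IDs described above, written out as a small session store. This is an added example, not eEye's code nor code from the page; the class and function names, the drop threshold and the widened alphabet are my own assumptions. It uses the fixed boundaries from the URL space shown above (ae555 ... YExs=, six variable characters) and goes beyond the page's A-D list by trapping every single repeated character a fuzzer would try first. A trap ID never maps to a user, so any request carrying one is a guess: it is logged, counted against the client, and after a few bad lookups that client's requests are dropped before they reach application data.

```python
"""Booby-trapped session IDs: an exception list that never returns data but
raises an alert (and cuts the client off) when presented.

Added example; names, the alphabet and drop_after are assumptions.
"""
import logging

log = logging.getLogger("session_trap")

# Fixed boundaries from the URL space shown above: ae555<6 chars>YExs=
PREFIX, SUFFIX, WIDTH = "ae555", "YExs=", 6
# Wider than the page's A-D: any single repeated character a fuzzer would try.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def trap_ids(prefix=PREFIX, suffix=SUFFIX, width=WIDTH, alphabet=ALPHABET):
    """IDs that look valid but are never issued: the variable segment filled
    with one repeated character (AAAAAA, BBBBBB, ...)."""
    return frozenset(f"{prefix}{ch * width}{suffix}" for ch in alphabet)


class SessionStore:
    """Session table with an exception list and a per-client bad-lookup counter."""

    def __init__(self, traps, drop_after=3):
        self._sessions = {}              # session_id -> user
        self._traps = frozenset(traps)
        self.drop_after = drop_after     # bad lookups before a client is cut off
        self.alerts = []                 # (client_ip, session_id) trap hits
        self.bad_lookups = {}            # client_ip -> count

    def create(self, session_id, user):
        # Never hand out an ID from the exception list to a real user.
        if session_id in self._traps:
            raise ValueError("refusing to issue a booby-trapped session id")
        self._sessions[session_id] = user

    def _record_bad(self, client_ip):
        self.bad_lookups[client_ip] = self.bad_lookups.get(client_ip, 0) + 1

    def resolve(self, session_id, client_ip):
        """Return ("ok", user), ("miss", None) for an unknown id, or
        ("drop", None) for a trap hit or a client that is already cut off."""
        if self.bad_lookups.get(client_ip, 0) >= self.drop_after:
            return ("drop", None)
        if session_id in self._traps:
            # The alarm: a trap id is never legitimate, so this is a guess.
            self.alerts.append((client_ip, session_id))
            self._record_bad(client_ip)
            log.warning("trap session id %s presented by %s", session_id, client_ip)
            return ("drop", None)
        user = self._sessions.get(session_id)
        if user is None:
            self._record_bad(client_ip)  # unknown ids count toward the cut-off too
            return ("miss", None)
        return ("ok", user)


if __name__ == "__main__":
    store = SessionStore(trap_ids())
    store.create("ae555YFrBTdYExs=", "alice")                  # a real id from the list above
    print(store.resolve("ae555YFrBTdYExs=", "198.51.100.5"))   # ('ok', 'alice')
    print(store.resolve("ae555AAAAAAYExs=", "198.51.100.9"))   # ('drop', None), plus an alert
    print(store.alerts)
```

The same trap set can be loaded into an application firewall keyword list, as the text suggests, so the request is dropped at the front door while the application keeps its own counter for anything that gets through.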
EXAMPLES. These are also brute force attacks from our own logs:
1# /scripts/root.exe /c+dir
   /MSADC/root.exe /c+dir
2# /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
3# /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir
4# /scripts/winnt/system32/cmd.exe /c+dir
5# NNNNNNNNNNNNNNNNNNNNNNN%U9090%U6858%UCBD3%U7801%U9090%U6858%UCBD3%U7801%U9090%U6858%UCBD3%U7801%U9090%U9090%U8190%U00C3%U0003%U8B00%U531B%U53FF%U0078%U0000%U00=A
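Reading the logs for requests like the ones above is the point of the hourly logging the page sets up, and it can be done by a script. The following is an added example (not code from the page, eEye or Microsoft; all names are my own) that scans constructed IIS W3C extended log lines, undoes the %XX and IIS-style %uXXXX encoding so "..%5c.." is seen as "..\..", and tags each request as a traversal, a call to a system binary, or an overflow-sized or NOP-padded query, then counts hits per source address so you know which entry to report.

```python
"""Tag attack-looking requests in IIS W3C extended log lines.

Added example. The log lines are constructed for this demo; the request
paths and query strings are the ones shown in the examples above, the stem
"/scripts/sample.dll" for entry 5 is a placeholder.
"""
import re
from collections import Counter
from urllib.parse import unquote

SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-01-15 10:01:02 192.0.2.10 GET /index.htm - 200
2002-01-15 10:01:05 192.0.2.77 GET /scripts/root.exe /c+dir 404
2002-01-15 10:01:06 192.0.2.77 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404
2002-01-15 10:01:07 192.0.2.77 GET /scripts/sample.dll NNNNNNNNNNNNNNNNNNNNNNN%U9090%U6858%UCBD3%U7801%U9090%U6858%UCBD3%U7801%U9090%U6858%UCBD3%U7801%U9090%U9090%U8190%U00C3%U0003%U8B00%U531B%U53FF%U0078%U0000%U00=A 400
2002-01-15 10:01:09 192.0.2.10 GET /images/logo.gif - 200
"""

MAX_QUERY = 254          # the header size SecureIIS allows by default, per the page


def decode_uri(s):
    """Undo IIS %uXXXX encoding, then ordinary %XX encoding, and fold case so
    CMD.EXE and cmd.exe compare equal."""
    s = re.sub(r"%[uU]([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s).lower()


def classify(stem, query):
    """Return the set of tags that apply to one request."""
    tags = set()
    decoded = decode_uri(stem + "?" + query)
    if "../" in decoded or "..\\" in decoded:
        tags.add("traversal")
    if re.search(r"(cmd|root|tftp)\.exe", decoded):
        tags.add("system_binary")
    if (len(query) > MAX_QUERY                       # oversized query
            or query.lower().count("%u") >= 8        # long run of %u-encoded words
            or re.search(r"(.)\1{19,}", query)):     # 20+ identical bytes (NNNN...)
        tags.add("overflow")
    return tags


def scan_log(text):
    """Parse W3C lines (date time c-ip method stem query status) and return
    one finding per request that earned at least one tag."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        _date, _time, ip, _method, stem, query, _status = fields[:7]
        query = "" if query == "-" else query
        tags = classify(stem, query)
        if tags:
            findings.append({"ip": ip, "stem": stem, "tags": sorted(tags)})
    return findings


def count_by_ip(findings):
    """How many flagged requests each source address sent."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["stem"], ",".join(f["tags"]))
    print(count_by_ip(scan_log(SAMPLE_LOG)))
```

Point `scan_log` at the files under C:\WINNT\system32\LogFiles; anything tagged from one address more than once is what the page means by "good reporting".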
SecureIIS Web will pick up all of the above; get your demo today at www.eeye.com.
These are just a few examples, from buffer overflows to brute force attacks. So read your logs and watch your system, not just for you but for everybody else. You can help everybody just by putting up ZoneAlarm; ask anyone who uses it.
Buffer overflows can be regulated in Linux and all Windows systems. SecureIIS is the best for Windows systems. It comes with buffer overflow protection ready to go; the stock settings are good, but as you read the logs you will find that some good headers are blocked because of their size. Don't get too crazy and just leave them open: increase the size allowed from 254 up to what you need and no more.
If you have recently used McAfee Firewall, it is a fine product designed to auto-block IPs and prevent IIS exploits. Again, this product takes some time to teach and to figure out what runs through it and what does not. In the end, if you did it right, your protection will be increased 70%. Now add this with SecureIIS and you have a firewall that Microsoft should have made.
STEPS TO REMOVE ALL SHARING & NetBEUI ON WINDOWS
IMPORTANT!!!! Before you start, you will need your 95/98/2000 Windows disc or a restore disc for some re-installations after protocol changes, as Windows will build a new driver database. Before you start, write down everything you see in your Network Neighborhood so re-installation will be done correctly.
In your Control Panel open up Network. You will see a list of items in the Configuration tab: 1) a Client for Microsoft Networks, and others. The ones that put you at risk are NetBEUI or IPX. If you have NetBEUI or IPX in your Network Neighborhood you're at risk, and you will see a check box for file and printer sharing. If you are not connected to a network in your home or office, disable them by removing the protocols in Network Neighborhood properties. On cable it's like sharing your computer with every customer online; you don't want that. On Windows 98/ME you will need to remove them, and on Windows NT/2000 just uncheck those boxes. All 95/98/ME users, see the steps below on how to remove these protocols.
If you are connected to other computers on a LAN (an office multi-station system with file sharing up and running), you can use 12-character passwords on drives. In each shared drive's properties (your A, C, D, E, F drives etc., and yes, even your CD-ROM) you should put passwords on each drive for read and write properties. Plus, on any PC that starts up there should be a login screen to set a profile and its security; if there is not, follow the steps below. You will need your 95/98/2000 Windows disc for some re-installations just to update the network files.
If you are not connected, you will need to remove Microsoft's Client for Networks in your Network Neighborhood and all the others. So write down everything in Network: write down your DNS numbers and your gateway, note what type your network card is (make and model), and all you see in Network Neighborhood, so you will be able to fix and set up your network with this information. Then after you reinstall and restart you will be prompted for a new user and password; make it at least 10 characters long (1b3m5b6k1j). It's your life!!! WRITE IT DOWN.
In an emergency without a Windows or restore disc, you can point it at c:\windows and c:\windows\system; on Win 2000 it's c:\winnt and c:\winnt\system. Your old drivers will be found and used. If not found in one, type in the other as above.
LINKS FOR OTHER SECURITY HELP
There are proxy servers for the PC that provide great firewall-type port protection. These server programs that run firewall-type protection are excellent. TRY WinProxy, Proxy+ 2.3 and Microsoft Proxy Server 3.0 at www.download.com. Questions: send to abuse@beyondinfinity.net
VIRUS TIPS. Run McAfee daily for new bugs. If you find one you cannot repair or remove, you can delete it manually. First check where that file is located in your PC with Find from your Start button. If the file belongs to a program you use and you do not have backups, then you will lose the program; it may not function correctly and it might need to be reinstalled. So if it's OK to get rid of this bug, just right-click the file and delete it. Empty your trash too. Running two virus programs is better than one: what McAfee can't find, Norton can, and vice versa. For all you curious people who look for hacking-type programs, remember this: you will install a program written by hackers. Case in point, Back Orifice or SubSeven can be someone's way into your PC. If you're not a programmer, don't go there; it's for a long, healthy PC life. Yours.
McAfee has a new version out, 6.0 and up, that is great. It looks for Trojans ("back doors").
Norton's new version was just as good; you choose. It also looks for Trojans ("back doors").
LINUX® TIPS
Soft passwords are a killer: use a minimum of 10 characters (12345678910), no less, always more. Here are some basic Linux security setups.
Linux is full of holes; it's like a house with all its doors open. Just out of the box, stock, you're running over 65000+ ports and up to 200 different services. So you go through the services manager and stop the processes, turning off a few services at a time, so if you do something wrong you can undo your last two or three services.
On Linux 6.1 to 7.2 you still should modify your services file (example). In older 4.2 to 5.2 versions of Red Hat, in /etc/inetd.conf you can turn off Telnet, Finger and Tftp. To add to that, edit services in /etc/services, a file Linux uses to assign ports. To stop the service, put a pound sign (#) in front of the service listed. Stop all your unused uucp and udp services and all netbios services, then move on to "shell 514/tcp cmd # no passwords used" and other shell services. So many of these port assignments are obsolete but are still in the services file; rem all of them out. Test your new services by restarting inetd, and if all is well go back into the services file and keep working at a stronger server by closing every service you can, putting a pound (#) sign in front of those lines to rem out all unused services.
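The "rem out everything except the basics" edit above, done by a script so it can be repeated after every package update. This is an added example, not from the page or from Red Hat; the function names, the constructed /etc/services excerpt and the keep list (the page's 21, 53, 80, 110 and 443) are my own assumptions. One caveat a practitioner would want: /etc/services is only the name-to-port lookup table, so commenting an entry out hides the name but does not stop a daemon that is started from /etc/inetd.conf or runs standalone on a numeric port; disable those in inetd.conf as the page describes for the older versions, then restart inetd and check what is still listening.

```python
"""Comment out /etc/services entries whose port is not on a short keep list,
and report what is still active afterwards.

Added example; the services excerpt is constructed for this demo.
"""
import re

KEEP_PORTS = frozenset({21, 53, 80, 110, 443})   # the page's basics

SAMPLE_SERVICES = """\
# /etc/services  (constructed excerpt for this example)
ftp             21/tcp
ssh             22/tcp
telnet          23/tcp
domain          53/tcp
domain          53/udp
tftp            69/udp
finger          79/tcp
http            80/tcp          www www-http
pop3            110/tcp         pop-3
netbios-ns      137/tcp
netbios-ns      137/udp
https           443/tcp
shell           514/tcp         cmd             # no passwords used
"""

# name  port/proto  [aliases...]  [# comment]
ENTRY_RE = re.compile(r"^\s*(\S+)\s+(\d+)/(tcp|udp)\b")


def harden_services(text, keep=KEEP_PORTS):
    """Return (new_text, remmed) where remmed lists the (name, port, proto)
    entries that were commented out. Blank lines, lines already commented and
    entries for kept ports pass through untouched, so running it twice is safe."""
    out, remmed = [], []
    for line in text.splitlines():
        stripped = line.lstrip()
        m = ENTRY_RE.match(line)
        if not stripped or stripped.startswith("#") or m is None:
            out.append(line)
            continue
        name, port, proto = m.group(1), int(m.group(2)), m.group(3)
        if port in keep:
            out.append(line)
        else:
            out.append("#" + line)          # rem it out, keep the original text
            remmed.append((name, port, proto))
    return "\n".join(out) + "\n", remmed


def active_ports(text):
    """The (port, proto) pairs still uncommented in a services file."""
    active = set()
    for line in text.splitlines():
        stripped = line.lstrip()
        m = ENTRY_RE.match(line)
        if stripped and not stripped.startswith("#") and m is not None:
            active.add((int(m.group(2)), m.group(3)))
    return active


if __name__ == "__main__":
    new_text, remmed = harden_services(SAMPLE_SERVICES)
    print(new_text)
    print("remmed out:", remmed)
    print("still active:", sorted(active_ports(new_text)))
```

To apply it to a real system, read /etc/services, keep a dated backup of the original, write the new text, then restart inetd as the page says and confirm with the running-services check that nothing you still need disappeared.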
A test example of /etc/services: "HERE"
Stopping unused programs further adds to the protection you need for a well-rounded security plan. To disable the following: in /usr/bin change Telnet, Tftp, grep, pico and emacs to 644 so they are not executable, or move them. In Linuxconf or a file manager find file permissions and change /home/httpd to 715, /etc to 711 and /usr to 711. Now, all this still does not prevent all hack attacks, but it will slow them down. Then with Tripwire or Tri-sentry, programs that track file changes, you can look at the most recent changes. Hackers use a command in Vi that can copy a file, change it and then match its size; yes, matching the size so you won't think it has been changed. This is where Tripwire comes in. There are other file-checking programs you can use; look at www.techtv.com for good, sound Linux security tips too.
After you have made your changes as root, use the su command to change user to yourself; if no account existed, make one, then su from root to yourself. Never leave your Linux box running as root.
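What Tripwire does against the size-matching trick above, reduced to its core: record a hash of every file, not just its size, and compare later. This is an added example, not Tripwire's or Tri-sentry's code and not from the page; the function names and the constructed files in `demo()` are my own. The demo baselines a small tree, then edits one file while keeping its byte length identical, adds one file and removes another, and shows that the hash still catches the edit.

```python
"""Tripwire-style file integrity check: baseline size and SHA-256 per file,
then report what changed. A same-size edit still changes the hash.

Added example; file names in demo() are constructed.
"""
import hashlib
import json
import os
import tempfile


def fingerprint(path):
    """Size plus SHA-256 of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": os.path.getsize(path), "sha256": h.hexdigest()}


def build_baseline(root):
    """Map relative path -> fingerprint for every regular file under root."""
    base = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            base[rel] = fingerprint(full)
    return base


def save_baseline(base, path):
    # Keep the baseline off the watched tree (read-only media or another host
    # is better still); otherwise an intruder can edit the baseline as well.
    with open(path, "w") as f:
        json.dump(base, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(base, current):
    """Report added, removed and modified files; 'size_preserved' lists the
    modified files whose size did not change, the case a size check misses."""
    report = {"added": sorted(current.keys() - base.keys()),
              "removed": sorted(base.keys() - current.keys()),
              "modified": [], "size_preserved": []}
    for rel in sorted(base.keys() & current.keys()):
        if base[rel]["sha256"] != current[rel]["sha256"]:
            report["modified"].append(rel)
            if base[rel]["size"] == current[rel]["size"]:
                report["size_preserved"].append(rel)
    return report


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline three files, tamper with one keeping its
    size, add one, remove one. Returns the comparison report."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "bin/login", b"original login binary 1234")
        _write(root, "etc/passwd", b"root:x:0:0::/root:/bin/sh\n")
        _write(root, "etc/motd", b"welcome\n")
        baseline_file = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), baseline_file)
        _write(root, "bin/login", b"original login binary 1235")   # same length, one byte differs
        _write(root, "etc/extra.bak", b"new file")
        os.remove(os.path.join(root, "etc", "motd"))
        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run `build_baseline` and `save_baseline` right after the permission changes above, while the system is known clean, and compare on a schedule; a modification timestamp can be reset by an intruder just like the size, which is why the report is driven by the hash alone.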
Use the information at www.redhat.com: updates and patches for everything. Sendmail and CGIs are at risk if you allow CGIs to run Sendmail without restrictions on origin masquerading. In the services file put a # sign in front of everything except 21, 53, 80, 110 and 443; that's it.
Use filters, and as far as web servers are concerned, Linux is the best and Red Hat has the most complete packages and source code for every need. TIP: get PortSentry up first. Then in /etc/services turn down Telnet, Tftp, Shell, rlogin and others you don't use. You do need ports 21, 53, 80, 110 and 514 for syslog; these are the basics.
Tri-sentry is new: PortSentry, LogSentry and HostSentry all working together. Get PortSentry running ASAP!!
PortSentry provides three rule sets for port restrictions. Use rule set #2 and add 7, 137, 111, 513, 514, 1020, 4480 and 1080. You can download it from your GNOpro located in the System menu.
PortSentry is a great program that can prevent attacks. It is effective. Set your warn level to 0. This way your attacker gets logged in three files at one time, and all you need is one to stop him or her. When you create a third log file, name it something that is not normal and off the root path. When a hacker is good, that good hacker can and will get you; it's only when . How bad it is can be limited if you do as much as possible to upgrade, patch and respond to your logs. Try read-only file systems on /httpd and / with no editing access; this helps for private use.
Using PortSentry, try port rule set #2 on both TCP/IP and UDP ports to stop scans of your ports. Then check to see whether your named services are not running, or are odd, or crashing; the named daemon needs more child processes in your Linuxconf. And for that hang-up, we're working on a second cache-cleaning script to post. And get Strobe up and running to stop runaway dot-commers! This will automatically adjust for the load of extra traffic.
After setting up PortSentry I change the locations of both files to protect the log from getting deleted by the hacker, and for even further protection use different file names, like the bad ones. Deny: if you even change the directories they are in, that is better than the stock setup. Just make the file where you want it, then correct the path in portsentry and httpd.conf; this just adds to the make-up of additional firewalling.
Firewalling in Linux is frustrating and time-consuming, so if you must, start with blocking and add one thing at a time for easy corrections. Start with header rules and move on to other packet filters. If you want to block IPs, do it in /etc/hosts.deny. But if you put up PortSentry, that's automatic.