How Machines are Compromised or "Hacked"
Network sweeps are run across broad ranges of IP addresses to "ping" large numbers of computers and learn which ones answer. Crackers who find live addresses then probe them more closely, a step known as scanning. A port scan determines several things about a computer: which "ports" (communications channels) are open, what services are listening on those open ports, and often which operating system is running, inferred from how the machine's TCP/IP stack responds.
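The sweep-then-scan pattern just described is easy to spot in firewall logs once you count distinct destinations and distinct ports per source. The Python script below is an added example written for this page, not code from ITC or from any firewall product: it assumes a simplified log record format (`<epoch> <src> <dst> <proto> <dport> <action>`, one record per line), a constructed sample log, and thresholds and a time window that are assumptions to tune for your own site.

```python
"""Flag network sweeps and port scans in firewall log records.

Assumed record format (constructed for this example, one record per line):
    <epoch_seconds> <src_ip> <dst_ip> <proto> <dport> <action>
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

Event = Tuple[int, str, str, str, int, str]


def parse_line(line: str) -> Optional[Event]:
    """Parse one record; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, proto, dport, action = parts
    try:
        return int(ts), src, dst, proto.upper(), int(dport), action.upper()
    except ValueError:
        return None


def analyze(lines: Iterable[str], sweep_hosts: int = 8, scan_ports: int = 10,
            window: int = 300) -> Dict[str, List[tuple]]:
    """Return {src: [findings]} for sources whose traffic looks like reconnaissance.

    A "sweep" is one source touching at least sweep_hosts distinct destinations
    within one window; a "scan" is one source touching at least scan_ports
    distinct TCP/UDP ports on one destination within one window.  Windows are
    fixed buckets of `window` seconds: cheap, but a burst straddling a bucket
    boundary is split across two buckets and may be missed, so keep the
    thresholds conservative.  Both DROP and ACCEPT records are counted, because
    a sweep of live hosts that permit ICMP shows up as ACCEPTs, not DROPs.
    """
    hosts = defaultdict(set)   # (src, bucket) -> {dst}
    ports = defaultdict(set)   # (src, bucket, dst) -> {dport}
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        ts, src, dst, proto, dport, _action = event
        bucket = ts // window
        hosts[(src, bucket)].add(dst)
        if proto in ("TCP", "UDP"):
            ports[(src, bucket, dst)].add(dport)

    findings: Dict[str, List[tuple]] = defaultdict(list)
    for (src, _bucket), dsts in hosts.items():
        if len(dsts) >= sweep_hosts:
            findings[src].append(("sweep", len(dsts)))
    for (src, _bucket, dst), dports in ports.items():
        if len(dports) >= scan_ports:
            findings[src].append(("scan", dst, len(dports)))
    return dict(findings)


def constructed_sample() -> List[str]:
    """Constructed log: 10.0.0.5 ICMP-sweeps 192.0.2.1-12, then probes twelve
    TCP ports on 192.0.2.10; 10.0.0.9 is an ordinary Web client."""
    lines = [f"{1000 + i} 10.0.0.5 192.0.2.{i} ICMP 0 DROP" for i in range(1, 13)]
    probed = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]
    lines += [f"{1020 + i} 10.0.0.5 192.0.2.10 TCP {p} DROP" for i, p in enumerate(probed)]
    lines += [f"{1040 + i} 10.0.0.9 192.0.2.10 TCP {p} ACCEPT"
              for i, p in enumerate([80, 443, 80, 80])]
    lines.append("not a log record at all")   # malformed lines are skipped
    return lines


if __name__ == "__main__":
    for src, hits in sorted(analyze(constructed_sample()).items()):
        for hit in hits:
            print(src, *hit)
```

Run against the constructed sample, only 10.0.0.5 is reported, once for the 12-host sweep and once for the 12-port scan of 192.0.2.10; the ordinary client 10.0.0.9 is silent. To use it on real data, replace `parse_line` with one that understands your firewall's own record layout and leave `analyze` as it is.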
Once machines with vulnerable ports or services are located, exploits are used to gain access to them. An intrusion generally has two parts: a service exploit and a "root" kit. Service exploits use flaws in a program (a buffer overflow, an insecure default, a privilege misconfiguration) to obtain a command prompt, usually with only the limited rights of the service that was broken. From that prompt the intruder looks for a way to gain administrative ("root") access; a root kit is then installed to hide the intrusion, replacing system programs or kernel components so that the intruder's files, processes and connections do not show up, and to preserve that access across reboots. In combination, these give an outside intruder instant access to anything desired on the victim's computer.
Conquered machines are put to many uses. Among the most common are denial of service (DoS) attacks against other sites, further scanning for more conquests, and hosting unauthorized services such as warez distribution and illegal file servers.
Preventing Compromise
The type of defense depends on the use of the computer.
| Purpose | Security Method |
|---|---|
| My machine does not need to be network visible. | Block all inbound connections (or keep the machine behind a firewall or NAT). This dodges sweeps and scans entirely, and crackers will never even know that your machine is there. It is probably the most fool-proof way to stop crackers, but it only stops attacks that arrive over the network; malicious e-mail attachments and downloads still get through. |
| My machine needs to be visible but does not run any of the common services that get exploited. | Close all unused ports. A cracker who sees all the common ports reported as "closed" or "filtered" will usually be discouraged and move on to an easier target. |
| My machine needs to be visible and has a specific purpose (for example, a Web server). | Turn off every service that is not mission-critical. This brings your machine closer to the case above and makes it less appealing to crackers: the fewer services listening, the fewer there are to exploit. |
| My machine needs to be visible and runs lots of services. It is a production-level server. | Keep your machine patched and run the latest version of every program it exposes. Most vulnerabilities are fixed soon after they are publicized, so an up-to-date program is far less likely to be exploitable than an old one. Use IPSec filters (Windows) or IPChains (Linux) to set port-level access policies, so that each service is reachable only from the addresses that need it. |
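The second and third rows of the table come down to one check: compare what the machine is actually listening on against the short list of services its purpose requires. The Python below is an added example, not part of the original page or of any ITC tool. It parses constructed `netstat -an` output (the Linux layout is assumed; other systems differ slightly) and sorts each listener into keep, close or loopback-only against an allow list for a plain Web server administered over SSH; the allow list and the sample output are both assumptions for the example.

```python
"""Audit a host's listening sockets against the services its purpose requires."""
import re
from typing import Dict, List, NamedTuple, Set, Tuple


class Listener(NamedTuple):
    proto: str   # "tcp" or "udp" (IPv6 sockets are folded in as the same proto)
    addr: str    # local address the socket is bound to
    port: int


# Linux `netstat -an` layout assumed: proto recv-q send-q local foreign [state]
_LINE_RE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?")

# Constructed sample output for a machine that is supposed to be a plain Web server.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp6       0      0 :::443                  :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

# Allow list for the "specific purpose" case: HTTP, HTTPS and SSH for administration.
WEB_SERVER_ALLOWED: Set[Tuple[str, int]] = {("tcp", 80), ("tcp", 443), ("tcp", 22)}


def parse_netstat(text: str) -> List[Listener]:
    """Extract listening sockets; established or time-wait TCP sockets are not listeners."""
    listeners = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue            # headers and unrelated lines
        proto, addr, port, state = m.groups()
        if proto == "tcp" and state != "LISTEN":
            continue
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def audit(listeners: List[Listener],
          allowed: Set[Tuple[str, int]]) -> Dict[str, List[Listener]]:
    """Sort listeners into keep (required), close (network-visible and not
    required) and loopback_only (not required, but unreachable from the network)."""
    result: Dict[str, List[Listener]] = {"keep": [], "close": [], "loopback_only": []}
    for l in listeners:
        if (l.proto, l.port) in allowed:
            result["keep"].append(l)
        elif l.addr in ("127.0.0.1", "::1"):
            result["loopback_only"].append(l)
        else:
            result["close"].append(l)
    return result


if __name__ == "__main__":
    report = audit(parse_netstat(SAMPLE_NETSTAT), WEB_SERVER_ALLOWED)
    for verdict, items in report.items():
        for l in items:
            print(f"{verdict:14} {l.proto}/{l.port} bound to {l.addr}")
```

On the constructed sample the audit keeps 22, 80 and 443, tells you to close the NetBIOS session service on tcp/139 and the time service on udp/123 (both bound to every interface), and lists the MySQL listener on 127.0.0.1:3306 as loopback-only, which is invisible to the network and therefore a lower priority. On a real host, feed it the output of `netstat -an` and adjust the allow list to the machine's actual purpose; anything that lands in "close" is a service to turn off or a port for the firewall to filter.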
Windows PC Firewalls
Windows XP ships with a built-in software firewall that is suitable for simple use and is an acceptable first line of defense. If you choose to install another firewall application, however, be sure to turn XP's built-in firewall off so that the two do not interfere with each other. Note also that U.Va.'s VPN client does not work with the XP firewall. Instructions for use are here.
The Cisco VPN Client also contains a firewall that is simple but effective. If you use the Cisco VPN Client you can turn on its Stateful Firewall (see instructions here); once enabled, it filters traffic even when the VPN client is not running. If you use the Cisco VPN Client and wish to run another firewall on your machine as well, please read the caveats about running two firewalls here.
Computers that function as servers often need access control that is more configurable than a personal software firewall provides: port-level rules that say which addresses may reach which service. Windows IPSec policies can do this and are described on the Microsoft site, which gives a very clear and complete description of the application.
UNIX/Linux Firewalls
ITC's UNIX Systems group maintains a website that addresses security for the Linux and UNIX platforms.
Linux IPChains is fully documented on the Linux Documentation Project site. Note that IPChains belongs to the 2.2 kernel series; 2.4 and later kernels use its successor, iptables, which follows the same rule-chain model.
Macintosh Firewalls
Starting with Mac OS X, the operating system has been based on UNIX, and firewall functionality is built in: the IP Firewall (ipfw) packet filter inherited from BSD. ipfw has had a GUI (graphical user interface) since version 10.2. In earlier versions, and to set controls beyond the basic ones provided in the GUI, the command line interface can be used. The O'Reilly Mac Dev Center has a good document that addresses use of the command line interface for this purpose.
There are commercial applications that support previous (non-UNIX) versions of the operating system, as well as commercial applications that run on the current UNIX-based operating system. These have not been reviewed locally, however.
- Norton Personal Firewall 3.0 for Macintosh
- Intego NetBarrier (a suite that includes a personal firewall)
- IPNetSentry
