the creature

[wo1men5iuw]

,健康シューズ mbt

| Back to logs list

816984 2010 年 06 月 17 日 19:43 Reading (loading. ..) Comments (1) Category: Personal Diary
network is a big stage, the arena security staff are not only composed of elements are also hackers. Attack and defense naturally become the subject of debate between the two. For some important sectors, once the network attack, how to trace network attacks, traced to the attacker and bring them to justice, it is very necessary. The following article sub-network of local tracking and tracing of two parts.
local tracing method
tracking network attacks is to find the source of the incident. It has two meanings: First, the IP address found, MAC address authentication or host name; the second is to determine the identity of the attacker. Attacks in the implementation of the attack or after, will inevitably leave some clues, such as registry records, and changes the file permissions for the virtual evidence, how to handle the virtual evidence is the biggest challenge to track network attacks.
attacks in the tracking network to another issue to consider is: IP address is a virtual address rather than a physical address, IP address can easily be forged, most of the network IP address spoofing by the attacker techniques. To trace the source of attacks that is not correct. Making the IP address of the base to find the attacker more difficult. Therefore, we must use some method to see through the deception the attacker to find the real IP address of attack source.
netstat command to look at the text ---- real blow,
use the netstat command to test the host connection access to all Internet users IP address. Windows family,Mood Diary - Qzone log, Unix series, Linux and other commonly used network operating systems can use the
use the To do this, you can use Scheduler to create a schedule to arrange the system at regular intervals using a Tracking the use of network attacks.
log data - the most detailed records of attacks
system log data provided detailed user login information. In tracing network attacks, these data are the most direct and effective evidence. However, some system log data is imperfect, the network attacker will often log their own activities removed from the system. Therefore, the need to take remedial measures to ensure the integrity of log data.
Unix and Linux, the log
Unix and Linux, more detailed log file records the user's various activities, such as the login ID of the user name, user IP address, port number, log in and out of time and last login time for each ID, login terminal, perform the command, the user ID of the account information. This information can be provided by ttyname (terminal number) and the source address is the most important attacks to track the data.
Most of those attacks
will record their activities deleted from the diary,mbt 健康シューズ 激安, and UOP and X Windows-based activities are often not recorded, to the tracker difficult. To solve this problem, you can run the wrapper in the system tool that records the user's service request and all the activities, and not susceptible to network attacks are found that can effectively prevent network attacks to eliminate the record of their activities.
Windows NT and Windows 2000 log
Windows NT and Windows 2000 are the system logs,2010-12-12 - Qzone日记, security logs and application logs three logs, and security-related data included in the security log. Security log records the login information of users. Security log data is determined by the configuration. Therefore, it should be configured according to security needs and reasonable in order to be assured that the data necessary for system security.
However, Windows NT and Windows 2000 security log there are significant flaws, it does not record the source of the event can not be based on the data in the security log to track the attacker's source address. To solve this problem, you can install a third party to complete the recording of audit data tools.
firewall logs
as a network system in the Therefore, the firewall log data is not relatively easy to modify, its log data to provide the best information on the source address of attack source.
However, the firewall is not impossible to break through, it's log may also be removed and modified. An attacker can launch denial of service attacks to the firewall, the firewall or at least reduce the rate of paralysis makes it difficult to make a timely response to events, thereby undermining the integrity of the firewall log. Therefore, the use of firewall logs, you should run the special tool to check the integrity of the firewall log, to prevent incomplete data obtained, thereby adversely affecting the tracking time.
network intrusion tracking method
intruder tracking (Intruder Tracing) in the local network you may have heard the so-called is prepared to receive the object.
intruder tracking (Intruder Tracing) in the local network you may have heard the so-called is prepared to receive the object. But this is only on the local network can be implemented, because the few machines on the local network (and Internet than up). If, as is the tens of millions of hosts on the Internet, the data broadcasting can not be implemented (as to be regarded as a limited type IP Multicast broadcast Restricted Broadcast, only the designated machine will receive, Internet or other computers will not be received) . Can be implemented on the assumption of non-qualified Internet radio, it simply an issue a broadcast message, the world's computers are affected, would not the world chaos? Therefore, any local area network within a network router or similar equipment will not within their local network broadcast message transfer out. WAN Port event received in the broadcast message, it will not turn into its own in the LAN Port. And since the network Jieyou letter station and receiver station to mark the message sender and message receiver, unless the other side of the packet is encapsulated using some special way or use a firewall's external connections, so as long as people and your host communication (send a letter or telnet, ftp over are considered) you should know each other's address, if the other party to use a firewall to communicate with you, you should at least be able to know the location of the firewall. It is because if someone with your connection, you will be able to know each other's address, then the position to know each other but do not do the question. If the person is through a UNIX host and your connection, then you can also be found through the ident who is connected with you. In the implementation of TCP / IP protocol on the computer, you can usually use the netstat command to see the current status of the connection. (Our friends in the win95, Novell, and UNIX try (note a), in the following, the connection of the, netstat command is implemented on win95 to see the current own machine (Local Address department) has a host telnetport workstation.variox.int by remote (Foreign Address Service) connection with the 1029 numbers came in and tcp port. but also ftpport cc unix1 host connected to the workstation.variox.int go. all clearly see the connection status . (such as A, B)
A. In the UNIX host (ccunix1.variox.int) see netstat
B. the other end of the Windows95 (workstation.variox.int) see netstat,
course, if you want to record for the network connection
recorded, you can use to run a regular cron table:
netstat>> filename, but UNIX systems already take into account this requirement, so there is a full-time in the system log system events Daemon: syslogd, there should be a lot of friends all know that in the UNIX system, / var / adm below two systems log file: syslog and messages, one is the general system of records, one is the core of the record. But these two files come from which side, but also how to set it?
1. the circumstances: a variety of different circumstances to the following string to decide.
auth system security and user authentication on the side
cron scheduled to run automatically on the system (CronTable) area
daemon program on the background area
kern on the core aspects of the system
lpr on the printer side
mail on the e-mail,
news on the News Forum aspects
syslog record on the system per se
user on the user side
uucp on UNIX each copy (UUCP) area
above is most UNIX systems will in some cases, and some UNIX systems may further separate the different items out.
2. what extent was recorded:
Here are a variety of system conditions the degree of order in accordance with priorities.
none Do not record this one
debug a program or system itself debug message
info General Information
notice to draw attention to ######
err errors
warning warning
crit more serious warning
alert warning that further serious
emerg have been very serious
Similarly, a variety of UNIX systems may have different degree of representation. Some systems do not crit and alert other distinguish the difference, and some degree of the system will have a greater variety of changes. In the records, syslogd will automatically set the level you are on it and be recorded. For example,mbt 激安 m.walk, you want the system to record the info level event, the notice, err.warning, crit, alert, emerg, etc. in the info will be more than one level was recorded. 1,2 items to the above written together with the decimal point is the complete For example, on the e-mail system mail.info said the general message. auth.emerg is serious about the security aspects of the message.
lpr.none that do not record the message on the printer (usually used in a number of conditions combined record). In addition, there are three special symbols available in:
1. star (*)
asterisks represent a breakdown of all items. For example, that as long as the mail .* mail, no matter what degree have recorded. The *. info for the info will all levels of events to record.
2. equal (=)
equal sign indicates that only the level of the current record, not its level on record. For example, just an example, write down the info usual level, it will also put in the info above the level of notice, err.warning, crit, alert, emerg, and other levels are also recorded. But if you write = info info is to only record the level of the.
3. exclamation (!)
exclamation point that is currently not recorded on this level as well as its level.
syslogd
offer the following general pipeline system for your records what happened:
1. General file
This is the most common way. You can specify the file path and file name of good, but it must be the directory symbol For example, / var / adm / maillog says to log into / var / adm following called maillog file. If you have not this file, the system will automatically generate a.
2. specified terminal or other equipment
the system you can record or write a terminal device. If the system records written to the terminal, the terminal is currently being used directly on the screen the user will see the system messages (such as / dev / console or / dev/tty1. You can get a special screen to display system messages). If the system writes records printer, then you will have a long record of printing paper over the system (such as / dev/lp0).
3. specified user
here you can also list a bunch of user names,Women must see before going to bed Yoga - Qzone log, those user if just on the line, they would see in his terminal system message (such as root, note the user name when writing Do not front together with other words).
4. specified remote host
The wording is not connected to the system log messages on the local machine, and recorded in the other host. In some cases the system encountered a disk error, or if the host was down, broke the hard disk, you get the system to record, to which side it? The network card as long as you do not break it, should be much more than the hard drive ruggedness. So if you feel some cases no way to record into the hard drive storage, you can throw the system records the other host. If you do this, you can write down the host name, host name and then adding
e-mail tracking method
In all of these records
the way, do not email this. Because e-mail recipients to wait to see prepared to receive it, in some cases may be very urgent, can not wait for you to get the letter of view (BSD's Manual Page says .. These are the syslog level of the record and written record of the way, you readers can record their own needs in accordance with his own need. But these records are been piled up, and unless you delete the file itself, otherwise these files will be increasing. Some people may syslogd.conf to write :*.*/ var / log / everything, If so, of course, all cases have been recorded by you. However, if the system is really an accident, you may want dozens or even hundreds of MB MB to find the text of a problem in the end is which, so you may be a little help at all. Therefore, the following points can help you quickly find important records of the content:
1. periodic inspection records
develop a weekly (or shorter time, if you have free time) to see a log file of the habit. If you need to back up the old log files, you can cploglog.1, cploglog.2 ... or cploglog.971013, cploglog.980101 ... etc,
log files will expire in accordance with the serial number or date of deposit together is easier when the next inspection.
2. only records the useful things
do not like the previous example, record *.*. And then placed in a file. Such an outcome would lead file is too large, could not immediately find information to find out. Internet communication was in the record, even he who is going to ping the host are recorded. Unless the system has been a great threat, nothing was like trying to get into your system,MBTシューズ Chapa, or such trivial matters can not record. Can improve system efficiency and reduce a little hard usage (of course save you time.) How to find out the tracking geographic location of the intruder? Just look at IP addresses may not see it,high top nike dunks, but you always look at it, you will find will find the law. Solid fit in the network environment, network intruders, and providers must have a close relationship. Because the assumption is that local area network, then a few kilometers away from the absolute no. Even dial-up well, and few people would spend large sums of money allocated to other counties or even dial-up servers overseas. Therefore,mbtシューズ, as long as the identified line unit, the intruder must not far away from the connection unit.
dial-up network is more cause for headache. There are many ISP in order to attract customers, get a lot of what the network card. User here as long as you buy a fixed number of hours, no need to apply separately to the ISP side,MBTシューズ lami, follow the instructions on the card in their own dial-up Internet access. This course can attract customers, but the ISP to do not know who is using their network. In other words, although the network card and dial-up users of dial-up service to bring considerable convenience, but it is the enemy of security, network administrators nightmare. If the people invading your network card to use the Internet, and that ... ..., from dial-up locations check it? Intruders can not use their home phone online.
Editor's Note:
for veteran hackers, tracking will be very difficult, because the decision of victory or defeat in the network technologies, hackers have a good technology veteran and long-term flight experience. For newbie, it sometimes logs and common practices not necessarily useful, but this view makes the reader understand the basic routines to track hackers, and network for future work can bring life to help