[Dshield] blocking the DSL hacker

INTERNET ABUSE TEAM abuse at allover.ca
Mon Jan 23 21:35:31 GMT 2006


First, I would like to say hello! This is my first post here, and I must say
I should have started long ago.

David is quite correct to mention that IPSEC is a very useful security tool
in WINDOWS XP or 2000. We have used it very successfully in the past to
create rules that either allow or deny access to services and the ports
associated with them.

When installing WINDOWS XP or 2000, you should always unplug the network
cable during the initial installation and then employ an IPSEC policy to stop
any network-borne worms from getting you off on the wrong foot, before
re-connecting the cable and going online. I am sure there are other ways to
do this. Just make sure you think about it before installing Windows.

IPSEC can be time consuming to set up and is not flexible (it does not ask
you if you want to allow or deny connection) but it is very effective. It
requires research on your behalf, to see what ports you will be using and
integrate that into your IPSEC policy. 

We have run several server systems without any IDS (intrusion detection) to
speak of and used only IPSEC and PORT FILTERING to stop all the nasties. The
nice thing about IPSEC policies is you can save them as a REG file for use
on any XP or 2000 PC. This makes deployment across domains and networks as
simple as a batch file.

Another trick to use for DSL security is to employ 2 routers. Set one router
to statically get its address from the other - i.e. one router "WAN" is
connected to your modem. You then select a non-standard LAN address range
like 10.10.10.1 and turn off DHCP.

You then connect the second router to any LAN port on the first one and set
it to get an IP statically from the first router, i.e. 10.10.10.100 /
255.255.255.0, gateway = 10.10.10.1. You can set the local address space of
the second router to another LAN range like 192.168.0.200. Now you connect
your PC to the second router and it gets its IP dynamically, "192.168.0.2xx".
So you see now how a potential intruder will be confused if he tries to
weasel his way into your LAN through the WAN and cannot find any PCs.

Regards,
G. Bryce
Sys-Admin
KrogNetix/AllOver.ca
Vancouver Canada
-----------------
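
The inbound-NetBIOS-blocking IPSEC policy described in this message and in David Taylor's quoted reply below, as an added example script that is not from either post or from the UPenn guide. It assumes Windows XP SP2 or Server 2003 (where the `netsh ipsec static` context exists; Windows 2000 and XP SP1 need ipsecpol.exe / ipseccmd.exe instead), and the policy, filter list and rule names are our own choices.

```batch
@echo off
REM Added example: build and assign an IPSec policy that drops inbound
REM NetBIOS/SMB and RPC endpoint-mapper traffic from any address.
REM Assumes "netsh ipsec static" is available (XP SP2 / Server 2003).
REM All names below (BlockNetBIOS, NetBIOS-In, Block, Drop-NetBIOS) are
REM our own labels, not anything from the list posts.

set POLICY=BlockNetBIOS

REM 1. Create the policy object (it is not active until assigned).
netsh ipsec static add policy name=%POLICY% description="Block inbound NetBIOS/SMB/RPC"

REM 2. Filter list: any source -> this machine ("me") on the ports worms
REM    probe most. srcport=0 means any source port; mirrored=no keeps the
REM    filter inbound-only so outbound connections are not affected.
netsh ipsec static add filterlist name=NetBIOS-In
for %%P in (135 139 445) do (
    netsh ipsec static add filter filterlist=NetBIOS-In srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=%%P mirrored=no
)
for %%P in (137 138) do (
    netsh ipsec static add filter filterlist=NetBIOS-In srcaddr=any dstaddr=me protocol=UDP srcport=0 dstport=%%P mirrored=no
)

REM 3. A "block" filter action and a rule that ties the list to it.
netsh ipsec static add filteraction name=Block action=block
netsh ipsec static add rule name=Drop-NetBIOS policy=%POLICY% filterlist=NetBIOS-In filteraction=Block

REM 4. Assign the policy (takes effect immediately) and show it to verify.
netsh ipsec static set policy name=%POLICY% assign=y
netsh ipsec static show policy name=%POLICY%

REM netsh equivalent of the "save it and reuse it" step in the post
REM (the MMC snap-in / REG export route works too):
REM   netsh ipsec static exportpolicy file=%POLICY%.ipsec
REM   netsh ipsec static importpolicy file=%POLICY%.ipsec
```

This also drops legitimate inbound file-and-print sharing to the machine; if that is needed from the LAN, add a more specific permit filter for the LAN subnet (srcaddr=<LAN net> srcmask=<LAN mask>), since IPSec evaluates the most specific matching filter first.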

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of David Taylor
Sent: Monday, January 23, 2006 6:09 AM
To: 'General DShield Discussion List'
Subject: [ABUSE] Re: [Dshield] blocking the DSL hacker


Others on the list have given some good advice.  Rebuilding a machine that
has been compromised by Internet based worms is your only option if you want
to regain the trust of the system.

Some have advised on using software/hardware based firewalls which is a
great added layer of security.  One other thing you might consider is using
IPSEC security policies as well to block evil inbound traffic.  There is
actually a lot you can do with IPSEC to control Internet traffic but in its
simplest form you can block inbound traffic to the NetBIOS ports.  I put
together a guide for this simple scenario if you want to take a look.  It
includes the most commonly attacked ports.

http://www.upenn.edu/computing/security/IPSEC.pdf


==================================================
David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security 
Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/
================================================== 

SANS - The Twenty Most Critical Internet Security Vulnerabilities 
http://www.sans.org/top20/

SANS - Internet Storm Center
http://isc.sans.org

irc.freenode.net #dshield
http://freenode.net/



-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Mel
Sent: Saturday, January 21, 2006 4:48 PM
To: list at lists.dshield.org
Subject: [Dshield] blocking the DSL hacker




My friend's Earthlink DSL account has become useless lately.
As soon as the computer is turned on a constant barrage begins coming from
diverse machines on the Verizon network (70.20.x.x).  Most attempts seem to
be NetBIOS in nature, but it isn't very long, maybe as short as ten minutes,
until my friend's machine is full of viruses and begins acting very unstable.
We tried to get to the AVG website to update the anti-virus but always get
infected before we could wend our way to the AVG site in Germany.  We have a
Linksys router on hand but don't know anything about putting it to use. I
remember reading on the Dshield forum that a router would be helpful in
stopping intrusions. We are using a Netopia modem.  Can someone please point
us in the right direction?  Thanks many many in advance.
Mel.

This message was sent via the web forum at http://forum.dshield.org

_________________________________________
Learn about Intrusion Detection in Depth from the comfort of your own
couch:
https://www.sans.org/athome/details.php?id=1341&d=1

_______________________________________________
send all posts to list at lists.dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list

