  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 538

Steps to be taken once Hacking is detected.

Hi all,
  I would like to know what steps we need to take if we detect a port scan or intrusion attempts on our network. I can find the IP address of the originating machine, but this is usually spoofed, so blocking the IP may not be a good solution. What would be the best way to block any further packets from them?
  We are behind a firewall.
  This is just for information purposes. Any links on this would also be good.

Regards

Anup
0
3 Solutions
 
Cyber-DudeCommented:
All you need to do is to shut down any ICMP service running, you can do this via Firewall... in case you have port scan and any ICMP service is down, it is very hard for the intruder to get any information on your machine.

What Firewall software you use?

Also, you may use a good spyware remover other than the AV/Firewall software...


Cyber
0
 
anupnellipAuthor Commented:
I think ICMP only prevents ping response or other messages, but I don't think it prevents connection to ports.
0
 
martinseegerCommented:
Hi,

There are several things that can be done:

a) Inform the provider of the originating address. Perhaps he has been hacked too. Use
    "whois" to get the email address.

b) Check if the attacker gained access to your system. On which ports did/could he get
    through the firewall? Are you vulnerable on these ports?

c) If the attacker gained access to your systems: re-install them. Never try just to
    clean the system.

d) Check out the attack: What did he try? Is it a new attack? Do you need to update
    your firewall? Sometimes a newer version has special features to stop attacks
    (e.g. SmartDefense from Check Point).

e) If you're curious, nasty and have a lot of time: set up a honeypot system.
    See http://www.tracking-hackers.com/papers/honeypots.html for more info.

Regards,
   Martin

P.S. These are just very general recommendations. Can't say more without knowing more
       about the attack.



0
 
anupnellipAuthor Commented:
Hi,
 Thanks for the response. Well, I do not want to wait till the attacker gets into my system. I know that someone is trying to port scan my network. Now I want to block all access to this person. How do I do it? I can do it by blocking the originating IP address, but as you know most of the hackers use spoofed IP addresses so there is no use blocking them.
 I have not been hacked, but I can daily see port scans on my firewall log. I would like to block them from any access in the future. Is it possible?
0
 
martinseegerCommented:
Hi,

> I know that some one is trying to port scan on my network

Depending on the firewall you can configure the following:

If more than X dropped connections from one ip address in less than Y seconds, then block
all traffic from that ip address for Z minutes.

This is very good to make port scans a lot more work for the dark hats.

Regards, Martin
0
 
ahoffmannCommented:
Configure your firewall to drop any incoming connection request (except for your hosts with public services like smtp, http, ...)
0
 
Cyber-DudeCommented:
ICMP indeed blocks messaging system but it prevents an attacker from gaining important info on your system as well. Also, if you install a Firewall (something like Sygate Firewall) you can track applications while transmitting outbound... This will eliminate the chance of anyone hacking into your system. Also, through such a Firewall you can track any packet header to review any possible spoofing, thus being able to get to the true IP ID.

Cyber
0
 
Tim HolmanCommented:
Port scans are rarely spoofed! If they were, then the port scanner wouldn't get any information back! ;)
I wouldn't bother blocking port scans and other hacking white noise - it's simply not worth the effort, and besides, if you're all properly patched and up to date, what benefit would you get in tracking an IP address down to somebody's DSL connection in Korea? What are you going to do? Sue them? Fly out and ask them nicely to stop? What if their machine has been compromised and is being used indirectly by another hacker in the US?
It's just not worth it.
I would make sure you carry out regular vulnerability scans and have a strict patch management policy, to make sure people can't get in.
Do you have explicit Internet-connected resources you want to protect? e.g. a www server?
0
 
bbaoIT ConsultantCommented:
Agree with tim_holman.

The key is to make sure your site can run stable as you expect. What I want to say additionally is to check your firewall log instantly; if the connected rogue IP keeps appearing in the log, you may consider blocking it even if it might be an indirect address for the hacker.

Checking logs is a good habit for any network administrator, for learning how your system performs and what the hackers do; they are the basis of defining your own firewall strategy and policies.
0
 
Rich RumbleSecurity SamuraiCommented:
Every point Tim made is correct - spam is spoofed - scans are not - typically - DoS attempts use spoofed packets - but not scans. Allow only necessary ports in (port 80, 443, smtp etc...) and lodge a complaint with the ISP or provider you detect the scan coming from.
-rich
0
 
pjcrooks2000Commented:
Switch the firewall off :)  then after a while switch it back on!
0
 
anupnellipAuthor Commented:
Thanks guys, lots of useful info.

Can anyone give me a link to some good reading?


thanks again

Anup
0
 
bbaoIT ConsultantCommented:
the BOOK recommended:

Inside Network Perimeter Security: The Definitive Guide to Firewalls, Virtual Private Networks (VPNs), Routers, and Intrusion Detection Systems
http://www.amazon.com/exec/obidos/ASIN/0735712328/qid=1094535732/sr=ka-3/ref=pd_ka_3/103-2137852-0030210

the online READING recommended:
Tech-encyclopedia.com - Network Security  >  IDS
http://www.tech-encyclopedia.com/ids.htm

hope it helps
bbao
0
 
Cyber-DudeCommented:
tim_holman,
I don't have the money to fly over and tell them to 'stop', nor do I think it is worthwhile... but thanks for the idea...

I thought more in the direction of blocking those addresses via constructing a well-built rulebase, but that's another story...

anupnellip,

Background:
You don't have to own the best software in the world and you don't have to build the best architecture; all you need to know is some TCP/IP basics and healthy logical thinking. IT security is something extremely complex and every user has merely its own security architecture...

In case someone is trying to hack you, you need to know the source of the attack and what kind of attack it is, and just block it - just as simple as that. You can do more by tracing the attacker down and doing some funny things to it but, same here, that's another story. To block whatever the attacker wishes to do you need to stop sharing any information that may disclose who you are, what OS you use and who you are logged on as; and you can gain such info without working so hard, but yet it is valuable info. Blocking the ICMP may answer manually part of those problems (and, yes - you don't need any Firewall to do this). But it is not ending here; you need to think whether you commit transactions through the Internet or you have any direct connection to the office; whether you pull mail from an Exchange-like server or you use any VAX-like clients; this should prepare all different thinking.
It's nice to use VPN, but what kind of VPN? Say you use a VPN session, do you surf the Internet at the same time? A standard VPN client won't protect you at all due to the fact that multisession action may cause the VPN to be insecure and, worse, may disclose information about your network architecture...
IDS systems are not applicable and adjustable to anyone; it so much depends on what you do...

Summary:
To sum things up: if you are a home user who fears that someone may scan your computer, try to use simple Firewall software to provide you with basic protection, and if you use common sense and you manage some important information on that computer, do not use any software like eMule (I could easily hack into an eMule client and learn many factors I needed to know on PCs running that client) due to the reason that it breaks all security levels you have. Also, run Anti-Spyware software as well as AntiVirus software. If you are an organization type of user and you use your PC to remotely access sensitive information, you will have to use a high level of security architecture.

Tip:
You can block all ports on your local computer without using any 3rd-party software via the TCP/IP filtering you have in Windows 2000/XP. In Windows XP you have the ability to make even more adjustments.

Links:
Some nasty port scanner (to understand why ICMP blocking is essential):
http://knocker.sourceforge.net/

How web hosts are handling port scanning:
http://www.webhostingtalk.com/archive/thread/159755-1.html

What do Personal Firewalls mean?
http://www.theregister.co.uk/2001/11/12/personal_firewalls_are_futile/

And what do hackers think about them?
http://keir.net/firehole.html


Hope that sums things up

Cyber
0
