Firewall Security Tutorial
  1. #1
    Member
    Join Date
    Jan 2005
    Location
    Compton
    Posts
    102
    Ports - The Doorways to Your Computer

    When thinking about securing your machine from unauthorized access or use, consider using the analogy of trying to keep burglars out of a warehouse. Your first step would be to seal off those entrances that are not essential to the operation of the warehouse, thereby allowing you to focus your attention on specific entrances, rather than the entire building.

    Using the above analogy, substitute the word "doorways" for "ports." Ports are entrances to your machine. For instance, whenever you go to a website, you are connecting to that company's server on port 80 (unless remapped). Don't believe me? Try these two links:

    * http://www.yahoo.com
    * http://www.yahoo.com:80

    Now let's look at what "doors" are open on your computer. In order to do this we will be using a utility called Netstat. Netstat provides its user with the network status of the computer from which the command is being sent. Netstat is very comprehensive; below you will find its usage stanza:

    Code:
    Displays protocol statistics and current TCP/IP network connections.

    NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

      -a            Displays all connections and listening ports.
      -e            Displays Ethernet statistics. This may be combined with the -s option.
      -n            Displays addresses and port numbers in numerical form.
      -p proto      Shows connections for the protocol specified by proto; proto may be TCP or UDP. If used with the -s option to display per-protocol statistics, proto may be TCP, UDP, or IP.
      -r            Displays the routing table.
      -s            Displays per-protocol statistics. By default, statistics are shown for TCP, UDP and IP; the -p option may be used to specify a subset of the default.
      interval      Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+C to stop redisplaying statistics. If omitted, netstat will print the current configuration information once.
    There are a lot of options listed, but we are only concerned with the first one:

    -a Displays all connections and listening ports.

    Translation:

    -a Shows you who's in the "warehouse" and which "doors" are open.

    Now let's do a little.....hacking? Follow these steps.

    STEP 1 - Launch DOS or Command Prompt

    1. Click on the Start button on the bottom left of your screen.


    2. Next click on Run.


    3. You will be presented with the Run window which allows you to type in commands. The command we want to run is cmd to bring up the command prompt or DOS. Type cmd in the window, and click the OK button.


    STEP 2 - Execute netstat -a command

    1. Now you should be looking at the command prompt or DOS window. This is where we can type in our command: netstat -a. After you type this command, press Enter.


    STEP 3 - Reading the output

    Code:
    You should see four columns on your screen:

      * Proto(col) - This is the protocol or language being used by your system for a service. Examples are:
          o TCP Transmission Control Protocol
          o UDP User Datagram Protocol

      * Local Address - Your system name otherwise known as hostname, and the port number/name. The port number may be substituted for the name of the service being used.
          Example: localhost:http instead of localhost:80

      * Foreign Address - The name or IP address of the system you are connected to and the port number/name. The IP address is the number representation for a system name. Try the following link to see what I mean:
          o http://64.58.76.225

      * State - This lets you know what is happening on a particular port. The words we're looking for are:
          o LISTENING, an open door
          o ESTABLISHED, a door which is being used
          o TIME_WAIT, a door was used, now it's closed
    STEP 4 - Grouping, grouping, gone!

    Let's group everything according to its State. This will require opening up a blank/new document in either Note Pad, Write Pad, Word, or any other word processing software. Copy and paste the entire Netstat -a output from your DOS/Command Prompt window into your new document. Follow these steps:
    Code:
      * "Right-click" on the Title Bar of the DOS/Command Prompt
      * Select the Edit item and then select the Select All item
      * "Right-click" on the Title Bar of the DOS/Command Prompt
      * Select the Edit item and then select the Copy item
      * Go to your new document and Paste
    Ok. Let's do some grouping by State. Move all LISTENING lines together, all the ESTABLISHED lines together, and all the TIME_WAIT lines together.

    NOTE: You can find out which of these ports is opened to the general Internet public by running the Probe My Ports test. If your results are unsatisfactory and you don't have a firewall, you need to get a firewall. A firewall should be a basic component of your Internet security.

    STEP 5 - Let's go a-hunting!

    We need to identify what is actually running on these ports. First let's look in our Windows services file. This document is used to start up services on certain ports and contains a very brief description of the service. Below is the location of the file:

    Code:
    # Win 95/98 - C:\WINDOWS\SERVICES
    
    # Win NT/2k- C:\WINNT\SYSTEM32\DRIVERS\ETC\SERVICES
    Tip: Create a shortcut of this file on your desktop so that you don't have to hunt for it again:

    1. Right-click on the file
    2. Click Send to...
    3. Select desktop

    It's good to know what you actually have running on your machine so that in case you do get hacked, you know what ports you should see open. You should make sure that you don't have any Internet applications running when you compile the list. This includes, but is not limited to :
    Code:
      * AOL Instant Messenger
      * Yahoo Messenger
      * ICQ
      * Trillian
      * Internet Explorer
      * Netscape Navigator
      * Eudora E-mail client
      * Outlook or Outlook Express clients
    NOTE: Port 138, which is used by the NetBios protocol, has "well known" exploits and vulnerabilities. If you don't have a home network set up, then turn off the following services:
    Code:
      * File and Print Sharing for Microsoft Networks
      * Client Services for Microsoft Networks
    STEP 6 - Now what?

    Now you're ready to rid your machine of the dreaded "script kiddies" should you get hacked. Pay attention, grasshopper. You NEED a firewall - whether it is a software firewall, a hardware firewall, or both, you need a firewall! This will protect you 99.99% of the time, unless someone has a personal vendetta against you. So let's suppose your .01% time happens before you leave this beautiful planet, then here's what you need to do. You already have the basics down - we're just going to put it all together.

    Check the Netstat -a output against the following trojan port list. If you find the port, then click on the name of the trojan to get more information. Copy this information into another text document via copy/paste. It will come in handy later.

    1. Run Netstat -n. This will give you the IP address of the machine that is connected to you on that port (the script kiddie). Write this down as well so that you can nail them later by turning them in to their ISP.
    2. Disconnect from the Internet. The easiest way to do this is to remove the cable from your modem, and shut down all Internet applications.
    3. Run an anti-virus scan.
    4. Run an anti-trojan scan.
    5. If the description of the trojan from the trojan list noted any files in the registry, make sure they are gone. Use the same method you used to open the DOS/Command Prompt, but instead of typing cmd, type regedit. Then do a "Find" for the files listed in the description. If you find them, delete them.
    6. Reconnect your modem cable and reboot the computer.
    7. Check Netstat -a against the trojan list again to verify a "script kiddie" free machine.
    8. If you want to try and catch the culprit, open up your DOS/command prompt window like you did for Netstat and type: tracert ["script kiddies" IP]. You should have copied down the IP address from step 2. Now, before the trace gets to the IP address of the perpetrator, it will pass through the ISP first. So check the two previous IP addresses before getting to the destination. Type them into the browser the way we did with Yahoo above, and see who to report the incident to. Usually, it will be abuse@[ISP].com
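Steps 3 to 6 of the tutorial above are easy to automate once the netstat output is in a text file. The script below is an added example, not the tutorial author's code: it parses the four-column `netstat -a` output into rows, groups them by State (Step 4), names numeric ports from a SERVICES-format file (Step 5), and reports listening ports that were not in a baseline recorded earlier with no Internet applications running (the "know what ports you should see open" idea from Step 5 and the re-check in Step 6). The netstat text, the SERVICES excerpt and the baseline set are constructed samples so it runs offline; the function names are this example's own. On a real machine, paste the netstat output and point the script at the system's SERVICES file instead, and record the baseline with `netstat -an` so that both runs show numeric ports.

```python
"""Group netstat -a rows by State, name ports via a SERVICES file, and flag
listening ports missing from a baseline. Added example; sample data is
constructed and not taken from any real machine."""
import re
from collections import defaultdict

# Constructed sample of `netstat -a` output in the Proto / Local Address /
# Foreign Address / State layout. UDP rows have no State column.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    localhost:135          0.0.0.0:0              LISTENING
  TCP    localhost:139          0.0.0.0:0              LISTENING
  TCP    localhost:1025         0.0.0.0:0              LISTENING
  TCP    localhost:1046         www.yahoo.com:http     ESTABLISHED
  TCP    localhost:1047         www.yahoo.com:http     TIME_WAIT
  UDP    localhost:138          *:*
"""

# Constructed excerpt in the SERVICES file format: "<name> <port>/<proto> [aliases] # comment"
SAMPLE_SERVICES = """\
# constructed services excerpt
http         80/tcp    www www-http   #World Wide Web
epmap       135/tcp    loc-srv        #DCE endpoint resolution
netbios-dgm 138/udp                   #NETBIOS Datagram Service
netbios-ssn 139/tcp                   #NETBIOS session service
"""

# Constructed baseline: proto/port pairs seen listening with no Internet apps running.
BASELINE = {"TCP/135", "TCP/139", "UDP/138"}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return one dict per connection line; banner/header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            rows.append({"proto": proto, "local": local,
                         "foreign": foreign, "state": state or ""})
    return rows


def group_by_state(rows):
    """Step 4: bucket rows by State; UDP rows land under '(no state)'."""
    groups = defaultdict(list)
    for row in rows:
        groups[row["state"] or "(no state)"].append(row)
    return dict(groups)


def split_port(addr):
    """'localhost:http' -> ('localhost', 'http'); the last colon separates the port."""
    host, _, port = addr.rpartition(":")
    return host, port


def parse_services(text):
    """Map (port number, 'TCP'|'UDP') -> service name from SERVICES-format text."""
    services = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        if port.isdigit():
            services[(int(port), proto.upper())] = fields[0]
    return services


def port_name(addr, proto, services):
    """Service name for the port in addr; numeric ports are looked up, names kept."""
    _, port = split_port(addr)
    if port.isdigit():
        return services.get((int(port), proto.upper()), port)
    return port  # netstat already substituted the service name


def is_listening(row):
    """An open 'door': a LISTENING TCP socket, or any UDP socket (no state)."""
    return row["state"] == "LISTENING" or row["proto"] == "UDP"


def unexpected_listeners(rows, baseline):
    """Listening proto/port pairs that were not in the recorded baseline."""
    found = []
    for row in rows:
        key = f"{row['proto']}/{split_port(row['local'])[1]}"
        if is_listening(row) and key not in baseline and key not in found:
            found.append(key)
    return found


def report(netstat_text, services_text, baseline):
    """Grouped listing plus the baseline comparison, as one printable string."""
    rows = parse_netstat(netstat_text)
    services = parse_services(services_text)
    lines = []
    for state, group in group_by_state(rows).items():
        lines.append(f"== {state} ==")
        for r in group:
            name = port_name(r["local"], r["proto"], services)
            lines.append(f"  {r['proto']:3} {r['local']:22} {name:12} -> {r['foreign']}")
    extra = unexpected_listeners(rows, baseline)
    lines.append("Listening ports not in baseline: " + (", ".join(extra) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_NETSTAT, SAMPLE_SERVICES, BASELINE))
```

With the constructed data, the report lists TCP/135 and TCP/139 as named NetBIOS/RPC doors and flags TCP/1025 as the one listener the baseline did not contain; that is the line to take to the trojan port list or a process listing rather than a verdict on its own, since a port number alone does not identify what is bound to it.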



  2. #2
    Mentor
    Join Date
    Aug 2004
    Location
    Toronto, Canada
    Posts
    1,159
    Once again, excellent tutorial.

  3. #3
    Senior Member
    Join Date
    Jan 2005
    Posts
    399
    Nice tutorial, that is going to help a lot of people.

  4. #4
    Member
    Join Date
    Jan 2005
    Location
    Compton
    Posts
    102
    I appreciate the positive feedback from everyone, it gives me pleasure to bring the tutes!

  5. #5

    Thatz Gud

    I appreciate your pedagogical way of explaining each step. Nice. Come up with more tutorials.

  6. #6
    Newbie
    Join Date
    Jan 2007
    Location
    Phnom Penh
    Posts
    6

    A very nice tutorial

    Thanks for your good explanation. I feel the same as the other commenters. This tutorial can help many people related to IT technology.

  7. #7
    Thanks for the tips, mate. I did most of the things explained and I feel a lot safer now.
