Halting hackers

Have you ever been hacked?

Knowing that your network has been compromised is, oddly enough, a good thing: the less fortunate are those who remain unaware that their systems have been illegally penetrated, time and again, right under their noses.

Prevention, as we know, is always better than cure, so how can you avoid being caught napping?

One of the best ways is to review your servers' activity logs on a consistent schedule; the task can be rotated among team members on a daily or weekly basis.

Once this exercise has been implemented, and strictly adhered to, don't forget to schedule routine backups of your log files as a precautionary measure: an intruder who gains control of a server will often try to delete or alter the very log entries that record the break-in, so a copy held elsewhere is what you will rely on.

MUST READ
You've discovered that your system has been compromised. For next steps and to prevent future penetration, check out IT Manager's guide below.

 •  You've been hacked: What to do in the first five minutes
 •  You've been hacked: What to do in the first hour
 •  You've been hacked: How to prevent future attacks

If you're interested in third-party log monitoring and analysis software, Download.com has a decent selection.

To determine what type of log data is worth looking for, here are some tips from TechRepublic's Michael Mullins:

  • Probes to ports that have no application services running on them: Before hackers install backdoor Trojan horse programs, they determine which ports you're already using for another service. If you see a lot of probes to suspicious ports (Doshelp.com maintains a fairly up-to-date list of Trojan ports), look up the port and find out what they’re doing and verify that you’re protected.
  • Unsuccessful access attempts to your firewall and/or other high-profile systems: If you notice repeated unsuccessful attempts to access your firewall and other systems from one IP address (or group of IP addresses), then you might want to write a rule to drop all connections from that IP space (making sure that the IP address isn’t being spoofed).
  • IP addresses of the connections that are being rejected and dropped: If the IP address is spoofed, you won't be able to find the owner. Otherwise, you should resolve the domain using a “Who Is” database, contact the owner, and find out why someone from their IP space is trying to attack your systems.
  • Suspicious outbound connections: Outbound connections coming from internal servers such as your Web servers could be an indication that a hacker is using your systems to launch attacks against other organisations or individuals.
  • External packets with internal IP addresses: Packets with a source address internal to your network that originate from outside your network indicate that a hacker is spoofing your internal addresses to attempt to gain access to your internal network.
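As an added example (not code from the original article or from Michael Mullins), the script below applies these five checks to a handful of constructed firewall log lines in a hypothetical key=value format. The internal network range, service ports, high-profile hosts, server list, thresholds and the three-entry Trojan-port table are all assumptions made for the demonstration; the real reference for Trojan ports is the Doshelp.com list mentioned above. The script lists the addresses worth a WHOIS lookup rather than performing one, so it runs offline.

```python
"""Scan firewall log lines for the five indicators listed above.

Added example, not the article's own code. The log format below is
constructed for the demonstration, and every constant in the
'site assumptions' block is a hypothetical value.
"""
import ipaddress
import re
from collections import Counter

# --- Site assumptions (hypothetical values for this example) ---
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
SERVICE_PORTS = {22, 25, 80, 443}          # ports that legitimately listen
HIGH_PROFILE = {"10.0.0.1", "10.0.0.10"}   # firewall and mail server
INTERNAL_SERVERS = {"10.0.0.20"}           # web server that should not dial out
EXPECTED_OUTBOUND = {25, 53}               # the only ports servers may reach out to
FAILED_THRESHOLD = 3                       # repeated failures from one source
# Illustrative sample of well-known Trojan default ports, not a full list.
TROJAN_PORTS = {31337: "Back Orifice", 12345: "NetBus", 27374: "SubSeven"}

# Constructed sample log: "<date> <time> <IN|OUT> <action> src=ip:port dst=ip:port"
SAMPLE_LOG = """\
2004-03-02 10:15:01 IN DROP src=203.0.113.5:40000 dst=10.0.0.1:22
2004-03-02 10:15:02 IN DROP src=203.0.113.5:40001 dst=10.0.0.1:22
2004-03-02 10:15:03 IN DROP src=203.0.113.5:40002 dst=10.0.0.1:22
2004-03-02 10:16:00 IN DROP src=198.51.100.7:5555 dst=10.0.0.20:31337
2004-03-02 10:16:01 IN DROP src=198.51.100.7:5556 dst=10.0.0.20:12345
2004-03-02 10:17:00 IN ACCEPT src=198.51.100.9:51000 dst=10.0.0.20:80
2004-03-02 10:18:00 OUT ACCEPT src=10.0.0.20:43210 dst=192.0.2.44:6667
2004-03-02 10:18:05 OUT ACCEPT src=10.0.0.20:43211 dst=192.0.2.50:25
2004-03-02 10:19:00 IN DROP src=10.0.0.99:1234 dst=10.0.0.1:23
this line is corrupt and should be skipped
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+ \S+) (?P<dir>IN|OUT) (?P<action>ACCEPT|DROP|REJECT) "
    r"src=(?P<src>[\d.]+):(?P<spt>\d+) dst=(?P<dst>[\d.]+):(?P<dpt>\d+)$"
)


def parse(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["spt"], ev["dpt"] = int(ev["spt"]), int(ev["dpt"])
    return ev


def analyse(lines):
    """Apply the five checks and return the findings as plain data."""
    probes = Counter()        # (src, dpt) -> inbound hits on ports with no service
    failures = Counter()      # src -> failed attempts against high-profile hosts
    rejected_sources = set()  # every external source we dropped or rejected
    outbound, spoofed = [], []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # unparseable lines are skipped, not guessed at
        src = ipaddress.ip_address(ev["src"])
        if ev["dir"] == "IN":
            if src in INTERNAL_NET:
                # Internal source address arriving on the outside: spoofing.
                spoofed.append((ev["src"], ev["dst"], ev["dpt"]))
                continue
            if ev["action"] in ("DROP", "REJECT"):
                rejected_sources.add(ev["src"])
                if ev["dst"] in HIGH_PROFILE:
                    failures[ev["src"]] += 1
            if ev["dpt"] not in SERVICE_PORTS:
                probes[(ev["src"], ev["dpt"])] += 1
        elif ev["src"] in INTERNAL_SERVERS and ev["dpt"] not in EXPECTED_OUTBOUND:
            # A server initiating a connection it has no business making.
            outbound.append((ev["src"], ev["dst"], ev["dpt"]))
    return {
        "port_probes": [
            {"src": s, "port": p, "hits": n, "trojan": TROJAN_PORTS.get(p)}
            for (s, p), n in probes.most_common()
        ],
        "repeated_failures": {s: n for s, n in failures.items() if n >= FAILED_THRESHOLD},
        "whois_candidates": sorted(rejected_sources),
        "suspicious_outbound": outbound,
        "spoofed_internal": spoofed,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

Run over the sample lines it reports three dropped attempts on the firewall from 203.0.113.5, two probes from 198.51.100.7 to ports that only a backdoor would use, the web server talking to a remote host on port 6667, and one packet that claims a 10.x source address yet arrived on the outside interface. The WHOIS candidates deliberately exclude that spoofed address, since looking up a forged source tells you nothing about the attacker.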

Granted, there is more to stopping hackers than reviewing event logs, but it is a good and valuable start nonetheless.

Does your IT department take activity logs seriously? Has it helped avert intrusions or is it a sheer waste of time? Please e-mail your comments to itmanager@zdnet.com.au.
