Reducing the risk of intrusion can be achieved by eliminating many of the known common problems.

The vast majority of attacks on done by script kiddies who scan massive IP blocks looking for a vulnerable computer, then run a program which they don't understand, to exploit the vulnerability they've just discovered. To block these script kiddies just fix the common vulnerabilities that the programs they use rely on.

Buffer Overflow

A buffer overflow attack is when the attacker sends malformed packets to a service that causes the memory buffer to overflow. The cracker hopes this will cause the program to crash and defaulting into a root prompt. Buffer overflows happen because of programming errors where input was not checked to be valid.

To prevent buffer overflows, all code must be meticulously hand checked multiple times by multiple people. Since this is not often possible, to limit the chances of being successfully cracked by a buffer overflow attack, make sure you keep your systems up to date and get rid of all excess services. Reducing the number of total services your server is offering, the less amount of code that could have a potential buffer overflow. Also, there are kernel patches that prevent some forms of buffer overflow.

Denial of Service

A Denial of Service, DoS, attack can come in many shapes and forms. The Blue Screen of Death from Windows can be one if it is caused by someone and not just poor programming. Also, the infamous DDoS attacks from earlier this year are an example where multiple 'zombie' computers coordinate together to attack a host all at the same time. A DoS attack is anything that maliciously prevents the computer from doing what was intended. This is usually accomplished by errors in code that will cause the program to eat up all the system resources.

Preventing DoS attacks in like preventing buffer overflows, but a firewall will also help with this, unlike buffer overflows. Another page with firewall information can be found here

Trojan Horse

A Trojan Horse is a program that purports to do something useful when in fact it really does something malicious such as send off the password file to a remote system. It must first be explicitly placed there by a malicious user. This is typically done to ensure that once a cracker has exploited a weakness in your system he has a way back into the system at a later date, even after the initial vulnerability has been fixed.

If a trojan is on the system, chances are the system has been cracked and needed to be wiped and reinstalled. The only way to prevent trojans is with a good firewall. A firewall works for blocking trojans only if the firewall is set to default deny and only essensial services are allow through the firewall. If a Linux system is cracked with mal-intent, and not just to see if the cracker could, then there will most likely be a root kit on the system. A very common trojan port is 31337; it should probably be blocked on all systems, with email notification if anyone tried to connect to it.

IP Session Hi-Jacking

IP Session Hi-Jacking, also known as a man in the middle attack, is a sophisticated attack which can now be done using tools circulating in the script kiddie community. With an IP Session Hi-Jacking, an user connects to a system using a service like telnet, then a cracker intercepts the packets and tricks the system into thinking that the cracker's machine is actually the user's machine. The user will think her connect got dropped, when in actuality, it is still going, but it has been taken over by the cracker.

With this form of attack, there is no way to block it, but there are checks that can be done to prevent it. Telnet is the type of service that crackers want to hi-jack; it has shell access, is unencrypted, and doesn't perform many checks to make sure the person really is who they say they are. SSH, on the other hand, would be very hard to hi-jack; it has strong encryption, multiple checks of an identity, and can have its shell access limited. Most services can't really be hi-jacked, but the ones that can, like telnet, usually have a secure replacement, like SSH, that can be used instead.

IP Spoofing

IP Spoofing attacks involves the attacker falsifying the sender IP address so that other computers think the packet came from a different system.

This type of attack can be useful in two different ways. First, if an service uses only IP-based authentication, then with IP spoofing, an attacker could use a service that isn't designated for him to use. The second way this type of attack could be used is similar to the first, but is different because it is used in conjunction with another form of attack. For example, a script kiddie knows there is a FTP server running that has a DoS vulnerability in it, but only the company's president's home computer's IP is allowed past the firewall to access the FTP server. With IP spoofing, the script kiddie could trick the firewall into thinking the packets are from the president's home computer and activate the DoS vulnerability.

Conclusion

While fixing these problems can be time consuming, great programs like Bastille Linux are around to make it much easier. This overview of Bastille Linux and also a walkthrough to installing it. But even with Bastille Linux and programs like it, security will always be a process not a program, and it will always take time to properly secure a system.

Resources

  • CERT IP Spoofing Attacks and Hijacked Terminal Connections -- This document summarizes both the IP spoofing technique that can lead to root access on a system and the tool that intruders are using to take over open terminal and login connections after they get root access.
  • CERT smurf IP Denial of Service Attacks -- This document provides some background on ICMP and describes the two main components to the smurf denial-of-service attack, the use of forged ICMP echo request packets and the direction of packets to IP broadcast addresses.
  • CERT TCP SYN Flooding and IP Spoofing Attacks -- This document provides a brief outline of the problem and a partial solution.
  • daemon9, Project Neptune -- A comprehensive analysis of TCP SYN flooding.
  • daemon9, IP-spoofing Demystified -- explain IP-spoofing to the masses. It assumes little more than a working knowledge of Unix and TCP/IP. Oh, and that yur not a moron...
  • Ten Security Measures Against DDoS
  • Bennet Todd's Distributed Denial of Service Attacks document.