SoFunction
Updated on 2025-04-09

Sniffer attack and defense examples in broadband Internet access environment

There seem to be many articles on broadband Internet security, but they usually discuss problems such as *s and IE vulnerabilities. There is a far more dangerous problem that users seem not to notice and that firewalls do not even take seriously; yet once it is exploited, an outsider can browse and share all of your drives and files at will, and it is extremely simple to carry out. What is this danger? Let me explain step by step.

Thoughts

Recently I have been renovating my new home, and over the past two days I have been thinking about its network layout. Since I use cable broadband and will certainly have more than one machine to connect, there are two solutions I can consider:

1. Cable modem -> hub -> all hosts;
2. Cable modem -> server (software router) -> hub -> each host.

Having read this far, you must think the first solution is better. Obviously its network structure is simpler, it saves at least one network card, and there is no need to keep a server running all day. The cable broadband user manual recommends it too. However, it was precisely when I considered the first solution that I suddenly became aware of a security issue I had neglected for a long time.

As we all know, so-called community broadband is a LAN plus Internet gateway solution: the community's users are connected to one local area network and reach the Internet through a single exit. The security of this solution is relatively poor, chiefly on the inside, because everyone is on one LAN; if you are careless, others can get at your shared resources. The problem with cable access is more hidden. Physically it is not the usual star Ethernet plus gateway structure, and the DHCP server assigns users a standard class C address, which makes it look as if we face the wide area network directly. Few realise that its physical bus structure connects almost all cable users into one local area network, so we face the same serious local-network security problem, and because this "LAN" is much larger, the probability of being invaded (strictly speaking not an intrusion, just sharing) is even greater.

Experiment

To verify my point, I did the following experiment:

My host is currently assigned the IP address 211.167.123.8, a standard class C address with a 24-bit subnet mask, which means that in theory 252 other hosts (excluding the gateway and myself) are in the same network segment as I am. Given the actual utilisation of cable access there are probably not 252, but there should still be dozens online at any one time. In principle, I can reach every one of these hosts.

So I started pinging from 211.167.123.2, and 211.167.123.15 replied, which means that host was online. I immediately opened IE and typed \\211.167.123.15 in the address bar. The system prompted me for a username and password. I entered the username and left the password empty. Hehe, I was in. Could I see no shared resources besides the printer? It doesn't matter: I was already an administrator, so was I still afraid of not finding resources? I entered \\211.167.123.15\c$ and the root directory of the C drive appeared. This is the default sharing of Windows 2000; it is set up for administration and cannot be removed. Next d$ and e$, and whatever else you want to find and enter yourself.

During the whole experiment, combined with FluxayIV, one network segment was done in 3 or 5 minutes. I found that 3x hosts were online, and among them the administrator account of 5 or 6 hosts had an empty password. Isn't that being completely at someone's mercy? Even those who did set passwords generally will not set very complicated ones on their home computers; if someone were interested in cracking them, a dictionary would not find it very hard. What's more, one host, possibly a company's, actually shared all its resources directly without any password; it seemed to be used as a file server.

Conclusion

Now do you know which of the two solutions mentioned above is better?

Since cable access hands out standard class C addresses, the number of hosts per network segment cannot be reduced by lengthening the subnet mask, so local-network security is a permanent enemy for us users. Moreover, the address the DHCP server assigns has a lease period: about once a week you receive a new IP address, which means you have entered a new network segment where 252 new neighbours await you. Isn't that frightening? Most frightening of all, your firewall treats hosts on your segment as LAN hosts, and a firewall's default settings generally do nothing to guard against such hosts.

Preventive measures

First and foremost, set a password for your Administrator account (not too simple a one), because this account cannot be deleted, and you must not leave its password empty even if you never use it. During the experiment I found that many users use another account with a password set while the Administrator password stays empty. Is that not all in vain?

Some users set a password for the Administrator account but open several other accounts with empty passwords, which is just as dangerous. Remember: every usable account must have a password, and you must manage these accounts regularly. Disable accounts you have not used for a long time, and change the Administrator password often.

Installing one or two firewalls is a good approach, but remember to configure them, because default settings contain no strict precautions against LAN hosts, and you should know that the hosts we most need to guard against are precisely these "LAN" hosts. At the same time the firewall itself may have vulnerabilities, so I use Skynet + Norton, which gives me more peace of mind through cross-protection. For the specific configuration of the firewall, please refer to the relevant articles; I will not go into details.
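The three weaknesses the article relies on (accounts without passwords, the default administrative drive shares, and a firewall that admits "LAN" neighbours) can be checked on your own machine. The following audit script is an added example, not from the original article; it assumes a current Windows host with the LocalAccounts, SmbShare and NetSecurity PowerShell modules, run from an elevated prompt, and the 90-day "long unused" threshold is an assumption.

```powershell
# Added audit script (not from the original article). Assumes a modern Windows host
# with the LocalAccounts, SmbShare and NetSecurity modules; run elevated.
$findings = @()

# 1. Every enabled account must require a password; unused ones should be disabled.
$staleAfter = (Get-Date).AddDays(-90)   # assumption: 90 days counts as "long unused"
foreach ($u in Get-LocalUser | Where-Object Enabled) {
    if (-not $u.PasswordRequired) {
        $findings += "Account '$($u.Name)' is enabled but does not require a password"
    }
    if ($u.LastLogon -and $u.LastLogon -lt $staleAfter) {
        $findings += "Account '$($u.Name)' is enabled but last logged on $($u.LastLogon)"
    }
}

# 2. The administrative drive shares (C$, D$, ...) exist on every fixed drive by default;
#    any neighbour who guesses an administrator password reaches the whole drive.
$adminShares = Get-SmbShare | Where-Object { $_.Special -and $_.Name -match '^[A-Z]\$$' }
foreach ($s in $adminShares) {
    $findings += "Administrative share $($s.Name) exposes $($s.Path) to anyone with an admin password"
}

# 3. Default inbound rules often allow SMB (TCP 445) from the local subnet, which on a
#    shared cable segment means every other subscriber, not just your own machines.
$smbRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' }
foreach ($r in $smbRules) {
    $remote = ($r | Get-NetFirewallAddressFilter).RemoteAddress
    $findings += "Firewall rule '$($r.DisplayName)' allows inbound SMB from: $($remote -join ', ')"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host "No findings: all enabled accounts require passwords, no admin drive shares, SMB not open inbound." }
```

Accounts flagged in step 1 can be fixed with Set-LocalUser -Password or Disable-LocalUser; for step 3, restrict the matching rules' RemoteAddress to the addresses of your own hosts rather than LocalSubnet.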

I also want to remind you that after taking this precaution, if your network uses the first solution, your own hosts can no longer share with each other, because they stand on an equal footing with every other host in the segment. So if you want to build your own network with security in mind, I recommend the second solution, and better still a hardware router instead of a software one.

The purpose of this article is simply to throw out a brick in the hope of attracting jade: if you know of convenient, safe and efficient preventive measures, please share them with me.