First, let’s dispell a couple of myths
Many people believe hackers are either kids or some elite criminal. In fact, most hackers look just like you and me and are part of everyday society.
Another myth is that all hackers are trying to gain access in order to install software to steal peoples information. While this is true for a good portion of them, it is not always the case. A lot of them are just doing it for various reasons that have nothing to do with stealing peoples information.
DO NOT MISTAKE THE ABOVE. HACKERS ARE USUALLY TRYING TO ACCESS YOUR SYSTEM FOR SOME REASON AND ARE A THREAT.
The reason the question is being asked is because if you do a couple of very simple things, you can thwart all but the really good hackers and most likely, the really good hackers are not interested in you or your system.
I deal with the issue of people trying to hack my systems everyday. As a matter of fact, I can guarantee you that someone is trying to hack my system as I am writing this. By doing a couple of simple things, you can stop them in their tracks. The following is a list of things to do. I will continue to add to this list as I find more ways of thwarting hackers.
1) Monitor your security log using your event viewer.
If someone is trying to hack into your system, they usually try and just login using default operating system passwords. You can tell this by looking for a bunch of Audit Failures in your Security log. If someone is trying to gain access you will see something similar to the following:
An account failed to log on.
Security ID: NULL SID
Account Name: –
Account Domain: –
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: administrator
Account Domain: ZXIN10-CDMA205
Failure Reason: Unknown user name or bad password.
Sub Status: 0xc000006a
Caller Process ID: 0x0
Caller Process Name: –
Workstation Name: ZXIN10-CDMA205
Source Network Address: 18.104.22.168
Source Port: 4032
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: –
Package Name (NTLM only): –
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
– Transited services indicate which intermediate services have participated in this logon request.
– Package name indicates which sub-protocol was used among the NTLM protocols.
– Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
The above is an actual log entry from one of my systems of someone trying to hack into my system. I figured that everyone should know that if they see the above IP address, it is a hacker. 🙂
2) Change the Administrative username and password.
This is one of the common mistakes people make. They change the password for the administrative account but they leave the default username in place. Always either change or disable the default administrative username and password. On my systems, I usually disable the administrative account and create another one with a username with a length of at least 10 characters and a password of 10 or more characters made up of a combination of uppercase and lowercase letters and at least 2 or 3 numbers with a special character or two.
3) Monitor your system
Watch for people accessing services that should not be accessed. I have caught many hackers using this method. Keep in mind, that although it may look like an IP address is trying to access services they should not be, that may not always be the case. So, check your security logs and confirm that they are indeed trying to gain access to your system.
4) Utilize system tools to ban the IP address
When you do find someone trying to hack your system, make sure you track down the IP address and ban the IP. This is the best way to stop them in their tracks. If they are not even allowed access to an anonymous incoming TCP/IP session, then they cannot get anywhere.
The above four points will stop most hackers from getting anywhere at all via standard system access methods. There are many other ways to gain access to a web site so if you are running a website be diligent in monitoring your systems. If a hacker manages to exploit your website, a lot of times they can also add and remove credentials to your server.
Why do most do it?
Here is a list of the some of the reasons I know of:
– The challenge
– To gain free web server access
– To gain access to personal information
– To use your system as a hopping point in order to hack someone else
– To use your IP address instead of theirs when they are hacking others
– To perform spam emailing
– To setup phishing sites
As you can see, there are many reasons they do it. None of which are good. Just be diligent and follow a few rules and you really have nothing to worry about.
If you have more to add, please submit it in the comments below.