
Learning to use access-lists to block suspicious application ports

10 May 2010
Inspired by watching the film "Firewall" on TransTV last night, where the
main character, "Mr. Jack", head network administrator of a bank, is
configuring the ip access-list rules of his network, and then by reading
Pak Mudji's article [2] on monitoring and blocking virus traffic on Cisco
routers, I was reminded of a habit of my senior, who always adds the script
below to protect every router he configures. Here is an example of the script:
-----------------------------------------------
ip access-list extended WORM
 remark Microsoft RPC / DCOM endpoint mapper (Blaster's entry point)
 deny   tcp any any eq 135
 deny   udp any any eq 135
 remark NetBIOS name, datagram and session service
 deny   udp any any eq netbios-ns
 deny   udp any any eq netbios-dgm
 deny   tcp any any eq 139
 deny   udp any any eq netbios-ss
 remark DHCP/BOOTP is UDP: these tcp 67/68 entries never match it; denying udp 67/68 would break DHCP
 deny   tcp any any eq 67
 deny   tcp any any eq 68
 remark SMB over TCP and RPC over HTTP
 deny   tcp any any eq 445
 deny   tcp any any eq 593
 remark Blaster backdoor shell on 4444 (not 444)
 deny   tcp any any eq 4444
 deny   tcp any any eq 2048
 deny   udp any any eq 2048
 ! RFC 1918 anti-spoofing entries, left disabled: enable them only on a public-facing
 ! interface. 172.16.0.0/12 needs wildcard 0.15.255.255; 0.0.0.255 covers only 172.16.0.0/24.
 !deny   ip 10.0.0.0 0.255.255.255 any
 !deny   ip any 10.0.0.0 0.255.255.255
 !deny   ip any 192.168.0.0 0.0.255.255
 !deny   ip 192.168.0.0 0.0.255.255 any
 !deny   ip 172.16.0.0 0.15.255.255 any
 !deny   ip any 172.16.0.0 0.15.255.255
 permit ip any any
-------------------------------------------------
Example of applying it on an interface, in both directions (note that on IOS an outbound ACL filters transit traffic only; packets generated by the router itself are not checked against it):
!
interface FastEthernet0/0.110
 description Public LAN xxx
 encapsulation dot1Q 100
 ip address 202.x.x.x 255.255.255.224
 ip access-group WORM in
 ip access-group WORM out
!
--------------------------------------------------
So which ports are being blocked here?
@135 Microsoft RPC (DCOM endpoint mapper)
@137-139 NetBIOS (name, datagram and session service)
@67-68 DHCP/BOOTP (UDP in reality; the TCP entries in the script never see this traffic)
@445 Microsoft-DS (SMB directly over TCP)
@593 RPC over HTTP
@4444 the backdoor shell opened by Blaster
etc.
A more complete port list can be found in reference [1].

In the case described in ref [2], TCP ports 445 and 139 and UDP ports 137/138 were
blocked because they were being used to spread worms, Blaster among them. Blaster's own
scanning goes to the DCOM RPC service on TCP 135, after which it fetches its payload
through a shell on TCP 4444 and TFTP on UDP 69, which is why 135 and 4444 are in the
list above; the NetBIOS/SMB ports carry RPC over SMB and the LSASS traffic that worms
such as Sasser exploit, so the list covers both groups.

Another example case: an IP address on our network tries to scan another IP address.
This happens quite often; in my case it was at an internet cafe.

[screenshot of the router's log output; the image is not reproduced here]

The screenshot above shows a somewhat suspicious log: IP address 192.168.60.2 is
sending packets to different ports within a short span of time, which deserves
suspicion hehe...
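The pattern just described (one source, many destination ports in a short window) can be picked out of the router's own ACL log with a few lines of Python. The following is an added example written for this post, not the post's or Cisco's code: it parses the %SEC-6-IPACCESSLOGP lines that every entry carrying the log keyword produces (the lab router sends them to the syslog host with logging 192.168.60.2) and flags any source that reaches more than a threshold of distinct destination ports within a time window. The sample log lines are constructed to mimic the lab (192.168.60.2 probing 192.168.60.50); they are not copied from the screenshot.

```python
"""Port-scan spotting over Cisco 'log' ACL output (added example, not from
the post). Each ACL entry with the log keyword produces a syslog line like
  *May 10 05:20:01.101: %SEC-6-IPACCESSLOGP: list WORM denied tcp 192.168.60.2(1034) -> 192.168.60.50(135), 1 packet
The detector groups such lines by source and flags a source that reaches more
than THRESHOLD distinct destination ports within WINDOW seconds, which is the
pattern the post's screenshot shows for 192.168.60.2."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)(?:\.\d+)?: "
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")


def parse_line(line, year=2010):
    """One IPACCESSLOGP line -> dict, or None for anything else.

    IOS timestamps carry no year; the caller supplies it (2010 here, the
    post's date). ICMP lines (%SEC-6-IPACCESSLOGDP) have a different shape
    and are deliberately not matched."""
    m = LOG_RE.search(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())        # IOS pads a one-digit day with spaces
    return {"ts": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
            "acl": m["acl"], "action": m["action"], "proto": m["proto"],
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
            "count": int(m["count"])}


def find_scanners(lines, threshold=5, window=60):
    """{src: sorted distinct dports} for every source whose log entries hit more
    than `threshold` distinct (dst, dport) pairs inside a `window`-second span."""
    by_src = defaultdict(list)
    for ev in sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)
    scanners = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):          # sliding window over one source
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window:
                start += 1
            targets = {(e["dst"], e["dport"]) for e in evs[start:end + 1]}
            if len(targets) > threshold:
                scanners[src] = sorted({port for _, port in targets})
                break
    return scanners


# Constructed sample log, modelled on the lab router's output (not real data).
SAMPLE_LINES = """\
*May 10 05:20:01.101: %SEC-6-IPACCESSLOGP: list WORM denied tcp 192.168.60.2(1034) -> 192.168.60.50(135), 1 packet
*May 10 05:20:01.355: %SEC-6-IPACCESSLOGP: list WORM denied tcp 192.168.60.2(1035) -> 192.168.60.50(139), 1 packet
*May 10 05:20:02.002: %SEC-6-IPACCESSLOGP: list WORM denied tcp 192.168.60.2(1036) -> 192.168.60.50(445), 1 packet
*May 10 05:20:02.870: %SEC-6-IPACCESSLOGP: list WORM permitted tcp 192.168.60.2(1037) -> 192.168.60.50(80), 1 packet
*May 10 05:20:03.114: %SEC-6-IPACCESSLOGP: list WORM permitted tcp 192.168.60.2(1038) -> 192.168.60.50(22), 1 packet
*May 10 05:20:03.990: %SEC-6-IPACCESSLOGP: list WORM denied tcp 192.168.60.2(1039) -> 192.168.60.50(4444), 1 packet
*May 10 05:21:10.500: %SEC-6-IPACCESSLOGP: list WORM permitted tcp 192.168.60.7(2048) -> 10.10.10.1(80), 3 packets
*May 10 05:40:10.500: %SEC-6-IPACCESSLOGP: list WORM permitted tcp 192.168.60.7(2049) -> 10.10.10.1(443), 1 packet
*May 10 05:40:11.000: %SYS-5-CONFIG_I: Configured from console by iwing on console
""".splitlines()

if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LINES).items():
        print(f"{src} touched {len(ports)} ports within 60s: {ports}")
```

Two IOS details matter when reading these lines. The log keyword punts matching packets to the process path, so logging permit entries on a busy interface is expensive; and after the first matching packet IOS summarises further matches per five-minute interval, so the packet count is an aggregate rather than one line per packet. Using log-input instead of log adds the ingress interface and source MAC address, which helps pin down the real host when the source address is spoofed.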

---------------------------------------------------
! Legacy syntax
access-list <number> {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]
! Modern syntax
ip access-list extended {<number> | <name>}
[<sequence>] {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]

---------------------------------------------------
permit   --> Allow matched packets
deny     --> Deny matched packets
remark   --> Record a config comment
evaluate --> Evaluate a reflexive ACL

---------------------------------------------------
any              : Any address
host <address>   : A single address
<network> <mask> : Any address matched by the wildcard mask
---------------------------------------------------
eq <port> Equal to
neq <port> Not equal to
lt <port> Less than
gt <port> Greater than
range <port> <port> Matches a range of port numbers
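The syntax summary above is enough to evaluate an ACL offline before pasting it into a router. The following Python is an added example written for this post, not the post's code and not anything from Cisco: it parses named-ACL lines in the form shown above and applies IOS semantics (first matching entry wins, implicit deny at the end). Running it against the head of the WORM list makes two points visible that the list itself hides: a tcp ... eq 67 entry never matches DHCP, which is UDP, and a wildcard of 0.0.0.255 on 172.16.0.0 covers only 172.16.0.0/24, whereas the whole private block 172.16.0.0/12 needs 0.15.255.255. The sample packets are constructed.

```python
"""Offline evaluator for Cisco IOS extended-ACL lines (added example, not the
router's or Cisco's code). Understands the syntax summarised above: permit/deny,
ip/tcp/udp/icmp, 'any' | 'host A' | 'A WILDCARD', eq/neq/lt/gt/range, optional
'log', '!' comments, 'remark' lines and sequence numbers. Evaluation follows
IOS: the first matching entry wins and nothing matched means deny."""
import ipaddress
from dataclasses import dataclass

PORT_OPS = {"eq", "neq", "lt", "gt", "range"}
# IOS port keywords used on this page; numeric ports work as well
NAMED_PORTS = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139,
               "bootps": 67, "bootpc": 68}


@dataclass
class Rule:
    action: str
    proto: str
    src: tuple      # (network, wildcard) as ints
    sport: object   # (operator, low, high) or None
    dst: tuple
    dport: object
    text: str


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _port(tok):
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)


def _addr(toks):
    """Consume 'any' | 'host A' | 'A WILDCARD'; wildcard bit 1 = don't care."""
    if toks[0] == "any":
        return (0, 0xFFFFFFFF), toks[1:]
    if toks[0] == "host":
        return (_ip(toks[1]), 0), toks[2:]
    return (_ip(toks[0]), _ip(toks[1])), toks[2:]


def _ports(toks):
    """Consume an optional port operator; only 'range' takes two ports."""
    if toks and toks[0] in PORT_OPS:
        if toks[0] == "range":
            return ("range", _port(toks[1]), _port(toks[2])), toks[3:]
        return (toks[0], _port(toks[1]), _port(toks[1])), toks[2:]
    return None, toks


def parse_acl(text):
    rules = []
    for line in text.splitlines():
        toks = line.split()
        # skip blanks, '!' comments, the 'ip access-list ...' header, remarks
        if not toks or toks[0].startswith("!") or toks[0] in ("ip", "remark"):
            continue
        if toks[0].isdigit():   # optional sequence number
            toks = toks[1:]
        action, proto, rest = toks[0], toks[1], toks[2:]
        src, rest = _addr(rest)
        sport, rest = _ports(rest) if proto in ("tcp", "udp") else (None, rest)
        dst, rest = _addr(rest)
        dport, rest = _ports(rest) if proto in ("tcp", "udp") else (None, rest)
        rules.append(Rule(action, proto, src, sport, dst, dport, line.strip()))
    return rules


def _addr_match(spec, addr):
    net, wc = spec
    care = ~wc & 0xFFFFFFFF   # the bits the router actually compares
    return addr & care == net & care


def _port_match(spec, port):
    if spec is None:
        return True
    op, lo, hi = spec
    return {"eq": port == lo, "neq": port != lo, "lt": port < lo,
            "gt": port > lo, "range": lo <= port <= hi}[op]


def evaluate(rules, proto, src, sport, dst, dport):
    """(action, entry text) for one packet; falls through to IOS's implicit deny."""
    s, d = _ip(src), _ip(dst)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if not (_addr_match(r.src, s) and _addr_match(r.dst, d)):
            continue
        if proto in ("tcp", "udp") and not (
                _port_match(r.sport, sport) and _port_match(r.dport, dport)):
            continue
        return r.action, r.text
    return "deny", "implicit deny"


def rfc1918_check(wildcard, addr):
    """Action for a packet from addr under 'deny ip 172.16.0.0 <wildcard> any'."""
    acl = parse_acl(f"deny ip 172.16.0.0 {wildcard} any\npermit ip any any")
    return evaluate(acl, "ip", addr, 0, "8.8.8.8", 0)[0]


# The head of the post's WORM list, kept verbatim including the TCP 67 entry
WORM = """ip access-list extended WORM
 deny   tcp any any eq 135
 deny   udp any any eq netbios-ns
 deny   tcp any any eq 67
 deny   tcp any any eq 445
 permit ip any any"""
```

Calling evaluate(parse_acl(WORM), "udp", "0.0.0.0", 68, "255.255.255.255", 67) returns ("permit", "permit ip any any"): a DHCP DISCOVER sails past the tcp ... eq 67 entry. rfc1918_check("0.0.0.255", "172.16.5.1") returns "permit" while rfc1918_check("0.15.255.255", "172.16.5.1") returns "deny", which is the difference between the mask in the commented-out lines and the one that actually covers 172.16.0.0/12. The evaluator only handles the keywords used on this page; IOS accepts many more (established, precedence, object groups, and so on).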
---------------------------------------------------
Example of the complete configuration in the lab:

Username: iwing
Password:

cnc1>ena
Password:
cnc1#
cnc1#sh run
Building configuration...

*May 10 05:16:13.855: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by iwing on console
Current configuration : 2217 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cnc1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging userinfo
logging buffered 16384
enable secret 5 $1$qOZ9$tqEugGP41UyyBzB8ClCvw/
!
aaa new-model
!
aaa authentication login default local
!
aaa session-id common
ip source-route
ip cef
!
no ipv6 cef
!
multilink bundle-name authenticated
!
voice dsp waitstate 0
!
memory-size iomem 0
username iwing privilege 15 password 7 xxxx
username datakom privilege 0 password 7 xxxx
archive
 log config
 hidekeys
!
interface Loopback0
 ip address 10.10.10.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.60.1 255.255.255.0
 ip access-group WORM in
 ip access-group WORM out
 duplex half
!
interface FastEthernet1/0
 ip address 192.168.10.65 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 10.10.10.1 0.0.0.0 area 0
 network 192.168.10.64 0.0.0.3 area 0
 network 192.168.60.0 0.0.0.255 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip access-list extended WORM
 deny   tcp any any eq 135 log
 deny   udp any any eq 135 log
 deny   udp any any eq netbios-ns log
 deny   udp any any eq netbios-dgm log
 deny   tcp any any eq 139 log
 deny   udp any any eq netbios-ss log
 deny   tcp any any eq 445 log
 deny   tcp any any eq 593 log
 deny   tcp any any eq 4444 log
 deny   tcp any any eq 2048 log
 deny   udp any any eq 2048 log
 deny   tcp any any eq 1433 log
 deny   udp any any eq 1434 log
 permit icmp any any log
 permit tcp any any gt 0 log
 permit udp any any gt 0 log
 permit ip any any log
!
logging 192.168.60.2
snmp-server community iwing RO
snmp-server location dayeuhkolot
snmp-server contact iwing
snmp-server host 192.168.60.2 iwing
!
control-plane
!
mgcp fax t38 ecm
!
gatekeeper
 shutdown
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password 7 xxxx
!
end

cnc1#

-------------------------------------------------
A few notes on this lab configuration before copying from it. Every entry in WORM,
including the final permit ip any any, carries the log keyword; logged matches are
punted to the process path, so on a busy interface this costs CPU and floods the
syslog host at 192.168.60.2, and in production only the deny entries should log.
The password 7 strings are reversible type-7 obfuscation, not hashes (only the
enable secret 5 line is a real hash), and the read-only SNMP community iwing is
sent in clear text with no access-list limiting who may query it. Also, with
aaa new-model and aaa authentication login default local in effect, the
password 7 under line vty 0 4 is not consulted; logins use the local usernames.
That is my experience shared; I hope it is useful.
CMIIW, and "Salam Sedogedoi"

References:
[1] IANA, Port Numbers, http://www.iana.org/assignments/port-numbers
[2] Basuki, Mudji. Monitor dan Memblok Trafik Virus Pada Cisco Router, http://mudji.net (2010)
[3] Cisco Systems, http://www.cisco.com


An addition from my senior:
-------------------------------------------------
Mitigating Distributed DoS with ACLs
- Using Martian filters: RFC 2827 (BCP 38 ingress filtering, i.e. dropping packets whose
  source address cannot legitimately arrive on that interface, such as private ranges or
  your own prefix coming in from outside)
- Distributed DoS attack mitigation, by denying the ports the agents and handlers of
  the known tools talk on:
@TRIN00 uses these ports:
1524 tcp
27665 tcp
27444 udp
31335 udp
@Stacheldraht uses these ports:
16660 tcp
65000 tcp
@Trinity v3 uses these ports (6667 is also the standard IRC port, so legitimate IRC is caught too):
6667 tcp
33270 tcp
@SubSeven v3 uses these ports:
1243 tcp
2773 tcp
6711 tcp
6712 tcp
6713 tcp
6776 tcp
7000 tcp
7215 tcp
27374 tcp
27573 tcp
and 54283 tcp
-------------------------------------------------
Backdoor ports of well-known worms and trojans:
1080 MyDoom
2745 Bagle.H
3127 MyDoom
4444 Blaster
5554 Sasser
8866 Bagle.B
9898 Dabber
9988 Rbot/Spybot
12345 NetBus
31337 Back Orifice
-------------------------------------------------
Example: we suspect a SubSeven v3 attack, so we try to block it with an ACL:

ip access-list extended WORM
 deny tcp any any eq 1243 log
 deny tcp any any eq 2773 log
 deny tcp any any range 6711 6713 log
 deny tcp any any eq 6776 log
 deny tcp any any eq 7000 log
 deny tcp any any eq 7215 log
 deny tcp any any eq 27374 log
 deny tcp any any eq 27573 log
 deny tcp any any eq 54283 log 
 permit ip any any 
-------------------------------------------------
Example of applying it on an interface:
!
interface FastEthernet0/0.110
 description Public LAN xxx
 encapsulation dot1Q 100
 ip address 202.x.x.x 255.255.255.224
 ip access-group WORM in
 ip access-group WORM out
!
--------------------------------------------------
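Lists like the ones above grow over time, and typing each entry by hand invites exactly the kind of slip seen earlier (444 for 4444). As an added example written for this post, not the post's or Cisco's code, the Python below builds the named ACL from a table of (label, protocol, ports): it de-duplicates ports across groups, folds consecutive ports into a single range entry the way 6711-6713 is written in the SubSeven example, puts a remark before each group, and numbers entries in steps of 10 so a single line can later be removed with no <seq> or inserted between two others without rewriting the list. The table is taken from the lists on this page; the group labels are my own.

```python
"""Build a Cisco extended ACL from a table of worm/backdoor ports (added example
for this post, not from the post or from Cisco). Ports from the tables above are
de-duplicated across groups, consecutive ports are folded into a single 'range'
entry (as 6711-6713 is in the SubSeven list), every group gets a 'remark', and
entries are numbered in steps of 10 so one can later be removed with
'no <seq>' or inserted between two others without rewriting the list."""

# (label, protocol, ports) taken from the lists in the post; labels are mine
TROJAN_PORTS = [
    ("TRIN00 control", "tcp", [1524, 27665]),
    ("TRIN00 control", "udp", [27444, 31335]),
    ("Stacheldraht", "tcp", [16660, 65000]),
    ("Trinity v3", "tcp", [6667, 33270]),
    ("SubSeven v3", "tcp", [1243, 2773, 6711, 6712, 6713, 6776, 7000, 7215,
                            27374, 27573, 54283]),
    ("Blaster (RPC + backdoor shell)", "tcp", [135, 4444]),
    ("Sasser (SMB + FTP backdoor)", "tcp", [445, 5554]),
]


def coalesce(ports):
    """Sorted, de-duplicated ports folded into (low, high) runs:
    [6713, 6711, 6712, 6776, 6776] -> [(6711, 6713), (6776, 6776)]."""
    runs = []
    for p in sorted(set(ports)):
        if not 0 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
        if runs and runs[-1][1] == p - 1:
            runs[-1] = (runs[-1][0], p)     # extend the current run
        else:
            runs.append((p, p))
    return runs


def build_acl(name, table, log=True, step=10):
    """Return the named-ACL text. A port already denied for the same protocol
    by an earlier group is not emitted twice; a group with nothing new is skipped."""
    lines = [f"ip access-list extended {name}"]
    seen, seq = set(), step
    for label, proto, ports in table:
        fresh = [p for p in ports if (proto, p) not in seen]
        seen.update((proto, p) for p in fresh)
        if not fresh:
            continue
        lines.append(f" remark {label}")
        for lo, hi in coalesce(fresh):
            match = f"eq {lo}" if lo == hi else f"range {lo} {hi}"
            lines.append(f" {seq} deny {proto} any any {match}" + (" log" if log else ""))
            seq += step
    lines.append(f" {seq} permit ip any any")   # explicit, so it shows up in the counters
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_acl("WORM", TROJAN_PORTS))
```

The output pastes straight into configuration mode. Because IOS renumbers nothing on its own, the step of 10 is what leaves room for later insertions; show ip access-lists WORM then displays the per-entry hit counters next to the same sequence numbers.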