Daily Archives: July 29, 2016

Blocking nmap scans on Mikrotik


Nmap is a common tool that server administrators use to scan for open ports on a computer or server. That way an administrator knows which ports are in use, both the ordinary ones and the dangerous ones.
Nmap itself works by "using raw IP packets in sophisticated ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and a number of other characteristics."
A server can become vulnerable to attack once nmap has successfully identified that information about it. For that reason an administrator will try to block scanning with nmap.
One way is to configure the server's firewall. I learned from a site about Mikrotik which firewall rules to use on the server to prevent nmap scanning.
Here are the commands:

ip firewall filter

add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no

add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"

add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"

add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"

add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"

add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"

add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"

add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
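To see what these rules actually match, here is an added example (my own code, not from the original post and not RouterOS code) that models them offline: it evaluates RouterOS `tcp-flags=` specs against a packet's flag set (listed flags must be set, `!` flags must be clear, unlisted flags are don't-care), runs sample packets through the six flag rules in the order the page lists them, translates each spec into the equivalent iptables `--tcp-flags MASK COMP` clause, and models the weighted `psd=21,3s,3,1` threshold (weight 21, 3-second window, low ports below 1024 weigh 3, high ports weigh 1). All packets and addresses are constructed samples from the TEST-NET-2 range; the psd model is an approximation of the RouterOS feature, not its implementation.

```python
"""Offline model of the RouterOS port-scan rules above (added example)."""
from collections import defaultdict

TCP_FLAGS = ("fin", "syn", "rst", "psh", "ack", "urg")

# (comment, tcp-flags spec) copied from the RouterOS rules, in rule order.
SCAN_SIGNATURES = [
    ("NMAP FIN Stealth scan", "fin,!syn,!rst,!psh,!ack,!urg"),
    ("SYN/FIN scan", "fin,syn"),
    ("SYN/RST scan", "syn,rst"),
    ("FIN/PSH/URG scan", "fin,psh,urg,!syn,!rst,!ack"),
    ("ALL/ALL scan", "fin,syn,rst,psh,ack,urg"),
    ("NMAP NULL scan", "!fin,!syn,!rst,!psh,!ack,!urg"),
]


def parse_tcp_flags(spec):
    """Split a RouterOS tcp-flags spec into (must_be_set, must_be_clear)."""
    must_set, must_clear = set(), set()
    for tok in spec.split(","):
        tok = tok.strip().lower()
        name = tok.lstrip("!")
        if name not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag: {tok!r}")
        (must_clear if tok.startswith("!") else must_set).add(name)
    if must_set & must_clear:
        raise ValueError(f"contradictory spec: {spec!r}")
    return frozenset(must_set), frozenset(must_clear)


def flags_match(packet_flags, spec):
    """True if a packet carrying exactly `packet_flags` matches `spec`."""
    must_set, must_clear = parse_tcp_flags(spec)
    flags = {f.lower() for f in packet_flags}
    return must_set <= flags and not (must_clear & flags)


def classify(packet_flags):
    """Comment of the first rule that matches (rule order matters), else None."""
    for comment, spec in SCAN_SIGNATURES:
        if flags_match(packet_flags, spec):
            return comment
    return None


def to_iptables(spec):
    """iptables tcp-match form: MASK = every flag the spec mentions,
    COMP = the flags that must be set (NONE when there are none)."""
    must_set, must_clear = parse_tcp_flags(spec)
    mask = [f.upper() for f in TCP_FLAGS if f in must_set | must_clear]
    comp = [f.upper() for f in TCP_FLAGS if f in must_set]
    return f"--tcp-flags {','.join(mask)} {','.join(comp) or 'NONE'}"


# psd=21,3s,3,1 -> weight threshold, delay window, low-port and high-port weight.
PSD_THRESHOLD, PSD_WINDOW_S, PSD_LOW_WEIGHT, PSD_HIGH_WEIGHT = 21, 3.0, 3, 1


def psd_hits(events):
    """Sources whose distinct destination ports inside a PSD_WINDOW_S window
    reach PSD_THRESHOLD weight (ports below 1024 count PSD_LOW_WEIGHT each,
    the rest PSD_HIGH_WEIGHT). `events` are (seconds, src, dst_port) tuples
    for TCP packets addressed to the router. Model only, not RouterOS code."""
    recent = defaultdict(list)  # src -> [(t, port)] still inside the window
    flagged = set()
    for t, src, port in sorted(events):
        window = [(t0, p) for t0, p in recent[src] if t - t0 <= PSD_WINDOW_S]
        if port not in {p for _, p in window}:
            window.append((t, port))
        recent[src] = window
        weight = sum(PSD_LOW_WEIGHT if p < 1024 else PSD_HIGH_WEIGHT
                     for _, p in window)
        if weight >= PSD_THRESHOLD:
            flagged.add(src)
    return flagged


# Constructed sample traffic: (seconds, source address, destination port).
LOW_PORTS = (21, 22, 23, 25, 80, 110, 143)
SAMPLE_EVENTS = (
    [(0.1 * i, "198.51.100.7", p) for i, p in enumerate(LOW_PORTS)]   # fast low-port sweep
    + [(0.1 * i, "198.51.100.8", 8000 + i) for i in range(10)]         # fast high-port sweep
    + [(5.0 * i, "198.51.100.9", p) for i, p in enumerate(LOW_PORTS)]  # slow low-port sweep
)

if __name__ == "__main__":
    for flags in ([], ["FIN"], ["SYN"], ["FIN", "PSH", "URG"], list(TCP_FLAGS)):
        print(f"{','.join(flags) or '<none>':>22}: {classify(flags)}")
    for _, spec in SCAN_SIGNATURES:
        print(f"{spec:<30} {to_iptables(spec)}")
    print("psd would list:", sorted(psd_hits(SAMPLE_EVENTS)))
```

Two things the model makes visible: a plain SYN or SYN/ACK packet matches none of the flag rules, so normal connections are untouched, while a packet with every flag set is caught by the earlier `fin,syn` rule before the `ALL/ALL` rule is reached (same address-list result, but the counters land on a different rule). Only the fast sweep of low ports crosses the psd weight of 21; ten high ports in the same window score 10, and the slow sweep never has more than one port inside the 3-second window.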

Since iptables speaks the same firewall language, the same idea can be applied on non-Mikrotik servers. I'll study the full version first.

So here are the iptables commands:

#!/bin/sh
#
# copyright (c) the KMyFirewall developers 2002-2005
# Please report bugs to: Christian Hubinger
#
# This program is distributed under the terms of the GPL v2
#
# KMyFirewall v1.0.1
# This is an automatically generated file DO NOT EDIT
#

startFirewall() {

echo -n "Starting iptables (created by KMyFirewall)... "
if [ "$verbose" = "1" ]; then
echo -n "
Loading needed modules... "
fi

$MOD ip_tables
$MOD ip_conntrack
$MOD ipt_LOG
$MOD ipt_limit
$MOD ipt_state
$MOD ip_conntrack_ftp
$MOD ip_conntrack_irc

$MOD iptable_filter
$MOD iptable_nat
$MOD iptable_mangle
if [ "$verbose" = "1" ]; then
echo "Done."
fi

# Define all custom chains (none in this generated configuration)
if [ "$verbose" = "1" ]; then
echo -n "Create custom chains... "
fi

if [ "$verbose" = "1" ]; then
echo " Done."
fi

# Rules:
if [ "$verbose" = "1" ]; then
echo "Setting up Rules in Table FILTER:"
fi

# Define Rules for Chain: INPUT
if [ "$verbose" = "1" ]; then
echo "Create Rules for Chain: INPUT"
fi

# Rate-limited ping: at most 5 echo-requests per second (burst 5)
$IPT -t filter -A INPUT --match limit --limit 5/second --limit-burst 5 -p icmp --icmp-type echo-request -j ACCEPT || { status="1"; echo " Setting up Rule: ICMP FAILED! "; exit 1; }

# Log and accept SSH, rate-limited to 1 packet per second
$IPT -t filter -A INPUT --match limit --limit 1/second -p tcp --destination-port 22 -j LOG --log-prefix "Rule SSH_tcp: "
$IPT -t filter -A INPUT --match limit --limit 1/second -p tcp --destination-port 22 -j ACCEPT || { status="1"; echo " Setting up Rule: SSH_tcp FAILED! "; exit 1; }

# multiport requires a protocol (-p tcp or -p udp) or iptables rejects the rule
$IPT -t filter -A INPUT -p tcp --match multiport --destination-ports 137,138,139 -j ACCEPT || { status="1"; echo " Setting up Rule: SMB_tcp FAILED! "; exit 1; }

# Replies to connections we initiated
$IPT -t filter -A INPUT --match state --state RELATED,ESTABLISHED -j ACCEPT || { status="1"; echo " Setting up Rule: CONNTRACK FAILED! "; exit 1; }

# Everything else is logged, then hits the DROP policy below
$IPT -t filter -A INPUT -j LOG --log-prefix "KMF: " || { status="1"; echo " Setting up Rule: Chain: INPUT Drop Logging FAILED! "; exit 1; }

$IPT -t filter -P INPUT DROP || { status="1"; echo " Setting up Rule: Chain: INPUT Default Target FAILED! "; exit 1; }

# Define Rules for Chain: OUTPUT
if [ "$verbose" = "1" ]; then
echo "Create Rules for Chain: OUTPUT"
fi

$IPT -t filter -P OUTPUT ACCEPT || { status="1"; echo " Setting up Rule: Chain: OUTPUT Default Target FAILED! "; exit 1; }

# Define Rules for Chain: FORWARD
if [ "$verbose" = "1" ]; then
echo "Create Rules for Chain: FORWARD"
fi

$IPT -t filter -P FORWARD ACCEPT || { status="1"; echo " Setting up Rule: Chain: FORWARD Default Target FAILED! "; exit 1; }

if [ "$verbose" = "1" ]; then
echo "Setting up Rules in Table NAT:"
fi

# Define Rules for Chain: OUTPUT
if [ "$verbose" = "1" ]; then
echo "Create Rules for Chain: OUTPUT"
fi

$IPT -t nat -P OUTPUT ACCEPT || { status="1"; echo " Setting up Rule: Chain: OUTPUT Default Target FAILED! "; exit 1; }

# Define Rules for Chain: PREROUTING
if [ "$verbose" = "1" ]; then
echo "Create Rules for Chain: PREROUTING"
fi

$IPT -t nat -P PREROUTING ACCEPT || { status="1"; echo " Setting up Rule: Chain: PREROUTING Default Target FAILED! "; exit 1; }

# Define Rules for Chain: POSTROUTING
if [ "$verbose" = "1" ]; then
echo "Create Rules for Chain: POSTROUTING"
fi

$IPT -t nat -P POSTROUTING ACCEPT || { status="1"; echo " Setting up Rule: Chain: POSTROUTING Default Target FAILED! "; exit 1; }

if [ "$verbose" = "1" ]; then
echo "Setting up Rules in Table MANGLE:"
fi

# Define Rules for Chain: INPUT
if [ "$verbose" = "1" ]; then
echo "Create Rules for Chain: INPUT"
fi

$IPT -t mangle -P INPUT ACCEPT || { status="1"; echo " Setting up Rule: Chain: INPUT Default Target FAILED! "; exit 1; }

# Define Rules for Chain: OUTPUT
if [ "$verbose" = "1" ]; then
echo "Create Rules for Chain: OUTPUT"
fi

$IPT -t mangle -P OUTPUT ACCEPT || { status="1"; echo " Setting up Rule: Chain: OUTPUT Default Target FAILED! "; exit 1; }

# Define Rules for Chain: FORWARD
if [ "$verbose" = "1" ]; then
echo "Create Rules for Chain: FORWARD"
fi

$IPT -t mangle -P FORWARD ACCEPT || { status="1"; echo " Setting up Rule: Chain: FORWARD Default Target FAILED! "; exit 1; }

# Define Rules for Chain: PREROUTING
if [ "$verbose" = "1" ]; then
echo "Create Rules for Chain: PREROUTING"
fi

$IPT -t mangle -P PREROUTING ACCEPT || { status="1"; echo " Setting up Rule: Chain: PREROUTING Default Target FAILED! "; exit 1; }

# Define Rules for Chain: POSTROUTING
if [ "$verbose" = "1" ]; then
echo "Create Rules for Chain: POSTROUTING"
fi

$IPT -t mangle -P POSTROUTING ACCEPT || { status="1"; echo " Setting up Rule: Chain: POSTROUTING Default Target FAILED! "; exit 1; }

if [ "$verbose" = "1" ]; then
echo -n "Enable IP Forwarding. "
fi

echo 1 > /proc/sys/net/ipv4/ip_forward
if [ "$verbose" = "1" ]; then
echo "Done."
fi

if [ "$verbose" = "1" ]; then
echo -n "Disable Reverse Path Filtering "
fi

for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > "$i"
done
if [ "$verbose" = "1" ]; then
echo "Done."
fi

if [ "$verbose" = "1" ]; then
echo -n "Disable log_martians (logging). "
fi

for i in /proc/sys/net/ipv4/conf/*/log_martians ; do
echo 0 > "$i"
done
if [ "$verbose" = "1" ]; then
echo "Done."
fi

if [ "$verbose" = "1" ]; then
echo -n "Enable Syn Cookies. "
fi

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
if [ "$verbose" = "1" ]; then
echo "Done."
fi

echo Done.
}

stopFirewall() {
echo -n "Clearing iptables (created by KMyFirewall)... "

$IPT -t filter -F || status="1"
$IPT -t filter -X || status="1"
$IPT -t filter -P INPUT ACCEPT || status="1"
$IPT -t filter -P OUTPUT ACCEPT || status="1"
$IPT -t filter -P FORWARD ACCEPT || status="1"

$IPT -t nat -F || status="1"
$IPT -t nat -X || status="1"
$IPT -t nat -P OUTPUT ACCEPT || status="1"
$IPT -t nat -P PREROUTING ACCEPT || status="1"
$IPT -t nat -P POSTROUTING ACCEPT || status="1"

$IPT -t mangle -F || status="1"
$IPT -t mangle -X || status="1"
$IPT -t mangle -P INPUT ACCEPT || status="1"
$IPT -t mangle -P OUTPUT ACCEPT || status="1"
$IPT -t mangle -P FORWARD ACCEPT || status="1"
$IPT -t mangle -P PREROUTING ACCEPT || status="1"
$IPT -t mangle -P POSTROUTING ACCEPT || status="1"

echo "Done."

}

IPT="/usr/sbin/iptables"
MOD="/usr/sbin/modprobe"
status="0"
verbose="0"
action="$1"
if [ "$1" = "-v" ]; then
verbose="1"
fi

if [ "$1" = "--verbose" ]; then
verbose="1"
fi

if [ "$verbose" = "1" ]; then
if [ "$2" = "" ]; then
echo "Usage: sh kmyfirewall.sh [-v|--verbose] { start | stop | restart }"
exit 1
fi
action="$2"
fi

case $action in
start)
stopFirewall
startFirewall
;;
stop)
stopFirewall
;;
restart)
stopFirewall
startFirewall
;;
*)
echo "Invalid action!
Usage: sh kmyfirewall.sh [-v|--verbose] { start | stop | restart }"
;;
esac

if [ "$status" = "1" ]; then
exit 1
else
exit 0
fi

backup data with rsync and ssh


I have computer1 as the data source and computer2 as the backup machine; computer1 and computer2 are also the example usernames on both machines. I want to create a backup routine using rsync and ssh without a password, so it can run automatically from a cron job on the schedule I set.

First, let's work on computer1.
Create an ssh key pair:
#ssh-keygen -t rsa
Press Enter when it asks where to store id_rsa.
Then press Enter twice to skip the passphrase. That means it will not ask for a password.

Add /home/computer1/.ssh/id_rsa.pub to computer2's .ssh/authorized_keys.
Simply do this:
#ssh-copy-id computer2@xxx.xxx.xxx.xxx
Enter the password for computer2.

Let's check computer2. There should be a file called authorized_keys in the .ssh folder.
Back on computer1, it's time to back up.
#rsync -avzp --exclude-from=myexclude -e ssh /mnt/mydir/file* computer2@xxx.xxx.xxx.xxx:/mnt/backupdir/
-avzp means archive, verbose, compressed, show progress
--exclude-from=myexclude names the file I created listing the directories or file types that I don't want to back up.
The myexclude file is:
Myfirstdir
*.jpg
Myseconddir

Test the rsync command in the terminal first before putting it in the cron job.

To put it in cron, do this:
#crontab -e
0 5 */1 * * /home/computer1/rsync-command
Type :wq to save and exit.

The rsync-command file contains:
rsync -avzp --exclude-from=myexclude -e ssh /mnt/mydir/file* computer2@xxx.xxx.xxx.xxx:/mnt/backupdir/

It works for me.
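The same backup as a small Python wrapper, added here as an example (my own code, not from the original post), mainly to cover the failure mode a cron job cares about: with `-o BatchMode=yes` ssh exits with an error instead of waiting on a password or passphrase prompt that nobody will answer, and the private key's permissions are checked before rsync is even started. The host `xxx.xxx.xxx.xxx`, the usernames, the key path `/home/computer1/.ssh/id_rsa` and the directories are the post's placeholders and are assumptions here; the exclude-file parser follows rsync's own convention that blank lines and whole-line `#`/`;` comments are ignored.

```python
"""Cron-safe rsync-over-ssh backup wrapper (added example)."""
import glob
import os
import shlex
import stat
import subprocess

KEY_PATH = "/home/computer1/.ssh/id_rsa"            # assumed, as in the post
DEST = "computer2@xxx.xxx.xxx.xxx:/mnt/backupdir/"  # post's placeholder host


def load_excludes(text):
    """Patterns from an --exclude-from file: one per line; blank lines and
    whole-line comments starting with '#' or ';' are ignored, as rsync does."""
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", ";")):
            patterns.append(line)
    return patterns


def ssh_transport(key_path=KEY_PATH):
    """Value for rsync -e: key-based ssh with BatchMode=yes, which makes ssh
    fail instead of prompting when the key is missing, rejected or has a
    passphrase. A cron job has no terminal, so a prompt would just hang."""
    return f"ssh -i {shlex.quote(key_path)} -o BatchMode=yes"


def key_mode_ok(mode):
    """ssh refuses a private key that group or others can read (mode & 077)."""
    return mode & 0o077 == 0


def check_private_key(path=KEY_PATH):
    return key_mode_ok(stat.S_IMODE(os.stat(path).st_mode))


def build_rsync_cmd(sources, dest=DEST, exclude_file="myexclude", key_path=KEY_PATH):
    """argv equivalent of the post's one-liner. -a already implies --perms,
    and -P adds partial-transfer resume plus progress output. `sources` must
    be real paths: an argv list is not shell-expanded, so the post's
    /mnt/mydir/file* glob has to be expanded first (see run_backup)."""
    return (["rsync", "-avzP", f"--exclude-from={exclude_file}",
             "-e", ssh_transport(key_path)] + list(sources) + [dest])


def run_backup(src_glob="/mnt/mydir/file*", dest=DEST, exclude_file="myexclude",
               key_path=KEY_PATH, dry_run=False):
    """Return rsync's exit code (0 = ok); 2 when the key is unusable or the
    source glob matched nothing, so the cron mail/log shows a failure."""
    if not check_private_key(key_path):
        return 2
    sources = sorted(glob.glob(src_glob))
    if not sources:
        return 2
    cmd = build_rsync_cmd(sources, dest, exclude_file, key_path)
    if dry_run:
        cmd.insert(1, "--dry-run")
    return subprocess.run(cmd, check=False).returncode


if __name__ == "__main__":
    print(" ".join(shlex.quote(a) for a in build_rsync_cmd(["/mnt/mydir/file1"])))
    print("exit:", run_backup(dry_run=True))
```

Saved as, say, /home/computer1/backup.py (an assumed path), the crontab entry becomes `0 5 */1 * * /usr/bin/python3 /home/computer1/backup.py`; a non-zero exit from the script is what tells you the backup did not run, which the bare shell one-liner only reports when someone reads the cron mail.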

Another rsync option is -P, which displays the copy progress on screen.
source: ubuntuforum