Menghindari scanning nmap di Mikrotik

Nmap adalah tool umum yang digunakan oleh administrator server untuk memindai (scanning) port yang terbuka di sebuah komputer atau server. Dengan demikian seorang administrator akan mengetahui port apa saja yang digunakan, baik yang bersifat umum maupun yang bersifat berbahaya.
Nmap sendiri bekerja dengan “menggunakan paket IP raw dalam cara yang canggih untuk menentukan host mana saja yang tersedia pada jaringan, layanan (nama aplikasi dan versi) apa yang diberikan, sistem operasi (dan versinya) apa yang digunakan, apa jenis firewall/filter paket yang digunakan, dan sejumlah karakteristik lainnya.”
Kadangkala server menjadi rentan terhadap serangan jika nmap berhasil mengenali informasi-informasi server tersebut. Untuk itu seorang administrator akan mencoba memblokir scanning dengan nmap ini.
Salah satu caranya yaitu dengan mengatur firewall di server tersebut. Saya belajar dari sebuah situs tentang Mikrotik mengenai aturan firewall yang dapat digunakan pada server untuk mencegah scanning nmap.
Berikut adalah perintahnya

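# Port-scan detection for traffic addressed to the router itself (chain=input);
# hosts behind the router (chain=forward) are not covered by these rules.
# psd=21,3s,3,1 is WeightThreshold=21, DelayThreshold=3s, LowPortWeight=3,
# HighPortWeight=1.
# add-src-to-address-list is a pass-through action, so a packet that matches
# one of the detectors below is still evaluated by the final drop rule.
# A listed source stays blocked for two weeks (address-list-timeout=2w); a
# legitimate host that trips a detector is blocked for just as long.
ip firewall filter
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
# Drop everything from a listed source; the quotes above and here must be
# plain ASCII, the curly quotes the page showed are rejected by the CLI.
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no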

Dengan logika firewall yang sama, aturan ini dapat diterapkan pula memakai iptables pada server berbasis non-Mikrotik. Lengkapnya akan saya pelajari dulu.

Nah ini dia perintah iptablesnya

#!/bin/sh
#
# copyright (c) the KMyFirewall developers 2002-2005
# Please report bugs to: Christian Hubinger
#
# This program is distributed under the terms of the GPL v2
#
# KMyFirewall v1.0.1
# This is an automatic generated file DO NOT EDIT
#

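#######################################
# Print a progress line, only when -v/--verbose was given.
# Globals:   verbose (read)
# Arguments: $1 - text to print
#######################################
kmf_note() {
  if [ "$verbose" = "1" ]; then
    printf '%s\n' "$1"
  fi
}

#######################################
# Like kmf_note but without the trailing newline, for "Step... Done." style
# output where a kmf_note "Done." follows.
# Globals:   verbose (read)
# Arguments: $1 - text to print
#######################################
kmf_note_n() {
  if [ "$verbose" = "1" ]; then
    printf '%s' "$1"
  fi
}

#######################################
# Abort the run when a rule cannot be installed. Whatever was installed so
# far stays in place; the process exits 1.
# Globals:   status (written)
# Arguments: $1 - name of the rule that failed
#######################################
kmf_rule_failed() {
  status="1"
  printf '%s\n' " Setting up Rule: $1 FAILED! "
  exit 1
}

#######################################
# Write one /proc/sys knob. When a glob below matches nothing the unexpanded
# pattern is handed in, so a missing file is skipped instead of reported.
# Arguments: $1 - value to write, $2 - /proc/sys path
#######################################
kmf_sysctl() {
  if [ -e "$2" ]; then
    printf '%s\n' "$1" > "$2"
  fi
}

#######################################
# Load the netfilter modules, install the FILTER/NAT/MANGLE rule set and
# apply the kernel network settings chosen in KMyFirewall.
# Globals:   IPT (iptables path, read), MOD (modprobe path, read),
#            verbose (read), status (written on failure)
# Outputs:   progress text on stdout
# Returns:   0; exits 1 via kmf_rule_failed if any rule cannot be added
#######################################
startFirewall() {
  printf '%s' "Starting iptables (created by KMyFirewall)... "
  if [ "$verbose" = "1" ]; then
    printf '\nLoading needed modules... '
  fi

  # modprobe is not checked, as in the generated script: a module may be
  # built in, or carry a different name on newer kernels, which makes
  # modprobe fail while the feature is still available.
  for mod in ip_tables ip_conntrack ipt_LOG ipt_limit ipt_state \
      ip_conntrack_ftp ip_conntrack_irc \
      iptable_filter iptable_nat iptable_mangle; do
    "$MOD" "$mod"
  done
  kmf_note "Done."

  # Define all custom chains (this configuration defines none).
  kmf_note_n "Create custom chains... "
  kmf_note " Done."

  # Rules:
  kmf_note "Settup Rules in Table FILTER:"

  # Define Rules for Chain: INPUT
  kmf_note "Create Rules for Chain: INPUT"

  # Ping: at most 5 echo-requests per second (burst 5); the excess reaches
  # the log-and-drop tail of the chain.
  "$IPT" -t filter -A INPUT --match limit --limit 5/second --limit-burst 5 \
    -p icmp --icmp-type echo-request -j ACCEPT || kmf_rule_failed "ICMP"

  # SSH: log, then accept, each limited to 1 packet/second. Packets over the
  # limit are left to the later rules (ESTABLISHED accept, then log-and-drop),
  # so this throttles new connections rather than closing the port. The LOG
  # rule is unchecked, as in the generated script: logging is best-effort.
  "$IPT" -t filter -A INPUT --match limit --limit 1/second \
    -p tcp --destination-port 22 -j LOG --log-prefix "Rule SSH_tcp: "
  "$IPT" -t filter -A INPUT --match limit --limit 1/second \
    -p tcp --destination-port 22 -j ACCEPT || kmf_rule_failed "SSH_tcp"

  # NetBIOS/SMB. The multiport match requires an explicit protocol, which
  # the generated rule omitted (iptables rejects the rule, so the script
  # aborted here); the rule is named SMB_tcp, so -p tcp is used.
  # NOTE(review): this accepts 137-139 from every source address; if SMB is
  # only needed on the LAN, add -s <lan-prefix> to restrict it.
  "$IPT" -t filter -A INPUT -p tcp --match multiport \
    --destination-ports 137,138,139 -j ACCEPT || kmf_rule_failed "SMB_tcp"

  # Packets belonging or related to connections conntrack already tracks.
  "$IPT" -t filter -A INPUT --match state --state RELATED,ESTABLISHED \
    -j ACCEPT || kmf_rule_failed "CONNTRACK"

  # Everything else is logged and then dropped by the chain policy. The log
  # rule is rate-limited so a scan or flood cannot fill the log; the
  # generated script logged every packet unconditionally.
  "$IPT" -t filter -A INPUT --match limit --limit 5/second --limit-burst 10 \
    -j LOG --log-prefix "KMF: " || kmf_rule_failed "Chain: INPUT Drop Logging"

  "$IPT" -t filter -P INPUT DROP || kmf_rule_failed "Chain: INPUT Default Target"

  # Define Rules for Chain: OUTPUT
  kmf_note "Create Rules for Chain: OUTPUT"
  "$IPT" -t filter -P OUTPUT ACCEPT \
    || kmf_rule_failed "Chain: OUTPUT Default Target"

  # Define Rules for Chain: FORWARD
  kmf_note "Create Rules for Chain: FORWARD"
  # Forwarded traffic is not filtered at all; see the ip_forward note below.
  "$IPT" -t filter -P FORWARD ACCEPT \
    || kmf_rule_failed "Chain: FORWARD Default Target"

  # NAT and MANGLE only get ACCEPT policies; no rules are installed there.
  kmf_note "Settup Rules in Table NAT:"
  for chain in OUTPUT PREROUTING POSTROUTING; do
    kmf_note "Create Rules for Chain: $chain"
    "$IPT" -t nat -P "$chain" ACCEPT \
      || kmf_rule_failed "Chain: $chain Default Target"
  done

  kmf_note "Settup Rules in Table MANGLE:"
  for chain in INPUT OUTPUT FORWARD PREROUTING POSTROUTING; do
    kmf_note "Create Rules for Chain: $chain"
    "$IPT" -t mangle -P "$chain" ACCEPT \
      || kmf_rule_failed "Chain: $chain Default Target"
  done

  # Kernel settings. With the FORWARD policy at ACCEPT, enabling forwarding
  # makes this host pass traffic between its interfaces unfiltered.
  kmf_note_n "Enable IP Forwarding. "
  kmf_sysctl 1 /proc/sys/net/ipv4/ip_forward
  kmf_note "Done."

  # rp_filter=0 switches off the kernel's reverse-path (source address
  # plausibility) check on every interface, as chosen in KMyFirewall.
  kmf_note_n "Disable Reverse Path Filtering "
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    kmf_sysctl 0 "$f"
  done
  kmf_note "Done."

  # log_martians=0 stops the kernel logging packets with impossible sources.
  kmf_note_n "Disable log_martians (logging). "
  for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    kmf_sysctl 0 "$f"
  done
  kmf_note "Done."

  # SYN cookies keep the host reachable during a SYN flood.
  kmf_note_n "Enable Syn Cookies. "
  kmf_sysctl 1 /proc/sys/net/ipv4/tcp_syncookies
  kmf_note "Done."

  printf 'Done.\n'
}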

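#######################################
# Flush and delete every rule and user chain in the FILTER, NAT and MANGLE
# tables and reset all built-in chain policies to ACCEPT.
# Globals:   IPT (iptables path, read), status (set to "1" on any failure)
# Outputs:   progress text on stdout
# Returns:   0; failures are recorded in status rather than aborting, so the
#            remaining tables are still cleared. Afterwards the host has no
#            packet filtering at all.
#######################################
stopFirewall() {
  printf '%s' "Clearing iptables (created by KMyFirewall)... "

  for table in filter nat mangle; do
    "$IPT" -t "$table" -F || status="1"
    "$IPT" -t "$table" -X || status="1"
  done

  for chain in INPUT OUTPUT FORWARD; do
    "$IPT" -t filter -P "$chain" ACCEPT || status="1"
  done

  for chain in OUTPUT PREROUTING POSTROUTING; do
    "$IPT" -t nat -P "$chain" ACCEPT || status="1"
  done

  # The generated script reset mangle OUTPUT twice; once is enough.
  for chain in INPUT OUTPUT FORWARD PREROUTING POSTROUTING; do
    "$IPT" -t mangle -P "$chain" ACCEPT || status="1"
  done

  printf 'Done.\n'
}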

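# Binary paths are hard-coded on purpose: this runs as root and must not pick
# its tools up from a caller-controlled PATH or environment.
IPT="/usr/sbin/iptables"
MOD="/usr/sbin/modprobe"
status="0"
verbose="0"

#######################################
# Print the command-line usage.
# Outputs:   usage line on stdout
#######################################
usage() {
  printf '%s\n' "Usage: sh kmyfirewall.sh [-v|--verbose] { start | stop | restart }"
}

# An optional -v/--verbose must come first; the action is then the next
# argument. Without the flag the action is the first argument.
action="$1"
case "$1" in
  -v|--verbose)
    verbose="1"
    if [ "$2" = "" ]; then
      usage
      exit 1
    fi
    action="$2"
    ;;
esac

case "$action" in
  start|restart)
    # Both clear the old rules first, so there is a short window with every
    # policy at ACCEPT before the new rule set is installed.
    stopFirewall
    startFirewall
    ;;
  stop)
    stopFirewall
    ;;
  *)
    # The generated script printed this and still exited 0; an unknown
    # action is now reported as a failure.
    printf '%s\n' "Invalid action!"
    usage
    status="1"
    ;;
esac

if [ "$status" = "1" ]; then
  exit 1
fi
exit 0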
