Shanai, posted November 10, 2006:

The firewall's IP address is correct. But it is the only one that can't be pinged; the other servers can, and on putera it is disabled at the server. I entered:

icmp permit any echo-reply outside
icmp permit any unreachable outside

After doing this the firewall itself could no longer be pinged. In the access-list I allow icmp echo and echo-reply, and in ip audit I disabled signature 2004 (only that one) so that ping is not dropped by the IDS. SSH is still permitted to the servers because most of the servers use sftp to transfer files. Is SSH critical enough that it has to be closed?
azuan, posted November 10, 2006:

It's up to your taste. If you feel paranoid, filter it. You can set it up so that after more than 2-3 login attempts within a few minutes the firewall blocks that IP. There are many ways to do it, whether you want to or not. Same as with DDoS: it will recognise when too many packets arrive within a certain time and block that IP address. The most important thing is the DoS protection, because it can bring the server down.
crypto.md5, posted November 10, 2006:

Ooooh, so that's why SSH is still open until now. Not that critical; the PIX has application inspection, so don't worry. So... how many access-list lines have you created? You could get azuan to test it like the other day, hammer it with ping or with hping2, because this kind of attack is a favourite of many people, who knows why. I tried flooding with UDP earlier, but the firewall successfully discarded my UDP. Azuan, anything else? Try hammering it... and record the ip audit afterwards.
azuan, posted November 10, 2006:

FAILED! Please try again.
gegule, posted November 10, 2006:

Hehehe. Timeout, eh? That's why I think the admin should pay attention to the "DDoS" part before thinking about closing or opening this and that. All of that can be done later. Forget about closing all inbound for now; better to focus on the DDoS part. I think zuan's suggestion is right: focus on the repeated tcp/udp/icmp floods.
Shanai, posted November 10, 2006:

So azuan, where do you think I need to look? Give me a bit of time... I want to do the SSH filtering first.
crypto.md5, posted November 11, 2006:

Ohh yeah, this is what you call DoS testing, one goal conceded (reminds me of being goalkeeper in secondary school, hehehe). Admin, have you done the ip verify, emb_limit and max_conn I asked you to? In ip audit, which attack does it count? Azuan, are you using hping or something similar? I need to revise for the CCSP exam...
LucentAmar, posted November 11, 2006 (edited):

How about properly planning what to do first. Bring it to a meeting. Sit down at one table. I'm worried about learning and testing this and that... while the PIX is live. In my opinion we already have a PIX expert here. It's best to bring this to a meeting to get a proper plan. I'm afraid putera's firewall will just get trial-drowned.

PS: the PIX has its weaknesses too; it can't do everything.

Edited November 11, 2006 by LucentAmar
crypto.md5, posted November 11, 2006:

ip fragment guard hasn't been implemented yet either; its fragment chain needs a lot of adjusting and tuning, but if it is adjusted wrongly it could make putera unstable until a suitable value is found. The same goes for tcp intercept (emb_limit and max_con). Never mind, just inform putera's visitors so they understand, if putera can't be accessed, that adjustment and tuning is under way. Let me know when you're ready.
azuan, posted November 11, 2006:

Quoting Shanai: "So azuan, where do you think I need to look?"

You need to look at TCP/UDP/ICMP DDoS prevention. I don't know whether that option exists, but even an ordinary router has it, so surely the PIX does too. I don't know which command to put in, but that's my idea. With a TCP flood, people can hit an open port, i.e. port 80, which is the favourite of all those idle computer users out there.
Shanai, posted November 11, 2006:

ip verify I have done. emb_limit and max_con are set to 70 30 (but only for the putera server for now). The ip audit entries present are just the following:

2000 I ICMP Echo Reply       398074   398074
2001 I ICMP Unreachable       85600    85600
2002 I ICMP Source Quench        23       23
2003 I ICMP Redirect          38754    38754
2005 I ICMP Time Exceed       88088    88088
2151 A Large ICMP                 6        6

Even so, I can't tell whether these happened during azwan's attack or are random attacks from elsewhere. From logging to terminal monitor I see several international IPs that keep hanging around, maybe random hackers or viruses. But it's undeniable that when the IPS was installed it reported a lot of SSH brute-force and all sorts of SQL worms. Now the demo period has ended, though, so I no longer have that tool to cross-check with.
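The settings Shanai reports here (ip verify, max_conns/emb_limit 70 30, an ip audit policy with signature 2004 disabled), plus the fragment-chain tuning and the inside syslog host that crypto.md5 asks for elsewhere in the thread, written out as one PIX 6.x configuration fragment. This is an added example, not configuration posted by anyone in the thread. The inside address 10.1.1.187 behind 61.4.64.187, the syslog host 10.1.1.50 and the two audit policy names are assumptions; lines beginning with a colon are comments, as in a saved PIX config.

```cisco
: PIX 6.x DoS-hardening fragment (added example, not from the thread).
: Assumed: server 10.1.1.187 published as 61.4.64.187, syslog host 10.1.1.50
: on the inside interface.

: Anti-spoofing: drop packets arriving on outside whose source address would
: route back out a different interface. Complements the RFC 1918 deny entries
: in the outside ACL but does not replace them.
ip verify reverse-path interface outside

: TCP intercept is configured on the static: at most 70 established connections
: and 30 embryonic (half-open) ones. Above 30 half-open connections the PIX
: answers new SYNs on the server's behalf and only forwards completed handshakes,
: so a SYN flood fills the PIX's table, not the server's.
static (inside,outside) 61.4.64.187 10.1.1.187 netmask 255.255.255.255 70 30

: Audit policies: informational signatures only alarm, attack signatures alarm,
: drop and reset. Signature 2004 (ICMP echo request) is disabled so monitoring
: pings are not dropped by the audit engine; 2151 (large ICMP) stays active.
ip audit name info_policy info action alarm
ip audit name attack_policy attack action alarm drop reset
ip audit interface outside info_policy
ip audit interface outside attack_policy
ip audit signature 2004 disable

: Fragment handling: allow at most 1 fragment per chain on outside, i.e. drop
: fragmented packets entirely. Raise the limit if legitimate traffic (large
: UDP, some VPN clients) breaks; a wrong value here shows up as instability.
fragment chain 1 outside

: Send logs to a syslog host on the inside. Output seen via terminal monitor is
: gone after the session; only the syslog copy survives an outage.
logging on
logging timestamp
logging trap informational
logging host inside 10.1.1.50
logging buffered warnings
```

With this in place, `show static` displays the connection limits, `show ip audit count` shows per-signature hits on the outside interface, and `show local-host 61.4.64.187` shows how many embryonic connections the server currently has, which is the number to watch when deciding whether 30 is too high or too low.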
azuan, posted November 12, 2006:

Does that firewall model have a "SYN threshold"? If so, let's start with that first. Ignore the rest for now.
prontoxp, posted November 13, 2006:

Quoting azuan: "Does that firewall model have a "SYN threshold"? If so, let's start with that first. Ignore the rest for now."

Test this firewall as well... ip = 218.208.251.27
crypto.md5, posted November 13, 2006 (edited):

Quoting azuan: "Does that firewall model have a "SYN threshold"? If so, let's start with that first. Ignore the rest for now."

Azuan, tcp intercept is the threshold for SYN.

Admin, for the time being, just shun the attacking IP. Use this syntax:

shun <src_ip> [<dst_ip> <sport> <dport> [<protocol>]]

for example: shun 218.xxx.xxx.xxx

I'll make a report to Cisco Systems; this matter is serious. Oh yes, large ICMP is considered denial-of-service.

Edited November 13, 2006 by mat_tenuk
crypto.md5, posted November 13, 2006 (edited):

Admin, it looks like we'll have to put manual deny statements at the end for extra security. I don't know what happened to your PIX; do you want to write erase the config? Better not. Please apply these policies:

access-list infrastructure deny ip 0.0.0.0 255.0.0.0 any
access-list infrastructure deny ip 10.0.0.0 255.0.0.0 any
access-list infrastructure deny ip 127.0.0.0 255.0.0.0 any
access-list infrastructure deny ip 172.16.0.0 255.240.0.0 any
access-list infrastructure deny ip 192.168.0.0 255.255.0.0 any
access-list infrastructure deny ip 224.0.0.0 224.0.0.0 any
access-list infrastructure deny ip host 255.255.255.255 any
icmp deny any any
: note: the PIX keeps one inbound access-group per interface, so this line
: and the out_in access-group below compete for the outside interface
access-group infrastructure in interface outside

------------------------------------------------------------------------------------------

access-list out_in permit tcp any host 61.4.64.187 eq 80
access-list out_in permit tcp any host 61.4.64.186 eq smtp
access-list out_in permit icmp any host 61.4.64.187 echo-reply
access-list out_in permit icmp any host 61.4.64.186 echo-reply
access-list out_in deny tcp any host 61.4.64.187 eq 22
access-list out_in deny icmp any any unreachable
access-list out_in deny icmp any any redirect
access-list out_in deny icmp any any alternate-address
access-list out_in deny icmp any any echo
access-list out_in deny icmp any any router-advertisement
access-list out_in deny icmp any any router-solicitation
access-list out_in deny icmp any any time-exceeded
access-list out_in deny icmp any any parameter-problem
access-list out_in deny icmp any any timestamp-reply
access-list out_in deny icmp any any timestamp-request
access-list out_in deny icmp any any information-request
access-list out_in deny icmp any any information-reply
access-list out_in deny icmp any any mask-request
access-list out_in deny icmp any any mask-reply
access-list out_in deny icmp any any conversion-error
access-list out_in deny icmp any any mobile-redirect
access-list out_in deny icmp any any
access-list out_in deny tcp any any
access-list out_in deny udp any any
access-list out_in deny ip any any
: note: the permit below can never match, it sits behind "deny ip any any"
access-list out_in permit ip any any
access-group out_in in interface outside

----------------------------------------------------------------------------------------

After doing this, ask azuan to test again. Make sure tcp intercept and ip verify are still there; don't delete them.

Edited November 13, 2006 by mat_tenuk
azuan, posted November 13, 2006:

Quoting crypto.md5: "Azuan, tcp intercept is the threshold for SYN."

Is that so? So it can filter SYN flood attacks? If I'm not mistaken it has a value. The lower the value, the safer the web server, provided it isn't so low that even normal HTTP requests get caught. Anyway, when you're ready, let me know!
crypto.md5, posted November 13, 2006:

Yes. Admin set max_conn 70, emb_limit 30; maybe try 40 15? Putera seems kind of slow today.
Shanai, posted November 13, 2006:

Please test first with the configuration I made on Saturday.

mat tenuk,
1. What is the access-list infrastructure for? Why deny local IPs?
2. Why deny icmp in full again?
3. When show ip audit count prints output like the above, are those the packets that were successfully blocked? Is it a good sign because it could block them, or a bad sign because it couldn't filter them?
crypto.md5, posted November 14, 2006:

Nice questions.
1) Extra protection against spoofed attacks (it helps ip verify).
2) For testing only, in case deny all doesn't work.
3) Good news, because it was able to detect and drop those packets. Keep in mind that the PIX is a FIREWALL, not a full IDS and IPS device; certain DoS it won't detect, because its signatures are limited compared with a dedicated IDS/IPS device. If the earlier IPS detected brute-force attacks on ssh, then ssh has to be filtered at the firewall. The same for worms: try to deny OUTBOUND traffic, in case they flood the firewall itself.

Don't worry, we'll try the attacks one at a time. Azuan, try a tcp syn flood again. Ehh, wait, relax, let the admin set up the access-list as I described first.
Red-Hat-Enigma, posted November 17, 2006:

I find this odd... wait... I just want to verify what you're doing with the access-list, whether Infra or OutFra or WhateverFra. As far as I understand it, DENY means it STILL REPLIES, only the packet is rejected, not DROPped. So there's still a chance, even if only for a second, to pass/send a carefully crafted fragmented TCP/UDP packet containing a bad packet to putera, and voila! a big hole is exposed. I just want to verify what I understand; in Netfilter it's different, there's ACCEPT, REJECT, DROP, MANGLE and others.
crypto.md5, posted November 17, 2006:

Dear brother, in Cisco's products there is DENY/PERMIT; deny drops the packet outright... As per RFC 1918, infrastructure addresses like those are recommended to be blocked.

Admin, any latest news?
crypto.md5, posted November 20, 2006:

Putera seemed to time out from 11am this morning; now (11:55am) it's OK. I hope a syslog server has been set up so the weaknesses can be seen. If you view via terminal monitor, the logs are lost unless a syslog server is set up.
Shanai, posted November 20, 2006:

Yes, it was down earlier, but unfortunately syslog wasn't running at the time so I couldn't trace it.

* access-group infrastructure can't be applied, because when I apply it, it removes access-group out_in, since both are on the outside interface... is that possible?
crypto.md5, posted November 21, 2006:

Oooh. If you can set up the syslog server now, make sure the syslog server isn't on the outside either; keep it secure on the inside.

For the RFC 1918, 3330 and 2827 access-lists I follow the Cisco router style; it works fine with my PIX 525. The example link is here: http://www.cisco.com/en/US/tech/tk648/tk36...0801afc76.shtml

Anyway, try putting the infrastructure access-list entries into access-list out_in (interface outside).
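The merge crypto.md5 suggests, written out as a single PIX 6.x inbound ACL for the outside interface, together with the interface-ICMP and shun commands from earlier in the thread. The PIX binds one inbound access-group per interface, which is why the second access-group replaced out_in; the bogon entries therefore go at the top of out_in, where they are evaluated before any permit. This is an added example, not a configuration posted by anyone in the thread. The 169.254.0.0/16 entry, the management host 203.0.113.10, the unreachable permits for path-MTU discovery, and the log keyword (PIX 6.3 and later) are my additions; the published addresses 61.4.64.186 (mail) and 61.4.64.187 (web) are taken from the thread.

```cisco
: Single inbound ACL for the outside interface (added example, not from the
: thread). Evaluation is first match; the implicit deny at the end drops
: anything not permitted, and a PIX deny is a silent drop, not a reject.

: Bogon and RFC 1918 sources first, so spoofed packets never reach the
: service rules below (RFC 3330 and RFC 2827 filtering).
access-list out_in deny ip 0.0.0.0 255.0.0.0 any
access-list out_in deny ip 10.0.0.0 255.0.0.0 any
access-list out_in deny ip 127.0.0.0 255.0.0.0 any
access-list out_in deny ip 169.254.0.0 255.255.0.0 any
access-list out_in deny ip 172.16.0.0 255.240.0.0 any
access-list out_in deny ip 192.168.0.0 255.255.0.0 any
access-list out_in deny ip 224.0.0.0 224.0.0.0 any
access-list out_in deny ip host 255.255.255.255 any
: Our own published addresses must never arrive as a source on outside
access-list out_in deny ip host 61.4.64.186 any
access-list out_in deny ip host 61.4.64.187 any

: Published services
access-list out_in permit tcp any host 61.4.64.187 eq 80
access-list out_in permit tcp any host 61.4.64.186 eq smtp

: ICMP to the servers: replies to their own pings, plus unreachables so that
: path-MTU discovery (type 3 code 4) keeps working. Inbound echo stays denied.
access-list out_in permit icmp any host 61.4.64.187 echo-reply
access-list out_in permit icmp any host 61.4.64.186 echo-reply
access-list out_in permit icmp any host 61.4.64.187 unreachable
access-list out_in permit icmp any host 61.4.64.186 unreachable

: SSH: one assumed management host only; every other attempt is denied and
: logged, which is where the brute-force sources become visible in syslog.
access-list out_in permit tcp host 203.0.113.10 host 61.4.64.187 eq 22
access-list out_in deny tcp any host 61.4.64.187 eq 22 log

: Explicit catch-all so the remaining drops are logged (106100 messages)
access-list out_in deny ip any any log
access-group out_in in interface outside

: ICMP addressed to the firewall's own outside address, as opposed to traffic
: through it: accept replies and unreachables, ignore everything else.
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp deny any outside

: Interim block of a single attacker while the ACL is being fixed. These are
: exec commands, not part of the saved config; a shun drops all packets from
: the source, including ones belonging to existing connections.
shun 218.208.251.27
show shun
no shun 218.208.251.27
```

Check the result with `show access-list out_in`, which prints a hit count per entry; an entry that never accumulates hits while azuan is testing is either shadowed by an earlier line or not matching what you think it matches. The `icmp` interface commands and the ACL are independent: the ACL controls traffic through the PIX, the `icmp` commands control what the PIX itself answers, which is why the earlier `icmp permit ... outside` lines stopped the firewall from being pingable while the servers behind it still were.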
gegule, posted November 21, 2006:

I think the threshold or tcp intercept can't absorb attacks from outside if your bandwidth is just barely enough. As far as I understand, even hosting companies are forced to use bandwidth up to a T3 to absorb tcp/udp/icmp attacks from outside.