Firewall for the Putera.com Server

Posted by Shanai

The firewall's IP address is correct. But it's the only one that can't be pinged; the other servers can. Putera has it disabled at the server.

I entered

icmp permit any echo-reply outside

icmp permit any unreachable outside

and when I did that, the firewall became unpingable.

In the access-list I allow icmp echo and echo-reply, and in ip audit I disabled signature 2004 (only) so that pings aren't dropped by the IDS.

SSH is still permitted to the servers because most of the servers use sftp for file transfer.

Is SSH critical enough that it has to be closed?

---

It's up to your taste. If you feel paranoid, filter it. You can set it up so that after more than 2-3 login attempts within a few minutes, the firewall blocks that IP. There are many ways to do it, whether you want to or not. Same with DDoS: it will recognise when far too many packets arrive within such-and-such a time, and it will block that IP address. The most important thing is the DoS protection, because the server can be brought down by it.
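A worked example added here (my own code, not from the original thread) of the login-failure rule this post describes: count failed SSH logins per source IP over a sliding window and block the source once it passes the limit. The firewall cannot see whether an SSH login inside the encrypted session failed, so this kind of counter runs on the host or a syslog collector and hands the result back to the firewall, here as the PIX `shun` command that appears later in this thread. The sshd log lines are constructed sample input, the year 2004 is assumed (syslog stamps carry none), and the 3-failures-in-5-minutes threshold is an assumption, not a PIX setting.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches OpenSSH "Failed password" lines; the hostname field is ignored.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log (not real traffic). 198.51.100.77 fails three times
# inside two minutes; 203.0.113.9 fails three times but seven minutes apart.
SAMPLE_LOG = """\
Jun 12 11:00:01 putera sshd[2201]: Failed password for root from 198.51.100.77 port 51234 ssh2
Jun 12 11:00:09 putera sshd[2203]: Failed password for invalid user admin from 198.51.100.77 port 51240 ssh2
Jun 12 11:00:30 putera sshd[2204]: Accepted publickey for webadmin from 192.168.10.5 port 40000 ssh2
Jun 12 11:01:15 putera sshd[2210]: Failed password for root from 198.51.100.77 port 51301 ssh2
Jun 12 11:02:00 putera sshd[2211]: Failed password for root from 203.0.113.9 port 33000 ssh2
Jun 12 11:09:00 putera sshd[2250]: Failed password for root from 203.0.113.9 port 33010 ssh2
Jun 12 11:16:00 putera sshd[2290]: Failed password for root from 203.0.113.9 port 33020 ssh2
"""


def parse_ts(stamp, year=2004):
    """syslog stamps carry no year; one is assumed so timestamps can be compared."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_offenders(log_text, max_failures=3, window_minutes=5):
    """Return {ip: time of the failure that tripped the limit} for every source
    that accumulated max_failures failed logins inside any window_minutes-long
    interval. The window slides, so slow attempts spaced wider than the window
    never accumulate (the second source in SAMPLE_LOG is the example)."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)
    blocked = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ip, ts = m["ip"], parse_ts(m["ts"])
        if ip in blocked:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # drop failures that fell out of the window
            q.popleft()
        if len(q) >= max_failures:
            blocked[ip] = ts
    return blocked


def shun_commands(blocked):
    """The PIX one-liners an operator would paste for each offender."""
    return [f"shun {ip}" for ip in sorted(blocked)]


if __name__ == "__main__":
    for cmd in shun_commands(find_offenders(SAMPLE_LOG)):
        print(cmd)
```

Run it on the sample and it prints a single `shun 198.51.100.77`; widening the window to 15 minutes also catches 203.0.113.9, which is the knob the post is talking about.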

---

Ooooo, so that's why SSH is still open up to now. Not that critical; this PIX has application inspection, so don't worry. So.... how many lines of access-list have you created? You could get Azuan to test like the other day: hammer it with ping, or use hping2, because this kind of attack is a favourite of many people, who knows why. I tried flooding with UDP earlier, but the firewall managed to discard my UDP. Azuan, what else? You could try hammering it.. record the ip audit afterwards.

:D

---

Ekekekek. Timeout, eh? :P That's why I think the admin needs to pay attention to the "DDoS" part before thinking about closing and opening this and that. All of that can be done later. Forget about closing all the inbound stuff. Better to focus on the DDoS part. I think Zuan's suggestion is right: focus on the repeated tcp/udp/icmp floods.

---

Ohh yeahh, this is what's called DoS testing, one goal scored (reminds me of being goalkeeper back in secondary school ekekeke). Admin, have you done the ip verify & emb_limit & max_conn I told you to do? In ip audit, which attack does it count? Azuan, are you using hping, or something like it? I need to revise for the CCSP exam again... :D

:D

---

> Ohh yeahh, this is what's called DoS testing, one goal scored (reminds me of being goalkeeper back in secondary school ekekeke). Admin, have you done the ip verify & emb_limit & max_conn I told you to do? In ip audit, which attack does it count? Azuan, are you using hping, or something like it? I need to revise for the CCSP exam again... :D

How about properly planning what needs to be done first. Bring it to a meeting. Sit down at one table.

I'm a bit worried about learning and testing this and that... while the PIX is online.

In my opinion, we already have a PIX expert here. It would be good to bring it to a meeting to get a proper plan.

I'm afraid Putera's firewall will just end up drowning in trials. :(

PS: The PIX has its weaknesses too; it can't do everything. :D

Edited by LucentAmar

---

ip fragment guard hasn't been implemented yet either. A lot of adjusting & tuning of its fragment chain is needed, but if it's adjusted wrongly it could make Putera unstable until a suitable value is found; the same goes for tcp intercept (emb_limit & max_con). Never mind, just inform the visitors to Putera so they understand if Putera can't be accessed: adjusting is in progress :D. Let me know if you're ready.

---

So Azuan, which part do you think I need to look at?

You need to look at TCP/UDP/ICMP DDoS prevention. I don't know whether that option exists or not, but even ordinary routers have it; surely the PIX has it too. I don't know what command to put in, but that's my idea. With a TCP flood, people can shoot at an open port, i.e. port 80, which is the favourite of many of those computer users out there with nothing to do :D

---

I've done ip verify.

emb_limit and max_con are set to 70 30 (but for the Putera server only for now).

The only ip audit entries are the following:

2000 I ICMP Echo Reply      398074 398074
2001 I ICMP Unreachable      85600  85600
2002 I ICMP Source Quench       23     23
2003 I ICMP Redirect         38754  38754
2005 I ICMP Time Exceed      88088  88088
2151 A Large ICMP                6      6

Even so, I can't tell whether these happened while Azwan was attacking or were random attacks from elsewhere.

From logging to the terminal monitor I saw several international IPs that were stuck there, possibly random hackers or viruses.

But undeniably, when the IPS was installed, it reported many SSH brute-force attacks and all sorts of SQL worms. Now the demo period has ended, though, so I no longer have that tool to cross-check.

---

Does that firewall model have a "SYN threshold"? If it does, let's start with that first. Ignore the rest for now.

---

> Does that firewall model have a "SYN threshold"? If it does, let's start with that first. Ignore the rest for now.

Test this firewall as well... ip = 218.208.251.27

---

> Does that firewall model have a "SYN threshold"? If it does, let's start with that first. Ignore the rest for now.

Azuan, tcp intercept is the SYN threshold.

Admin, for the time being, just shun the attacking IP. Use this syntax:

shun <src_ip> [<dst_ip> <sport> <dport> [<protocol>]]

Example: shun 218.xxx.xxx.xxx

I'll make a report to Cisco Systems; this matter is serious.

Oh yes, large ICMP is considered denial-of-service.

Edited by mat_tenuk

---

Admin,

It looks like we'll have to put a manual deny statement at the end for extra security. Don't know what happened to your PIX; thinking of doing a write erase on the config? Better not.

Please apply these policies..

access-list infrastructure deny ip 0.0.0.0 255.0.0.0 any
access-list infrastructure deny ip 10.0.0.0 255.0.0.0 any
access-list infrastructure deny ip 127.0.0.0 255.0.0.0 any
access-list infrastructure deny ip 172.16.0.0 255.240.0.0 any
access-list infrastructure deny ip 192.168.0.0 255.255.0.0 any
access-list infrastructure deny ip 224.0.0.0 224.0.0.0 any
access-list infrastructure deny ip host 255.255.255.255 any
icmp deny any outside
access-group infrastructure in interface outside

------------------------------------------------------------------------------------------

access-list out_in permit tcp any host 61.4.64.187 eq 80
access-list out_in permit tcp any host 61.4.64.186 eq smtp
access-list out_in permit icmp any host 61.4.64.187 echo-reply
access-list out_in permit icmp any host 61.4.64.186 echo-reply
access-list out_in deny tcp any host 61.4.64.187 eq 22
access-list out_in deny icmp any any unreachable
access-list out_in deny icmp any any redirect
access-list out_in deny icmp any any alternate-address
access-list out_in deny icmp any any echo
access-list out_in deny icmp any any router-advertisement
access-list out_in deny icmp any any router-solicitation
access-list out_in deny icmp any any time-exceeded
access-list out_in deny icmp any any parameter-problem
access-list out_in deny icmp any any timestamp-reply
access-list out_in deny icmp any any timestamp-request
access-list out_in deny icmp any any information-request
access-list out_in deny icmp any any information-reply
access-list out_in deny icmp any any mask-request
access-list out_in deny icmp any any mask-reply
access-list out_in deny icmp any any conversion-error
access-list out_in deny icmp any any mobile-redirect
access-list out_in deny icmp any any
access-list out_in deny tcp any any
access-list out_in deny udp any any
access-list out_in deny ip any any
access-list out_in permit ip any any
access-group out_in in interface outside

----------------------------------------------------------------------------------------

After doing this, get Azuan to test again. Make sure tcp intercept and ip verify are still there; don't delete them.

Edited by mat_tenuk

---

> Azuan, tcp intercept is the SYN threshold.

Is that so? So it can filter SYN flood attacks? If I'm not mistaken it has a value. The lower the value, the safer the web server, provided it's not so low that normal HTTP requests get caught as well :D

Anyway, when you're ready, let me know!
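An added simulation (my own code, not from the thread) of the trade-off discussed in the last few posts: the embryonic (half-open) connection limit that the PIX `static` command's `emb_limit` sets, with and without the TCP intercept behaviour Cisco added in PIX 6.2, where SYNs above the limit are answered by the firewall itself and only clients that finish the handshake are passed to the server. A spoofed SYN flood that never ACKs is replayed ahead of a handful of real clients. The model is simplified (no timeouts, no max_conns), the trace is constructed, and the limit of 30 is taken from the admin's "70 30", assuming those are in `static` order (max_conns then emb_limit).

```python
class SynGuard:
    """Simplified model of the PIX embryonic-connection limit for one server.

    Without intercept: once emb_limit half-open connections are pending on the
    server, further SYNs are dropped. With intercept: once the limit is hit the
    firewall answers each new SYN itself (SYN/ACK, state held on the firewall)
    and only opens the connection to the server after the client's ACK."""

    def __init__(self, emb_limit, intercept=False):
        self.emb_limit = emb_limit
        self.intercept = intercept
        self.server_half_open = set()   # embryonic entries the server is holding
        self.proxied = set()            # handshakes the firewall is holding instead
        self.established = []
        self.dropped = []
        self.peak_half_open = 0

    def syn(self, src, sport):
        key = (src, sport)
        if key in self.server_half_open or key in self.proxied:
            return "retransmit"
        if len(self.server_half_open) < self.emb_limit:
            self.server_half_open.add(key)
            self.peak_half_open = max(self.peak_half_open, len(self.server_half_open))
            return "forwarded"
        if self.intercept:
            self.proxied.add(key)
            return "intercepted"
        self.dropped.append(key)
        return "dropped"

    def ack(self, src, sport):
        key = (src, sport)
        if key in self.server_half_open:
            self.server_half_open.discard(key)
        elif key in self.proxied:
            self.proxied.discard(key)   # firewall now completes the handshake with the server
        else:
            return "no-state"
        self.established.append(key)
        return "established"


LEGIT = "198.51.100.10"   # constructed: the one real client in the trace


def build_trace(n_attack, n_legit):
    """Constructed trace: a spoofed SYN flood that never ACKs (documentation
    range sources), followed by legitimate clients that complete the handshake."""
    trace = [("syn", f"203.0.113.{i % 250 + 1}", 40000 + i) for i in range(n_attack)]
    for i in range(n_legit):
        trace += [("syn", LEGIT, 50000 + i), ("ack", LEGIT, 50000 + i)]
    return trace


def simulate(emb_limit, intercept, n_attack=100, n_legit=5):
    guard = SynGuard(emb_limit, intercept)
    for kind, src, sport in build_trace(n_attack, n_legit):
        getattr(guard, kind)(src, sport)
    served = sum(1 for src, _ in guard.established if src == LEGIT)
    return {"served_legit": served, "dropped": len(guard.dropped),
            "peak_half_open": guard.peak_half_open}


if __name__ == "__main__":
    for emb_limit, intercept in ((1000, False), (30, False), (30, True)):
        print(f"emb_limit={emb_limit} intercept={intercept}:", simulate(emb_limit, intercept))
```

With no effective limit the server ends up holding all 100 bogus half-open connections. With `emb_limit` 30 and plain dropping, the server's backlog is capped at 30, but the attackers filled those slots first, so every real client is dropped too: the limit protects the server, not the service. With intercept enabled the flood is absorbed on the firewall and the real clients still get through, which is the distinction the "SYN threshold" question is reaching for. None of this helps once the link itself is saturated, as a later post points out.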

---

Please test first with the configuration I made on Saturday.

mat tenuk,

1. What is that access-list infrastructure for? Why do we need to deny local IPs?

2. Why deny ICMP in full again?

3. When I do show ip audit count and it comes out as above, are those the ones that were successfully blocked? Is it a good sign because they were blocked, or a bad sign because they couldn't be filtered?

---

Nice questions :D

1) Extra protection against spoofed attacks (it backs up ip verify).

2) For testing only, in case deny all doesn't work.

3) Good news, because it detected & dropped those packets. Keep in mind that the PIX is a FIREWALL, not a full IDS & IPS device; certain DoS attacks it won't detect, because its signatures are limited compared with a dedicated IDS/IPS device. If the previous IPS detected brute-force attacks on ssh, then ssh has to be filtered at the firewall. Likewise for worms: try to deny OUTBOUND traffic, in case they flood the firewall itself.

Don't worry, we'll try the attacks one by one. Azuan, try flooding tcp syn again. Ehhh, wait, relax; admin, first put in the access-list as I told you.

---

Something looks odd to me.. wait.. I just want to verify what you're doing.. with that access list, Infra or OutFra or WhateverFra.. if it's DENY, as far as I understand, it means it STILL REPLIES; the packet is just rejected, not DROPPED. So there's still a chance, even if only for a second, to pass/send a carefully crafted fragmented TCP/UDP packet with bad content to Putera and voila! A big hole laid open. I just want to verify what I understand; in Netfilter it's different: there's ACCEPT, REJECT, DROP, MANGLE and others.

---

Dear brother, in Cisco's products there is DENY/PERMIT; deny drops the packet outright... and referring to RFC 1918, infrastructure addresses like those are recommended to be blocked..

admin, any latest news? :D

---

Putera seemed to time out from 11am earlier; now (11:55am) it's OK. I hope a syslog server has been set up so we can see its weaknesses; if you view with terminal monitor, the logs are lost unless a syslog server is set up.

---

Yes, it went down earlier, but unfortunately syslog wasn't running at the time, so it couldn't be traced.

* access-group infrastructure can't be applied, because when I do it, it removes access-group out_in

since both are on the outside interface.. is that possible?

---

Oooo, if you can set up a syslog server now, also make sure the syslog server isn't on the outside, but on the secure inside..

For the access-lists for RFC 1918, 3330 and 2827 I followed the Cisco router style; works fine with my PIX 525.

The example link is here: http://www.cisco.com/en/US/tech/tk648/tk36...0801afc76.shtml

Anyway, try putting the access-list infrastructure entries into access-list out_in (interface outside).

:D

---

I think that threshold or tcp intercept can't absorb an attack from outside if your bandwidth is only just enough to get by. From what I understand, even hosting companies are forced to use bandwidth up to T3 to absorb tcp/udp/icmp attacks from outside.
