Thursday, August 23, 2007

[Bahasa Indonesia] How To: Protecting Your MikroTik FTP Server

How To: Protecting Your MikroTik FTP Server


This short article explains how to protect your MikroTik FTP server from brute-force attacks.



We sometimes need to run the FTP server service on our MikroTik router for administrative purposes.

But what if, while FTP is running, someone wants to use the FTP service on the MikroTik router to try things that endanger our network? The most common way this is done is a brute-force attack.

A brute-force attack is a technique for attacking a computer security system by trying every possible key. The approach originally referred to a computer program that relies on the processing power of the computer rather than human intelligence. (Source: Wikipedia)

What has to be done to prevent this is actually quite simple. It only takes 3 firewall rules.

/ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop

# accept 10 incorrect logins per minute
/ip firewall filter
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m

#add to blacklist
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h


Remember, the order above must be exact; the rules must not be swapped.


Let's go through each of the rules above one by one.



Code:
/ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop


This first rule filters traffic that arrives on ether1 (change this as needed), TCP protocol with port 21, and matches the source IP of the traffic against the address list ftp_blacklist (which is populated by the rules that follow). If it matches, the drop action is applied.

When someone performs a brute-force attack for the first time, this first rule does nothing. But once their IP has been recorded, they are dropped immediately.



Code:
# accept 10 incorrect logins per minute
/ip firewall filter
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m

This rule acts as a monitor of whether a given IP has produced an incorrect login 9 times within 1 minute. As long as it stays within the limit of 9 times in 1 minute, the reply is still accepted. Once it has exceeded 9 times, this rule no longer matches and processing continues to the next rule, namely...




Code:
#add to blacklist
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h


This rule adds the attacker's IP to the address list named ftp_blacklist; that is all this rule does.

So on the 11th attempt the attack is dropped by the first rule.
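The behaviour of the three rules, as an added example that is not part of the original post. The token-bucket model of dst-limit, the constructed attacker address 198.51.100.7 and the function names are assumptions; the thresholds are those of the rules above.

```python
"""Model of the three-rule FTP brute-force blacklist described in this post.

Added example, not RouterOS code: dst-limit=1/1m,9,dst-address/1m is
approximated as a per-destination token bucket (9 burst tokens, refilled at
1 per minute) and the address list keeps the 3h address-list-timeout.
"""
from dataclasses import dataclass, field

RATE_PER_SEC = 1 / 60        # dst-limit rate: 1 per minute
BURST = 9                    # dst-limit burst
BLACKLIST_TTL = 3 * 3600     # address-list-timeout=3h, in seconds
FAIL_BANNER = "530 Login incorrect"


@dataclass
class Bucket:
    tokens: float = BURST
    last: float = 0.0


@dataclass
class Firewall:
    buckets: dict = field(default_factory=dict)    # dst-address -> Bucket
    blacklist: dict = field(default_factory=dict)  # address -> expiry time

    def _within_limit(self, ip: str, now: float) -> bool:
        """Rule 2: does the dst-limit matcher still accept a 530 reply to ip?"""
        b = self.buckets.setdefault(ip, Bucket(last=now))
        b.tokens = min(BURST, b.tokens + (now - b.last) * RATE_PER_SEC)
        b.last = now
        if b.tokens >= 1:
            b.tokens -= 1
            return True
        return False

    def on_ftp_reply(self, now: float, dst_ip: str, line: str) -> str:
        """Output chain: the action taken on one server reply line."""
        if not line.startswith(FAIL_BANNER):
            return "pass"            # only failed-login replies are inspected
        if self._within_limit(dst_ip, now):
            return "accept"          # rule 2: still inside the 9-per-minute budget
        self.blacklist[dst_ip] = now + BLACKLIST_TTL
        return "blacklisted"         # rule 3: add-dst-to-address-list

    def on_ftp_connect(self, now: float, src_ip: str) -> str:
        """Input chain: rule 1 drops port-21 traffic from listed sources."""
        expiry = self.blacklist.get(src_ip)
        if expiry is not None and now < expiry:
            return "drop"
        self.blacklist.pop(src_ip, None)   # timeout reached: entry removed
        return "accept"


def simulate_guessing(attempts: int, spacing: float = 1.0) -> list[str]:
    """Constructed run: one source, `attempts` bad logins `spacing` s apart.
    Returns the input-chain decision for each connection attempt."""
    fw, decisions = Firewall(), []
    for n in range(attempts):
        now = n * spacing
        decisions.append(fw.on_ftp_connect(now, "198.51.100.7"))
        if decisions[-1] == "accept":          # the server answers, firewall sees 530
            fw.on_ftp_reply(now, "198.51.100.7", FAIL_BANNER)
    return decisions
```

With one-second spacing the tenth failure lands the source on the list and the eleventh connection is dropped; at one failure per minute the bucket never empties, which is exactly the 1/1m rate the rule tolerates.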


That's all for this short article. Good luck trying it out.

Saturday, August 18, 2007

[Bahasa Indonesia] How to Build an ISP Quickly and Easily with MikroTik + a Squid Box

Source : http://www.forummikrotik.com/showthread.php?t=251
Written By : d3v4
The network topology is as follows:

inet -- cisco -- hub -- Squid (slackware) -- mikrotik (bw managr) -- client
                  |
                  |
                  |-- other servers

ADJUST THE IP ADDRESSES TO THE ONES YOU HAVE

the IP block obtained is: 202.152.100.0/24

basic prerequisites:
1. IP subnetting
2. basic Linux commands
3. basic MikroTik commands

Steps...

1. Look at the Cisco's IP address (assuming FO is used)
ip address cisco s0/0 202.152.30.1
netmask 255.255.255.252
gateway 202.152.30.2

(usually obtained from the ISP above our ISP)

2. Splitting up the IP address block we received:

Before we use the IP address block we have, it is a good idea to split it up first. In the following example I will split it into 2: a SERVER IP BLOCK and a CLIENT IP BLOCK.

SERVER IP BLOCK:
network : 202.152.100.0/28
usable IPs : 202.152.100.1 - 202.152.100.14
broadcast : 202.152.100.15

CLIENT IP BLOCK:
everything other than the above is IP space that can be used for clients.

3. SET THE CISCO ETHERNET IP

set the Cisco ethernet0/0 IP
ip address : 202.152.100.1
netmask 255.255.255.240


4. Setting up the proxy server + TUNE UP:
The Linux used is SLACKWARE 9, which can be downloaded from:
http://mirror.vip.net.id/pub/slackware/
The machine used is:
a P4 computer
3 x 40 GB Seagate Barracuda 7200 rpm HARD DISKS with 2 GB RAM
the first hard disk is mounted at /
the 2nd hard disk is mounted at /cache1
the 3rd hard disk is mounted at /cache2

after installation, set the following IP addresses:

interface eth0
ip address : 202.152.100.2
netmask 255.255.255.240
gateway 202.152.100.1

Interface eth1
ip address : 202.152.100.17
netmask 255.255.255.252

after that...

open the file types.h:
root@proxy:~# vi /usr/include/bits/types.h
edit this part:

#define __FD_SETSIZE 1024

so that it becomes:

#define __FD_SETSIZE 8192

==> then exit the VI editor

then type this command:

root@proxy:~# ulimit -HSn 8192

then download squid 2.5.STABLE9 from here:

wget http://202.154.183.7/squid-2.5.STABLE9.tar.gz

save it in the /usr/local/src directory

extract it with the command:

tar -zxvf squid-2.5.STABLE9.tar.gz

enter the squid directory
and type the following command:

./configure \
--prefix=/opt/squid \
--exec-prefix=/opt/squid \
--enable-gnuregex \
--enable-async-io=30 \
--with-aufs-threads=30 \
--with-pthreads \
--with-aio \
--with-dl \
--enable-storeio=aufs \
--enable-removal-policies=heap \
--enable-icmp \
--disable-wccp \
--enable-snmp \
--enable-cache-digests \
--enable-default-err-languages=English \
--enable-err-languages=English \
--enable-linux-netfilter \
--disable-ident-lookups \
--disable-hostname-checks \
--enable-underscores

Since MikroTik is already there for bandwidth management, delay pools are no longer needed. This configuration is for a computer with the following specs:

3 x 40 GB Seagate Barracuda 7200 rpm hard disks, 2 GB RAM

2 hard disks for the cache, 1 for the system. If SCSI hard disks are used, --enable-async-io=30 --with-aufs-threads=30 can be raised to 32.

==> squid installation done. All squid files will be located in the /opt/squid directory

after that, use the squid.conf below:

http_port 8080
acl youtube dstdomain .youtube.com
no_cache allow youtube
hierarchy_stoplist cgi-bin ? localhost .js .jsp .friendster.com
acl QUERY urlpath_regex cgi-bin \? localhost .friendster.com
no_cache deny QUERY
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
cache_mem 6 MB
cache_dir aufs /cache1 8000 13 256
cache_dir aufs /cache2 8000 13 256
cache_swap_low 98
cache_swap_high 99
cache_access_log /cache1/access.log
cache_log /dev/null
cache_store_log none
mime_table /opt/squid/etc/mime.conf
pid_filename /var/run/squid.pid
client_netmask 255.255.255.0
refresh_pattern ^ftp: 10080 95% 241920 reload-into-ims override-lastmod
refresh_pattern . 180 95% 120960 reload-into-ims override-lastmod
redirect_rewrites_host_header off
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localnet src 202.152.100.0/255.255.255.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 8443 563 777
acl Safe_ports port 25 80 81 110 443 563 6667 7000 777 210 119 70 21 1025-65535
acl Safe_ports port 280 6668 6669
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl lewat dst_as 4622 4761 4787 4795 4796 4855 4800 7587 7597 7713 9326 9340 9448 9657 9791 9794 9875 9905 9228 9251 10114 10137 10208 10217 17440 17450 17451 17538 17658 17671 17670 17725 17727 17769 4832 4833 17817 17884 17907 17910 17922 17800 10220 17974 17826 17885 18052 18056 18059 7632 4821 18103 17996 18004 18153 18156 18189 18237 18251 18347 3583 3382 4382 4434 18364 18365 18379 9341 9785 18393 17995 23651 23666 23671 23679 23691 23756 23945 24052 24057 24194
always_direct allow lewat
always_direct deny all
#header_access Accept-Encoding deny all
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny CONNECT
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
http_access deny all
maximum_object_size 128 MB
maximum_object_size_in_memory 8 KB
ipcache_size 4096
ipcache_low 98
ipcache_high 99
quick_abort_min 0
quick_abort_max 0
quick_abort_pct 75
fqdncache_size 4096
shutdown_lifetime 10 seconds
cache_mgr hendraarif@yahoo.com
cache_effective_user squid
cache_effective_group squid
memory_pools off
buffered_logs off
log_icp_queries off
logfile_rotate 1
log_fqdn off
forwarded_for off
icp_hit_stale on
query_icmp on
reload_into_ims on
emulate_httpd_log off
negative_ttl 2 minutes
pipeline_prefetch on
vary_ignore_expire on
half_closed_clients off
high_page_fault_warning 2
visible_hostname proxy@dodol.org
nonhierarchical_direct on
prefer_direct off


pay attention to the IP addresses that are allowed; adjust them to the IPs in use.
also pay attention to the cache directory usage; the maximum per disk is 18 GB.
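What this http_access order actually permits, as an added example that is not part of d3v4's post: a small first-match evaluator over the ACLs from the squid.conf above. The request record format, the function names and the outside test address 198.51.100.9 are assumptions.

```python
"""First-match evaluator for the http_access section of the squid.conf above.

Added example, not part of the post: it implements just enough of Squid's
ACL semantics (src, port, method and proto ACLs, '!' negation, ANDed terms
on one line, default = opposite of the last line) to show which requests
the ordering used here admits. Network ACLs are written in CIDR form.
"""
import ipaddress

# The ACLs that http_access refers to, copied from the squid.conf above
ACLS = {
    "all":        ("src", ["0.0.0.0/0"]),
    "manager":    ("proto", ["cache_object"]),
    "localnet":   ("src", ["202.152.100.0/24"]),
    "localhost":  ("src", ["127.0.0.1/32"]),
    "SSL_ports":  ("port", ["443", "8443", "563", "777"]),
    "Safe_ports": ("port", ["25", "80", "81", "110", "443", "563", "6667", "7000",
                            "777", "210", "119", "70", "21", "1025-65535",
                            "280", "6668", "6669", "488", "591"]),
    "CONNECT":    ("method", ["CONNECT"]),
}

# http_access lines in the order they appear in the post
HTTP_ACCESS = [
    ("allow", ["manager", "localhost"]),
    ("deny",  ["manager"]),
    ("allow", ["localnet"]),
    ("allow", ["localhost"]),
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("deny",  ["CONNECT"]),
    ("deny",  ["all"]),
]


def acl_matches(term: str, req: dict) -> bool:
    """Evaluate one (possibly '!'-negated) ACL term against a request record."""
    negate = term.startswith("!")
    kind, values = ACLS[term.lstrip("!")]
    if kind == "src":
        src = ipaddress.ip_address(req["src"])
        hit = any(src in ipaddress.ip_network(v) for v in values)
    elif kind == "port":
        hit = False
        for v in values:                       # single port or "lo-hi" range
            lo, _, hi = v.partition("-")
            hit |= int(lo) <= req["port"] <= int(hi or lo)
    elif kind == "method":
        hit = req["method"] in values
    else:                                      # proto
        hit = req["proto"] in values
    return hit != negate


def http_access(req: dict) -> tuple[str, int]:
    """Return (decision, index of the http_access line that decided it).
    Index -1 means no line matched and Squid's implicit default applied."""
    for i, (action, terms) in enumerate(HTTP_ACCESS):
        if all(acl_matches(t, req) for t in terms):   # terms on a line are ANDed
            return action, i
    default = "deny" if HTTP_ACCESS[-1][0] == "allow" else "allow"
    return default, -1


def request(src: str, port: int, method: str = "GET", proto: str = "http") -> dict:
    """Constructed request record for the evaluator (not real Squid input)."""
    return {"src": src, "port": port, "method": method, "proto": proto}
```

Because `allow localnet` is the third line, the Safe_ports and CONNECT checks below it are only ever reached by sources outside 202.152.100.0/24; a client inside that range is allowed to CONNECT to any port.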

after that, add the squid user on Linux:

root@proxy:~# useradd squid

also add the squid group

root@proxy:~# groupadd squid


create the cache directories in squid:

root@proxy:~# /opt/squid/sbin/squid -z

type this command once more:

root@proxy:~# ulimit -HSn 8192

then run squid with the command:

root@proxy:~# /opt/squid/sbin/squid -DY &

==================================================

okay... let's continue:

5. Setting up MikroTik:

enter the IP address of ether1:
/ip address add address=202.152.100.18/30 interface=ether1

since all the IPs in use are public IPs, the subnetting has to be split up:
enter the IP address that pairs with the client IP:
for example, if the client IP is 202.152.100.22, the address entered on the MikroTik ether2 is 202.152.100.21/30

and likewise for the other client IP pairs.

/ip address add address=202.152.100.21/30 interface=ether2



for clarity, see the following table:
Code:
network         first avail     last avail      broadcast
202.152.100.20 202.152.100.21 202.152.100.22 202.152.100.23
202.152.100.24 202.152.100.25 202.152.100.26 202.152.100.27
202.152.100.28 202.152.100.29 202.152.100.30 202.152.100.31
202.152.100.32 202.152.100.33 202.152.100.34 202.152.100.35
202.152.100.36 202.152.100.37 202.152.100.38 202.152.100.39
202.152.100.40 202.152.100.41 202.152.100.42 202.152.100.43
202.152.100.44 202.152.100.45 202.152.100.46 202.152.100.47
202.152.100.48 202.152.100.49 202.152.100.50 202.152.100.51
202.152.100.52 202.152.100.53 202.152.100.54 202.152.100.55
202.152.100.56 202.152.100.57 202.152.100.58 202.152.100.59
202.152.100.60 202.152.100.61 202.152.100.62 202.152.100.63
202.152.100.64 202.152.100.65 202.152.100.66 202.152.100.67
202.152.100.68 202.152.100.69 202.152.100.70 202.152.100.71
202.152.100.72 202.152.100.73 202.152.100.74 202.152.100.75
202.152.100.76 202.152.100.77 202.152.100.78 202.152.100.79
202.152.100.80 202.152.100.81 202.152.100.82 202.152.100.83
202.152.100.84 202.152.100.85 202.152.100.86 202.152.100.87
202.152.100.88 202.152.100.89 202.152.100.90 202.152.100.91
202.152.100.92 202.152.100.93 202.152.100.94 202.152.100.95
202.152.100.96 202.152.100.97 202.152.100.98 202.152.100.99
202.152.100.100 202.152.100.101 202.152.100.102 202.152.100.103
202.152.100.104 202.152.100.105 202.152.100.106 202.152.100.107
202.152.100.108 202.152.100.109 202.152.100.110 202.152.100.111
202.152.100.112 202.152.100.113 202.152.100.114 202.152.100.115
202.152.100.116 202.152.100.117 202.152.100.118 202.152.100.119
202.152.100.120 202.152.100.121 202.152.100.122 202.152.100.123
202.152.100.124 202.152.100.125 202.152.100.126 202.152.100.127
202.152.100.128 202.152.100.129 202.152.100.130 202.152.100.131
202.152.100.132 202.152.100.133 202.152.100.134 202.152.100.135
202.152.100.136 202.152.100.137 202.152.100.138 202.152.100.139
202.152.100.140 202.152.100.141 202.152.100.142 202.152.100.143
202.152.100.144 202.152.100.145 202.152.100.146 202.152.100.147
202.152.100.148 202.152.100.149 202.152.100.150 202.152.100.151
202.152.100.152 202.152.100.153 202.152.100.154 202.152.100.155
202.152.100.156 202.152.100.157 202.152.100.158 202.152.100.159
202.152.100.160 202.152.100.161 202.152.100.162 202.152.100.163
202.152.100.164 202.152.100.165 202.152.100.166 202.152.100.167
202.152.100.168 202.152.100.169 202.152.100.170 202.152.100.171
202.152.100.172 202.152.100.173 202.152.100.174 202.152.100.175
202.152.100.176 202.152.100.177 202.152.100.178 202.152.100.179
202.152.100.180 202.152.100.181 202.152.100.182 202.152.100.183
202.152.100.184 202.152.100.185 202.152.100.186 202.152.100.187
202.152.100.188 202.152.100.189 202.152.100.190 202.152.100.191
202.152.100.192 202.152.100.193 202.152.100.194 202.152.100.195
202.152.100.196 202.152.100.197 202.152.100.198 202.152.100.199
202.152.100.200 202.152.100.201 202.152.100.202 202.152.100.203
202.152.100.204 202.152.100.205 202.152.100.206 202.152.100.207
202.152.100.208 202.152.100.209 202.152.100.210 202.152.100.211
202.152.100.212 202.152.100.213 202.152.100.214 202.152.100.215
202.152.100.216 202.152.100.217 202.152.100.218 202.152.100.219
202.152.100.220 202.152.100.221 202.152.100.222 202.152.100.223
202.152.100.224 202.152.100.225 202.152.100.226 202.152.100.227
202.152.100.228 202.152.100.229 202.152.100.230 202.152.100.231
202.152.100.232 202.152.100.233 202.152.100.234 202.152.100.235
202.152.100.236 202.152.100.237 202.152.100.238 202.152.100.239
202.152.100.240 202.152.100.241 202.152.100.242 202.152.100.243
202.152.100.244 202.152.100.245 202.152.100.246 202.152.100.247
202.152.100.248 202.152.100.249 202.152.100.250 202.152.100.251
202.152.100.252 202.152.100.253 202.152.100.254 202.152.100.255
then enter the gateway towards the proxy:

/ip route add gateway=202.152.100.17


set the route on the proxy so that the network on the MikroTik end can pass through:

route add -net 202.152.100.16/30 gateway 202.152.100.18

that's it for IP addressing...

6. A client can now be tested
using the IP address:
202.152.100.22
netmask 255.255.255.252
gateway 202.152.100.21

because subnetting is used, no IP address other than .22 will be able to pass through the MikroTik router that was set up

7. iptables on the proxy
all traffic must be forced through the proxy server we built, with this command:

Code:
iptables -A PREROUTING -t nat -p tcp -s 202.152.100.0/24 -i eth2 -d \! 202.152.100.0/24 --dport 80 -j REDIRECT --to 8080

9. DNS SERVER
run the DNS server that comes with Slackware by default with the command:

root@proxy:~# named -d1

then just put this in /etc/resolv.conf:

nameserver 127.0.0.1

and all clients use the DNS IP 202.152.100.18

WITHOUT NAT/MASQUERADE: public IPs are distributed to the clients

so there you go, easy and quick, isn't it?

How To : Creating a Transparent Web Proxy

A web proxy allows clients to make indirect network connections to other network services. A client connects to the proxy server, then requests a file or other resource available on a different server. The web proxy performs an Internet object cache function by storing requested Internet objects, i.e., data available via the HTTP and FTP protocols, on a system positioned closer to the recipient than the site the data originates from. A transparent proxy performs request caching invisibly to the end user. This way the user does not notice that his connection is being processed by the proxy and therefore does not need to perform any additional configuration of the software he is using. To set up a transparent proxy, follow the steps listed below.

1. Configure the router to redirect all connections coming from clients (we assume that clients are connected to the router's ether1 interface) to port 80 to the web proxy listening on port 8080, by adding the following destination NAT rule:

[admin@MikroTik] > ip firewall nat add in-interface=ether1 dst-port=80 \
... protocol=tcp action=redirect to-ports=8080 chain=dstnat

2. Specify DNS server:

[admin@MikroTik] > ip dns set primary-dns=195.2.96.2

3. Enable the proxy on port 8080:

[admin@MikroTik] > ip web-proxy set enabled=yes port=8080 transparent-proxy=yes

Notice that only HTTP traffic is supported in transparent mode of the web proxy. HTTPS and FTP protocols are not going to work this way.

Friday, August 17, 2007

How to limit traffic from Rapidshare

You can use this little script to get the IPs for Rapidshare. The script looks through the DNS cache and, every time the word rapidshare appears, places the IP it gets into an address list; after that you can configure a queue rule to limit the traffic.

:foreach i in=[/ip dns cache find] do={
    :local name [/ip dns cache get $i name]
    :local addr [/ip dns cache get $i address]
    # match any cached name containing "rapidshare", including at position 0
    :if ([:typeof [:find $name "rapidshare"]] != "nil") do={
        :log info ("rapidshare: " . $name . " (ip address " . $addr . ")")
        # skip addresses already on the list; adding a duplicate would abort the script
        :if ([:len [/ip firewall address-list find list=rapidshare address=$addr]] = 0) do={
            /ip firewall address-list add address=$addr list=rapidshare disabled=no
        }
    }
}

Source : http://forum.mikrotik.com/viewtopic.php?p=84349#p84349

Free Level 6 Mikrotik License

normis:
...who uploads MikroTik related videos to the http://www.TikTube.com video system. Any video directly related with MikroTik stuff will do. We will evaluate your video, and you will receive a free license!



How to Block a Customer and Tell him to Pay the Bill

Sometimes you may need to cut off a customer and tell him to pay his bill. This is best done by redirecting his HTTP requests to a page with information telling him to pay in order to get reconnected. You can do it with a simple destination NAT rule that captures all HTTP requests from a specific address and sends them to a server with a web page telling him to pay the bill. However, it is quite easy to do this using the HotSpot feature of RouterOS. Please note that this doesn't work with PPPoE connections.

To make this setup, you should have the Hotspot package enabled on RouterOS. This example covers how to block a customer's computer. When he tries to open a web page he will be redirected to the hotspot page, which contains the information that he hasn't paid the bill for his Internet access. Your router should already be configured and working (the customer should have access to the Internet), and you should have a DNS server specified on the router.

First, edit the Hotspot login.html page with the text that will be shown to customers who haven't paid their bills. It could be something like this: "Service not available, please pay the bill and contact us by phone to get reconnected". This page can be found within the hotspot folder of RouterOS.

Next, add an ip-binding rule that allows all customers to bypass the hotspot page. This is done with the following command:

/ip hotspot ip-binding add type=bypassed address=0.0.0.0/0 \
comment="bypass the hotspot for all the paying customers"

After that, add the Hotspot server on the interface where your clients are connected. It can be done with the following command:

/ip hotspot add interface=local disabled=no

Now you can add ip-binding rules for the customers who haven't paid their bill. You can match them by IP address or MAC address. Here is an example using a MAC address:

/ip hotspot ip-binding add mac-address=00:0C:42:00:00:90 type=regular comment="Non paying client 1"

Now we have this configuration:

[admin@MikroTik] ip hotspot ip-binding> print
Flags: X - disabled, P - bypassed, B - blocked
 #   MAC-ADDRESS       ADDRESS         TO-ADDRESS      SERVER
 0 P ;;; bypass the hotspot for all the paying customers
                       0.0.0.0/0
 1   ;;; Non paying client 1
     00:0C:42:00:00:90

There is one more step to make it work: change the order of these rules so that the new rule sits above the bypass rule, otherwise it is never processed. You can move it using the move command:

[admin@MikroTik] ip hotspot ip-binding> move 1 0

Now the ip-binding configuration should look like this:

[admin@MikroTik] ip hotspot ip-binding> print
Flags: X - disabled, P - bypassed, B - blocked
 #   MAC-ADDRESS       ADDRESS         TO-ADDRESS      SERVER
 0   ;;; Non paying client 1
     00:0C:42:00:00:90
 1 P ;;; bypass the hotspot for all the paying customers
                       0.0.0.0/0

If the customers can pay their bill over the Internet, you can modify login.html by adding links to the clients' bank web page where they can pay their bill. After you add these links to the login page you should also add them to the hotspot configuration so that the blocked customer can access those pages. This is done in the 'ip hotspot walled-garden ip' menu. Here is an example:

/ip hotspot walled-garden ip add dst-host=www.paypal.com

Drop port scanners


To protect the router from port scanners, we can record the IPs of hackers who try to scan your box. Using this address list we can then drop connections from those IPs.

in /ip firewall filter


add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="Port scanners to list " disabled=no

Various combinations of TCP flags can also indicate port scanner activity.

add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="NMAP NULL scan"

Then you can drop those IPs:

add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no

Similarly, you can drop these port scanners in the forward chain by using the above rules with "chain=forward".