Di Mikrotik perintah firewall ini terdapat dalam modus IP, yaitu
[admin@routerku] > /ip firewall
Terdapat beberapa packet filter seperti mangle, nat, dan filter.
-------------------------------------------------------------------------
[admin@routerku] ip firewall> ?
Firewall allows IP packet filtering on per packet basis.
.. -- go up to ip
mangle/ -- The packet marking management
nat/ -- Network Address Translation
connection/ -- Active connections
filter/ -- Firewall filters
address-list/ --
service-port/ -- Service port management
export --
--------------------------------------------------------------------------
Untuk kali ini kita akan lihat konfigurasi pada ip firewall filternya.
Karena Luasnya parameter dari firewall filter ini untuk pembahasan Firewall Filter selengkapnya dapat dilihat pada manual mikrotik, di http://www.mikrotik.com/testdocs/ros/2.9/ip/filter.php
Konfigurasi dibawah ini dapat memblokir beberapa Trojan, Virus, Backdoor yang telah dikenali sebelumnya baik Nomor Port yang dipakai serta Protokolnya. Juga telah di konfigurasikan untuk menahan Flooding dari Jaringan Publik dan jaringan Lokal. Serta pemberian rule untuk Access control agar, Rentang jaringan tertentu saja yang bisa melakukan Remote atau mengakses service tertentu terhadap Mesin Mikrotik kita.
Contoh Aplikasi Filternya
-----------------------------------------------------------------------------
/ ip firewall filter
add chain=input connection-state=invalid action=drop comment="Drop Invalid
connections" disabled=no
add chain=input src-address=!192.168.0.0/27 protocol=tcp src-port=1024-65535
dst-port=8080 action=drop comment="Block to Proxy" disabled=no
add chain=input protocol=udp dst-port=12667 action=drop comment="Trinoo"
disabled=no
add chain=input protocol=udp dst-port=27665 action=drop comment="Trinoo"
disabled=no
add chain=input protocol=udp dst-port=31335 action=drop comment="Trinoo"
disabled=no
add chain=input protocol=udp dst-port=27444 action=drop comment="Trinoo"
disabled=no
add chain=input protocol=udp dst-port=34555 action=drop comment="Trinoo"
disabled=no
add chain=input protocol=udp dst-port=35555 action=drop comment="Trinoo"
disabled=no
add chain=input protocol=tcp dst-port=27444 action=drop comment="Trinoo"
disabled=no
add chain=input protocol=tcp dst-port=27665 action=drop comment="Trinoo"
disabled=no
add chain=input protocol=tcp dst-port=31335 action=drop comment="Trinoo"
disabled=no
add chain=input protocol=tcp dst-port=31846 action=drop comment="Trinoo"
disabled=no
add chain=input protocol=tcp dst-port=34555 action=drop comment="Trinoo"
disabled=no
add chain=input protocol=tcp dst-port=35555 action=drop comment="Trinoo"
disabled=no
add chain=input connection-state=established action=accept comment="Allow
Established connections" disabled=no
add chain=input protocol=udp action=accept comment="Allow UDP" disabled=no
add chain=input protocol=icmp action=accept comment="Allow ICMP" disabled=no
add chain=input src-address=192.168.0.0/27 action=accept comment="Allow access
to router from known network" disabled=no
add chain=input action=drop comment="Drop anything else" disabled=no
add chain=forward protocol=tcp connection-state=invalid action=drop
comment="drop invalid connections" disabled=no
add chain=forward connection-state=established action=accept comment="allow
already established connections" disabled=no
add chain=forward connection-state=related action=accept comment="allow
related connections" disabled=no
add chain=forward src-address=0.0.0.0/8 action=drop comment="" disabled=no
add chain=forward dst-address=0.0.0.0/8 action=drop comment="" disabled=no
add chain=forward src-address=127.0.0.0/8 action=drop comment="" disabled=no
add chain=forward dst-address=127.0.0.0/8 action=drop comment="" disabled=no
add chain=forward src-address=224.0.0.0/3 action=drop comment="" disabled=no
add chain=forward dst-address=224.0.0.0/3 action=drop comment="" disabled=no
add chain=forward protocol=tcp action=jump jump-target=tcp comment=""
disabled=no
add chain=forward protocol=udp action=jump jump-target=udp comment=""
disabled=no
add chain=forward protocol=icmp action=jump jump-target=icmp comment=""
disabled=no
add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"
disabled=no
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC
portmapper" disabled=no
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC
portmapper" disabled=no
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
disabled=no
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs"
disabled=no
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
disabled=no
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny
NetBus" disabled=no
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
disabled=no
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny
BackOriffice" disabled=no
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"
disabled=no
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
disabled=no
add chain=udp protocol=udp dst-port=111 action=drop comment="deny PRC
portmapper" disabled=no
add chain=udp protocol=udp dst-port=135 action=drop comment="deny PRC
portmapper" disabled=no
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
disabled=no
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
disabled=no
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny
BackOriffice" disabled=no
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list
address-list="port scanners" address-list-timeout=2w comment="Port
scanners to list " disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="NMAP FIN Stealth scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list
address-list="port scanners" address-list-timeout=2w comment="SYN/FIN
scan" disabled=no
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list
address-list="port scanners" address-list-timeout=2w comment="SYN/RST
scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="FIN/PSH/URG scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="ALL/ALL scan" disabled=no
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="NMAP NULL scan" disabled=no
add chain=input src-address-list="port scanners" action=drop comment="dropping
port scanners" disabled=no
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="drop
invalid connections" disabled=no
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="allow
established connections" disabled=no
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="allow
already established connections" disabled=no
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow
source quench" disabled=no
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow
echo request" disabled=no
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow
time exceed" disabled=no
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow
parameter bad" disabled=no
add chain=icmp action=drop comment="deny all other types" disabled=no
add chain=tcp protocol=tcp dst-port=25 action=reject
reject-with=icmp-network-unreachable comment="Smtp" disabled=no
add chain=tcp protocol=udp dst-port=25 action=reject
reject-with=icmp-network-unreachable comment="Smtp" disabled=no
add chain=tcp protocol=tcp dst-port=110 action=reject
reject-with=icmp-network-unreachable comment="Smtp" disabled=no
add chain=tcp protocol=udp dst-port=110 action=reject
reject-with=icmp-network-unreachable comment="Smtp" disabled=no
add chain=tcp protocol=udp dst-port=110 action=reject
reject-with=icmp-network-unreachable comment="Smtp" disabled=no
-----------------------------------------------------------------------------
Untuk memastikan Service apa saja yang aktif di Mesin mikrotik, perlu kita pindai terhadap port tertentu, seandainya ada service yang tidak dibutuhkan, sebaiknya dimatikan saja.
Untuk menonaktifkan dan mengaktifkan servise, perintah adalah :
Kita periksa dahulu service apa saja yang aktif
----------------------------------------------------------------------------------
[admin@routerku] > ip service
[admin@routerku] ip service> print
Flags: X - disabled, I - invalid
# NAME PORT ADDRESS CERTIFICATE
0 X telnet 23 0.0.0.0/0
1 ftp 21 0.0.0.0/0
2 www 80 0.0.0.0/0
3 ssh 22 0.0.0.0/0
4 www-ssl 443 0.0.0.0/0 none
[admin@routerku] ip service>
----------------------------------------------------------------------------------
Misalkan service FTP akan dinonaktifkan, yaitu di daftar diatas terletak pada nomor 1 (lihat bagian Flags) maka :
---------------------------------------------------------------------------------
[admin@routerku] ip service> set 1 disabled=yes
---------------------------------------------------------------------------------
Perlu kita periksa lagi,
---------------------------------------------------------------------------------
[admin@routerku] ip service> print
Flags: X - disabled, I - invalid
# NAME PORT ADDRESS CERTIFICATE
0 X telnet 23 0.0.0.0/0
1 X ftp 21 0.0.0.0/0
2 www 80 0.0.0.0/0
3 ssh 22 0.0.0.0/0
4 www-ssl 443 0.0.0.0/0 none
[admin@router.dprd.provinsi] ip service>
---------------------------------------------------------------------------------
Sekarang service FTP telah dinonaktifkan.
Dengan memakai tool nmap kita dapat mencek port apa saja yang aktif pada mesin gateway yang telah dikonfigurasikan.
Perintah : nmap -vv -sS -sV -P0 192.168.0.30
Hasil :
-------------------------------------------------------------------------------------
Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-04 19:55 SE Asia Standard Time
Initiating ARP Ping Scan at 19:55
Scanning 192.168.0.30 [1 port]
Completed ARP Ping Scan at 19:55, 0.31s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:55
Completed Parallel DNS resolution of 1 host. at 19:55, 0.05s elapsed
Initiating SYN Stealth Scan at 19:55
Scanning 192.168.0.30 [1697 ports]
Discovered open port 22/tcp on 192.168.0.30
Discovered open port 53/tcp on 192.168.0.30
Discovered open port 80/tcp on 192.168.0.30
Discovered open port 21/tcp on 192.168.0.30
Discovered open port 3986/tcp on 192.168.0.30
Discovered open port 2000/tcp on 192.168.0.30
Discovered open port 8080/tcp on 192.168.0.30
Discovered open port 3128/tcp on 192.168.0.30
Completed SYN Stealth Scan at 19:55, 7.42s elapsed (1697 total ports)
Initiating Service scan at 19:55
Scanning 8 services on 192.168.0.30
Completed Service scan at 19:57, 113.80s elapsed (8 services on 1 host)
Host 192.168.0.30 appears to be up ... good.
Interesting ports on 192.168.0.30:
Not shown: 1689 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp MikroTik router ftpd 2.9.27
22/tcp open ssh OpenSSH 2.3.0 mikrotik 2.9.27 (protocol 1.99)
53/tcp open domain?
80/tcp open http MikroTik router http config
2000/tcp open callbook?
3128/tcp open http-proxy Squid webproxy 2.5.STABLE11
3986/tcp open mapper-ws_ethd?
8080/tcp open http-proxy Squid webproxy 2.5.STABLE11
2 services unrecognized despite returning data. If you know the service/version,
please submit the following fingerprints at
http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
Service detection performed. Please report any incorrect results at
http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 123.031 seconds
Raw packets sent: 1706 (75.062KB) | Rcvd: 1722 (79.450KB)
---------------------------------------------------------------------------
Dari hasil scanning tersebut dapat kita ambil kesimpulan, bahwa service dan port yang aktif adalah FTP dalam versi MikroTik router ftpd 2.9.27. Untuk SSH dengan versi OpenSSH 2.3.0 mikrotik 2.9.27 (protocol 1.99). Serta Web proxy memakai Squid dalam versi Squid webproxy 2.5.STABLE11.
Tentu saja pihak vendor mikrotik telah melakukan patch terhadap Hole atau Vulnerabilities dari Versi Protocol diatas.
0 Response to "Keamanan di Mikrotik"
Posting Komentar