This article is about how to detect and respond to port scanning, something various irresponsible parties run against servers all the time. Why do they scan ports in the first place? Scanning is reconnaissance: the attacker is gathering information about our server, for example which ports are open. Once the attacker knows which ports (and so which services) are exposed, choosing an attack against the machine becomes much easier.
Example of a port scan:
root@cupid-laptop:/etc/webmin# nmap 192.168.1.7
Starting Nmap 4.62 ( http://nmap.org ) at 2008-11-21 21:17 WIT
Interesting ports on 192.168.1.7:
Not shown: 1712 closed ports
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
10000/tcp open snet-sensor-mgmt // Webmin's port (nmap's services file labels 10000 as snet-sensor-mgmt)
Nmap done: 1 IP address (1 host up) scanned in 0.380 seconds
The author uses Portsentry here. Why? Because Portsentry detects port scans as they happen and reacts to them automatically. Its basic job is to add the IP address of the scanning machine to /etc/hosts.deny, the file TCP Wrappers consults to decide which addresses may not reach the services it protects, and, with the KILL_ROUTE setting configured below, to insert a firewall rule (or a blackhole route) against that address. So when someone scans our ports, their IP address is written to /etc/hosts.deny and dropped by the firewall, and until that address is removed again from both places the machine cannot reach the server, let alone scan it further. Two caveats before relying on this: hosts.deny only affects services that go through TCP Wrappers (the KILL_ROUTE firewall rule is what blocks everything else), and in the plain tcp mode used below Portsentry only notices a probe that hits one of the trip-wire ports it listens on itself, so a scan restricted to ports that real services already occupy (139, 445 and 10000 in the scan above) goes undetected. The Portsentry tarball can be downloaded from http://sourceforge.net/projects/sentrytools/
A prerequisite, if Portsentry is to be built from that tarball, is that GCC is fully installed. Installing the Ubuntu package with apt-get, as done below, needs no compiler, but the check costs nothing.
Step one: check whether GCC is already installed.
root@cupid-laptop:/etc/webmin# dpkg -l | grep gcc
ii gcc 4:4.3.1-1ubuntu2 The GNU C compiler
ii gcc-4.3 4.3.2-1ubuntu11 The GNU C compiler
ii gcc-4.3-base 4.3.2-1ubuntu11 The GNU Compiler Collection (base package)
ii libgcc1 1:4.3.2-1ubuntu11 GCC support library
Step two: install the portsentry package. Since the author runs Ubuntu, a plain apt-get install is enough.
root@cupid-laptop:/usr/local/src# apt-get install portsentry
Step three: before editing Portsentry's main configuration file, find out which kernel the machine runs. The KILL_ROUTE choice below depends on it: the iptables lines need a 2.4 or later kernel, while the ipchains and ipfwadm lines are for the old 2.2 and 2.0 kernels respectively.
root@cupid-laptop:/usr/local/src# uname -r
2.6.27-7-generic // the kernel this machine turns out to run
Step four: make a few changes to portsentry.conf (Portsentry's main configuration file). Only the two sections that need editing are shown below, the route/filter command and the TCP Wrappers string. Before saving, also check that BLOCK_TCP and BLOCK_UDP higher up in the same file are set to "1": the Debian and Ubuntu package ships them as "0", and with that value Portsentry logs scans but never runs KILL_ROUTE or KILL_HOSTS_DENY.
root@cupid-laptop:/usr/local/src# updatedb
root@cupid-laptop:/usr/local/src# locate portsentry.conf
/etc/portsentry/portsentry.conf
/usr/share/man/man5/portsentry.conf.5.gz
/var/lib/dpkg/info/portsentry.conffiles
/var/lib/dpkg/info/portsentry.config
root@cupid-laptop:/usr/local/src# vim /etc/portsentry/portsentry.conf
###################
# Dropping Routes:#
###################
# This command is used to drop the route or add the host into
# a local filter table.
#
# The gateway (333.444.555.666) should ideally be a dead host on
# the *local* subnet. On some hosts you can also point this at
# localhost (127.0.0.1) and get the same effect. NOTE THAT
# 333.444.555.66 WILL *NOT* WORK. YOU NEED TO CHANGE IT!!
#
# ALL KILL ROUTE OPTIONS ARE COMMENTED OUT INITIALLY. Make sure you
# uncomment the correct line for your OS. If you OS is not listed
# here and you have a route drop command that works then please
# mail it to me so I can include it. ONLY ONE KILL_ROUTE OPTION
# CAN BE USED AT A TIME SO DON'T UNCOMMENT MULTIPLE LINES.
#
# NOTE: The route commands are the least optimal way of blocking
# and do not provide complete protection against UDP attacks and
# will still generate alarms for both UDP and stealth scans. I
# always recommend you use a packet filter because they are made
# for this purpose.
#
# Generic
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
# Generic Linux
#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
# Newer versions of Linux support the reject flag now. This
# is cleaner than the above option.
#KILL_ROUTE="/sbin/route add -host $TARGET$ reject" // Ubuntu ships this line active; comment it out, since only one KILL_ROUTE may be active and the iptables one below is used instead
# Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
# Generic Sun
#KILL_ROUTE="/usr/sbin/route add $TARGET$ 333.444.555.666 1"
# NEXTSTEP
#KILL_ROUTE="/usr/etc/route add $TARGET$ 127.0.0.1 1"
# FreeBSD
#KILL_ROUTE="route add -net $TARGET$ -netmask 255.255.255.255 127.0.0.1 -blackhole"
# Digital UNIX 4.0D (OSF/1 / Compaq Tru64 UNIX)
#KILL_ROUTE="/sbin/route add -host -blackhole $TARGET$ 127.0.0.1"
# Generic HP-UX
#KILL_ROUTE="/usr/sbin/route add net $TARGET$ netmask 255.255.255.0 127.0.0.1"
##
# Using a packet filter is the PREFERRED. The below lines
# work well on many OS's. Remember, you can only uncomment *one*
# KILL_ROUTE option.
##
# ipfwadm support for Linux
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$ -o"
#
# ipfwadm support for Linux (no logging of denied packets)
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$"
#
# ipchain support for Linux
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
#
# ipchain support for Linux (no logging of denied packets)
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY"
#
# iptables support for Linux
KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP" // remove the leading hash sign to enable this line
#
# iptables support for Linux with limit and LOG support. Logs only
# a limited number of packets to avoid a denial of service attack.
# KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP && /sbin/iptables -I INPUT -s $TARGET$ -m limit --limit 3/minute --limit-burst 5 -j LOG --log-level DEBUG --log-prefix 'Portsentry: dropping: '"
#
# For those of you running FreeBSD (and compatible) you can
# use their built in firewalling as well.
#
#KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any"
#
#
# For those running ipfilt (OpenBSD, etc.)
# NOTE THAT YOU NEED TO CHANGE external_interface TO A VALID INTERFACE!!
#
#KILL_ROUTE="/bin/echo 'block in log on external_interface from $TARGET$/32 to any' | /sbin/ipf -f -"
###############
# TCP Wrappers#
###############
# This text will be dropped into the hosts.deny file for wrappers
# to use. There are two formats for TCP wrappers:
#
# Format One: Old Style - The default when extended host processing
# options are not enabled.
#
#KILL_HOSTS_DENY="ALL: $TARGET$"
# Format Two: New Style - The format used when extended option
# processing is enabled. You can drop in extended processing
# options, but be sure you escape all '%' symbols with a backslash
# to prevent problems writing out (i.e. \%c \%h )
#
KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
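Before restarting the daemon it is worth checking the file for the two mistakes that leave Portsentry doing nothing more than logging: two KILL_ROUTE lines active at once (the Ubuntu package ships the route reject line active, so uncommenting the iptables line without commenting that one out leaves two), and BLOCK_TCP/BLOCK_UDP still at "0". The POSIX sh script below is an added example, not part of the original post or of Portsentry itself; the function names are ours, and the sample config it writes for the demonstration is constructed to mirror the state the post leaves the file in.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check portsentry.conf
# before restarting the daemon. Function names are ours; the sample config
# written by write_sample_conf is constructed to mirror the state the post
# leaves the file in (two KILL_ROUTE lines active, blocking disabled).

# Number of active (uncommented) assignments of TOKEN in FILE.
# Usage: active_count FILE TOKEN
active_count() {
    grep -c "^$2=" "$1" || :    # grep exits 1 on zero matches; keep the "0"
}

# Value (without the quotes) of the first active assignment of TOKEN in FILE.
# Usage: active_value FILE TOKEN
active_value() {
    sed -n "s/^$2=\"\(.*\)\"\$/\1/p" "$1" | head -n 1
}

# Report what the file will actually do and return non-zero if it needs
# fixing. Usage: check_portsentry_conf FILE
check_portsentry_conf() {
    conf=$1
    rc=0
    n=$(active_count "$conf" KILL_ROUTE)
    case $n in
        0) echo "KILL_ROUTE: none active, scanners are only logged and wrapped"
           rc=1 ;;
        1) echo "KILL_ROUTE: $(active_value "$conf" KILL_ROUTE)" ;;
        *) echo "KILL_ROUTE: $n active lines, the file allows only one:"
           grep -n '^KILL_ROUTE=' "$conf"
           rc=1 ;;
    esac
    # "0" = log only, "1" = block, "2" = run KILL_RUN_CMD only.
    for tok in BLOCK_TCP BLOCK_UDP; do
        v=$(active_value "$conf" "$tok")
        if [ "$v" != 1 ]; then
            echo "$tok=\"${v:-unset}\": no blocking for this protocol, set it to \"1\""
            rc=1
        fi
    done
    if [ "$(active_count "$conf" KILL_HOSTS_DENY)" -ne 1 ]; then
        echo "KILL_HOSTS_DENY: expected exactly one active line"
        rc=1
    fi
    return $rc
}

# Constructed sample mirroring the post's edited file (not a real file).
write_sample_conf() {
    cat > "$1" <<'EOF'
BLOCK_UDP="0"
BLOCK_TCP="0"
KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY"
KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
EOF
}

# Offline demonstration against the constructed sample.
demo() {
    dir=$(mktemp -d)
    write_sample_conf "$dir/portsentry.conf"
    check_portsentry_conf "$dir/portsentry.conf" || echo "-> fix the file before restarting portsentry"
    rm -rf "$dir"
}

case "${1:-}" in
    demo)  demo ;;
    check) check_portsentry_conf "${2:-/etc/portsentry/portsentry.conf}" ;;
esac
```

Run it as `sh check.sh demo` to see it flag the constructed sample, or `sh check.sh check` to check the live /etc/portsentry/portsentry.conf before the restart in the next step.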
Step five: restart the Portsentry service:
root@cupid-laptop:/etc/portsentry# /etc/init.d/portsentry restart
Stopping anti portscan daemon: portsentry.
Starting anti portscan daemon: portsentry in tcp & udp mode.
The last step is to scan the IP with and without Portsentry running and compare the results. The extra "open" ports in the second scan are not new services: they are the trip-wire ports Portsentry itself binds to in plain tcp mode (the TCP_PORTS list in portsentry.conf, which is why classic backdoor ports such as 12345/netbus and 31337 show up), and a probe to any one of them is what triggers KILL_ROUTE and KILL_HOSTS_DENY. Note that, as the prompt suggests, both scans were run from the server itself, and Portsentry never reacts to addresses in its ignore file, which lists 127.0.0.1 and, on Debian and Ubuntu, the host's own interface addresses, so the scanner is not locked out here. To see the block actually happen, scan from a second machine and then check iptables -L INPUT -n and /etc/hosts.deny on the server.
root@cupid-laptop:/etc/portsentry# nmap 192.168.1.7 // before Portsentry was started
Starting Nmap 4.62 ( http://nmap.org ) at 2008-11-21 23:16 WIT
Interesting ports on 192.168.1.7:
Not shown: 1712 closed ports
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
10000/tcp open snet-sensor-mgmt
root@cupid-laptop:/etc/portsentry# nmap 192.168.1.7 // with Portsentry running
Starting Nmap 4.62 ( http://nmap.org ) at 2008-11-21 23:21 WIT
Interesting ports on 192.168.1.7:
Not shown: 1690 closed ports
PORT STATE SERVICE
1/tcp open tcpmux
11/tcp open systat
15/tcp open netstat
79/tcp open finger
111/tcp open rpcbind
119/tcp open nntp
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
540/tcp open uucp
635/tcp open unknown
1080/tcp open socks
1524/tcp open ingreslock
2000/tcp open callbook
6667/tcp open irc
10000/tcp open snet-sensor-mgmt
12345/tcp open netbus
12346/tcp open netbus
27665/tcp open Trinoo_Master
31337/tcp open Elite
32771/tcp open sometimes-rpc5
32772/tcp open sometimes-rpc7
32773/tcp open sometimes-rpc9
32774/tcp open sometimes-rpc11
54320/tcp open bo2k
Nmap done: 1 IP address (1 host up) scanned in 0.219 seconds
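Once a real scanner (or a colleague testing from a second machine) has been blocked, it stays blocked until the address is removed from both places the configuration above writes it to. The script below, an added example that is not part of the original post or of Portsentry, undoes a block for one address: it deletes the exact /etc/hosts.deny line KILL_HOSTS_DENY produces (anchored, so that 192.168.1.5 never matches 192.168.1.50), removes the iptables DROP rule from KILL_ROUTE, and restarts the daemon, because Portsentry remembers hosts it has already blocked and ignores further scans from them until restarted. Function names are ours and the hosts.deny contents used in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): undo a Portsentry block for one
# address. With the post's settings a blocked scanner has an iptables DROP rule
# in INPUT and a line in /etc/hosts.deny; both must go, and the daemon must be
# restarted because it remembers hosts it has already blocked. Function names
# are ours; the hosts.deny content used in demo() is constructed.

# Escape an IPv4 address for use in a basic regular expression.
ip_bre() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# BRE matching exactly the line KILL_HOSTS_DENY writes for IP, in either
# wrappers format: "ALL: IP" (old style) or "ALL: IP : DENY" (the post's).
# Anchored at both ends so 192.168.1.5 does not also match 192.168.1.50.
hosts_deny_re() {
    printf '%s\n' "^ALL: $(ip_bre "$1")\\( : DENY\\)\\{0,1\\}\$"
}

# Number of hosts.deny lines blocking IP. Usage: hosts_deny_count FILE IP
hosts_deny_count() {
    grep -c "$(hosts_deny_re "$2")" "$1" || :
}

# Delete those lines (through a temp file, so it does not need GNU sed -i).
# Usage: hosts_deny_remove FILE IP
hosts_deny_remove() {
    sed "/$(hosts_deny_re "$2")/d" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Remove the rule(s) the iptables KILL_ROUTE inserted. Needs root; loops in
# case the same rule was inserted more than once.
iptables_unblock() {
    while iptables -C INPUT -s "$1" -j DROP 2>/dev/null; do
        iptables -D INPUT -s "$1" -j DROP
    done
}

# Full unblock on the server. Usage (as root): unblock_host IP
unblock_host() {
    iptables_unblock "$1"
    hosts_deny_remove /etc/hosts.deny "$1"
    # If the route-reject KILL_ROUTE had been used instead of iptables:
    #   route del -host "$1" reject
    /etc/init.d/portsentry restart
}

# Offline demonstration on a constructed hosts.deny.
demo() {
    f=$(mktemp)
    printf '%s\n' 'ALL: 192.168.1.5 : DENY' 'ALL: 192.168.1.50 : DENY' > "$f"
    hosts_deny_remove "$f" 192.168.1.5
    cat "$f"            # only the 192.168.1.50 line survives
    rm -f "$f"
}

case "${1:-}" in
    demo)    demo ;;
    unblock) unblock_host "${2:?usage: $0 unblock IP}" ;;
esac
```

`sh unblock.sh demo` runs the offline part only; `sh unblock.sh unblock 192.168.1.5` as root does the real thing. Removing the hosts.deny line without the iptables rule (or the reverse) leaves the host blocked, which is why the page's "until the address is deleted from hosts.deny" description alone is not enough once KILL_ROUTE is enabled.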