Making Linux Immune to ARP Poisoning / ARP Spoofing
Source: http://awarmanf.wordpress.com/2009/12/23/membuat-linux-kebal-arp-poisoning-arp-spoofing/
Making your Linux router immune to ARP poisoning (ARP spoofing)
Plenty of articles about ARP poisoning (ARP spoofing) have already been written on the internet; a Google search for "arp poisoning" returns many hits. So how do we make a Linux router immune to ARP poisoning? In this case we will protect Linux from ARP spoofing only on the LAN (local area network) interface. To install arptables on a Debian-family distribution, run:
$ sudo apt-get install arptables
For other distributions, such as Slackware, download the arptables source from http://sourceforge.net/projects/ebtables/files/arptables/ . On a distribution like Slackware a few extra steps are needed:
# mkdir /etc/sysconfig
# tar zxf arptables-v0.0.3-3.tar.gz
# cd arptables-v0.0.3-3
# make && make install
# cd /etc/sysconfig
# echo 'NETWORKING=no' >> network
First, create a file listing the IP address and MAC address pairs, as in the example below:
$ cat /etc/arptables
# lines starting with the '#' character are not processed by the script
# pc 1
192.168.0.1 00:1B:B9:CF:2A:15
# pc 2
192.168.0.2 00:1B:B9:AE:20:0B
# pc 3
192.168.0.3 00:1B:B9:CF:03:C3
# pc 4
192.168.0.4 00:1B:B9:AB:BB:02
# pc 5
192.168.0.5 00:1B:B9:AE:ED:F1
192.168.0.6 00:1B:B9:CF:27:E4
192.168.0.7 00:1B:B9:AE:2F:B9
192.168.0.8 00:1B:B9:AD:19:ED
192.168.0.17 00:1B:B9:CF:23:24
192.168.0.18 00:1B:B9:CF:0A:C8
192.168.0.19 00:1B:B9:80:C6:2B
192.168.0.20 00:1B:B9:CE:57:52
192.168.0.21 00:1B:B9:CF:0A:E6
192.168.0.22 00:1B:B9:AE:28:9D
192.168.0.23 00:1B:B9:CF:1B:80
192.168.0.50 00:19:66:52:10:B2
192.168.0.51 00:19:21:17:5C:98
192.168.0.71 00:04:75:7A:B8:9A
192.168.0.99 00:02:44:89:82:F5
192.168.0.250 00:02:B3:09:71:B4
192.168.0.252 00:19:21:13:57:5D
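The rc.arptables script feeds every non-comment line of this file straight into arptables and arp -s, so a typo in the file becomes a broken rule or a silently missing static entry at boot. The checker below is an added example, not part of the original post: it validates that each line is an IPv4 address followed by a MAC address, with no IP listed twice (two MACs for one IP would produce conflicting ACCEPT rules). The file format and path are the post's; the function name validate_arptable is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the "IP MAC"
# mapping file before rc.arptables uses it. Lines beginning with '#' and
# blank lines are skipped, exactly as the post's script does with grep -v.

# validate_arptable FILE
# Exit status 0 when every data line is "IPv4 MAC" and no IP repeats;
# each problem is reported on stderr with its line number.
validate_arptable() {
    file="$1"
    status=0
    lineno=0
    seen_ips=" "
    seen_macs=" "
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|'#'*) continue ;;          # comment or blank line
        esac
        # split on whitespace, like the cut -d' ' in rc.arptables
        set -- $line
        if [ $# -ne 2 ]; then
            echo "line $lineno: expected 'IP MAC', got '$line'" >&2
            status=1
            continue
        fi
        ip="$1"
        mac=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # compare case-insensitively
        if ! printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
            echo "line $lineno: bad IPv4 address '$ip'" >&2
            status=1
            continue
        fi
        for octet in $(printf '%s' "$ip" | tr '.' ' '); do
            if [ "$octet" -gt 255 ]; then
                echo "line $lineno: octet out of range in '$ip'" >&2
                status=1
            fi
        done
        if ! printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
            echo "line $lineno: bad MAC address '$2'" >&2
            status=1
            continue
        fi
        # one IP must map to exactly one MAC, otherwise the rules conflict
        case "$seen_ips" in
            *" $ip "*) echo "line $lineno: duplicate IP $ip" >&2; status=1 ;;
        esac
        # the same MAC behind two IPs is legal (IP aliases) but worth noting
        case "$seen_macs" in
            *" $mac "*) echo "line $lineno: note: MAC $mac already listed" >&2 ;;
        esac
        seen_ips="$seen_ips$ip "
        seen_macs="$seen_macs$mac "
    done < "$file"
    return $status
}

# On the router:  validate_arptable /etc/arptables && echo "file OK"
```

Run it before every `rc.arptables start` (or from the start branch of the script itself) so that a bad edit to /etc/arptables is caught before the DROP policy is in place and a host is cut off.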
Second, write an init-style script. This script protects the Linux LAN interface from ARP poisoning; the WAN interfaces must be defined in it so that ARP requests and replies from and to the WAN ports are not dropped by arptables:
#!/bin/sh
PATH=/bin:/usr/bin
# Script to make Linux immune to ARP poisoning (ARP spoofing)
# File: rc.arptables

# Parameters
ARPTABLES="/sbin/arptables"
ARP="/usr/sbin/arp"

# ARP table file (IP & MAC address pairs, space delimited), e.g.
# 192.168.1.100 00:14:BF:CC:9F:07
FARPTABLE="/etc/arptables"

# Put your LOCAL INTERFACE here
INT="eth0"

# Put your WAN INTERFACES here
WAN1="eth1"
WAN2="eth2"
WAN3="eth3"
WAN4="eth4"

if [ ! -e "$FARPTABLE" ]; then echo "$FARPTABLE not found"; exit 0; fi
if [ ! -x "$ARPTABLES" ]; then echo "$ARPTABLES not found"; exit 0; fi

arptables_flush() {
    # Flush table
    # Reset the default policies in the filter table.
    $ARPTABLES -P INPUT ACCEPT
    $ARPTABLES -P OUTPUT ACCEPT
    # Flush all the rules in the filter table.
    $ARPTABLES -F
    # Erase all chains that are not default in the filter table.
    $ARPTABLES -X
}

case "$1" in
start)
    echo -n "Starting arptables:"
    arptables_flush
    #
    # Filter table
    # Accept all ARP on the WAN interfaces. A chain policy is the default
    # for packets no rule matches and applies to the whole chain (it cannot
    # be limited to one interface), so the WAN ports need explicit ACCEPT
    # rules; everything else, i.e. the LAN interface, falls through to DROP.
    #
    $ARPTABLES -A INPUT -j ACCEPT -i $WAN1
    $ARPTABLES -A INPUT -j ACCEPT -i $WAN2
    $ARPTABLES -A INPUT -j ACCEPT -i $WAN3
    $ARPTABLES -A INPUT -j ACCEPT -i $WAN4
    $ARPTABLES -P INPUT DROP
    $ARPTABLES -A OUTPUT -j ACCEPT -o $WAN1
    $ARPTABLES -A OUTPUT -j ACCEPT -o $WAN2
    $ARPTABLES -A OUTPUT -j ACCEPT -o $WAN3
    $ARPTABLES -A OUTPUT -j ACCEPT -o $WAN4
    $ARPTABLES -P OUTPUT DROP
    # One ACCEPT rule per listed IP/MAC pair on the LAN interface, plus a
    # static (permanent) ARP cache entry so the kernel never re-learns it
    # from a forged reply.
    grep -v '^#' "$FARPTABLE" | while read IP MAC junk; do
        [ -z "$IP" ] && continue          # skip blank lines
        $ARPTABLES -A INPUT  -s $IP --source-mac $MAC -j ACCEPT -i $INT
        $ARPTABLES -A OUTPUT -d $IP --destination-mac $MAC -j ACCEPT -o $INT
        $ARP -i $INT -s $IP $MAC
    done
    touch /tmp/ARPTABLES
    echo "."
    ;;
stop)
    echo -n "Stopping arptables:"
    arptables_flush
    # Remove the static ARP entries again
    grep -v '^#' "$FARPTABLE" | while read IP MAC junk; do
        [ -z "$IP" ] && continue
        $ARP -i $INT -d $IP
    done
    rm -f /tmp/ARPTABLES
    echo "."
    ;;
stat)
    if [ -f /tmp/ARPTABLES ]; then
        echo "arptables is on."
        $ARPTABLES -L -n
    else
        echo "arptables is off."
        $ARPTABLES -L -n
    fi
    ;;
*)
    echo "Usage: $0 {start|stop|stat}"
    exit 1
    ;;
esac
Once the script is written, run it:
# chmod 755 rc.arptables
# ./rc.arptables stat
arptables is off.
Chain INPUT (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)
Chain FORWARD (policy ACCEPT)
# ./rc.arptables start
Starting arptables:.
# ./rc.arptables stat
arptables is on.
Chain INPUT (policy DROP)
-j ACCEPT -s 192.168.0.1 --src-mac 00:1b:b9:cf:2a:15
-j ACCEPT -s 192.168.0.2 --src-mac 00:1b:b9:ae:20:0b
-j ACCEPT -s 192.168.0.3 --src-mac 00:1b:b9:cf:03:c3
-j ACCEPT -s 192.168.0.4 --src-mac 00:1b:b9:ab:bb:02
-j ACCEPT -s 192.168.0.5 --src-mac 00:1b:b9:ae:ed:f1
-j ACCEPT -s 192.168.0.6 --src-mac 00:1b:b9:cf:27:e4
-j ACCEPT -s 192.168.0.7 --src-mac 00:1b:b9:ae:2f:b9
-j ACCEPT -s 192.168.0.8 --src-mac 00:1b:b9:ad:19:ed
-j ACCEPT -s 192.168.0.17 --src-mac 00:1b:b9:cf:23:24
-j ACCEPT -s 192.168.0.18 --src-mac 00:1b:b9:cf:0a:c8
-j ACCEPT -s 192.168.0.19 --src-mac 00:1b:b9:80:c6:2b
-j ACCEPT -s 192.168.0.20 --src-mac 00:1b:b9:ce:57:52
-j ACCEPT -s 192.168.0.21 --src-mac 00:1b:b9:cf:0a:e6
-j ACCEPT -s 192.168.0.22 --src-mac 00:1b:b9:ae:28:9d
-j ACCEPT -s 192.168.0.23 --src-mac 00:1b:b9:cf:1b:80
-j ACCEPT -s 192.168.0.50 --src-mac 00:19:66:52:10:b2
-j ACCEPT -s 192.168.0.51 --src-mac 00:19:21:17:5c:98
-j ACCEPT -s 192.168.0.71 --src-mac 00:04:75:7a:b8:9a
-j ACCEPT -s 192.168.0.99 --src-mac 00:02:44:89:82:f5
-j ACCEPT -s 192.168.0.250 --src-mac 00:02:b3:09:71:b4
-j ACCEPT -s 192.168.0.252 --src-mac 00:19:21:13:57:5d
Chain OUTPUT (policy DROP)
-j ACCEPT -d 192.168.0.1 --dst-mac 00:1b:b9:cf:2a:15
-j ACCEPT -d 192.168.0.2 --dst-mac 00:1b:b9:ae:20:0b
-j ACCEPT -d 192.168.0.3 --dst-mac 00:1b:b9:cf:03:c3
-j ACCEPT -d 192.168.0.4 --dst-mac 00:1b:b9:ab:bb:02
-j ACCEPT -d 192.168.0.5 --dst-mac 00:1b:b9:ae:ed:f1
-j ACCEPT -d 192.168.0.6 --dst-mac 00:1b:b9:cf:27:e4
-j ACCEPT -d 192.168.0.7 --dst-mac 00:1b:b9:ae:2f:b9
-j ACCEPT -d 192.168.0.8 --dst-mac 00:1b:b9:ad:19:ed
-j ACCEPT -d 192.168.0.17 --dst-mac 00:1b:b9:cf:23:24
-j ACCEPT -d 192.168.0.18 --dst-mac 00:1b:b9:cf:0a:c8
-j ACCEPT -d 192.168.0.19 --dst-mac 00:1b:b9:80:c6:2b
-j ACCEPT -d 192.168.0.20 --dst-mac 00:1b:b9:ce:57:52
-j ACCEPT -d 192.168.0.21 --dst-mac 00:1b:b9:cf:0a:e6
-j ACCEPT -d 192.168.0.22 --dst-mac 00:1b:b9:ae:28:9d
-j ACCEPT -d 192.168.0.23 --dst-mac 00:1b:b9:cf:1b:80
-j ACCEPT -d 192.168.0.50 --dst-mac 00:19:66:52:10:b2
-j ACCEPT -d 192.168.0.51 --dst-mac 00:19:21:17:5c:98
-j ACCEPT -d 192.168.0.71 --dst-mac 00:04:75:7a:b8:9a
-j ACCEPT -d 192.168.0.99 --dst-mac 00:02:44:89:82:f5
-j ACCEPT -d 192.168.0.250 --dst-mac 00:02:b3:09:71:b4
-j ACCEPT -d 192.168.0.252 --dst-mac 00:19:21:13:57:5d
Chain FORWARD (policy DROP)
Now let's try deleting the ARP cache entries that hold the MAC addresses of the WAN interfaces' next hops:
# arp -i eth1 -d 192.168.1.1; arp -i eth2 -d 192.168.2.1
# arp -i eth3 -d 192.168.1.9; arp -i eth4 -d 192.168.1.5
Then look at the ARP table to check whether those entries are gone. If they are "not gone", that is because these WAN interfaces are active as gateways to the internet, so the ARP table is refilled right away: ARP is still allowed on the WAN ports while the LAN port only accepts the listed pairs. This shows that the script above is suitable for protecting a Linux router from ARP spoofing / ARP poisoning on the LAN interface:
# arp -n | grep -v CM
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.9              ether   00:0B:2B:32:C3:C4   C                     eth3
192.168.1.5              ether   00:0B:2B:32:C3:86   C                     eth4
192.168.2.1              ether   00:04:ED:6D:41:AE   C                     eth2
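The `grep -v CM` above hides the permanent (CM) entries that rc.arptables pinned, leaving only dynamically learned ones. A useful follow-up check, added here as an example and not part of the original post, is to compare a saved `arp -n` snapshot against the static list for the LAN interface and report any entry that disagrees with it: with the rules active, such entries should never appear, so a hit means either a gap in /etc/arptables or a forged reply that got through. The function names (audit_arp_cache, demo_audit) and the sample data inside demo_audit are constructed for this example; the input formats are the post's /etc/arptables and the `arp -n` output shown above.

```shell
#!/bin/sh
# Added example (not from the original post): audit an "arp -n" snapshot
# against the static IP/MAC list on the LAN interface.

# audit_arp_cache WHITELIST ARP_SNAPSHOT IFACE
# Prints one line per cache entry on IFACE that is missing from or differs
# from WHITELIST. Returns 1 if anything was reported, 0 otherwise.
audit_arp_cache() {
    whitelist="$1"; snapshot="$2"; iface="$3"
    # Complete ("ether") entries for IFACE as "ip mac", MAC lower-cased;
    # the header row and "(incomplete)" entries are dropped.
    report=$(awk -v ifc="$iface" 'NR > 1 && $2 == "ether" && $NF == ifc {
                 print $1, tolower($3) }' "$snapshot" |
    while read -r ip mac; do
        expected=$(grep -v '^#' "$whitelist" |
                   awk -v ip="$ip" '$1 == ip { print tolower($2); exit }')
        if [ -z "$expected" ]; then
            echo "UNKNOWN  $ip is $mac on $iface but is not in $whitelist"
        elif [ "$expected" != "$mac" ]; then
            echo "MISMATCH $ip is $mac on $iface, static list says $expected"
        fi
    done)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# demo_audit: runs the audit on constructed sample data (not a real capture).
demo_audit() {
    dir=$(mktemp -d)
    # constructed static list, two of the post's sample hosts
    printf '# pc 1\n192.168.0.1 00:1B:B9:CF:2A:15\n# pc 2\n192.168.0.2 00:1B:B9:AE:20:0B\n' \
        > "$dir/arptables"
    # constructed "arp -n" snapshot: .2 answers from a different MAC, .77 is
    # not listed at all, .9 is incomplete, and the eth3 row is a WAN port
    printf '%s\n' \
      'Address                  HWtype  HWaddress           Flags Mask            Iface' \
      '192.168.0.1              ether   00:1b:b9:cf:2a:15   C                     eth0' \
      '192.168.0.2              ether   aa:bb:cc:dd:ee:ff   C                     eth0' \
      '192.168.0.77             ether   00:11:22:33:44:55   C                     eth0' \
      '192.168.0.9              (incomplete)                                      eth0' \
      '192.168.1.9              ether   00:0B:2B:32:C3:C4   C                     eth3' \
      > "$dir/arp.txt"
    audit_arp_cache "$dir/arptables" "$dir/arp.txt" eth0
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Run with --demo to see the two anomalies; on the router use something like
#   arp -n > /tmp/arp.snap && audit_arp_cache /etc/arptables /tmp/arp.snap eth0
if [ "${1-}" = "--demo" ]; then demo_audit; fi
```

On the demo data this reports a MISMATCH for 192.168.0.2 and an UNKNOWN for 192.168.0.77 and exits 1; the eth3 entry is ignored because only the LAN interface is audited. Scheduled from cron with its output mailed or logged, it turns the static list into a simple detection control alongside the arptables rules.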
To run rc.arptables as an init script that is started automatically at every boot, on Debian-family distributions:
# cp rc.arptables /etc/init.d/
# cd /etc/init.d
# chmod 755 rc.arptables
# update-rc.d rc.arptables start 20 2 3 4 5 . stop 20 1 6 .
On Slackware and its derivatives:
# cp rc.arptables /etc/rc.d/
# cd /etc/rc.d
# chmod 755 rc.arptables
# echo "if [ -x /etc/rc.d/rc.arptables ]; then /etc/rc.d/rc.arptables start; fi" >> rc.local
# echo "if [ -x /etc/rc.d/rc.arptables ]; then /etc/rc.d/rc.arptables stop; fi" >> rc.local_shutdown