Membuat Linux Kebal ARP Poisoning ARP Spoofing


Sumber: http://awarmanf.wordpress.com/2009/12/23/membuat-linux-kebal-arp-poisoning-arp-spoofing/

Membuat router linux anda kebal arp poisoning (arp spoofing)


Artikel mengenai arp poisoning atau arp spoofing sudah banyak ditulis di internet; pencarian di Google dengan kata kunci arp poisoning memberikan banyak hasil. Sekarang bagaimana membuat router linux kebal terhadap arp poisoning? Dalam kasus ini kita akan melindungi linux dari arp spoofing hanya di interface lan (local area network); yang dilindungi adalah tabel arp router itu sendiri, bukan host-host lain di lan. Untuk instal arptables, di distro linux keluarga debian jalankan:

$ sudo apt-get install arptables

Sedangkan untuk distro lain, seperti slackware, download source arptables di http://sourceforge.net/projects/ebtables/files/arptables/. Untuk distro seperti slackware ini, kita harus melakukan beberapa modifikasi:

# mkdir /etc/sysconfig
# tar zxf arptables-v0.0.3-3.tar.gz
# cd arptables-v0.0.3-3
# make && make install
# cd /etc/sysconfig
# echo 'NETWORKING=no' >> network

Pertama, buat file yang berisi daftar mac address dan ip address seperti contoh di bawah:

$ cat /etc/arptables
# baris yang berisi karakter '#' di awal baris tidak akan diproses oleh script
# pc 1
192.168.0.1 00:1B:B9:CF:2A:15
# pc 2
192.168.0.2 00:1B:B9:AE:20:0B
# pc 3
192.168.0.3 00:1B:B9:CF:03:C3
# pc 4
192.168.0.4 00:1B:B9:AB:BB:02
# pc 5
192.168.0.5 00:1B:B9:AE:ED:F1
192.168.0.6 00:1B:B9:CF:27:E4
192.168.0.7 00:1B:B9:AE:2F:B9
192.168.0.8 00:1B:B9:AD:19:ED
192.168.0.17 00:1B:B9:CF:23:24
192.168.0.18 00:1B:B9:CF:0A:C8
192.168.0.19 00:1B:B9:80:C6:2B
192.168.0.20 00:1B:B9:CE:57:52
192.168.0.21 00:1B:B9:CF:0A:E6
192.168.0.22 00:1B:B9:AE:28:9D
192.168.0.23 00:1B:B9:CF:1B:80
192.168.0.50 00:19:66:52:10:B2
192.168.0.51 00:19:21:17:5C:98
192.168.0.71 00:04:75:7A:B8:9A
192.168.0.99 00:02:44:89:82:F5
192.168.0.250 00:02:B3:09:71:B4
192.168.0.252 00:19:21:13:57:5D


Kedua, buat script bergaya script init. Script ini akan melindungi interface lan linux dari arp poisoning; interface wan perlu didefinisikan di sini agar arp request dan reply dari dan ke port wan tidak didrop oleh arptables:

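#!/bin/sh
PATH=/bin:/usr/bin

# Protect a Linux router against ARP poisoning (ARP spoofing) on its LAN
# interface: only the IP/MAC pairs listed in $FARPTABLE are accepted by
# arptables on that interface and are pinned as static ARP entries.
# File: rc.arptables

# Tools used by this script. PATH is restricted to /bin:/usr/bin above,
# so both are referenced by absolute path.
ARPTABLES="/sbin/arptables"
ARP="/usr/sbin/arp"

# ARP table file: one "IP MAC" pair per line, space separated, e.g.
# 192.168.1.100 00:14:BF:CC:9F:07
# Lines whose first character is '#' are ignored.
FARPTABLE="/etc/arptables"

# put your LOCAL INTERFACE here (the only interface that gets filtered)
INT="eth0"
# Put your WAN INTERFACE(S) here; ARP on these is accepted unfiltered
WAN1="eth1"
WAN2="eth2"
WAN3="eth3"
WAN4="eth4"

# Bail out early when the config file or a required binary is missing.
# Diagnostics go to stderr. The exit status stays 0 as in the original so
# an rc sequence is not aborted -- but the host is then running WITHOUT
# the ARP filter, so this message deserves attention in the boot log.
if [ ! -e "$FARPTABLE" ]; then
  printf '%s not found\n' "$FARPTABLE" >&2
  exit 0
fi
if [ ! -x "$ARPTABLES" ]; then
  printf '%s not found\n' "$ARPTABLES" >&2
  exit 0
fi
if [ ! -x "$ARP" ]; then
  printf '%s not found\n' "$ARP" >&2
  exit 0
fi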

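arptables_flush() {
  # Return the arptables filter table to a pristine state: built-in chains
  # back to policy ACCEPT, every rule removed, every user-defined chain
  # deleted. FORWARD is the third built-in chain; resetting it here lets
  # "stop" restore an ACCEPT policy there as well, which resetting only
  # INPUT and OUTPUT did not guarantee.
  "$ARPTABLES" -P INPUT ACCEPT
  "$ARPTABLES" -P OUTPUT ACCEPT
  "$ARPTABLES" -P FORWARD ACCEPT
  # flush all the rules in the filter table
  "$ARPTABLES" -F
  # erase all chains that are not built-in
  "$ARPTABLES" -X
}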

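# Print the "IP MAC" pairs from $FARPTABLE, one per line. Comment lines
# ('#' in column 1) and blank lines are skipped; a line with an IP but no
# MAC is reported on stderr and skipped instead of reaching arptables/arp
# as an empty argument.
arptables_entries() {
  grep -v '^#' "$FARPTABLE" |
  while read -r ip mac rest; do
    if [ -z "$ip" ]; then
      continue
    fi
    if [ -z "$mac" ]; then
      printf 'rc.arptables: skipping entry without MAC address: %s\n' "$ip" >&2
      continue
    fi
    printf '%s %s\n' "$ip" "$mac"
  done
}

case "$1" in
  start)
    printf 'Starting arptables:'

    arptables_flush

    #
    # Filter table
    # Never filter ARP on the WAN side: the upstream gateways are not in
    # $FARPTABLE and would otherwise become unreachable. Rule order inside
    # each chain is WAN1..WAN4, as before.
    #
    for wan in "$WAN1" "$WAN2" "$WAN3" "$WAN4"; do
      "$ARPTABLES" -A INPUT -j ACCEPT -i "$wan"
      "$ARPTABLES" -A OUTPUT -j ACCEPT -o "$wan"
    done
    # Default policy DROP; the -i/-o qualifiers are kept as in the original
    # (arptables policies are per chain, so they are presumably ignored --
    # TODO confirm against the installed arptables version).
    "$ARPTABLES" -P INPUT DROP -i "$INT"
    "$ARPTABLES" -P OUTPUT DROP -o "$INT"

    # Whitelist every known LAN host by its IP/MAC pair and pin the pair as
    # a static ARP entry so a forged reply cannot overwrite it.
    arptables_entries |
    while read -r ip mac; do
      "$ARPTABLES" -A INPUT -s "$ip" --source-mac "$mac" -j ACCEPT -i "$INT"
      "$ARPTABLES" -A OUTPUT -d "$ip" --destination-mac "$mac" -j ACCEPT -o "$INT"
      "$ARP" -i "$INT" -s "$ip" "$mac"
    done
    # State marker read by "stat".
    # NOTE(review): /tmp is world-writable, so any local user can create or
    # remove this marker and make "stat" misreport the state; a root-owned
    # runtime directory would be safer. Path kept to match the original.
    touch /tmp/ARPTABLES
    printf '.\n'
    ;;
  stop)
    printf 'Stopping arptables:'
    arptables_flush
    # Remove the static ARP entries pinned by "start".
    arptables_entries |
    while read -r ip mac; do
      "$ARP" -i "$INT" -d "$ip"
    done
    rm -f /tmp/ARPTABLES
    printf '.\n'
    ;;
  stat)
    # The marker file only says whether "start" ran; the rule listing
    # below is what actually shows the table contents.
    if [ -f /tmp/ARPTABLES ]; then
      echo "arptables is on."
    else
      echo "arptables is off."
    fi
    "$ARPTABLES" -L -n
    ;;
  *)
    echo "Usage: $0 {start|stop|stat}" >&2
    exit 1
    ;;
esac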


Setelah script selesai dibuat, jalankan script tersebut:

# chmod 755 rc.arptables
# ./rc.arptables stat
arptables is off.
Chain INPUT (policy ACCEPT) 

Chain OUTPUT (policy ACCEPT)

Chain FORWARD (policy ACCEPT)
# ./rc.arptables start
Starting arptables:.
# ./rc.arptables stat
arptables is on.
Chain INPUT (policy DROP)
-j ACCEPT -s 192.168.0.1 --src-mac 00:1b:b9:cf:2a:15
-j ACCEPT -s 192.168.0.2 --src-mac 00:1b:b9:ae:20:0b
-j ACCEPT -s 192.168.0.3 --src-mac 00:1b:b9:cf:03:c3
-j ACCEPT -s 192.168.0.4 --src-mac 00:1b:b9:ab:bb:02
-j ACCEPT -s 192.168.0.5 --src-mac 00:1b:b9:ae:ed:f1
-j ACCEPT -s 192.168.0.6 --src-mac 00:1b:b9:cf:27:e4
-j ACCEPT -s 192.168.0.7 --src-mac 00:1b:b9:ae:2f:b9
-j ACCEPT -s 192.168.0.8 --src-mac 00:1b:b9:ad:19:ed
-j ACCEPT -s 192.168.0.17 --src-mac 00:1b:b9:cf:23:24
-j ACCEPT -s 192.168.0.18 --src-mac 00:1b:b9:cf:0a:c8
-j ACCEPT -s 192.168.0.19 --src-mac 00:1b:b9:80:c6:2b
-j ACCEPT -s 192.168.0.20 --src-mac 00:1b:b9:ce:57:52
-j ACCEPT -s 192.168.0.21 --src-mac 00:1b:b9:cf:0a:e6
-j ACCEPT -s 192.168.0.22 --src-mac 00:1b:b9:ae:28:9d
-j ACCEPT -s 192.168.0.23 --src-mac 00:1b:b9:cf:1b:80
-j ACCEPT -s 192.168.0.50 --src-mac 00:19:66:52:10:b2
-j ACCEPT -s 192.168.0.51 --src-mac 00:19:21:17:5c:98
-j ACCEPT -s 192.168.0.71 --src-mac 00:04:75:7a:b8:9a
-j ACCEPT -s 192.168.0.99 --src-mac 00:02:44:89:82:f5
-j ACCEPT -s 192.168.0.250 --src-mac 00:02:b3:09:71:b4
-j ACCEPT -s 192.168.0.252 --src-mac 00:19:21:13:57:5d  

Chain OUTPUT (policy DROP)
-j ACCEPT -d 192.168.0.1 --dst-mac 00:1b:b9:cf:2a:15
-j ACCEPT -d 192.168.0.2 --dst-mac 00:1b:b9:ae:20:0b
-j ACCEPT -d 192.168.0.3 --dst-mac 00:1b:b9:cf:03:c3
-j ACCEPT -d 192.168.0.4 --dst-mac 00:1b:b9:ab:bb:02
-j ACCEPT -d 192.168.0.5 --dst-mac 00:1b:b9:ae:ed:f1
-j ACCEPT -d 192.168.0.6 --dst-mac 00:1b:b9:cf:27:e4
-j ACCEPT -d 192.168.0.7 --dst-mac 00:1b:b9:ae:2f:b9
-j ACCEPT -d 192.168.0.8 --dst-mac 00:1b:b9:ad:19:ed
-j ACCEPT -d 192.168.0.17 --dst-mac 00:1b:b9:cf:23:24
-j ACCEPT -d 192.168.0.18 --dst-mac 00:1b:b9:cf:0a:c8
-j ACCEPT -d 192.168.0.19 --dst-mac 00:1b:b9:80:c6:2b
-j ACCEPT -d 192.168.0.20 --dst-mac 00:1b:b9:ce:57:52
-j ACCEPT -d 192.168.0.21 --dst-mac 00:1b:b9:cf:0a:e6
-j ACCEPT -d 192.168.0.22 --dst-mac 00:1b:b9:ae:28:9d
-j ACCEPT -d 192.168.0.23 --dst-mac 00:1b:b9:cf:1b:80
-j ACCEPT -d 192.168.0.50 --dst-mac 00:19:66:52:10:b2
-j ACCEPT -d 192.168.0.51 --dst-mac 00:19:21:17:5c:98
-j ACCEPT -d 192.168.0.71 --dst-mac 00:04:75:7a:b8:9a
-j ACCEPT -d 192.168.0.99 --dst-mac 00:02:44:89:82:f5
-j ACCEPT -d 192.168.0.250 --dst-mac 00:02:b3:09:71:b4
-j ACCEPT -d 192.168.0.252 --dst-mac 00:19:21:13:57:5d 

Chain FORWARD (policy DROP)

Sekarang coba kita hapus table arp yang menyimpan mac address interface wan:

# arp -i eth1 -d 192.168.1.1; arp -i eth2 -d 192.168.2.1
# arp -i eth3 -d 192.168.1.9; arp -i eth4 -d 192.168.1.5

Dan lihat isi table arp apakah daftar tersebut sudah bersih. Kalau “belum bersih”, hal itu karena interface wan ini aktif sebagai gateway ke internet sehingga table arp segera terisi kembali; hal ini membuktikan script di atas cocok dipakai untuk melindungi linux router dari arp spoofing / arp poisoning di interface lan:

# arp -n| grep -v CM
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.9              ether   00:0B:2B:32:C3:C4   C                     eth3
192.168.1.5              ether   00:0B:2B:32:C3:86   C                     eth4
192.168.2.1              ether   00:04:ED:6D:41:AE   C                     eth2


Kalau ingin menjalankan rc.arptables sebagai init script yang otomatis dijalankan setiap kali linux boot, untuk distro keluarga debian:

# cp rc.arptables /etc/init.d/
# cd /etc/init.d
# chmod 755 rc.arptables
# update-rc.d rc.arptables start 20 2 3 4 5 . stop 20 1 6 .

Slackware dan turunannya:

# cp rc.arptables /etc/rc.d/
# cd /etc/rc.d
# chmod 755 rc.arptables
# echo "if [ -x /etc/rc.d/rc.arptables ]; then /etc/rc.d/rc.arptables start; fi" >> rc.local
# echo "if [ -x /etc/rc.d/rc.arptables ]; then /etc/rc.d/rc.arptables stop; fi" >> rc.local_shutdown


Referensi

Pranala Menarik