Defense Against ARP Spoofing in Linux
Source: http://kokikode.wordpress.com/2009/12/01/defense-against-arp-spoofing-in-linux/
ARP spoofing, also known as ARP poisoning, is a mechanism commonly used in man-in-the-middle and denial-of-service attacks on a local network. Because ARP has no authentication, a host cannot stop its neighbours from being poisoned; it can only harden itself and limit what a spoofed packet is able to achieve. This article summarizes some practical, easy-to-apply measures for Linux-based servers. They complement, and do not replace, keeping the kernel and installed applications patched.
The points are described in turn below:
1. Resolver settings in “/etc/host.conf”, as shown below.
order hosts,bind
multi on
nospoof on
spoofalert on
“nospoof on” makes the resolver reverse-look-up every address it resolves and reject the result if the names do not match; “spoofalert on” logs such mismatches via syslog. This is a DNS-level protection for services that make decisions based on a hostname (rsh/rlogin-style checks); it does nothing against ARP itself, and whether your glibc still enforces these keywords depends on its version, so check host.conf(5) on the system rather than relying on it.
2. The following tweaks in “/etc/sysctl.conf” (or written directly under “/proc/sys/net/ipv4/…”) mitigate several kinds of spoofing at the IP layer. They are simple yet effective, but note that none of them inspects ARP itself; they limit what an attacker can do with forged IP packets and redirects once a cache has been poisoned. Writes to /proc do not survive a reboot; put the same keys in dotted form (net.ipv4.conf.all.rp_filter and so on) into /etc/sysctl.conf to make them persistent. For several of these knobs the kernel combines the “all” and per-interface values (a 1 on either side enables send_redirects, and accept_redirects on a non-forwarding host), so interfaces that already exist also need conf/<interface>/… set; “default” only seeds interfaces created later.
» Turn on source address verification (reverse-path filtering) on all interfaces, so a packet whose source address is not routable back through the interface it arrived on is dropped. Value 1 is strict mode; on a multihomed host with asymmetric routing it can drop legitimate traffic, in which case use 2 (loose mode).
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
» Enable TCP SYN cookies so the host keeps accepting connections during a SYN flood. Connections completed from a cookie may lose TCP options such as window scaling (http://lkml.org/lkml/2008/2/5/167), which only matters while the listen backlog is actually full.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
» Do not accept ICMP redirects. A host on the LAN can send them to make this server route traffic through itself, a man-in-the-middle attack that does not even need ARP poisoning.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
» Ignore ICMP echo requests sent to broadcast addresses, so the host cannot be used as an amplifier in a smurf attack.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
» Ignore bogus ICMP error responses (malformed errors that some broadcast responders send) instead of logging every one.
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
» Do not send ICMP redirects; a server that is not a router has no reason to, and they leak routing information.
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
» Do not accept source-routed packets, which let the sender dictate the path and bypass routing policy.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route
» Log martian packets (packets with impossible source or destination addresses, including those rejected by rp_filter), so spoofing attempts show up in the kernel log.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/conf/default/log_martians
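The settings above are only useful if they are actually in effect after every reboot and on every interface, so the natural companion is an audit. The script below is an added example, not part of the original post: it keeps the point-2 keys in one list, renders them as a sysctl.conf(5) fragment, and compares each key with the value found under a /proc/sys tree, reporting drift. The sample tree it builds with mktemp is constructed for the demonstration and stands in for a real /proc/sys; run audit_sysctls with no argument on a live host.

```shell
#!/bin/sh
# Added example (not part of the original post): audit the point-2 sysctls
# against a /proc/sys tree and render them as a sysctl.conf(5) fragment.
# The key list mirrors the post; the sample tree built below is constructed
# for demonstration and stands in for a real /proc/sys.

# key=expected value, one per line (POSIX sh has no arrays).
HARDENING_KEYS='
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
'

# Print the list in "key = value" form, ready for /etc/sysctl.d/.
render_sysctl_conf() {
    printf '# IPv4 anti-spoofing hardening\n'
    printf '%s\n' "$HARDENING_KEYS" | sed -e '/^$/d' -e 's/=/ = /'
}

# audit_sysctls [PROCSYS_DIR]: compare every key with the file under the
# given tree (default /proc/sys). Prints "key current expected" per
# mismatch (current is MISSING if the file is absent) and returns the
# number of mismatches, so a non-zero exit means drift.
audit_sysctls() {
    root=${1:-/proc/sys}
    bad=0
    for kv in $HARDENING_KEYS; do
        key=${kv%%=*}
        want=${kv#*=}
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ -r "$path" ]; then
            have=$(cat "$path")
        else
            have=MISSING
        fi
        if [ "$have" != "$want" ]; then
            printf '%s %s %s\n' "$key" "$have" "$want"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample tree: all keys hardened except two left at the
# insecure value (rp_filter off, ICMP redirects accepted).
make_sample_tree() {
    d=$(mktemp -d)
    for kv in $HARDENING_KEYS; do
        f="$d/$(printf '%s' "${kv%%=*}" | tr . /)"
        mkdir -p "$(dirname "$f")"
        printf '%s\n' "${kv#*=}" > "$f"
    done
    printf '0\n' > "$d/net/ipv4/conf/all/rp_filter"
    printf '1\n' > "$d/net/ipv4/conf/all/accept_redirects"
    printf '%s\n' "$d"
}

# Stand-alone demo on the sample tree; on a real host run
# `audit_sysctls` with no argument (or `audit_sysctls /proc/sys`).
sample=$(make_sample_tree)
audit_sysctls "$sample" || echo "drift in $? setting(s)"
rm -rf "$sample"
```

The audit deliberately reads /proc rather than /etc/sysctl.conf: the file says what was asked for, the /proc tree says what the kernel is doing now, and only the latter catches an interface that came up after sysctl ran or a later script that flipped a value back. The same loop can be pointed at conf/<interface>/ paths if you want to check each interface individually.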
3. If the server provides DHCP, use reservations keyed on each client's MAC address so that every known client always receives the same IP address. This keeps the static ARP table in the next point predictable, but a MAC address is trivially changed by an attacker, so treat MAC-based reservations as an inventory aid rather than a security boundary.
4. Pin the MAC address of each client to its IP address with static ARP entries, which a received ARP reply cannot overwrite:
arp -s 192.168.0.24 00:9a:7c:3d:15:8f
or define them in the file “/etc/ethers”, whose format (see ethers(5)) is the MAC address first and then the IP address, one pair per line, like this.
00:9a:7c:3d:15:8f 192.168.0.24
00:e9:18:7c:15:78 192.168.0.25
00:18:15:3d:78:8c 192.168.0.26
… etc., and load it with the command “arp -f” (with no file argument it reads /etc/ethers). On systems that no longer ship net-tools, “ip neigh” with a permanent neighbour state does the same job.
If your server has two network cards and one of them faces the Internet as a DMZ interface, add the entries for that side (typically the upstream gateway) manually, naming the interface explicitly, like this.
» assuming “eth1” is the DMZ interface.
arp -i eth1 -s 210.20.152.30 00:03:19:db:8a:58
Static entries live only in the kernel's neighbour cache and are lost at reboot, so re-apply them from a boot script or an interface-up hook and make sure every client's IP and MAC pair is present after each restart. Be clear about what this does and does not protect: it stops this server's own cache from being poisoned, but it does nothing for the clients' or the gateway's caches, so an attacker can still intercept the other half of a conversation. The LAN-wide fix is Dynamic ARP Inspection with DHCP snooping on managed switches; on the host side, at least monitor the cache for changes (arpwatch or a script diffing the neighbour table against /etc/ethers).
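Both halves of this point, loading the table at boot and noticing when the live cache disagrees with it, fit in one small script. The following is an added example, not code from the original post: it reads ethers(5)-format lines, validates them, emits the iproute2 “ip neigh replace … nud permanent” command for each (the modern equivalent of “arp -s”), and compares an “ip -4 neigh show” listing with the expected table to report poisoned or missing entries. The interface name eth0, the three client addresses and the sample neighbour listing are constructed for the demonstration; on a real host feed it /etc/ethers and the real “ip neigh” output.

```shell
#!/bin/sh
# Added example (not part of the original post): turn an ethers(5) table
# into permanent neighbour entries with iproute2, and check the live ARP
# cache against that table to spot poisoning. The interface name, the
# addresses and the `ip neigh` output below are constructed samples.

# ethers(5) format: MAC address first, then the IP address.
ETHERS_SAMPLE='
00:9a:7c:3d:15:8f 192.168.0.24
00:e9:18:7c:15:78 192.168.0.25
00:18:15:3d:78:8c 192.168.0.26
'

# Constructed `ip -4 neigh show dev eth0` output: .26 is correct, .25 now
# resolves to a foreign MAC (poisoned), .24 has no entry at all.
NEIGH_SAMPLE='
192.168.0.26 lladdr 00:18:15:3d:78:8c REACHABLE
192.168.0.25 lladdr 00:aa:bb:cc:dd:ee STALE
192.168.0.1 lladdr 00:50:56:ab:cd:ef REACHABLE
'

valid_mac() { printf '%s' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; }
valid_ip4() { printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }
lower()     { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# ethers_to_ip_neigh IFACE: read ethers(5) lines on stdin and print one
# `ip neigh replace ... nud permanent` command per entry (a permanent
# entry is never overwritten by a received ARP reply). Hostnames are
# rejected on purpose: pin by IP so no name lookup is involved.
ethers_to_ip_neigh() {
    iface=$1
    while read -r mac ip _; do
        case $mac in ''|\#*) continue ;; esac
        if ! valid_mac "$mac" || ! valid_ip4 "$ip"; then
            printf 'skipping malformed entry: %s %s\n' "$mac" "$ip" >&2
            continue
        fi
        printf 'ip neigh replace %s lladdr %s dev %s nud permanent\n' \
            "$ip" "$(lower "$mac")" "$iface"
    done
}

# arp_drift ETHERS_TEXT NEIGH_TEXT: compare the expected table with the
# output of `ip -4 neigh show`. Prints "ip expected-mac observed-mac"
# (observed is MISSING when the cache has no entry) for each mismatch
# and returns the mismatch count, so non-zero means something changed.
arp_drift() {
    expected=$1
    observed=$2
    bad=0
    while read -r mac ip _; do
        case $mac in ''|\#*) continue ;; esac
        seen=$(printf '%s\n' "$observed" |
            awk -v ip="$ip" '$1 == ip && $2 == "lladdr" { print tolower($3); exit }')
        if [ -z "$seen" ]; then
            seen=MISSING
        fi
        if [ "$seen" != "$(lower "$mac")" ]; then
            printf '%s %s %s\n' "$ip" "$mac" "$seen"
            bad=$((bad + 1))
        fi
    done <<EOF
$expected
EOF
    return "$bad"
}

# Stand-alone demo on the constructed samples. On a real host:
#   ethers_to_ip_neigh eth0 < /etc/ethers | sh          (as root, at boot)
#   arp_drift "$(cat /etc/ethers)" "$(ip -4 neigh show dev eth0)"
printf '%s\n' "$ETHERS_SAMPLE" | ethers_to_ip_neigh eth0
arp_drift "$ETHERS_SAMPLE" "$NEIGH_SAMPLE" || echo "ARP drift in $? entries"
```

Run the first function from a boot script or interface-up hook so the permanent entries exist before any client traffic, and the second from cron to get a cheap arpwatch: a permanent entry should never drift, so any mismatch it reports means either the table is stale or somebody on the segment is answering for an address that is not theirs.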
5. Make sure the packet-filtering rules in IPTables drop traffic from or to the following address blocks, which should never appear on the Internet-facing interface.
Private networks (RFC 1918):
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
IANA reserved:
0.0.0.0/8 - historical broadcast (“this” network)
127.0.0.0/8 - loopback
169.254.0.0/16 - link-local
192.0.2.0/24 - TEST-NET
240.0.0.0/5 - class E, reserved
248.0.0.0/5 - unallocated (with 240.0.0.0/5 this is all of 240.0.0.0/4)
255.255.255.255/32 - broadcast
Example, for the 0.0.0.0/8 block:
iptables -A INPUT -j DROP -s 0.0.0.0/8
iptables -A INPUT -j DROP -d 0.0.0.0/8
iptables -A FORWARD -j DROP -s 0.0.0.0/8
iptables -A FORWARD -j DROP -d 0.0.0.0/8
iptables -A OUTPUT -j DROP -d 0.0.0.0/8
Two caveats before copying this list onto every chain. First, bind the rules to the Internet-facing interface (“-i eth1” and “-o eth1” in the DMZ layout above): written without an interface match, the RFC 1918 entries would drop your own LAN clients (the 192.168.0.x addresses used in point 4), and the 127.0.0.0/8 entry would break loopback traffic. Second, “-A” appends, so an ACCEPT rule that is already earlier in the chain would bypass the drop; insert the bogon rules at the top. Remember also that DHCP clients send from 0.0.0.0 to 255.255.255.255, so a server that hands out leases (point 3) must not drop those addresses on its LAN interface.
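Writing the five rules above by hand for each of the ten blocks is error-prone and easy to get wrong in exactly the ways the caveats describe, so here is a generator. It is an added example and not the original post's ruleset: it prints, rather than runs, an iptables ruleset that puts every block into dedicated user chains, logs with a rate limit before dropping, and hooks those chains at position 1 of INPUT, FORWARD and OUTPUT only for the Internet-facing interface. The chain names, the rate limit and the “-C” idempotency check (needs iptables 1.4.11 or later) are assumptions of this example; the interface name eth1 and the address list are the post's own. Review the output, then pipe it into sh as root.

```shell
#!/bin/sh
# Added example (not part of the original post): generate the point-5 bogon
# filter as an idempotent iptables ruleset bound to the Internet-facing
# interface only. The interface name (eth1) and the chain layout are
# assumptions; the address list is the one given above. The script only
# prints the commands, so review them and pipe into `sh` as root.

BOGONS='
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
0.0.0.0/8
127.0.0.0/8
169.254.0.0/16
192.0.2.0/24
240.0.0.0/5
248.0.0.0/5
255.255.255.255/32
'

# bogon_rules WAN_IF: print the iptables commands, one per line.
bogon_rules() {
    wan=$1

    # Three user chains. Create-or-flush makes re-running the script
    # replace the previous rules instead of appending duplicates.
    for chain in BOGON_SRC BOGON_DST BOGON_LOGDROP; do
        printf 'iptables -N %s 2>/dev/null || iptables -F %s\n' "$chain" "$chain"
    done

    # Rate-limited log, then drop; without the limit a spoof flood would
    # also be a log flood.
    printf 'iptables -A BOGON_LOGDROP -m limit --limit 5/min -j LOG --log-prefix "BOGON: "\n'
    printf 'iptables -A BOGON_LOGDROP -j DROP\n'

    # One match per block, by source and by destination.
    for net in $BOGONS; do
        printf 'iptables -A BOGON_SRC -s %s -j BOGON_LOGDROP\n' "$net"
        printf 'iptables -A BOGON_DST -d %s -j BOGON_LOGDROP\n' "$net"
    done

    # Hook the chains only on the WAN interface, at position 1 so no earlier
    # ACCEPT bypasses them. -C tests for the jump first so it is added once.
    # LAN and loopback traffic never enters these chains, which is what keeps
    # the 192.168.0.x clients, 127.0.0.0/8 and LAN-side DHCP working.
    printf 'iptables -C INPUT -i %s -j BOGON_SRC 2>/dev/null || iptables -I INPUT 1 -i %s -j BOGON_SRC\n' "$wan" "$wan"
    printf 'iptables -C FORWARD -i %s -j BOGON_SRC 2>/dev/null || iptables -I FORWARD 1 -i %s -j BOGON_SRC\n' "$wan" "$wan"
    printf 'iptables -C FORWARD -o %s -j BOGON_DST 2>/dev/null || iptables -I FORWARD 1 -o %s -j BOGON_DST\n' "$wan" "$wan"
    printf 'iptables -C OUTPUT -o %s -j BOGON_DST 2>/dev/null || iptables -I OUTPUT 1 -o %s -j BOGON_DST\n' "$wan" "$wan"
}

# Stand-alone demo: print the ruleset for eth1 (apply with `bogon_rules eth1 | sh`).
bogon_rules eth1
```

Because the jumps carry the interface match and the user chains carry the address matches, adding or removing a block is a one-line change to the list, and the built-in chains never get an unbound drop rule. The ruleset is IPv4 only; ip6tables needs its own treatment, and the log prefix is what to grep for in the kernel log alongside the martian entries from point 2.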
6. Done.