Saturday, 26 May 2012

Ping Of Death


This article was written to monitor the state of a Linux box for Ping of Death attacks, port scanning, or just to experiment ......... ^_^

The way this daemon works is by writing the log entries produced by iptables to the file /var/log/ulogd.syslogemu.

Normally, logging that doesn't go through ulogd ends up filling "dmesg". With ulogd, the log entries generated by your iptables rules are redirected to ulogd's own log file instead. I installed ulogd on a Slackware 10 machine with kernel 2.6.7. There is no copyright of any kind on this document; you're free to copy, print or modify it (as long as you credit the original author).


Okay .... time for action,... but first /me would like to thank mas Hari-uhui for his support.... ^_^

It's assumed that you already understand the concepts of TCP/IP and iptables. As a quick refresher on iptables you can read mas s3trum's article at http://efnet.linux.or.id/docs/iptables.html

For those of you who like smoking ........ feel free to puff away on that ... cigarette ........ & bear the consequences yourself, okay. ....

Sorry if that sounds like a dig.... it's just that I quit smoking in my first year of high school ...... I started smoking in 5th grade .…... got bored of it ... Hmm, don't forget snacks ... &. something simple to drink... avocado juice + tamarillo juice .... (if you want to copy my portions)
 


1. Preparation


Switch from your regular user account to root, but it's recommended not to run the command "su" on its own. Get into the habit of always typing the command by its full path, i.e. "/bin/su". By typing the full pathname you run the real su binary directly, rather than whatever "su" happens to come first in your PATH. This is important to protect the superuser password from being captured by Trojan Horse programs: a fake su planted in a directory that appears earlier in your PATH (such as ".") would happily ask for the root password and record it. Next, go to the temporary directory where you usually install tools. I usually put them in /tmp/installer, then download and compile the tool there.


[sysadmin@router1]$ /bin/su root

[root@router1]# mkdir /tmp/installer

[root@router1]# cd /tmp/installer

[root@router1]# wget -c http://freshmeat.net/redir/ulogd/10896/url_bz2/ulogd-1.02.tar.bz2

[root@router1]# bunzip2 ulogd-1.02.tar.bz2

[root@router1]# tar -xf ulogd-1.02.tar

[root@router1]# cd ulogd-1.02
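A small check that goes with the /bin/su point above: a PATH containing "." (or an empty component, which the shell treats the same way) is exactly what lets a planted su get picked up ahead of /bin/su. This is an added example and not part of the original article; it only inspects the PATH string you hand it and touches nothing on disk.

```shell
#!/bin/sh
# Added example: flag PATH entries that let a planted "su" shadow /bin/su.
# Not from the original article; it only inspects the PATH string it is given.

# check_path PATHSTRING
# Prints every unsafe entry; returns 0 when all entries are absolute, 1 otherwise.
check_path() {
    _p=$1
    _bad=0
    # A leading, trailing or doubled ":" is an empty component, which the shell
    # searches as the current directory: the classic trojan-su trap.
    case "$_p" in
        :*|*:|*::*) echo "unsafe: empty component (searched as the current directory)"; _bad=1 ;;
    esac
    _old_ifs=$IFS
    IFS=:
    for _e in $_p; do
        case "$_e" in
            "")  ;;                                   # already reported above
            /*)  ;;                                   # absolute directory: fine
            *)   echo "unsafe: relative entry '$_e'"; _bad=1 ;;
        esac
    done
    IFS=$_old_ifs
    return $_bad
}

# Stand-alone demo on the current shell's PATH.
if check_path "$PATH"; then
    echo "PATH is clean; 'su' resolves to $(command -v su 2>/dev/null || echo '<not found>')"
else
    echo "fix PATH, or keep typing /bin/su"
fi
```

Run it as your unprivileged user, since that is the account whose PATH decides which su you get.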


-

Here we change a few paths in the configure script, because with the default configuration on this box the iptables log entries didn't get logged at all. (The same layout can be had without editing configure by passing the paths as options, i.e. ./configure --prefix= --sysconfdir=/etc --localstatedir=/var, but the edit below works too.)


The default path configuration looks like this :

/usr/local/sbin/ulogd <== executable

/usr/local/etc/ulogd.conf <== configuration file

/var/log/ulogd.log <== daemon status log

/var/log/ulogd.syslogemu <== iptables report log

-

Do this by editing the configure file

# --- change these to look like this ---

bindir='/bin'

sbindir='/sbin'

libexecdir='/libexec'

datadir='/share'

sysconfdir='/etc'

sharedstatedir='/com'

localstatedir='/var'

libdir='/lib'

includedir='/include'

oldincludedir='/usr/include'

infodir='/info'

mandir='/man'


-

Compile the source

[root@router1]# ./configure

[root@router1]# make

[root@router1]# make install



Once it's installed successfully, the important ulogd files will be in these directories :

/sbin/ulogd <== executable

/etc/ulogd.conf <== configuration file


Then start the ulogd daemon

[root@router1]# /sbin/ulogd -c /etc/ulogd.conf &

Fri Sep 3 13:44:04 2004 <3> ulogd.c:300 registering interpreter `raw'

Fri Sep 3 13:44:04 2004 <3> ulogd.c:300 registering interpreter `oob'

Fri Sep 3 13:44:04 2004 <3> ulogd.c:300 registering interpreter `ip'

Fri Sep 3 13:44:04 2004 <3> ulogd.c:300 registering interpreter `tcp'

Fri Sep 3 13:44:04 2004 <3> ulogd.c:300 registering interpreter `icmp'

Fri Sep 3 13:44:04 2004 <3> ulogd.c:300 registering interpreter `udp'

Fri Sep 3 13:44:04 2004 <3> ulogd.c:300 registering interpreter `ahesp'

Fri Sep 3 13:44:04 2004 <5> ulogd.c:355 registering output `syslogemu'



Check whether your ulogd is running
[root@router1]# ps ax|grep ulogd

5858 pts/0 S 0:00 /sbin/ulogd -c /etc/ulogd.conf


-

[root@router1]# tail -f /var/log/ulogd.log

Fri Sep 3 13:44:04 2004 <3> ulogd.c:479 ulogd Version 1.01 starting

Fri Sep 3 13:44:04 2004 <5> ulogd.c:696 initialization finished, entering main loop



Okay ........ your ulogd daemon is now running .........


To have it start every time your machine boots, add it to rc.local

[root@router1]# echo "/sbin/ulogd -c /etc/ulogd.conf &" >> /etc/rc.d/rc.local


2. Kernel and Module Configuration


For your kernel to support the ULOG target used by these iptables rules you first have to enable

the config option CONFIG_IP_NF_TARGET_ULOG under netfilter (e.g. via make menuconfig), then either recompile the kernel

or just recompile the netfilter modules


[root@router1]# cd /usr/src/linux-2.6.7/

[root@router1]# make modules SUBDIRS=net/ipv4/netfilter

[root@router1]# make modules_install


(If you're doing this on anything recent: the ULOG target was removed from the kernel in Linux 3.17. Its replacement is the NFLOG target, which ulogd 2.x reads through its NFLOG input plugin, so the rules below would use -j NFLOG --nflog-prefix instead.)



3. Creating iptables log rules


Since I use the Slackware distro, my iptables rules live in /etc/rc.d/rc.firewall,

whereas on a Red Hat distro you can type them straight at the console and then save them to /etc/sysconfig/iptables with "service iptables save" (see below).


Two things to watch in the rules: ULOG has no --ulog-level option (that's --log-level of the plain LOG target), so each rule carries only --ulog-prefix; and in_tcp is a user-defined chain, so it has to be created and fed from INPUT before the rules that log into it do anything.

# --- create the user-defined chain and send inbound TCP through it (not shown in the original rc.firewall) ---
/usr/sbin/iptables -N in_tcp
/usr/sbin/iptables -A INPUT -p tcp -j in_tcp

/usr/sbin/iptables -A INPUT -p icmp --icmp-type "echo-request" -m limit --limit 5/minute -j ULOG --ulog-prefix '< Ping Scan >'
/usr/sbin/iptables -A in_tcp -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 5 -j ULOG --ulog-prefix '< Stealth Scan >'
/usr/sbin/iptables -A in_tcp -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/m -j ULOG --ulog-prefix '< XMAS Scan >'
/usr/sbin/iptables -A in_tcp -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m -j ULOG --ulog-prefix '< SYN/RST Scan >'
/usr/sbin/iptables -A in_tcp -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m -j ULOG --ulog-prefix '< SYN/FIN Scan >'



Restart your iptables; on a Slackware machine

[root@router1]# /etc/rc.d/rc.inet2 restart


On a Red Hat machine (save first, so the rules you typed survive the restart)

[root@router1]# /etc/init.d/iptables save

[root@router1]# /etc/init.d/iptables restart



4. Testing the iptables logging

Once ulogd is running and iptables has been restarted ........ it's time to test the logging ...........

The scenario I set up is that the router1 machine (192.168.0.2) gets pinged from a Win2003 server (192.168.0.1)

and port scanned from a notebook (192.168.3.37)


The ping performed from the Win2003 Server

*==========================================

Welcome to Microsoft Telnet Server.

*==========================================

C:\Documents and Settings\Administrator>ping 192.168.0.2

Pinging 192.168.0.2 with 32 bytes of data:

Reply from 192.168.0.2: bytes=32 time<1ms TTL=64

Reply from 192.168.0.2: bytes=32 time<1ms TTL=64


Ping statistics for 192.168.0.2:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms


-

Then look at the iptables logging output :

[root@router1]# tail -f /var/log/ulogd.syslogemu

Sep 3 13:55:46 ns1 < Ping Scan > IN=eth0 OUT= MAC=00:80:48:11:c2:d7:00:c1:28:01:ce:2f:08:00 SRC=192.168.0.1 DST=192.168.0.2 LEN=60 TOS=00 PREC=0x00 TTL=128 ID=433 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=256

Sep 3 13:55:47 ns1 < Ping Scan > IN=eth0 OUT= MAC=00:80:48:11:c2:d7:00:c1:28:01:ce:2f:08:00 SRC=192.168.0.1 DST=192.168.0.2 LEN=60 TOS=00 PREC=0x00 TTL=128 ID=435 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=512



Port scan from IP 192.168.3.37

[root@iman]# nmap -v www.imanibbi.ac.id

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-09-03 13:51 WIT

Host ns1.imanibbi.ac.id (192.168.2.1) appears to be up ... good.

Initiating SYN Stealth Scan against ns1.imanibbi.ac.id (192.168.2.1) at 13:51



Then look at the iptables log again :

[root@router1]# tail -f /var/log/ulogd.syslogemu

Sep 3 14:01:17 ns1 < Stealth Scan > IN=eth2 OUT= MAC=00:80:48:17:0d:57:00:80:48:17:0d:4a:08:00 SRC=192.168.3.37 DST=192.168.2.1 LEN=40 TOS=00 PREC=0x00 TTL=63 ID=230 DF PROTO=TCP SPT=36344 DPT=79 SEQ=138215714 ACK=0 WINDOW=0 RST URGP=0



From the logging output above you can see that 192.168.0.1 and 192.168.3.37 have performed a ping and a port scan respectively. One thing worth noticing: the Stealth Scan rule matches bare RST packets, so what it actually caught is the RST the scanning side sends to tear down the half-open connection after our SYN/ACK (hence ACK=0 WINDOW=0 on DPT=79), not the probing SYN itself.
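To go from eyeballing tail -f to something you can act on, here is an added example (not part of the original article) that summarises a ulogd.syslogemu file per source address and rule prefix and flags sources that cross a threshold. It assumes the line format shown above (prefix between "< " and " >", then KEY=VALUE tokens). The first three sample lines are the ones shown above; the remaining three are constructed to look like the rest of the same nmap run, with made-up destination ports. The threshold is my choice, not the article's.

```shell
#!/bin/sh
# Added example: summarise ulogd.syslogemu output per source and rule prefix.
# Not from the original article.

# Write sample log lines to the file named in $1. The first three lines are the
# ones shown in the article; the last three are constructed (same scanner, other
# destination ports) so the threshold logic has something to work on.
write_sample_log() {
    cat > "$1" <<'EOF'
Sep 3 13:55:46 ns1 < Ping Scan > IN=eth0 OUT= MAC=00:80:48:11:c2:d7:00:c1:28:01:ce:2f:08:00 SRC=192.168.0.1 DST=192.168.0.2 LEN=60 TOS=00 PREC=0x00 TTL=128 ID=433 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=256
Sep 3 13:55:47 ns1 < Ping Scan > IN=eth0 OUT= MAC=00:80:48:11:c2:d7:00:c1:28:01:ce:2f:08:00 SRC=192.168.0.1 DST=192.168.0.2 LEN=60 TOS=00 PREC=0x00 TTL=128 ID=435 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=512
Sep 3 14:01:17 ns1 < Stealth Scan > IN=eth2 OUT= MAC=00:80:48:17:0d:57:00:80:48:17:0d:4a:08:00 SRC=192.168.3.37 DST=192.168.2.1 LEN=40 TOS=00 PREC=0x00 TTL=63 ID=230 DF PROTO=TCP SPT=36344 DPT=79 SEQ=138215714 ACK=0 WINDOW=0 RST URGP=0
Sep 3 14:01:17 ns1 < Stealth Scan > IN=eth2 OUT= MAC=00:80:48:17:0d:57:00:80:48:17:0d:4a:08:00 SRC=192.168.3.37 DST=192.168.2.1 LEN=40 TOS=00 PREC=0x00 TTL=63 ID=231 DF PROTO=TCP SPT=36344 DPT=22 SEQ=138215715 ACK=0 WINDOW=0 RST URGP=0
Sep 3 14:01:18 ns1 < Stealth Scan > IN=eth2 OUT= MAC=00:80:48:17:0d:57:00:80:48:17:0d:4a:08:00 SRC=192.168.3.37 DST=192.168.2.1 LEN=40 TOS=00 PREC=0x00 TTL=63 ID=232 DF PROTO=TCP SPT=36344 DPT=80 SEQ=138215716 ACK=0 WINDOW=0 RST URGP=0
Sep 3 14:01:18 ns1 < Stealth Scan > IN=eth2 OUT= MAC=00:80:48:17:0d:57:00:80:48:17:0d:4a:08:00 SRC=192.168.3.37 DST=192.168.2.1 LEN=40 TOS=00 PREC=0x00 TTL=63 ID=233 DF PROTO=TCP SPT=36344 DPT=443 SEQ=138215717 ACK=0 WINDOW=0 RST URGP=0
EOF
}

# summarize_ulog LOGFILE [THRESHOLD]
# Prints one line per (source, prefix): ALERT/ok, prefix, src, hit count and
# number of distinct destination ports. ALERT when hits >= THRESHOLD (default 5).
summarize_ulog() {
    awk -v thr="${2:-5}" '
    {
        # the rule prefix is the text between "< " and " >"
        if (match($0, /< [^>]+ >/) == 0) next
        prefix = substr($0, RSTART + 2, RLENGTH - 4)
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src == "") next
        key = src SUBSEP prefix
        hits[key]++
        # distinct destination ports per (src, prefix); ICMP lines have none
        if (dpt != "" && !((key SUBSEP dpt) in seen)) {
            seen[key SUBSEP dpt] = 1
            ports[key]++
        }
    }
    END {
        for (k in hits) {
            split(k, f, SUBSEP)
            state = (hits[k] >= thr) ? "ALERT" : "ok"
            printf "%s %s src=%s hits=%d ports=%d\n", state, f[2], f[1], hits[k], ports[k] + 0
        }
    }' "$1" | sort
}

# Stand-alone demo against the sample data.
LOG=$(mktemp)
write_sample_log "$LOG"
summarize_ulog "$LOG" 3
rm -f "$LOG"
```

Point it at the real file (summarize_ulog /var/log/ulogd.syslogemu 20) from cron and you have a crude scan report; the ports column is what separates a host sweeping many ports from one that merely hit a limit rule repeatedly.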


For other examples of logging rules, ask !google …… ^_^

Friday, 25 May 2012

SMURF ATTACK



SMURF ATTACK
 (Kecoak Elektronik)

We've surely all heard about DOS (denial-of-service)
what I want to discuss is the SMURF attack phenomenon, which is quite a thrill, because with
nothing more than a 56kbps modem you can crash an ADSL or Cablevision connection and the like, as long
as it's below a T3.. once it's that, just give up :)

why smurf? smurf is the program used in this DOS technique, hence the name of the attack.
Smurf is really a DOS attack that uses ICMP echo, and it closely resembles the "fraggle"
attack (which does the same thing with UDP echo).

------------
Ingredients
------------

1. Windows OS
   a. an internet connection
   b. the winsmurf program (find this one yourself, ugh)
   c. a broadcast list (there's an attachment below, but it's only a few and no guarantee they're
      still alive, okay)
   d. a little knowledge of English :)
   e. a target (not mandatory! don't use this to mess with people)

2. Linux OS (haven't tried the other UNIX variants) <- this one's more solid!
   a. a shell (obviously already installed)
   b. the smurf.c source (below)
   c. a broadcast server scanner (let's just use nmap...)
   d. whatever you need to compile *.c (gcc is enough)
   e. an internet connection
   f. add your own

-----------
How It Works
-----------

smurf starts with an attack that sends a 'stream' of Internet Control Message Protocol
(ICMP), or ping, packets - the packets used to check whether a server is alive or not -
to a server with an open broadcast that sits in front of a subnetwork, i.e. one group of
hosts under *.255. Simply put.. if that broadcast server gets 'pinged', EVERY host in the
group behind it responds. Now.. combine this technique with IP spoofing... we 'ping' the
broadcast server using our target's IP as the source address, so the responses from the
broadcast + its network are all 'reported' back to the target's address.

As an example.. I use Cablevision access that is supposedly 64kbps (never gets anywhere near
that when I check heuheuhe), which means 42 64-byte ping packets can be sent every second.
If the broadcast server takes all of them in, each ping is answered by the 253 hosts of that
network, so 42 x 253 = 10,626 packets, or about 5.2 Mbits of data per second, land on the
target..imagine that! in this situation a target on a T1 connection will crash!!

---------------
ATTACK DIAGRAM
---------------

                                                every broadcast network that
                                                receives the ping spoofed from
                                                the target replies to the target
|----------|                |------------------|   imagine how many servers     |--------|
| Attacker |--- spoofing -->| Broadcast server |-------- respond :) ----------->| target |
|----------|                |------------------|                                |--------|
     |                               |                                               |
202.153.253.**        receives a ping for xxx.xxx.xxx.255                   63.149.**.*** (crash)
                          "from" 63.149.**.***
                                     |
                                     |
           |----------|----------|----------|----------|
      broadcast  broadcast  broadcast  broadcast  broadcast
       network    network    network    network    network
                                     |
                                     |
           |----------|----------|----------|----------|
      broadcast  broadcast  broadcast  broadcast  broadcast
       network    network    network    network    network


---------
SOLUTION
---------

At the time this article was written, a smurf attack technically can't be dealt with from
the target's side by patching your software..huh? so what then? ehm..from the server side
it probably can...this is a solution for the big servers so that they don't allow
broadcast pings..
the method given below can be used on servers running the Linux operating system (not tried
on servers with another OS): enable 'icmp_echo_ignore_broadcasts' by changing its value to
'1'; the file lives at /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

so the command is

# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

or edit the file /etc/sysctl.conf and change the value to '1'

net.ipv4.icmp_echo_ignore_broadcasts = 1 <- the value becomes '1'

then run the command

# sysctl -p  (to apply the changes made to /etc/sysctl.conf; "sysctl -w" on its own, without a key=value, does nothing useful)

Two things worth knowing today: Linux has shipped with icmp_echo_ignore_broadcasts = 1 by
default since kernel 2.6.14, so on a current box this is a check rather than a change. And
the setting above only stops your own hosts from acting as amplifiers; what actually breaks
smurf is on the routers in front of those networks: don't forward directed broadcasts
(RFC 2644; on Cisco IOS "no ip directed-broadcast" has been the default since 12.0) and
filter packets whose source address doesn't belong to your network at the edge (BCP 38 /
RFC 2827), so the spoofed pings never reach a broadcast address in the first place.
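As an added example (not part of the original article), a small script that turns the advice above into a repeatable check: one function tells you whether the running kernel ignores broadcast echo requests, the other makes the /etc/sysctl.conf line permanent without duplicating it. Both take the file path as an argument, so they can be exercised against copies rather than the live files; the only real paths it knows are the ones named in the article.

```shell
#!/bin/sh
# Added example: check and persist the icmp_echo_ignore_broadcasts setting.
# Not from the original article. Both functions take the file path as an
# argument so they can be exercised against copies instead of the live files.

SYSCTL_KEY="net.ipv4.icmp_echo_ignore_broadcasts"
PROC_FILE="/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts"

# broadcast_ping_ignored PROCFILE
# Returns 0 when the kernel flag reads "1" (broadcast echo requests ignored).
# A missing or unreadable file counts as "not ignored" so the check fails safe.
broadcast_ping_ignored() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# persist_ignore_broadcasts SYSCTLCONF
# Makes sure SYSCTLCONF carries "net.ipv4.icmp_echo_ignore_broadcasts = 1"
# exactly once: an existing line (even one set to 0) is rewritten in place,
# otherwise the line is appended. Running it twice changes nothing.
persist_ignore_broadcasts() {
    _conf=$1
    _re=$(printf '%s' "$SYSCTL_KEY" | sed 's/\./\\./g')   # literal dots in the regex
    [ -f "$_conf" ] || : > "$_conf"
    if grep -q "^[[:space:]]*$_re[[:space:]]*=" "$_conf"; then
        _tmp=$(mktemp)
        sed "s|^[[:space:]]*$_re[[:space:]]*=.*|$SYSCTL_KEY = 1|" "$_conf" > "$_tmp"
        cat "$_tmp" > "$_conf"     # keep the original inode and permissions
        rm -f "$_tmp"
    else
        echo "$SYSCTL_KEY = 1" >> "$_conf"
    fi
}

# Stand-alone demo: report the running kernel (read-only; persisting the line
# and running "sysctl -p" are left to root).
if broadcast_ping_ignored "$PROC_FILE"; then
    echo "kernel ignores broadcast echo requests ($SYSCTL_KEY = 1)"
else
    echo "kernel still answers broadcast echo requests, or $PROC_FILE is not available"
fi
```

As root, "persist_ignore_broadcasts /etc/sysctl.conf && sysctl -p" is the whole procedure from the article in one idempotent step; the check function is the one to drop into a monitoring job.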

well..that's all the advice I can give to system admins..security is in your hands, and
one thing that matters most of all...NEVER DO ANYTHING THAT HARMS OTHER
PEOPLE!!!



#SaMuRai_HaCK


Basic Guide To The Internet

The Internet is a computer network made up of thousands of networks worldwide. No one knows exactly how many computers are connected to the Internet. It is certain, however, that these number in the millions.

No one is in charge of the Internet. There are organizations which develop technical aspects of this network and set standards for creating applications on it, but no governing body is in control. The Internet backbone, through which Internet traffic flows, is owned by private companies.

All computers on the Internet communicate with one another using the Transmission Control Protocol/Internet Protocol suite, abbreviated to TCP/IP. Computers on the Internet use a client/server architecture. This means that the remote server machine provides files and services to the user's local client machine. Software can be installed on a client computer to take advantage of the latest access technology.

An Internet user has access to a wide variety of services: electronic mail, file transfer, vast information resources, interest group membership, interactive collaboration, multimedia displays, real-time broadcasting, shopping opportunities, breaking news, and much more.

The Internet consists primarily of a variety of access protocols. Many of these protocols feature programs that allow users to search for and retrieve material made available by the protocol.


--------------------------------------------------------------------------------

COMPONENTS OF THE INTERNET

--------------------------------------------------------------------------------

WORLD WIDE WEB
The World Wide Web (abbreviated as the Web or WWW) is a system of Internet servers that supports hypertext to access several Internet protocols on a single interface. Almost every protocol type available on the Internet is accessible on the Web. This includes e-mail, FTP, Telnet, and Usenet News. In addition to these, the World Wide Web has its own protocol: HyperText Transfer Protocol, or HTTP. These protocols will be explained later in this document.

The World Wide Web provides a single interface for accessing all these protocols. This creates a convenient and user-friendly environment. It is no longer necessary to be conversant in these protocols within separate, command-level environments. The Web gathers together these protocols into a single system. Because of this feature, and because of the Web's ability to work with multimedia and advanced programming languages, the Web is the fastest-growing component of the Internet.

The operation of the Web relies primarily on hypertext as its means of information retrieval. HyperText is a document containing words that connect to other documents. These words are called links and are selectable by the user. A single hypertext document can contain links to many documents. In the context of the Web, words or graphics may serve as links to other documents, images, video, and sound. Links may or may not follow a logical path, as each connection is programmed by the creator of the source document. Overall, the Web contains a complex virtual web of connections among a vast number of documents, graphics, videos, and sounds.

Producing hypertext for the Web is accomplished by creating documents with a language called HyperText Markup Language, or HTML. With HTML, tags are placed within the text to accomplish document formatting, visual features such as font size, italics and bold, and the creation of hypertext links. Graphics and multimedia may also be incorporated into an HTML document. HTML is an evolving language, with new tags being added as each upgrade of the language is developed and released. The World Wide Web Consortium (W3C), led by Web founder Tim Berners-Lee, coordinates the efforts of standardizing HTML. The W3C now calls the language XHTML and considers it to be an application of the XML language standard.

The World Wide Web consists of files, called pages or home pages, containing links to documents and resources throughout the Internet.

The Web provides a vast array of experiences including multimedia presentations, real-time collaboration, interactive pages, radio and television broadcasts, and the automatic "push" of information to a client computer. Programming languages such as Java, JavaScript, Visual Basic, Cold Fusion and XML are extending the capabilities of the Web. A growing amount of information on the Web is served dynamically from content stored in databases. The Web is therefore not a fixed entity, but one that is in a constant state of development and flux.

For more complete information about the World Wide Web, see Understanding The World Wide Web.

E-MAIL
Electronic mail, or e-mail, allows computer users locally and worldwide to exchange messages. Each user of e-mail has a mailbox address to which messages are sent. Messages sent through e-mail can arrive within a matter of seconds.

A powerful aspect of e-mail is the option to send electronic files to a person's e-mail address. Non-ASCII files, known as binary files, may be attached to e-mail messages. These files are referred to as MIME attachments. MIME stands for Multipurpose Internet Mail Extensions, and was developed to help e-mail software handle a variety of file types. For example, a document created in Microsoft Word can be attached to an e-mail message and retrieved by the recipient with the appropriate e-mail program. Many e-mail programs, including Eudora, Netscape Messenger, and Microsoft Outlook, offer the ability to read files written in HTML, which is itself a MIME type.

TELNET
Telnet is a program that allows you to log into computers on the Internet and use online databases, library catalogs, chat services, and more. There are no graphics in Telnet sessions, just text. To Telnet to a computer, you must know its address. This can consist of words (locis.loc.gov) or numbers (140.147.254.3). Some services require you to connect to a specific port on the remote computer. In this case, type the port number after the Internet address. Example: telnet nri.reston.va.us 185.

Telnet is available on the World Wide Web. Probably the most common Web-based resources available through Telnet have been library catalogs, though most catalogs have since migrated to the Web. A link to a Telnet resource may look like any other link, but it will launch a Telnet session to make the connection. A Telnet program must be installed on your local computer and configured to your Web browser in order to work.

With the increasing popularity of the Web, Telnet has become less frequently used as a means of access to information on the Internet. It also sends everything, including any password you type, across the network unencrypted, which is why SSH has replaced it for logging into remote machines.

FTP
FTP stands for File Transfer Protocol. This is both a program and the method used to transfer files between computers. Anonymous FTP is an option that allows users to transfer files from thousands of host computers on the Internet to their personal computer account. FTP sites contain books, articles, software, games, images, sounds, multimedia, course work, data sets, and more.

If your computer is directly connected to the Internet via an Ethernet cable, you can use one of several PC software programs, such as WS_FTP for Windows, to conduct a file transfer.

FTP transfers can be performed on the World Wide Web without the need for special software. In this case, the Web browser will suffice. Whenever you download software from a Web site to your local machine, you are using FTP. You can also retrieve FTP files via search engines such as FtpFind, located at http://www.ftpfind.com/. This option is easiest because you do not need to know FTP program commands.

E-MAIL DISCUSSION GROUPS
One of the benefits of the Internet is the opportunity it offers to people worldwide to communicate via e-mail. The Internet is home to a large community of individuals who carry out active discussions organized around topic-oriented forums distributed by e-mail. These are administered by software programs. Probably the most common program is the listserv.

A great variety of topics are covered by listservs, many of them academic in nature. When you subscribe to a listserv, messages from other subscribers are automatically sent to your electronic mailbox. You subscribe to a listserv by sending an e-mail message to a computer program called a listserver. Listservers are located on computer networks throughout the world. This program handles subscription information and distributes messages to and from subscribers. You must have an e-mail account to participate in a listserv discussion group. Visit Tile.net at http://tile.net/ to see an example of a site that offers a searchable collection of e-mail discussion groups.

Majordomo and Listproc are two other programs that administer e-mail discussion groups. The commands for subscribing to and managing your list memberships are similar to those of listserv.

USENET NEWS
Usenet News is a global electronic bulletin board system in which millions of computer users exchange information on a vast range of topics. The major difference between Usenet News and e-mail discussion groups is the fact that Usenet messages are stored on central computers, and users must connect to these computers to read or download the messages posted to these groups. This is distinct from e-mail distribution, in which messages arrive in the electronic mailboxes of each list member.

Usenet itself is a set of machines that exchanges messages, or articles, from Usenet discussion forums, called newsgroups. Usenet administrators control their own sites, and decide which (if any) newsgroups to sponsor and which remote newsgroups to allow into the system.

There are thousands of Usenet newsgroups in existence. While many are academic in nature, numerous newsgroups are organized around recreational topics. Much serious computer-related work takes place in Usenet discussions. A small number of e-mail discussion groups also exist as Usenet newsgroups.

The Usenet newsfeed can be read by a variety of newsreader software programs. For example, the Netscape suite comes with a newsreader program called Messenger. Newsreaders are also available as standalone products.

FAQ, RFC, FYI
FAQ stands for Frequently Asked Questions. These are periodic postings to Usenet newsgroups that contain a wealth of information related to the topic of the newsgroup. Many FAQs are quite extensive. FAQs are available by subscribing to individual Usenet newsgroups. A Web-based collection of FAQ resources has been collected by The Internet FAQ Consortium and is available at http://www.faqs.org/.

RFC stands for Request for Comments. These are documents created by and distributed to the Internet community to help define the nuts and bolts of the Internet. They contain both technical specifications and general information.

FYI stands for For Your Information. These notes are a subset of RFCs and contain information of interest to new Internet users.

Links to indexes of all three of these information resources are available on the University Libraries Web site at http://library.albany.edu/reference/faqs.html.

CHAT & INSTANT MESSAGING
Chat programs allow users on the Internet to communicate with each other by typing in real time. They are sometimes included as a feature of a Web site, where users can log into the "chat room" to exchange comments and information about the topics addressed on the site. Chat may take other, more wide-ranging forms. For example, America Online is well known for sponsoring a number of topical chat rooms.

Internet Relay Chat (IRC) is a service through which participants can communicate to each other on hundreds of channels. These channels are usually based on specific topics. While many topics are frivolous, substantive conversations are also taking place. To access IRC, you must use an IRC software program.

A variation of chat is the phenomenon of instant messaging. With instant messaging, a user on the Web can contact another user currently logged in and type a conversation. Most famous is America Online's Instant Messenger. ICQ, MSN and Yahoo are other commonly-used chat programs.

Other types of real-time communication are addressed in the tutorial Understanding the World Wide Web.

MUD/MUSH/MOO/MUCK/DUM/MUSE
MUD stands for Multi User Dimension. MUDs, and their variations listed above, are multi-user virtual reality games based on simulated worlds. Traditionally text based, graphical MUDs now exist. There are MUDs of all kinds on the Internet, and many can be joined free of charge. For more information, read one of the FAQs devoted to MUDs available at the FAQ site at