Thursday, 02 June 2011

A Firewall for Securing Things

Talking about firewalls again .... it makes your lips foam ... makes your head spin ... especially when something goes wrong .... it can turn into a boomerang for the admin ... hehehehh
Actually nobody recommends installing something overly complicated anyway .... when would you ever put on weight if every day you keep worrying about the firewall and its problems .... xixixixix
not to mention the limits of the device we are championing as the router .... is it really capable of working with a system that complex .... will it run at its best??? ... or might it even sulk .... xixixixixi ... (as if a machine knows how to sulk just because it's fed up thinking about so many tasks ... heheheh) ...

Here is the script straight away boss ... please edit it again so it matches your own setup ..


1. To filter SSH brute forcers
------------------------------

/ ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="Drop SSH brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
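As an added example that is not part of the original post, here is a small Python model of the staged address lists in section 1: it walks the post's five rules in chain order over a constructed burst of new SSH connections and shows that four attempts inside the 1-minute windows land a source on ssh_blacklist for 1w3d, while a slower client never escalates. It assumes add-src-to-address-list is non-terminating (the packet continues to the next rule), and the IPs and timestamps are constructed sample data.

```python
import re

# The post's input-chain rules, top to bottom: (list the source must be in,
# action, list to add the source to, address-list-timeout). None = no list match.
RULES = [
    ("ssh_blacklist", "drop", None, None),
    ("ssh_stage3", "add", "ssh_blacklist", "1w3d"),
    ("ssh_stage2", "add", "ssh_stage3", "1m"),
    ("ssh_stage1", "add", "ssh_stage2", "1m"),
    (None, "add", "ssh_stage1", "1m"),
]

UNITS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_timeout(text):
    """Convert a RouterOS duration such as '1w3d' or '1m' into seconds."""
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([wdhms])", text))


class AddressLists:
    """Dynamic address lists: (list name, ip) -> absolute expiry time."""

    def __init__(self):
        self.entries = {}

    def contains(self, name, ip, now):
        expiry = self.entries.get((name, ip))
        return expiry is not None and expiry > now

    def add(self, name, ip, now, timeout):
        # Re-adding refreshes the timeout, as a new dynamic entry would.
        self.entries[(name, ip)] = now + parse_timeout(timeout)


def new_ssh_connection(lists, ip, now):
    """Evaluate one new TCP/22 connection against RULES; return 'drop' or 'accept'."""
    for match_list, action, target, timeout in RULES:
        if match_list is not None and not lists.contains(match_list, ip, now):
            continue  # rule does not match this source
        if action == "drop":
            return "drop"  # drop is terminating
        lists.add(target, ip, now, timeout)  # assumed non-terminating: keep walking
    return "accept"  # no drop rule matched (the chain's default here)


def simulate(attempts):
    """Run a list of (ip, time_in_seconds) new-connection events through the chain."""
    lists = AddressLists()
    return [new_ssh_connection(lists, ip, t) for ip, t in attempts]
```

A burst of five connections ten seconds apart is dropped from the fifth one on, and the same source is still dropped just before the 1w3d (864000 s) blacklist entry expires.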



2. To filter port scanning
--------------------------

/ ip firewall filter
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port Scanners to list" disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="" disabled=no
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="" disabled=no
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="" disabled=no
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="" disabled=no
add chain=input src-address-list="port scanners" action=drop comment="" disabled=no



3. To filter the FTP port
-------------------------

/ ip firewall filter
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="Filter FTP to Box" disabled=no
add chain=output protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m action=accept comment="" disabled=no
add chain=output protocol=tcp content="530 Login incorrect" action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h comment="" disabled=no



4. To separate packets into protocol chains
-------------------------------------------

/ ip firewall filter
add chain=forward protocol=tcp action=jump jump-target=tcp comment="Separate Protocol into Chains" disabled=no
add chain=forward protocol=udp action=jump jump-target=udp comment="" disabled=no
add chain=forward protocol=icmp action=jump jump-target=icmp comment="" disabled=no



5. To block evil UDP traffic
----------------------------

/ ip firewall filter
add chain=udp protocol=udp dst-port=69 action=drop comment="Blocking UDP Packet" disabled=no
add chain=udp protocol=udp dst-port=111 action=drop comment="" disabled=no
add chain=udp protocol=udp dst-port=135 action=drop comment="" disabled=no
add chain=udp protocol=udp dst-port=137-139 action=drop comment="" disabled=no
add chain=udp protocol=udp dst-port=2049 action=drop comment="" disabled=no
add chain=udp protocol=udp dst-port=3133 action=drop comment="" disabled=no



6. To block evil TCP traffic
----------------------------

/ ip firewall filter
add chain=tcp protocol=tcp dst-port=69 action=drop comment="Blocking TCP Packet" disabled=no
add chain=tcp protocol=tcp dst-port=111 action=drop comment="" disabled=no
add chain=tcp protocol=tcp dst-port=119 action=drop comment="" disabled=no
add chain=tcp protocol=tcp dst-port=135 action=drop comment="" disabled=no
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="" disabled=no
add chain=tcp protocol=tcp dst-port=445 action=drop comment="" disabled=no
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="" disabled=no
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="" disabled=no
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="" disabled=no
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="" disabled=no
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="" disabled=no



7. To block bogus mail traffic
------------------------------

/ ip firewall filter
add chain=forward protocol=tcp dst-port=25 action=drop comment="Block forwarded SMTP" disabled=no



8. To build a DoS filter
------------------------

/ ip firewall filter
add chain=icmp protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept comment="Limited Ping Flood" disabled=no
add chain=icmp protocol=icmp icmp-options=3:3 limit=5,5 action=accept comment="" disabled=no
add chain=icmp protocol=icmp icmp-options=3:4 limit=5,5 action=accept comment="" disabled=no
add chain=icmp protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept comment="" disabled=no
add chain=icmp protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept comment="" disabled=no
add chain=icmp protocol=icmp action=drop comment="" disabled=no




9. To build a P2P connection filter
-----------------------------------

/ ip firewall filter
add chain=forward p2p=all-p2p action=accept comment="P2P traffic" disabled=no




10. To filter access from the mapped networks
---------------------------------------------

/ ip firewall filter
add chain=input dst-address-type=broadcast,multicast action=accept comment="Allow Broadcast Traffic" disabled=no
add chain=input src-address=192.168.0.0/28 action=accept comment="Allow access to router from known network" disabled=no
add chain=input src-address=192.168.1.0/24 action=accept comment="" disabled=no
add chain=input src-address=192.168.2.0/30 action=accept comment="" disabled=no
add chain=input src-address=125.162.0.0/16 action=accept comment="" disabled=no
