Making Linux Immune to ARP Poisoning / ARP Spoofing

Plenty of articles about ARP poisoning / ARP spoofing have already been written on the internet; a Google search for "arp poisoning" returns many hits. So how do we make a Linux router immune to ARP poisoning? In this case we protect Linux from ARP spoofing only on the LAN (local area network) interface, using arptables. To install arptables on a Debian-family distro, run:

$ sudo apt-get install arptables

For other distros, such as Slackware, download the arptables source from http://sourceforge.net/projects/ebtables/files/arptables/ . On a distro like Slackware a few extra steps are needed:

# mkdir /etc/sysconfig
# tar zxf arptables-v0.0.3-3.tar.gz
# cd arptables-v0.0.3-3
# make && make install
# cd /etc/sysconfig
# echo 'NETWORKING=no' >> network

First, create a file containing the list of IP address and MAC address pairs, as in the example below:

$ cat /etc/arptables
# lines that begin with the '#' character are not processed by the script
# pc 1
192.168.0.1 00:1B:B9:CF:2A:15
# pc 2
192.168.0.2 00:1B:B9:AE:20:0B
# pc 3
192.168.0.3 00:1B:B9:CF:03:C3
# pc 4
192.168.0.4 00:1B:B9:AB:BB:02
# pc 5
192.168.0.5 00:1B:B9:AE:ED:F1
192.168.0.6 00:1B:B9:CF:27:E4
192.168.0.7 00:1B:B9:AE:2F:B9
192.168.0.8 00:1B:B9:AD:19:ED
192.168.0.17 00:1B:B9:CF:23:24
192.168.0.18 00:1B:B9:CF:0A:C8
192.168.0.19 00:1B:B9:80:C6:2B
192.168.0.20 00:1B:B9:CE:57:52
192.168.0.21 00:1B:B9:CF:0A:E6
192.168.0.22 00:1B:B9:AE:28:9D
192.168.0.23 00:1B:B9:CF:1B:80
192.168.0.50 00:19:66:52:10:B2
192.168.0.51 00:19:21:17:5C:98
192.168.0.71 00:04:75:7A:B8:9A
192.168.0.99 00:02:44:89:82:F5
192.168.0.250 00:02:B3:09:71:B4
192.168.0.252 00:19:21:13:57:5D
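It is worth checking this file before the init script reads it: a malformed line makes the arptables or arp call inside the script's loop fail partway through the table, and a duplicated IP is usually a typo that quietly locks a host out. The POSIX shell checker below is an added example, not code from the original post; the function names (is_ipv4, is_mac, validate_arptable), the decision to flag a repeated MAC as well as a repeated IP, and the sample table it writes (two addresses reused from the file above plus deliberately broken lines) are all choices made here.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the /etc/arptables
# mapping file before rc.arptables loads it. One IP and one MAC per line,
# '#' in column 1 starts a comment, exactly as in the file above.

# is_ipv4 ADDR: true when ADDR is a dotted quad with every octet in 0..255
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# is_mac ADDR: true when ADDR is six colon-separated hex pairs
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# validate_arptable FILE: print one line per problem found; return 0 only
# when the file is clean. A duplicate IP would let two MACs answer for one
# address; a duplicate MAC is flagged too because in practice it is a typo
# (this duplicate-MAC rule is an assumption of this example).
validate_arptable() {
    file="$1"
    bad=0
    lineno=0
    seen_ip=" "
    seen_mac=" "
    while read -r ip mac extra || [ -n "$ip" ]; do
        lineno=$((lineno + 1))
        case "$ip" in
            '#'*|'') continue ;;          # comment or blank line
        esac
        if ! is_ipv4 "$ip"; then
            echo "line $lineno: bad IPv4 address '$ip'"
            bad=$((bad + 1)); continue
        fi
        if ! is_mac "$mac"; then
            echo "line $lineno: bad MAC address '$mac'"
            bad=$((bad + 1)); continue
        fi
        if [ -n "$extra" ]; then
            echo "line $lineno: trailing text '$extra' after the MAC"
            bad=$((bad + 1))
        fi
        # arptables prints MACs in lower case; compare in one case only
        mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
        case "$seen_ip" in
            *" $ip "*) echo "line $lineno: duplicate IP $ip"; bad=$((bad + 1)) ;;
        esac
        case "$seen_mac" in
            *" $mac "*) echo "line $lineno: duplicate MAC $mac"; bad=$((bad + 1)) ;;
        esac
        seen_ip="$seen_ip$ip "
        seen_mac="$seen_mac$mac "
    done < "$file"
    [ "$bad" -eq 0 ]
}

# Constructed sample table: two good entries, then a bad octet, a short MAC
# and a duplicated IP, so that each check fires once.
SAMPLE_TABLE="${TMPDIR:-/tmp}/arptables.sample.$$"
cat > "$SAMPLE_TABLE" <<'EOF'
# pc 1
192.168.0.1 00:1B:B9:CF:2A:15
192.168.0.2 00:1B:B9:AE:20:0B
192.168.0.300 00:1B:B9:CF:03:C3
192.168.0.4 00:1B:B9:AB
192.168.0.1 00:1B:B9:AE:ED:F1
EOF
trap 'rm -f "$SAMPLE_TABLE"' EXIT

# Real use: validate_arptable /etc/arptables && ./rc.arptables start
if validate_arptable "$SAMPLE_TABLE"; then
    echo "$SAMPLE_TABLE: ok"
else
    echo "$SAMPLE_TABLE: fix the lines above before running rc.arptables start"
fi
```

On the constructed sample the checker reports line 4 (octet 300), line 5 (MAC with only four pairs) and line 6 (192.168.0.1 listed twice) and exits non-zero; the real table from the post passes. Because the loop reads the file by redirection rather than through a pipe, the counters survive the loop, which is the usual pitfall when porting this to a `grep | while` construction.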

Second, write an init-style script. It protects the Linux LAN interface from ARP poisoning; the WAN interfaces must be declared in it so that ARP requests and replies to and from the WAN ports are not dropped by arptables:

#!/bin/sh
PATH=/bin:/usr/bin

# Script to make Linux immune to ARP poisoning (ARP spoofing)
# File: rc.arptables

# Parameters
ARPTABLES="/sbin/arptables"
ARP="/usr/sbin/arp"

# ARP table file (IP & MAC address pairs, separated by whitespace), e.g.:
# 192.168.1.100 00:14:BF:CC:9F:07
FARPTABLE="/etc/arptables"

# Put your LOCAL (LAN) interface here
INT="eth0"
# Put your WAN interfaces here
WAN1="eth1"
WAN2="eth2"
WAN3="eth3"
WAN4="eth4"

if [ ! -e "$FARPTABLE" ]; then echo "$FARPTABLE not found"; exit 0; fi
if [ ! -x "$ARPTABLES" ]; then echo "$ARPTABLES not found"; exit 0; fi

arptables_flush() {
  # Flush table:
  # reset the default policies in the filter table,
  $ARPTABLES -P INPUT ACCEPT
  $ARPTABLES -P OUTPUT ACCEPT
  # flush all the rules in the filter table,
  $ARPTABLES -F
  # and erase all chains that are not default in the filter table.
  $ARPTABLES -X
}

case "$1" in
  start)
    echo -n "Starting arptables:"

    arptables_flush

    #
    # Filter table
    # Accept all ARP on the WAN interfaces; these rules are matched before
    # the chain policy is consulted.
    #
    $ARPTABLES -A INPUT -j ACCEPT -i $WAN1
    $ARPTABLES -A INPUT -j ACCEPT -i $WAN2
    $ARPTABLES -A INPUT -j ACCEPT -i $WAN3
    $ARPTABLES -A INPUT -j ACCEPT -i $WAN4
    # A chain policy applies to the whole chain, not to one interface, so
    # everything not accepted by a rule (i.e. ARP on $INT from hosts that
    # are not in the table) is dropped.
    $ARPTABLES -P INPUT DROP
    $ARPTABLES -A OUTPUT -j ACCEPT -o $WAN1
    $ARPTABLES -A OUTPUT -j ACCEPT -o $WAN2
    $ARPTABLES -A OUTPUT -j ACCEPT -o $WAN3
    $ARPTABLES -A OUTPUT -j ACCEPT -o $WAN4
    $ARPTABLES -P OUTPUT DROP

    # Accept ARP on the LAN interface only for the IP/MAC pairs in the
    # table, and pin each pair as a static ARP entry so a spoofed reply
    # cannot overwrite it. Lines starting with '#' and blank lines are
    # skipped; fields are split on whitespace, so tabs work as well.
    grep -v '^#' "$FARPTABLE" |
    while read -r IP MAC REST
    do
      [ -z "$IP" ] && continue
      $ARPTABLES -A INPUT -s "$IP" --source-mac "$MAC" -j ACCEPT -i $INT
      $ARPTABLES -A OUTPUT -d "$IP" --destination-mac "$MAC" -j ACCEPT -o $INT
      $ARP -i $INT -s "$IP" "$MAC"
    done
    touch /tmp/ARPTABLES
    echo "."
    ;;
  stop)
    echo -n "Stopping arptables:"
    arptables_flush
    # Remove the static ARP entries again
    grep -v '^#' "$FARPTABLE" |
    while read -r IP REST
    do
      [ -z "$IP" ] && continue
      $ARP -i $INT -d "$IP"
    done
    rm -f /tmp/ARPTABLES
    echo "."
    ;;
  stat)
    if [ -f /tmp/ARPTABLES ]; then
      echo "arptables is on."
    else
      echo "arptables is off."
    fi
    $ARPTABLES -L -n
    ;;
  *)
    echo "Usage: $0 {start|stop|stat}"
    exit 1
    ;;
esac

Once the script is written, run it:

# chmod 755 rc.arptables
# ./rc.arptables stat
arptables is off.
Chain INPUT (policy ACCEPT) 

Chain OUTPUT (policy ACCEPT)

Chain FORWARD (policy ACCEPT)
# ./rc.arptables start
Starting arptables:.
# ./rc.arptables stat
arptables is on.
Chain INPUT (policy DROP)
-j ACCEPT -s 192.168.0.1 --src-mac 00:1b:b9:cf:2a:15
-j ACCEPT -s 192.168.0.2 --src-mac 00:1b:b9:ae:20:0b
-j ACCEPT -s 192.168.0.3 --src-mac 00:1b:b9:cf:03:c3
-j ACCEPT -s 192.168.0.4 --src-mac 00:1b:b9:ab:bb:02
-j ACCEPT -s 192.168.0.5 --src-mac 00:1b:b9:ae:ed:f1
-j ACCEPT -s 192.168.0.6 --src-mac 00:1b:b9:cf:27:e4
-j ACCEPT -s 192.168.0.7 --src-mac 00:1b:b9:ae:2f:b9
-j ACCEPT -s 192.168.0.8 --src-mac 00:1b:b9:ad:19:ed
-j ACCEPT -s 192.168.0.17 --src-mac 00:1b:b9:cf:23:24
-j ACCEPT -s 192.168.0.18 --src-mac 00:1b:b9:cf:0a:c8
-j ACCEPT -s 192.168.0.19 --src-mac 00:1b:b9:80:c6:2b
-j ACCEPT -s 192.168.0.20 --src-mac 00:1b:b9:ce:57:52
-j ACCEPT -s 192.168.0.21 --src-mac 00:1b:b9:cf:0a:e6
-j ACCEPT -s 192.168.0.22 --src-mac 00:1b:b9:ae:28:9d
-j ACCEPT -s 192.168.0.23 --src-mac 00:1b:b9:cf:1b:80
-j ACCEPT -s 192.168.0.50 --src-mac 00:19:66:52:10:b2
-j ACCEPT -s 192.168.0.51 --src-mac 00:19:21:17:5c:98
-j ACCEPT -s 192.168.0.71 --src-mac 00:04:75:7a:b8:9a
-j ACCEPT -s 192.168.0.99 --src-mac 00:02:44:89:82:f5
-j ACCEPT -s 192.168.0.250 --src-mac 00:02:b3:09:71:b4
-j ACCEPT -s 192.168.0.252 --src-mac 00:19:21:13:57:5d  

Chain OUTPUT (policy DROP)
-j ACCEPT -d 192.168.0.1 --dst-mac 00:1b:b9:cf:2a:15
-j ACCEPT -d 192.168.0.2 --dst-mac 00:1b:b9:ae:20:0b
-j ACCEPT -d 192.168.0.3 --dst-mac 00:1b:b9:cf:03:c3
-j ACCEPT -d 192.168.0.4 --dst-mac 00:1b:b9:ab:bb:02
-j ACCEPT -d 192.168.0.5 --dst-mac 00:1b:b9:ae:ed:f1
-j ACCEPT -d 192.168.0.6 --dst-mac 00:1b:b9:cf:27:e4
-j ACCEPT -d 192.168.0.7 --dst-mac 00:1b:b9:ae:2f:b9
-j ACCEPT -d 192.168.0.8 --dst-mac 00:1b:b9:ad:19:ed
-j ACCEPT -d 192.168.0.17 --dst-mac 00:1b:b9:cf:23:24
-j ACCEPT -d 192.168.0.18 --dst-mac 00:1b:b9:cf:0a:c8
-j ACCEPT -d 192.168.0.19 --dst-mac 00:1b:b9:80:c6:2b
-j ACCEPT -d 192.168.0.20 --dst-mac 00:1b:b9:ce:57:52
-j ACCEPT -d 192.168.0.21 --dst-mac 00:1b:b9:cf:0a:e6
-j ACCEPT -d 192.168.0.22 --dst-mac 00:1b:b9:ae:28:9d
-j ACCEPT -d 192.168.0.23 --dst-mac 00:1b:b9:cf:1b:80
-j ACCEPT -d 192.168.0.50 --dst-mac 00:19:66:52:10:b2
-j ACCEPT -d 192.168.0.51 --dst-mac 00:19:21:17:5c:98
-j ACCEPT -d 192.168.0.71 --dst-mac 00:04:75:7a:b8:9a
-j ACCEPT -d 192.168.0.99 --dst-mac 00:02:44:89:82:f5
-j ACCEPT -d 192.168.0.250 --dst-mac 00:02:b3:09:71:b4
-j ACCEPT -d 192.168.0.252 --dst-mac 00:19:21:13:57:5d 

Chain FORWARD (policy DROP)

Now let us try deleting the ARP cache entries that hold the MAC addresses of the WAN-side gateways:

# arp -i eth1 -d 192.168.1.1; arp -i eth2 -d 192.168.2.1
# arp -i eth3 -d 192.168.1.9; arp -i eth4 -d 192.168.1.5

Then look at the ARP table to see whether those entries are really gone. If they are "not gone", that is because the WAN interfaces are active as gateways to the internet, so their ARP entries are refilled immediately. This shows that ARP still flows normally on the WAN interfaces while the script is loaded, so the script above is suitable for protecting a Linux router from ARP spoofing / ARP poisoning on the LAN interface:

# arp -n| grep -v CM
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.9              ether   00:0B:2B:32:C3:C4   C                     eth3
192.168.1.5              ether   00:0B:2B:32:C3:86   C                     eth4
192.168.2.1              ether   00:04:ED:6D:41:AE   C                     eth2
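The same `arp -n` listing can be checked mechanically against the /etc/arptables file on the LAN side: with the static entries in place, every complete neighbour on the LAN interface should carry exactly the MAC on record, so a neighbour whose MAC differs (the symptom the static entries are meant to prevent) or a neighbour that is not in the file at all deserves a look. The script below is an added example, not part of the original post. The function names (expected_mac, arp_findings, check_arp_cache), the table it writes (three pairs reused from the file above) and the `arp -n` dump with the addresses 00:aa:bb:cc:dd:ee and 00:11:22:33:44:55 are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): compare a captured `arp -n`
# listing with the /etc/arptables mapping file. On the LAN interface every
# complete neighbour entry should carry exactly the MAC on record.

# expected_mac TABLE IP: print the MAC the table records for IP, in lower
# case, or nothing when IP is not listed. Comment lines are skipped.
expected_mac() {
    awk -v ip="$2" '$1 !~ /^#/ && $1 == ip { print tolower($2); exit }' "$1"
}

# arp_findings TABLE ARPDUMP IFACE: print one line per neighbour on IFACE
# whose MAC differs from the table (MISMATCH) or that is absent from it
# (UNLISTED). ARPDUMP is a file holding `arp -n` output. Only rows with
# HWtype "ether" are examined, which drops "(incomplete)" entries; the
# interface is taken from the last column because Mask is usually empty.
arp_findings() {
    table="$1"; dump="$2"; iface="$3"
    awk -v want="$iface" \
        'NR > 1 && $2 == "ether" && $NF == want { print $1, tolower($3) }' "$dump" |
    while read -r ip mac; do
        rec=$(expected_mac "$table" "$ip")
        if [ -z "$rec" ]; then
            echo "UNLISTED $ip is $mac on $iface but has no entry in $table"
        elif [ "$rec" != "$mac" ]; then
            echo "MISMATCH $ip is $mac on $iface, table says $rec"
        fi
    done
}

# check_arp_cache TABLE ARPDUMP IFACE: print the findings and return 1 if
# there are any, 0 when the cache agrees with the table.
check_arp_cache() {
    out=$(arp_findings "$@")
    if [ -z "$out" ]; then
        return 0
    fi
    printf '%s\n' "$out"
    return 1
}

# Constructed sample data. The table reuses three entries from the file
# above; the arp -n dump has one host whose MAC changed (192.168.0.2), one
# host not in the table (192.168.0.9), an incomplete entry and a WAN-side
# neighbour on eth3 that must be ignored when eth0 is checked.
SAMPLE_TABLE="${TMPDIR:-/tmp}/arptables.table.$$"
SAMPLE_DUMP="${TMPDIR:-/tmp}/arp-n.dump.$$"
trap 'rm -f "$SAMPLE_TABLE" "$SAMPLE_DUMP"' EXIT
cat > "$SAMPLE_TABLE" <<'EOF'
# pc 1
192.168.0.1 00:1B:B9:CF:2A:15
# pc 2
192.168.0.2 00:1B:B9:AE:20:0B
192.168.0.3 00:1B:B9:CF:03:C3
EOF
cat > "$SAMPLE_DUMP" <<'EOF'
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.0.1              ether   00:1b:b9:cf:2a:15   CM                    eth0
192.168.0.2              ether   00:aa:bb:cc:dd:ee   C                     eth0
192.168.0.9              ether   00:11:22:33:44:55   C                     eth0
192.168.0.5                      (incomplete)                              eth0
192.168.1.9              ether   00:0B:2B:32:C3:C4   C                     eth3
EOF

# Real use: arp -n > /tmp/arp.now; check_arp_cache /etc/arptables /tmp/arp.now eth0
check_arp_cache "$SAMPLE_TABLE" "$SAMPLE_DUMP" eth0 || echo "ARP cache on eth0 differs from the table"
```

On the sample the check reports a MISMATCH for 192.168.0.2 and an UNLISTED host 192.168.0.9, and ignores both the incomplete entry and the eth3 neighbour; run for eth0 on the real router it is a cheap cron-job check that the static entries are still in place after a reboot or a manual `arp -d`.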

If you want rc.arptables to run as an init script automatically at every boot, on a Debian-family distro:

# cp rc.arptables /etc/init.d/
# cd /etc/init.d
# chmod 755 rc.arptables
# update-rc.d rc.arptables start 20 2 3 4 5 . stop 20 1 6 .

Slackware and its derivatives:

# cp rc.arptables /etc/rc.d/
# cd /etc/rc.d
# chmod 755 rc.arptables
# echo "if [ -x /etc/rc.d/rc.arptables ]; then /etc/rc.d/rc.arptables start; fi" >> rc.local
# echo "if [ -x /etc/rc.d/rc.arptables ]; then /etc/rc.d/rc.arptables stop; fi" >> rc.local_shutdown

Those are the steps to make Linux immune to ARP poisoning / ARP spoofing.


About Ronny Tri Asmara
University Student | Computer Technician | Programmer | Webmaster | Blogger | Pusamania | Metalheads
