Blocking Virus Packets on a Cisco Router

Sharing my experience handling a virus at a branch office, partly as documentation and partly in the hope of getting comments from friends who have more experience :D

It started when I was wondering how to find out, remotely and quickly, which PCs at a branch office are infected, especially with the current kind of virus that floods the network with junk packets. The idea is to use an ACL (access-list); after googling here and there I finally understood access-lists hehe..

Below is an example of the ACL used, with the example branch IP 10.83.17.0/24 going to the head-office IP 10.3.0.0/16, allowing only the ports for file sharing (445), printer sharing (137, 138 and 139), telnet (23) and ICMP for diagnostics; packets to anything other than those ports are blocked and logged.

ip access-list ext 102
permit tcp 10.83.17.0 0.0.0.255 10.83.17.0 0.0.0.255 eq 445
permit tcp 10.83.17.0 0.0.0.255 10.83.17.0 0.0.0.255 eq 139
permit tcp 10.83.17.0 0.0.0.255 10.83.17.0 0.0.0.255 eq 23
permit udp 10.83.17.0 0.0.0.255 10.83.17.0 0.0.0.255 eq 137
permit udp 10.83.17.0 0.0.0.255 10.83.17.0 0.0.0.255 eq 138
permit icmp 10.83.17.0 0.0.0.255 10.83.17.0 0.0.0.255
permit ip 10.83.17.0 0.0.0.255 10.3.0.0 0.0.255.255
deny ip any any log

Notes on the access-list parameters:

ip access-list ext 102 –> an extended access list (numbers from 100 to 1299); with this kind of ACL we can define filter rules down to the port and application protocol.

syntax: permit | deny [protocol type] [source network] [wildcard mask] [destination network] [wildcard mask] [comparison operator] [port number]
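How a router walks these entries, as an added example that is not part of the original post: a small Python model of ACL 102 that applies Cisco wildcard masks and first-match-wins evaluation. The function names are hypothetical, the port after `eq` is treated as the destination port, and the packets in the `__main__` section are constructed.

```python
import ipaddress

def ip_int(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: bits set to 1 are ignored, bits set to 0 must match."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(base) & care)

BRANCH = ("10.83.17.0", "0.0.0.255")
HQ = ("10.3.0.0", "0.0.255.255")
ANY = ("0.0.0.0", "255.255.255.255")  # the keyword "any"

# ACL 102 from the post: (action, protocol, source, destination, dst port or None)
ACL_102 = [
    ("permit", "tcp", BRANCH, BRANCH, 445),
    ("permit", "tcp", BRANCH, BRANCH, 139),
    ("permit", "tcp", BRANCH, BRANCH, 23),
    ("permit", "udp", BRANCH, BRANCH, 137),
    ("permit", "udp", BRANCH, BRANCH, 138),
    ("permit", "icmp", BRANCH, BRANCH, None),
    ("permit", "ip", BRANCH, HQ, None),
    ("deny", "ip", ANY, ANY, None),  # the entry that carries "log"
]

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, 1-based entry number) of the first entry that matches."""
    for idx, (action, ace_proto, s, d, port) in enumerate(acl, start=1):
        if ace_proto != "ip" and ace_proto != proto:
            continue  # "ip" matches every protocol
        if not wildcard_match(src, *s) or not wildcard_match(dst, *d):
            continue
        if port is not None and port != dport:
            continue
        return action, idx
    return "deny", None  # implicit deny at the end of every ACL

if __name__ == "__main__":
    # Constructed packets: one to the head office, one to a public address.
    for pkt in [("tcp", "10.83.17.31", "10.3.1.5", 8080),
                ("tcp", "10.83.17.31", "204.39.90.60", 80)]:
        print(pkt, "->", evaluate(ACL_102, *pkt))
```
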

The access-list is applied on the interface that faces the LAN, in the inbound traffic direction, with the following command:

ip access-group 102 in

The log can be displayed by enabling the log buffer in global config and then running show log:

R(config)#logging buffered informational

R#show log

Here is a sample of the resulting log.

Feb  8 17:40:29: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.83.17.31(0) -> 204.39.90.60(0), 1 packet
Feb  8 17:40:32: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.83.17.31(0) -> 204.39.90.60(0), 1 packet
Feb  8 17:40:33: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.83.17.22(0) -> 218.64.48.41(0), 1 packet
Feb  8 17:40:35: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.83.17.31(0) -> 57.99.53.89(0), 1 packet
Feb  8 17:40:38: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.83.17.31(0) -> 57.99.53.89(0), 1 packet

Tadaaa.. the IPs of the infected PCs show up :)

regards -NHW- cmiiw
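Reading the offenders out of a longer `show log` capture by eye does not scale, so here is an added example (not part of the original post) that tallies denied packets and distinct destinations per source IP. The function name is hypothetical; the sample lines are the ones shown in the post.

```python
import re
from collections import Counter, defaultdict

# Matches the %SEC-6-IPACCESSLOGP format shown in the post.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Log lines copied from the post.
SAMPLE_LOG = """\
Feb  8 17:40:29: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.83.17.31(0) -> 204.39.90.60(0), 1 packet
Feb  8 17:40:32: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.83.17.31(0) -> 204.39.90.60(0), 1 packet
Feb  8 17:40:33: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.83.17.22(0) -> 218.64.48.41(0), 1 packet
Feb  8 17:40:35: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.83.17.31(0) -> 57.99.53.89(0), 1 packet
Feb  8 17:40:38: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.83.17.31(0) -> 57.99.53.89(0), 1 packet
"""

def suspect_hosts(log_text, acl="102"):
    """Return [(source IP, denied packets, distinct destinations)], busiest first."""
    packets = Counter()
    dests = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["acl"] != acl or m["action"] != "denied":
            continue  # unrelated syslog line, other ACL, or a permit entry
        # Rate-limited summaries report "N packets", so add the count, not 1.
        packets[m["src"]] += int(m["count"])
        dests[m["src"]].add(m["dst"])
    return sorted(
        ((src, n, len(dests[src])) for src, n in packets.items()),
        key=lambda row: (-row[1], row[0]),
    )

if __name__ == "__main__":
    for src, n, ndst in suspect_hosts(SAMPLE_LOG):
        print(f"{src}: {n} denied packets to {ndst} destinations")
```

A LAN host with many denied packets to many different public destinations is the first one to check.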

published 8/Feb/11, edited 11/Feb/11





9 Comments

  1. SGG says:

    Whoa .. this post is so heavy that I don't even understand it .. Btw, what virus is that, Nang??

    • nhw says:

      hehehe.. of course it's different, this isn't a webmaster's daily bread :D
      As far as I know, the virus that usually causes broadcasts is Conficker and its variants; it looks for a way to contact some kind of server or its parent, I guess hehe.. that's why the log shows IPs from a LAN that isn't connected to the internet, yet the packets being sent have internet / public IP destinations

  2. setra says:

    Add a bit about the access-list parameters and whether the access list is applied on the inbound / outbound interface, bro… and how to display the log, to make it more complete… after that, add a post on how to wipe out the virus … Don't use the format move hehehhe

  3. SGG says:

    oOo .. Conficker, Nang .. Compared with Stuxnet, which one is worse?? Btw, what is Linked-in for, Nang, and how do you use it??

  4. Jordan says:

    Reminds me of the old days when I was PJP at LA, hehehe….
    but it looks like something is missing there, Nang: the IP is readable, but why isn't the port?
