
FAIL2BAN

ruslan@umm.ac.id

Fail2Ban is an open-source intrusion prevention system written in Python. It monitors system log files such as /var/log/pwdfail, /var/log/auth.log and /var/log/secure, and blocks an IP address that has tried to log in with a wrong password a number of times. The block is applied through iptables (other actions, such as hostsdeny, shorewall and ipfw, appear in the jail file below). Unlike DenyHosts, which covers SSH only, Fail2ban can protect any service that records its failures in a log file, for example SMTP, HTTP and FTP.

Installing Fail2ban on CentOS 6.3

Fail2Ban is not installed by default. The package comes from the EPEL repository (see the Repository column in the output), so EPEL has to be enabled on the host first. Install it as follows:

[root@dl ~]# yum install fail2ban -y
===============================================================
 Package          Arch    Version          Repository   Size
===============================================================
Installing:
 fail2ban         noarch  0.8.8-2.el6      epel        141 k
Installing for dependencies:
 gamin-python     x86_64  0.1.10-9.el6     base         33 k
 perl-Digest-SHA  x86_64  1:5.47-127.el6   base         62 k
 python-inotify   noarch  0.9.1-1.el6      epel         50 k
 shorewall        noarch  4.5.4-1.el6      epel        517 k
 shorewall-core   noarch  4.5.4-1.el6      epel         64 k
 tcp_wrappers     x86_64  7.6-57.el6       base         61 k

Transaction Summary
===============================================================
Install       7 Package(s)

Total download size: 928 k
Installed size: 3.2 M
Is this ok [y/N]: y

Configuring Fail2ban

Fail2ban can be configured with vi, nano or any other editor you are comfortable with. The main configuration file is /etc/fail2ban/jail.conf. As the header of that file itself says, in most cases jail.conf should be left as shipped and site-specific changes placed in /etc/fail2ban/jail.local, which fail2ban reads after jail.conf and which overrides it.

[root@dl ~]# vi /etc/fail2ban/jail.conf

Below is the default fail2ban configuration:

# Fail2Ban jail specifications file
#
# Comments: use '#' for comment lines and ';' for inline comments
#
# Changes:  in most of the cases you should not modify this
#           file, but provide customizations in jail.local file, e.g.:
#
# [DEFAULT]
# bantime = 3600
#
# [ssh-iptables]
# enabled = true
#

[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 600
findtime = 600
maxretry = 3
backend  = auto
usedns   = warn

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/secure

maxretry = 5

[proftpd-iptables]
enabled  = false
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=you@example.com]
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6

[sasl-iptables]
enabled  = false
filter   = sasl
backend  = polling
action   = iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail-whois[name=sasl, dest=you@example.com]
logpath  = /var/log/mail.log

[ssh-tcpwrapper]
enabled     = false
filter      = sshd
action      = hostsdeny
              sendmail-whois[name=SSH, dest=you@example.com]
ignoreregex = for myuser from
logpath     = /var/log/sshd.log

[apache-tcpwrapper]
enabled  = false
filter   = apache-auth
action   = hostsdeny
logpath  = /var/log/apache*/*error.log
           /home/www/myhomepage/error.log
maxretry = 6

[postfix-tcpwrapper]
enabled  = false
filter   = postfix
action   = hostsdeny[file=/not/a/standard/path/hosts.deny]
           sendmail[name=Postfix, dest=you@example.com]
logpath  = /var/log/postfix.log
bantime  = 300

[vsftpd-notification]
enabled  = false
filter   = vsftpd
action   = sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800

[vsftpd-iptables]
enabled  = false
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800

[apache-badbots]
enabled  = false
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
           sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]
logpath  = /var/www/*/logs/access_log
bantime  = 172800

maxretry = 1

[apache-shorewall]
enabled  = false
filter   = apache-noscript
action   = shorewall
           sendmail[name=Postfix, dest=you@example.com]
logpath  = /var/log/apache2/error_log

[php-url-fopen]
enabled  = false
port     = http,https
filter   = php-url-fopen
logpath  = /var/www/*/logs/access_log
maxretry = 1

[lighttpd-fastcgi]
enabled  = false
port     = http,https
filter   = lighttpd-fastcgi
# adapt the following two items as needed
logpath  = /var/log/lighttpd/error.log
maxretry = 2

[lighttpd-auth]
enabled  = false
port     = http,https
filter   = lighttpd-auth
# adapt the following two items as needed
logpath  = /var/log/lighttpd/error.log
maxretry = 2


[ssh-ipfw]
enabled  = false
filter   = sshd
action   = ipfw[localhost=192.168.0.1]
           sendmail-whois[name="SSH,IPFW", dest=you@example.com]
logpath  = /var/log/auth.log
ignoreip = 168.192.0.1

# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# };
#
# in your named.conf to provide proper logging.

# This jail blocks UDP traffic for DNS requests.

# !!! WARNING !!!
#   Since UDP is connection-less protocol, spoofing of IP and imitation
#   of illegal actions is way too simple.  Thus enabling of this filter
#   might provide an easy way for implementing a DoS against a chosen
#   victim. See
#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
#   Please DO NOT USE this jail unless you know what you are doing.
#
# [named-refused-udp]
# enabled  = false
# filter   = named-refused
# action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
#            sendmail-whois[name=Named, dest=you@example.com]
# logpath  = /var/log/named/security.log
# ignoreip = 168.192.0.1

[named-refused-tcp]
enabled  = false
filter   = named-refused
action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
           sendmail-whois[name=Named, dest=you@example.com]
logpath  = /var/log/named/security.log
ignoreip = 168.192.0.1

[asterisk-tcp]
enabled  = false
filter   = asterisk
action   = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]
           sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
logpath  = /var/log/asterisk/messages
maxretry = 10

[asterisk-udp]
enabled  = false
filter   = asterisk
action   = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]
           sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
logpath  = /var/log/asterisk/messages

maxretry = 10

[recidive]
enabled  = false
filter   = recidive
logpath  = /var/log/fail2ban.log
action   = iptables-allports[name=recidive]
           sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
maxretry = 5

The lines of the [DEFAULT] section above mean the following:

ignoreip : IP addresses or networks that are never banned, however many failed logins come from them. Make sure the address or network the server administrators connect from is on this line; otherwise a few typos at the SSH prompt lock the administrator out for bantime seconds. Multiple entries are separated by spaces.

bantime : how long, in seconds, a host stays banned. The default is 600 seconds (10 minutes); raise it to suit the server.

findtime : the length of the window, in seconds, within which failed attempts are counted. If a host reaches maxretry failures within findtime seconds it is banned automatically. The default is 600 seconds (10 minutes).

maxretry : the number of failed attempts a host is allowed within findtime before it is banned. The default is 3, but a jail may set its own value; the ssh-iptables jail above sets 5, and the jail-level value wins.

For layered protection of the system, adjust these defaults to the needs of the server.
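The tutorial edits jail.conf directly, but the file's own header asks for changes to go into jail.local. The following is an added example, not part of the original tutorial and not fail2ban's own code: it writes such an override and reads back the value fail2ban will actually use for a jail (jail section before [DEFAULT], jail.local before jail.conf), so that a setting such as maxretry, which the page sets to 3 in [DEFAULT] and to 5 in [ssh-iptables], can be checked before the service is reloaded. FAIL2BAN_DIR, the 192.0.2.0/24 admin network and the write_sample_jail_conf stand-in for the packaged file are assumptions made so the functions can be run against a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original tutorial or from fail2ban itself.
# fail2ban loads jail.conf and then jail.local into one configuration, so
# a value set in jail.local replaces the packaged default. FAIL2BAN_DIR is an
# assumed variable that lets the functions be pointed at a scratch directory.
FAIL2BAN_DIR=${FAIL2BAN_DIR:-/etc/fail2ban}

# Site overrides. 192.0.2.0/24 stands in for the admin network (an assumption);
# the address you administer from must be in ignoreip, or a few typos at the
# SSH prompt lock you out for bantime seconds.
write_jail_local() {
  cat > "$FAIL2BAN_DIR/jail.local" <<'EOF'
[DEFAULT]
ignoreip = 127.0.0.1/8 192.0.2.0/24
bantime  = 3600
findtime = 600
maxretry = 3

[ssh-iptables]
enabled  = true
maxretry = 3
EOF
}

# Constructed stand-in for the packaged jail.conf, carrying only the values
# from the default file shown in the tutorial. Only needed outside a real
# installation, where jail.conf already exists.
write_sample_jail_conf() {
  cat > "$FAIL2BAN_DIR/jail.conf" <<'EOF'
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 600
findtime = 600
maxretry = 3

[ssh-iptables]
enabled  = true
filter   = sshd
logpath  = /var/log/secure
maxretry = 5
EOF
}

# ini_get FILE SECTION OPTION: print the option's value from one section of
# one file (first match), skipping comment lines and "; inline" comments.
ini_get() {
  awk -v sec="[$2]" -v opt="$3" '
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/   { s = $0; gsub(/[ \t]/, "", s); insec = (s == sec); next }
    insec {
      n = index($0, "=")
      if (n == 0) next
      k = substr($0, 1, n - 1); gsub(/[ \t]/, "", k)
      if (k != opt) next
      v = substr($0, n + 1)
      sub(/^[ \t]+/, "", v); sub(/[ \t]*;.*$/, "", v); sub(/[ \t]+$/, "", v)
      print v; exit
    }' "$1"
}

# lookup SECTION OPTION: jail.local is consulted before jail.conf.
lookup() {
  for f in jail.local jail.conf; do
    if [ -f "$FAIL2BAN_DIR/$f" ]; then
      v=$(ini_get "$FAIL2BAN_DIR/$f" "$1" "$2")
      if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    fi
  done
  return 1
}

# effective_setting JAIL OPTION: the value fail2ban will use for the jail,
# i.e. the jail's own section first, then [DEFAULT], each across both files.
effective_setting() {
  lookup "$1" "$2" || lookup DEFAULT "$2" || echo ""
}

# Typical use on the real host, as root:
#   write_jail_local
#   effective_setting ssh-iptables maxretry   # 3 from jail.local, not 5 from jail.conf
#   effective_setting ssh-iptables ignoreip   # confirm the admin network is listed
#   fail2ban-client reload
```

Because jail.local is a complete override layer, a jail section in it only needs the keys you change; everything else is still taken from jail.conf, which is why effective_setting for logpath in the example still returns /var/log/secure.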

Configuring ssh-iptables in Fail2Ban

The ssh-iptables jail is enabled by default, so nothing needs to be changed for SSH:

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/secure
maxretry = 5

Each line of this configuration means the following:

enabled : whether the SSH jail is active.

filter : the filter that recognises a failed login; sshd refers to /etc/fail2ban/filter.d/sshd.conf.

action : what is done with a host that reaches maxretry; iptables refers to /etc/fail2ban/action.d/iptables.conf and creates the fail2ban-SSH chain shown below, sendmail-whois to /etc/fail2ban/action.d/sendmail-whois.conf. To keep track of bans, set dest to an e-mail address that is actually read (the default is root).

logpath : the log file fail2ban watches for sshd failures; on CentOS this is /var/log/secure.

maxretry : the number of failed attempts allowed before the host is banned; the value here (5) overrides the 3 set in [DEFAULT].

Starting the Fail2Ban service

[root@dl ~]# chkconfig fail2ban on
[root@dl ~]# /etc/init.d/fail2ban start

Verifying the Fail2Ban rules in iptables

Check the rules fail2ban has added to iptables automatically:

[root@dl ~]# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target        prot opt source      destination
fail2ban-SSH  tcp  --  anywhere    anywhere    tcp dpt:ssh
ACCEPT        all  --  anywhere    anywhere    state RELATED,ESTABLISHED
ACCEPT        icmp --  anywhere    anywhere
ACCEPT        all  --  anywhere    anywhere
ACCEPT        tcp  --  anywhere    anywhere    state NEW tcp dpt:ssh
REJECT        all  --  anywhere    anywhere    reject-with icmp-host-prohibited


Chain FORWARD (policy DROP)
target        prot opt source      destination
REJECT        all  --  anywhere    anywhere    reject-with icmp-host-prohibited

Chain OUTPUT (policy DROP)
target        prot opt source      destination
ACCEPT        all  --  anywhere    anywhere
ACCEPT        all  --  anywhere    anywhere

Chain fail2ban-SSH (1 references)
target        prot opt source      destination
DROP          all  --  10.x.x.x    anywhere
RETURN        all  --  anywhere    anywhere

[root@dl ~]#

The output shows that fail2ban has already banned one host: the DROP rule for 10.x.x.x in the fail2ban-SSH chain. The RETURN rule at the end of that chain hands every other packet back to the INPUT chain, where the normal rules apply.

Viewing failed SSH logins

To see the failed SSH login attempts, run:

[root@dl ~]# cat /var/log/secure | grep 'Failed password' | sort | uniq -c
15 Feb 15 16:20:04 dl sshd[2939]: Failed password for root from 10.x.x.x port 59392 ssh2
15 Feb 15 16:20:08 dl sshd[2939]: Failed password for root from 10.x.x.x port 59392 ssh2
15 Feb 15 16:20:12 dl sshd[2939]: Failed password for root from 10.x.x.x port 59392 ssh2
15 Feb 15 16:20:20 dl sshd[2941]: Failed password for root from 10.x.x.x port 59393 ssh2
15 Feb 15 16:20:24 dl sshd[2941]: Failed password for root from 10.x.x.x port 59393 ssh2
[root@dl ~]#

Note that uniq -c only merges identical lines, and each log line carries its own timestamp and port, so this gives a list of attempts rather than a count per source address.

Removing an IP address from Fail2Ban

To remove an address from the fail2ban rules in iptables, delete its rule from the fail2ban-SSH chain (iptables chain names are case-sensitive; rule 1 is the first DROP line shown above):

[root@dl ~]# /sbin/iptables -D fail2ban-SSH 1

Deleting the rule this way does not tell fail2ban itself that the ban is over: it still regards the host as banned until bantime expires, at which point it runs its own unban. If the installed fail2ban-client supports it (fail2ban-client -h lists the commands), fail2ban-client set ssh-iptables unbanip <address> removes the rule and updates fail2ban's own list in one step.
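The [DEFAULT] explanation above describes the findtime window and the maxretry threshold, and the grep pipeline lists failed logins without counting them per source. The following added example, which is not part of the original tutorial and not fail2ban's own code, replays /var/log/secure lines through the same decision fail2ban's sshd filter makes: failures are counted per source address inside a sliding findtime window, ignoreip entries (plain addresses or a.b.c.d/n) are skipped, and the address is reported together with the moment it reaches maxretry. The SAMPLE_LOG lines are constructed, not a real capture, and the timestamp arithmetic assumes a single, non-leap year of logs.

```shell
#!/bin/sh
# Added example, not from the original tutorial or from fail2ban itself:
# per-address failure counting with a findtime window, maxretry threshold
# and ignoreip list, the logic behind the ssh-iptables jail.

# Constructed sample of /var/log/secure (not a real capture): one host fails
# five times within twenty seconds, the other spreads its attempts out, and
# one successful login must not be counted.
SAMPLE_LOG='Feb 15 16:20:04 dl sshd[2939]: Failed password for root from 10.0.0.5 port 59392 ssh2
Feb 15 16:20:08 dl sshd[2939]: Failed password for root from 10.0.0.5 port 59392 ssh2
Feb 15 16:20:12 dl sshd[2939]: Failed password for root from 10.0.0.5 port 59392 ssh2
Feb 15 16:20:20 dl sshd[2941]: Failed password for invalid user admin from 10.0.0.5 port 59393 ssh2
Feb 15 16:20:24 dl sshd[2941]: Failed password for root from 10.0.0.5 port 59393 ssh2
Feb 15 16:25:00 dl sshd[2950]: Failed password for root from 10.0.0.9 port 40001 ssh2
Feb 15 16:40:00 dl sshd[2951]: Failed password for root from 10.0.0.9 port 40002 ssh2
Feb 15 16:41:00 dl sshd[2952]: Accepted password for ruslan from 10.0.0.9 port 40003 ssh2
Feb 15 17:05:00 dl sshd[2960]: Failed password for root from 10.0.0.9 port 40004 ssh2
Feb 15 17:06:00 dl sshd[2961]: Failed password for root from 10.0.0.9 port 40005 ssh2
Feb 15 17:07:00 dl sshd[2962]: Failed password for root from 10.0.0.9 port 40006 ssh2'

# ban_candidates FINDTIME MAXRETRY [IGNOREIP ...]  (log lines on stdin)
# Prints "BAN <ip> <count> <timestamp>" once per address, at the line on
# which the count inside the window first reaches MAXRETRY.
ban_candidates() {
  findtime=$1; maxretry=$2; shift 2
  awk -v findtime="$findtime" -v maxretry="$maxretry" -v ignorelist="$*" '
  BEGIN {
    # cumulative days before each month (non-leap year), for timestamps
    split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mn, " ")
    split("0 31 59 90 120 151 181 212 243 273 304 334", md, " ")
    for (i = 1; i <= 12; i++) moff[mn[i]] = md[i]
    nignore = split(ignorelist, ignore, " ")
  }
  function ip2int(ip,   o) { split(ip, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
  # true when ip falls inside any ignoreip entry (host or CIDR prefix)
  function ignored(ip,   i, p, bits, scale) {
    for (i = 1; i <= nignore; i++) {
      bits = (split(ignore[i], p, "/") == 2) ? p[2] + 0 : 32
      scale = 2 ^ (32 - bits)
      if (int(ip2int(ip) / scale) == int(ip2int(p[1]) / scale)) return 1
    }
    return 0
  }
  # seconds since the start of the year from a syslog "Mon DD HH:MM:SS"
  function ts(mon, day, hms,   t) {
    split(hms, t, ":")
    return (moff[mon] + day) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
  }
  /sshd\[[0-9]+\]: Failed (password|publickey) for .* from [0-9.]+ port/ {
    match($0, / from [0-9.]+ port/)
    ip = substr($0, RSTART + 6, RLENGTH - 11)
    if (ignored(ip)) next
    now = ts($1, $2, $3)
    if (!(ip in head)) { head[ip] = 1; tail[ip] = 0 }
    tail[ip]++
    times[ip, tail[ip]] = now
    # drop failures that fell out of the findtime window
    while (times[ip, head[ip]] < now - findtime) head[ip]++
    if (tail[ip] - head[ip] + 1 >= maxretry && !(ip in banned)) {
      banned[ip] = 1
      print "BAN", ip, tail[ip] - head[ip] + 1, $1, $2, $3
    }
  }'
}

# On the host from the tutorial, with the ssh-iptables jail values:
#   ban_candidates 600 5 127.0.0.1/8 < /var/log/secure
```

Running the sample with findtime 600 and maxretry 3 flags 10.0.0.5 at 16:20:12 and 10.0.0.9 only at 17:07:00, because its earlier attempts fell out of the ten-minute window; with findtime 3600 the second host is flagged at 17:05:00, and with 10.0.0.0/29 in the ignore list the first host is never reported. Those are exactly the knobs the [DEFAULT] section exposes.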

