FAIL2BAN


Fail2Ban is an open source intrusion prevention system written in the Python programming language. Fail2ban monitors system logs such as /var/log/pwdfail, /var/log/auth.log, /var/log/secure and others. Fail2ban can also block a particular IP address that has been used to log in to the system after several attempts with a wrong password, because fail2ban uses iptables to ban the source of the failed access. Fail2ban is not limited to SSH the way Denyhosts is; it works for any application that uses the TCP protocol, such as SMTP, HTTP and others.


Installing Fail2ban on CentOS 6.3
Fail2Ban is not installed by default. Install it as follows:
[root@dl ~]# yum install fail2ban -y
===============================================================
Package                       Arch     Version           Repository               Size
===============================================================
Installing:
fail2ban                     noarch    0.8.8-2.el6        epel                    141 k
Installing for dependencies:
gamin-python                 x86_64    0.1.10-9.el6       base                     33 k
perl-Digest-SHA              x86_64    1:5.47-127.el6     base                     62 k
python-inotify               noarch    0.9.1-1.el6       epel                      50 k
shorewall                    noarch    4.5.4-1.el6        epel                    517 k
shorewall-core               noarch    4.5.4-1.el6       epel                      64 k
tcp_wrappers                 x86_64    7.6-57.el6        base                      61 k
Transaction Summary
================================================================
Install       7 Package(s)
Total download size: 928 k
Installed size: 3.2 M
Is this ok [y/N]: y

                                                                            ruslan@umm.ac.id
Configuring Fail2ban
Fail2ban can be configured with vi, nano or any other editor you are comfortable with; the main configuration file is /etc/fail2ban/jail.conf. As the header comment of that file says, site-specific changes belong in jail.local rather than in jail.conf itself.


[root@dl ~]# vi /etc/fail2ban/jail.conf
Below is the default fail2ban configuration:
# Fail2Ban jail specifications file
# Comments: use '#' for comment lines and ';' for inline comments
# Changes: in most of the cases you should not modify this
#       file, but provide customizations in jail.local file, e.g.:
#
# [DEFAULT]
# bantime = 3600
#
# [ssh-iptables]
# enabled = true
#


[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 600
findtime = 600
maxretry = 3


backend = auto
usedns = warn


[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
       sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
logpath = /var/log/secure

maxretry = 5


[proftpd-iptables]
enabled = false
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
         sendmail-whois[name=ProFTPD, dest=you@example.com]
logpath = /var/log/proftpd/proftpd.log
maxretry = 6


[sasl-iptables]
enabled = false
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
         sendmail-whois[name=sasl, dest=you@example.com]
logpath = /var/log/mail.log


[ssh-tcpwrapper]
enabled     = false
filter    = sshd
action     = hostsdeny
          sendmail-whois[name=SSH, dest=you@example.com]
ignoreregex = for myuser from
logpath     = /var/log/sshd.log


[apache-tcpwrapper]
enabled = false
filter = apache-auth
action = hostsdeny
logpath = /var/log/apache*/*error.log
         /home/www/myhomepage/error.log
maxretry = 6

[postfix-tcpwrapper]
enabled = false
filter = postfix
action = hostsdeny[file=/not/a/standard/path/hosts.deny]
       sendmail[name=Postfix, dest=you@example.com]
logpath = /var/log/postfix.log
bantime = 300


[vsftpd-notification]
enabled = false
filter = vsftpd
action = sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800


[vsftpd-iptables]
enabled = false
filter = vsftpd
action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
       sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800


[apache-badbots]
enabled = false
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
       sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]
logpath = /var/www/*/logs/access_log
bantime = 172800

maxretry = 1


[apache-shorewall]
enabled = false
filter = apache-noscript
action = shorewall
       sendmail[name=Postfix, dest=you@example.com]
logpath = /var/log/apache2/error_log


[php-url-fopen]
enabled = false
port = http,https
filter = php-url-fopen
logpath = /var/www/*/logs/access_log
maxretry = 1


[lighttpd-fastcgi]
enabled = false
port = http,https
filter = lighttpd-fastcgi
# adapt the following two items as needed
logpath = /var/log/lighttpd/error.log
maxretry = 2


[lighttpd-auth]
enabled = false
port = http,https
filter = lighttpd-auth
# adapt the following two items as needed
logpath = /var/log/lighttpd/error.log
maxretry = 2




[ssh-ipfw]
enabled = false
filter = sshd
action = ipfw[localhost=192.168.0.1]
            sendmail-whois[name="SSH,IPFW", dest=you@example.com]
logpath = /var/log/auth.log
ignoreip = 168.192.0.1


# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#      channel security_file {
#           file "/var/log/named/security.log" versions 3 size 30m;
#           severity dynamic;
#           print-time yes;
#      };
#      category security {
#           security_file;
#      };
# };
#
# in your named.conf to provide proper logging.
# This jail blocks UDP traffic for DNS requests.


# !!! WARNING !!!
# Since UDP is connection-less protocol, spoofing of IP and imitation
# of illegal actions is way too simple. Thus enabling of this filter
# might provide an easy way for implementing a DoS against a chosen
# victim. See
#   http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
# Please DO NOT USE this jail unless you know what you are doing.

#
# [named-refused-udp]
# enabled = false
# filter = named-refused
# action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
#        sendmail-whois[name=Named, dest=you@example.com]
# logpath = /var/log/named/security.log
# ignoreip = 168.192.0.1


[named-refused-tcp]
enabled = false
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
       sendmail-whois[name=Named, dest=you@example.com]
logpath = /var/log/named/security.log
ignoreip = 168.192.0.1


[asterisk-tcp]
enabled = false
filter = asterisk
action = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]
         sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
logpath = /var/log/asterisk/messages
maxretry = 10


[asterisk-udp]
enabled = false
filter = asterisk
action = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]
         sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
logpath = /var/log/asterisk/messages

maxretry = 10


[recidive]
enabled = false
filter = recidive
logpath = /var/log/fail2ban.log
action = iptables-allports[name=recidive]
       sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
bantime = 604800 ; 1 week
findtime = 86400 ; 1 day
maxretry = 5


Each line of the [DEFAULT] section above means the following:
ignoreip: the IP addresses or networks that will never be blocked, even when they fail to access the system. Make sure the address or network that the server administrators connect from is listed here. Multiple addresses or networks are separated by spaces.
bantime: the maximum time a host stays banned by the server. The default is 600 seconds (10 minutes); set it to whatever the server requires.
findtime: the time window in which a host's failed logins are counted. If the number of failures inside this window reaches maxretry, the host is banned automatically. The default is 600 seconds (10 minutes); adjust it as the server requires.
maxretry: the maximum number of failed attempts against the server before the host is banned.
To give the system layered protection, these defaults can be changed to suit the servers in question.
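How ignoreip, findtime, maxretry and bantime interact is easiest to see by replaying a log through the same counting rule. The script below is an added example, not code from the tutorial or from Fail2Ban itself: it reduces the sshd filter to a single regex for the "Failed password" lines shown on this page, uses constructed log lines in the same format, and assumes a fixed year because syslog timestamps carry none.

```python
# Added example, not from the original tutorial: a small model of how the
# [DEFAULT] values (ignoreip, findtime, maxretry, bantime) decide a ban.
# Assumptions: the sshd filter is reduced to one regex for the "Failed
# password" lines shown on the page; the log below is constructed in that
# format; a fixed year is supplied because syslog timestamps carry none.
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FINDTIME = 600                 # [DEFAULT] findtime, seconds
BANTIME = 600                  # [DEFAULT] bantime, seconds
MAXRETRY = 5                   # ssh-iptables overrides the [DEFAULT] value of 3
IGNOREIP = ["127.0.0.1/8"]     # jail.conf lists these separated by spaces

# Stand-in for the failregex in /etc/fail2ban/filter.d/sshd.conf.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

# Constructed log lines in the format of /var/log/secure on the page.
SAMPLE_LOG = """\
Feb 15 15:00:01 dl sshd[2900]: Failed password for root from 10.0.0.5 port 59300 ssh2
Feb 15 16:20:04 dl sshd[2939]: Failed password for root from 10.0.0.5 port 59392 ssh2
Feb 15 16:20:08 dl sshd[2939]: Failed password for root from 10.0.0.5 port 59392 ssh2
Feb 15 16:20:12 dl sshd[2939]: Failed password for root from 10.0.0.5 port 59392 ssh2
Feb 15 16:20:20 dl sshd[2941]: Failed password for root from 10.0.0.5 port 59393 ssh2
Feb 15 16:20:24 dl sshd[2941]: Failed password for root from 10.0.0.5 port 59393 ssh2
Feb 15 16:21:00 dl sshd[2950]: Failed password for root from 127.0.0.1 port 40000 ssh2
Feb 15 16:21:05 dl sshd[2951]: Accepted password for admin from 192.168.1.7 port 50000 ssh2
Feb 15 16:22:00 dl sshd[2952]: Failed password for invalid user test from 192.168.1.9 port 50001 ssh2
""".splitlines()

def is_ignored(ip, ignore_list=IGNOREIP):
    """True when ip lies inside any ignoreip entry (host or CIDR network)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignore_list)

def parse_line(line, year=2013):
    """Return (timestamp, source ip) for a failure line, else None."""
    m = FAILREGEX.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")

def evaluate(lines, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
    """Replay the log; return {ip: (banned_at, unban_at)} for banned hosts."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside findtime
    bans = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if is_ignored(ip) or ip in bans:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:   # expire old failures
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = (ts, ts + timedelta(seconds=bantime))
    return bans

if __name__ == "__main__":
    for ip, (start, end) in evaluate(SAMPLE_LOG).items():
        print(f"ban {ip} at {start:%H:%M:%S}, lift at {end:%H:%M:%S}")
```

Running it with the [DEFAULT] maxretry of 3 instead of the jail's 5 (evaluate(SAMPLE_LOG, maxretry=3)) moves the ban two failures earlier, and the 15:00 failure never counts because it falls outside findtime.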




Configuring ssh-iptables in Fail2Ban
The ssh-iptables jail is enabled by default, so no further change is needed.
[ssh-iptables]
enabled = true
filter = sshd

action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
logpath = /var/log/secure
maxretry = 5


The lines of the configuration above mean the following:
enabled: whether the ssh filter is active or not.
filter: set to sshd by default and refers to the file /etc/fail2ban/filter.d/sshd.conf.
action: the part that bans the host and refers to the file /etc/fail2ban/filter.d/iptables.conf. For easier monitoring, add an email address that will receive notifications about banned hosts.
logpath: the log file fail2ban reads to track the ssh port.
maxretry: the maximum number of attempts against the server before the host is banned.


Starting the Fail2Ban service
[root@dl ~]# chkconfig fail2ban on
[root@dl ~]# /etc/init.d/fail2ban start


Verifying the Fail2Ban rules in iptables
Check the rules that fail2ban has added automatically to iptables:


[root@dl ~]# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target    prot opt source          destination
fail2ban-SSH tcp -- anywhere               anywhere       tcp dpt:ssh
ACCEPT         all -- anywhere           anywhere      state RELATED,ESTABLISHED
ACCEPT         icmp -- anywhere            anywhere
ACCEPT         all -- anywhere           anywhere
ACCEPT         tcp -- anywhere            anywhere      state NEW tcp dpt:ssh
REJECT       all -- anywhere             anywhere     reject-with icmp-host-prohibited



Chain FORWARD (policy DROP)
target   prot opt source          destination
REJECT         all -- anywhere        anywhere          reject-with icmp-host-prohibited


Chain OUTPUT (policy DROP)
target   prot opt source          destination
ACCEPT         all -- anywhere        anywhere
ACCEPT         all -- anywhere        anywhere


Chain fail2ban-SSH (1 references)
target   prot opt source          destination
DROP       all -- 10.x.x.x             anywhere
RETURN          all -- anywhere        anywhere
[root@dl ~]#


The check shows that fail2ban has successfully banned an IP address, visible in the fail2ban-SSH chain above.


Viewing failed SSH login activity
To view failed ssh logins, use the following command:
[root@dl ~]# cat /var/log/secure |grep 'Failed password' | sort | uniq -c
15 Feb 15 16:20:04 dl sshd[2939]: Failed password for root from 10.x.x.x port 59392 ssh2
15 Feb 15 16:20:08 dl sshd[2939]: Failed password for root from 10.x.x.x port 59392 ssh2
15 Feb 15 16:20:12 dl sshd[2939]: Failed password for root from 10.x.x.x port 59392 ssh2
15 Feb 15 16:20:20 dl sshd[2941]: Failed password for root from 10.x.x.x port 59393 ssh2
15 Feb 15 16:20:24 dl sshd[2941]: Failed password for root from 10.x.x.x port 59393 ssh2
[root@dl ~]#


Removing an IP address from Fail2Ban
To remove an IP address from the fail2ban rules in iptables, use the following command (iptables chain names are case-sensitive, so the chain is fail2ban-SSH exactly as it appears in the listing above; the trailing 1 is the rule number within that chain):
[root@dl ~]# /sbin/iptables -D fail2ban-SSH 1
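Deleting rule 1 removes whichever DROP happens to be first, and Fail2Ban inserts newer bans at the top of the chain, so the number for a given address changes over time. The helper below is an added example (not from the tutorial or from Fail2Ban) covering the verification listing and the removal step above: it parses a constructed snapshot in the layout of `iptables -L fail2ban-SSH` shown on this page and derives the rule number for a specific address; the addresses are made up.

```python
# Added example, not from the original tutorial: find the rule number of a
# banned address in the fail2ban-SSH chain before running `iptables -D`,
# because rule numbers shift whenever Fail2Ban inserts a newer ban at the top.
import re

# Constructed snapshot in the layout of `iptables -L fail2ban-SSH` on the
# page; the source addresses are made up for the example.
SAMPLE_CHAIN = """\
Chain fail2ban-SSH (1 references)
target     prot opt source               destination
DROP       all  --  192.0.2.77           anywhere
DROP       all  --  10.0.0.5             anywhere
RETURN     all  --  anywhere             anywhere
"""

CHAIN_HEADER = re.compile(r"^Chain (\S+)")

def chain_name(output):
    """Chain name from the 'Chain ... (N references)' header, or None."""
    m = CHAIN_HEADER.match(output.lstrip())
    return m.group(1) if m else None

def parse_chain(output):
    """Return the chain's rules in order as (target, source) tuples."""
    rules = []
    for line in output.splitlines():
        fields = line.split()
        # skip the 'Chain ...' header, the column header and blank lines
        if len(fields) < 5 or fields[0] in ("Chain", "target"):
            continue
        rules.append((fields[0], fields[3]))
    return rules

def drop_rule_number(output, ip):
    """1-based position of the DROP rule for ip, or None if it is not banned."""
    for n, (target, source) in enumerate(parse_chain(output), start=1):
        if target == "DROP" and source == ip:
            return n
    return None

def unban_command(output, ip):
    """Exact `iptables -D <chain> <n>` for this snapshot, or None."""
    n = drop_rule_number(output, ip)
    chain = chain_name(output)
    if n is None or chain is None:
        return None
    return f"/sbin/iptables -D {chain} {n}"

if __name__ == "__main__":
    print(unban_command(SAMPLE_CHAIN, "10.0.0.5"))   # -D fail2ban-SSH 2, not 1
```

Re-run the listing immediately before deleting, since the snapshot is only valid until the next ban or unban changes the chain.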


