Fail2ban



FAIL2BAN

Fail2Ban is an open source intrusion prevention system written in the Python programming language. Fail2ban monitors system logs such as /var/log/pwdfail, /var/log/auth.log, /var/log/secure and others. It can also be used to block a given IP address from accessing the system after several attempts with a wrong password, because fail2ban uses iptables to ban the source of the failed access. Fail2ban is not limited to SSH, as Denyhosts is, but covers any application that uses the TCP protocol, such as SMTP, HTTP and others.

Installing Fail2ban on CentOS 6.3

File2Ban is not installed by default. Install it as follows:

[root@dl ~]# yum install fail2ban -y
===============================================================
Package Arch Version Repository Size
===============================================================
Installing:
fail2ban noarch 0.8.8-2.el6 epel 141 k
Installing for dependencies:
gamin-python x86_64 0.1.10-9.el6 base 33 k
perl-Digest-SHA x86_64 1:5.47-127.el6 base 62 k
python-inotify noarch 0.9.1-1.el6 epel 50 k
shorewall noarch 4.5.4-1.el6 epel 517 k
shorewall-core noarch 4.5.4-1.el6 epel 64 k
tcp_wrappers x86_64 7.6-57.el6 base 61 k
Transaction Summary
================================================================
Install 7 Package(s)
Total download size: 928 k
Installed size: 3.2 M
Is this ok [y/N]: y

Configuring Fail2ban

Fail2ban can be configured with vi, nano or any other editor you are comfortable with; the main configuration file is /etc/fail2ban/jail.conf.

[root@dl ~]# vi /etc/fail2ban/jail.conf

Below is the default fail2ban configuration:

# Fail2Ban jail specifications file
# Comments: use '#' for comment lines and ';' for inline comments
# Changes: in most of the cases you should not modify this
# file, but provide customizations in jail.local file, e.g.:
#
# [DEFAULT]
# bantime = 3600
#
# [ssh-iptables]
# enabled = true
#

[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 600
findtime = 600
maxretry = 3
backend = auto
usedns = warn

[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=root, [email protected]]
logpath = /var/log/secure
maxretry = 5

[proftpd-iptables]
enabled = false
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
         sendmail-whois[name=ProFTPD, [email protected]]
logpath = /var/log/proftpd/proftpd.log
maxretry = 6

[sasl-iptables]
enabled = false
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
         sendmail-whois[name=sasl, [email protected]]
logpath = /var/log/mail.log

[ssh-tcpwrapper]
enabled = false
filter = sshd
action = hostsdeny
         sendmail-whois[name=SSH, [email protected]]
ignoreregex = for myuser from
logpath = /var/log/sshd.log

[apache-tcpwrapper]
enabled = false
filter = apache-auth
action = hostsdeny
logpath = /var/log/apache*/*error.log
          /home/www/myhomepage/error.log
maxretry = 6

[postfix-tcpwrapper]
enabled = false
filter = postfix
action = hostsdeny[file=/not/a/standard/path/hosts.deny]
         sendmail[name=Postfix, [email protected]]
logpath = /var/log/postfix.log
bantime = 300

[vsftpd-notification]
enabled = false
filter = vsftpd
action = sendmail-whois[name=VSFTPD, [email protected]]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800

[vsftpd-iptables]
enabled = false
filter = vsftpd
action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
         sendmail-whois[name=VSFTPD, [email protected]]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800

[apache-badbots]
enabled = false
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
         sendmail-buffered[name=BadBots, lines=5, [email protected]]
logpath = /var/www/*/logs/access_log
bantime = 172800
maxretry = 1

[apache-shorewall]
enabled = false
filter = apache-noscript
action = shorewall
         sendmail[name=Postfix, [email protected]]
logpath = /var/log/apache2/error_log

[php-url-fopen]
enabled = false
port = http,https
filter = php-url-fopen
logpath = /var/www/*/logs/access_log
maxretry = 1

[lighttpd-fastcgi]
enabled = false
port = http,https
filter = lighttpd-fastcgi
# adapt the following two items as needed
logpath = /var/log/lighttpd/error.log
maxretry = 2

[lighttpd-auth]
enabled = false
port = http,https
filter = lighttpd-auth
# adapt the following two items as needed
logpath = /var/log/lighttpd/error.log
maxretry = 2

[ssh-ipfw]
enabled = false
filter = sshd
action = ipfw[localhost=192.168.0.1]
         sendmail-whois[name="SSH,IPFW", [email protected]]
logpath = /var/log/auth.log
ignoreip = 168.192.0.1

# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# };
#
# in your named.conf to provide proper logging.

# This jail blocks UDP traffic for DNS requests.
# !!! WARNING !!!
# Since UDP is connection-less protocol, spoofing of IP and imitation
# of illegal actions is way too simple. Thus enabling of this filter
# might provide an easy way for implementing a DoS against a chosen
# victim. See
# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
# Please DO NOT USE this jail unless you know what you are doing.
#
# [named-refused-udp]
# enabled = false
# filter = named-refused
# action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
#          sendmail-whois[name=Named, [email protected]]
# logpath = /var/log/named/security.log
# ignoreip = 168.192.0.1

[named-refused-tcp]
enabled = false
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
         sendmail-whois[name=Named, [email protected]]
logpath = /var/log/named/security.log
ignoreip = 168.192.0.1

[asterisk-tcp]
enabled = false
filter = asterisk
action = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]
         sendmail-whois[name=Asterisk, [email protected], [email protected]]
logpath = /var/log/asterisk/messages
maxretry = 10

[asterisk-udp]
enabled = false
filter = asterisk
action = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]
         sendmail-whois[name=Asterisk, [email protected], [email protected]]
logpath = /var/log/asterisk/messages
maxretry = 10

[recidive]
enabled = false
filter = recidive
logpath = /var/log/fail2ban.log
action = iptables-allports[name=recidive]
         sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
bantime = 604800 ; 1 week
findtime = 86400 ; 1 day
maxretry = 5

Each line of the [DEFAULT] section above is explained below:

ignoreip: defines the IP addresses / networks that will never be blocked when failed access to the system occurs. Make sure the IP address / network used by the server administrator appears on this line. Multiple IP addresses / networks must be separated by a space.

bantime: the length of time a host stays banned by the server. The default is 600 seconds (10 minutes); the limit can be set according to the server's needs.

findtime: the time window in which a host's login attempts to the server are counted. If the number of failed logins within this window reaches the maxretry value, the host is automatically banned by the server. The default is 600 seconds (10 minutes); the window can be set according to the server's needs.

maxretry: the maximum number of attempts against the server allowed before the host is banned.

To give the system layered protection, the default configuration can be changed to suit the servers in use.

Configuring ssh-iptables in Fail2Ban

ssh-iptables is enabled in Fail2Ban by default, so no further change is needed.

[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=root, [email protected]]
logpath = /var/log/secure
maxretry = 5

Each line of the configuration above is explained below:

enabled: indicates whether the ssh filter is active or not.

filter: set to sshd by default and refers to the file /etc/fail2ban/filter.d/sshd.conf.

action: the part that bans the host and refers to the file /etc/fail2ban/action.d/iptables.conf. To make monitoring easier, add an email address that will receive information about banned hosts.

logpath: the log file fail2ban reads to track the ssh port.

maxretry: the maximum number of attempts against the server allowed before the host is banned.
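To make the [DEFAULT] parameters and the sshd filter above concrete, here is an added Python sketch (not fail2ban's own code) of how ignoreip, findtime, maxretry and bantime combine into a ban decision. The log lines, the assumed year and the cut-down failregex are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/secure lines (documentation IPs, not real hosts).
SAMPLE_LOG = [
    "Feb 15 16:20:04 dl sshd[2939]: Failed password for root from 203.0.113.5 port 59392 ssh2",
    "Feb 15 16:20:08 dl sshd[2939]: Failed password for root from 203.0.113.5 port 59392 ssh2",
    "Feb 15 16:20:12 dl sshd[2939]: Failed password for root from 203.0.113.5 port 59392 ssh2",
    "Feb 15 16:20:20 dl sshd[2941]: Failed password for invalid user admin from 127.0.0.1 port 40000 ssh2",
    "Feb 15 16:20:24 dl sshd[2941]: Failed password for invalid user admin from 127.0.0.1 port 40000 ssh2",
    "Feb 15 16:20:30 dl sshd[2941]: Failed password for invalid user admin from 127.0.0.1 port 40000 ssh2",
    "Feb 15 16:40:00 dl sshd[2950]: Failed password for root from 198.51.100.7 port 41000 ssh2",
    "Feb 15 16:45:00 dl sshd[2951]: Failed password for root from 198.51.100.7 port 41001 ssh2",
    "Feb 15 17:00:00 dl sshd[2952]: Failed password for root from 198.51.100.7 port 41002 ssh2",
]

# Cut-down stand-in for the sshd filter's failregex; <host> plays the role of <HOST>.
FAILREGEX = re.compile(r"sshd\[\d+\]: Failed password for .+ from (?P<host>\S+) port \d+")

# Values from the page's [DEFAULT] section (maxretry=3 there, 5 in the ssh-iptables jail).
IGNOREIP = ["127.0.0.1/8"]
BANTIME, FINDTIME, MAXRETRY = 600, 600, 3

def parse_time(line, year=2015):
    """syslog stamps carry no year, so one is assumed (constructed data)."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def is_ignored(host):
    """ignoreip: a host inside any listed network is never banned."""
    ip = ipaddress.ip_address(host)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in IGNOREIP)

def bans_for(lines):
    """{host: (ban_start, ban_end)} for hosts reaching MAXRETRY failures inside FINDTIME."""
    failures = defaultdict(list)
    bans = {}
    for line in lines:
        m = FAILREGEX.search(line)
        if not m or is_ignored(m.group("host")) or m.group("host") in bans:
            continue
        host, t = m.group("host"), parse_time(line)
        # keep only failures still inside the findtime window, then add this one
        recent = [f for f in failures[host] if (t - f).total_seconds() <= FINDTIME]
        recent.append(t)
        failures[host] = recent
        if len(recent) >= MAXRETRY:  # this is where the iptables ban action would fire
            bans[host] = (t, t + timedelta(seconds=BANTIME))
    return bans
```

Running bans_for(SAMPLE_LOG) bans only 203.0.113.5: 127.0.0.1 is covered by ignoreip, and 198.51.100.7 never accumulates three failures inside one 600-second window.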

Starting the Fail2Ban service

[root@dl ~]# chkconfig fail2ban on
[root@dl ~]# /etc/init.d/fail2ban start

Verifying the Fail2Ban rules in iptables

Check the rules that fail2ban automatically added to iptables:

[root@dl ~]# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy DROP)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain fail2ban-SSH (1 references)
target prot opt source destination
DROP all -- 10.x.x.x anywhere
RETURN all -- anywhere anywhere
[root@dl ~]#

The check shows that fail2ban has successfully banned an IP address, visible in the Chain fail2ban-SSH section above.

Viewing failed SSH login activity

To view failed ssh login attempts, use the following command:

[root@dl ~]# cat /var/log/secure |grep 'Failed password' | sort | uniq -c
15 Feb 15 16:20:04 dl sshd[2939]: Failed password for root from 10.x.x.x port 59392 ssh2
15 Feb 15 16:20:08 dl sshd[2939]: Failed password for root from 10.x.x.x port 59392 ssh2
15 Feb 15 16:20:12 dl sshd[2939]: Failed password for root from 10.x.x.x port 59392 ssh2
15 Feb 15 16:20:20 dl sshd[2941]: Failed password for root from 10.x.x.x port 59393 ssh2
15 Feb 15 16:20:24 dl sshd[2941]: Failed password for root from 10.x.x.x port 59393 ssh2
[root@dl ~]#

Removing an IP address from Fail2Ban

To remove an IP address from the fail2ban rules in iptables, use the following command. The chain name is case-sensitive and must match the one shown by iptables -L (fail2ban-SSH above); the trailing number is the rule's position in that chain:

[root@dl ~]# /sbin/iptables -D fail2ban-SSH 1

Deleting the rule directly in iptables does not update fail2ban's own record of the ban, which is only cleared when bantime expires.