Blocking IPs That Attempt Brute Force Attacks on CentOS 7

I once had a server in the US. I managed this server myself (to keep it cheap), but unfortunately the server got hammered by a hacker and was used to send spam. As a result, my server was blocked worldwide. My account at the datacenter was frozen. Now I have to reinstall the server.

In the end, I learned online how to block IPs that attempt brute force attacks. This brute force attack was the original source of the security hole. I have no idea why a password in Indonesian, mixing upper and lower case letters plus special characters and numbers, could be cracked. Just bad luck. This kind of thing really depends on luck.

Well, I found a small tool called fail2ban. Let's get right to it: here is how to install and use it on CentOS 7.

Install EPEL

$ sudo yum install epel-release

Install fail2ban

$ sudo yum install fail2ban fail2ban-systemd

Configure fail2ban

$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
$ sudo nano /etc/fail2ban/jail.local

Add a jail file to protect sshd

$ sudo nano /etc/fail2ban/jail.d/sshd.local

[sshd]
enabled = true
port = ssh
#action = firewallcmd-ipset
logpath = %(sshd_log)s
maxretry = 3
bantime = 86400

Start the Fail2Ban service

$ systemctl enable firewalld
$ systemctl start firewalld

$ systemctl enable fail2ban
$ systemctl start fail2ban

Verification and Usage

Track the login (brute force) attempts that have been made against the server.

$ sudo cat /var/log/secure | grep 'Failed password'
Apr 13 16:30:59 [localhost] sshd[30635]: Failed password for root from 121.15.7.26 port 51222 ssh2
Apr 13 16:31:37 [localhost] sshd[30689]: Failed password for root from 178.60.163.89 port 33316 ssh2
Apr 13 16:31:40 [localhost] sshd[30695]: Failed password for root from 49.235.121.128 port 60928 ssh2
Apr 13 16:31:43 [localhost] sshd[30711]: Failed password for root from 34.93.237.166 port 42104 ssh2
Apr 13 16:31:45 [localhost] sshd[30715]: Failed password for root from 103.140.83.20 port 47424 ssh2
Apr 13 16:32:02 [localhost] sshd[30740]: Failed password for root from 117.51.155.121 port 50534 ssh2
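As an added example that is not part of the original post: a small Python script that applies the same rule the sshd jail above uses (maxretry = 3) to constructed /var/log/secure lines, so you can see which source addresses fail2ban would ban. The findtime window of 600 seconds and the year used for the syslog timestamps are assumptions, and the sample addresses are constructed documentation ranges, not real hosts.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the sshd "Failed password" line in /var/log/secure (CentOS 7 syslog format).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)

# Constructed sample log lines (documentation addresses, not real attackers).
SAMPLE_LOG = """\
Apr 13 16:30:59 localhost sshd[30635]: Failed password for root from 192.0.2.10 port 51222 ssh2
Apr 13 16:31:37 localhost sshd[30689]: Failed password for root from 192.0.2.10 port 33316 ssh2
Apr 13 16:31:40 localhost sshd[30695]: Failed password for invalid user admin from 192.0.2.10 port 60928 ssh2
Apr 13 16:31:43 localhost sshd[30711]: Failed password for root from 198.51.100.7 port 42104 ssh2
Apr 13 16:31:45 localhost sshd[30715]: Accepted publickey for deploy from 203.0.113.5 port 47424 ssh2
Apr 13 16:55:02 localhost sshd[30740]: Failed password for root from 198.51.100.7 port 50534 ssh2
Apr 13 16:55:05 localhost sshd[30741]: Failed password for root from 198.51.100.7 port 50535 ssh2
"""

def parse_ts(ts, year=2020):
    # syslog timestamps carry no year, so one is assumed (constructed for the sample).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def offenders(log_text, maxretry=3, findtime=600):
    """Return {ip: time_threshold_was_hit} for sources with maxretry or more
    failures inside a sliding findtime window, the same rule the sshd jail uses."""
    failures = defaultdict(list)
    banned = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        if ip in banned:
            continue  # already banned; later attempts would be rejected anyway
        failures[ip].append(t)
        # keep only failures that fall inside the findtime window ending at t
        failures[ip] = [x for x in failures[ip] if (t - x).total_seconds() <= findtime]
        if len(failures[ip]) >= maxretry:
            banned[ip] = t
    return banned

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"ban {ip} (threshold reached at {when:%b %d %H:%M:%S})")
```

With the default window only 192.0.2.10 is banned; 198.51.100.7 also fails three times, but its first failure falls outside the 600 second window, which is exactly why findtime matters alongside maxretry.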

How to see the IPs that have been banned

$ sudo iptables -L -n
Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  178.176.30.211       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  121.15.7.26          0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  49.235.121.128       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  183.56.201.142       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  114.67.74.5          0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  106.12.221.83        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  122.51.236.130       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  139.198.5.79         0.0.0.0/0            reject-with icmp-port-unreachable

View fail2ban status

$ sudo fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:   sshd

How to unban an IP address

$ sudo fail2ban-client set sshd unbanip IPADDRESS

Example of the log produced in /var/log/fail2ban

2020-04-13 16:59:42,431 fail2ban.filter         [1343]: INFO    [sshd] Found 189.4.1.12 - 2020-04-13 16:59:42
2020-04-13 16:59:47,461 fail2ban.filter         [1343]: INFO    [sshd] Found 202.238.61.137 - 2020-04-13 16:59:47
2020-04-13 16:59:47,602 fail2ban.filter         [1343]: INFO    [sshd] Found 181.31.101.35 - 2020-04-13 16:59:47
2020-04-13 17:00:07,167 fail2ban.filter         [1343]: INFO    [sshd] Found 103.140.83.20 - 2020-04-13 17:00:07
2020-04-13 17:00:07,366 fail2ban.actions        [1343]: WARNING [sshd] 103.140.83.20 already banned
2020-04-13 17:00:10,826 fail2ban.filter         [1343]: INFO    [sshd] Found 122.51.236.130 - 2020-04-13 17:00:10
2020-04-13 17:00:11,166 fail2ban.filter         [1343]: INFO    [sshd] Found 64.227.25.173 - 2020-04-13 17:00:11
2020-04-13 17:00:11,706 fail2ban.filter         [1343]: INFO    [sshd] Found 49.234.187.66 - 2020-04-13 17:00:11
2020-04-13 17:00:11,789 fail2ban.actions        [1343]: WARNING [sshd] 49.234.187.66 already banned
2020-04-13 17:00:12,855 fail2ban.filter         [1343]: INFO    [sshd] Found 122.51.236.130 - 2020-04-13 17:00:12
2020-04-13 17:00:13,208 fail2ban.actions        [1343]: WARNING [sshd] 122.51.236.130 already banned
2020-04-13 17:00:16,500 fail2ban.filter         [1343]: INFO    [sshd] Found 114.67.74.5 - 2020-04-13 17:00:16
2020-04-13 17:00:21,108 fail2ban.filter         [1343]: INFO    [sshd] Found 183.56.201.142 - 2020-04-13 17:00:21
