SSHD Secure with Fail2Ban

Fail2Ban is an open-source intrusion prevention system written in Python. Fail2ban monitors system logs such as /var/log/pwdfail, /var/log/auth.log, /var/log/secure and others. Fail2ban can also block a particular IP address that is being used to log in to the system after several attempts with a wrong password, because fail2ban uses iptables to ban the source of the failed access attempts. Unlike Denyhosts, Fail2ban is not limited to SSH; it can protect any application that uses the TCP protocol, such as SMTP, HTTP and others.

Installing Fail2ban on CentOS 6.3
By default Fail2Ban is not installed. Install Fail2Ban as follows:
[root@dl ~]# yum install fail2ban -y
================================================================================
 Package              Arch      Version             Repository   Size
================================================================================
Installing:
 fail2ban             noarch    0.8.8-2.el6         epel         141 k
Installing for dependencies:
 gamin-python         x86_64    0.1.10-9.el6        base          33 k
 perl-Digest-SHA      x86_64    1:5.47-127.el6      base          62 k
 python-inotify       noarch    0.9.1-1.el6         epel          50 k
 shorewall            noarch    4.5.4-1.el6         epel         517 k
 shorewall-core       noarch    4.5.4-1.el6         epel          64 k
 tcp_wrappers         x86_64    7.6-57.el6          base          61 k

Transaction Summary
================================================================================
Install       7 Package(s)

Total download size: 928 k
Installed size: 3.2 M
Is this ok [y/N]: y


Configuring Fail2ban

To configure fail2ban you can use vi, nano or any other editor you are comfortable with. The main fail2ban configuration file is /etc/fail2ban/jail.conf.

[root@dl ~]# vi /etc/fail2ban/jail.conf
Below is the default fail2ban configuration:
# Fail2Ban jail specifications file
# Comments: use '#' for comment lines and ';' for inline comments
# Changes: in most of the cases you should not modify this
# file, but provide customizations in jail.local file, e.g.:
#
# [DEFAULT]
# bantime = 3600
#
# [ssh-iptables]
# enabled = true
#

[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 600
findtime = 600
maxretry = 3
backend = auto
usedns = warn

[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
logpath = /var/log/secure
maxretry = 5

[proftpd-iptables]
enabled = false
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
         sendmail-whois[name=ProFTPD, dest=you@example.com]
logpath = /var/log/proftpd/proftpd.log
maxretry = 6

[sasl-iptables]
enabled = false
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
         sendmail-whois[name=sasl, dest=you@example.com]
logpath = /var/log/mail.log

[ssh-tcpwrapper]
enabled = false
filter = sshd
action = hostsdeny
         sendmail-whois[name=SSH, dest=you@example.com]
ignoreregex = for myuser from
logpath = /var/log/sshd.log

[apache-tcpwrapper]
enabled = false
filter = apache-auth
action = hostsdeny
logpath = /var/log/apache*/*error.log
          /home/www/myhomepage/error.log
maxretry = 6

[postfix-tcpwrapper]
enabled = false
filter = postfix
action = hostsdeny[file=/not/a/standard/path/hosts.deny]
         sendmail[name=Postfix, dest=you@example.com]
logpath = /var/log/postfix.log
bantime = 300

[vsftpd-notification]
enabled = false
filter = vsftpd
action = sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800

[vsftpd-iptables]
enabled = false
filter = vsftpd
action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
         sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800

[apache-badbots]
enabled = false
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
         sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]
logpath = /var/www/*/logs/access_log
bantime = 172800
maxretry = 1

[apache-shorewall]
enabled = false
filter = apache-noscript
action = shorewall
         sendmail[name=Postfix, dest=you@example.com]
logpath = /var/log/apache2/error_log

[php-url-fopen]
enabled = false
port = http,https
filter = php-url-fopen
logpath = /var/www/*/logs/access_log
maxretry = 1

[lighttpd-fastcgi]
enabled = false
port = http,https
filter = lighttpd-fastcgi
# adapt the following two items as needed
logpath = /var/log/lighttpd/error.log
maxretry = 2

[lighttpd-auth]
enabled = false
port = http,https
filter = lighttpd-auth
# adapt the following two items as needed
logpath = /var/log/lighttpd/error.log
maxretry = 2

[ssh-ipfw]
enabled = false
filter = sshd
action = ipfw[localhost=192.168.0.1]
         sendmail-whois[name="SSH,IPFW", dest=you@example.com]
logpath = /var/log/auth.log
ignoreip = 168.192.0.1

# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# };
#
# in your named.conf to provide proper logging.
# This jail blocks UDP traffic for DNS requests.

# !!! WARNING !!!
# Since UDP is connection-less protocol, spoofing of IP and imitation
# of illegal actions is way too simple. Thus enabling of this filter
# might provide an easy way for implementing a DoS against a chosen
# victim. See
# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
# Please DO NOT USE this jail unless you know what you are doing.
#
# [named-refused-udp]
#
# enabled = false
# filter = named-refused
# action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
#          sendmail-whois[name=Named, dest=you@example.com]
# logpath = /var/log/named/security.log
# ignoreip = 168.192.0.1

[named-refused-tcp]
enabled = false
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
         sendmail-whois[name=Named, dest=you@example.com]
logpath = /var/log/named/security.log
ignoreip = 168.192.0.1

[asterisk-tcp]
enabled = false
filter = asterisk
action = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]
         sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
logpath = /var/log/asterisk/messages
maxretry = 10

[asterisk-udp]
enabled = false
filter = asterisk
action = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]
         sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
logpath = /var/log/asterisk/messages
maxretry = 10

[recidive]
enabled = false
filter = recidive
logpath = /var/log/fail2ban.log
action = iptables-allports[name=recidive]
         sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
bantime = 604800 ; 1 week
findtime = 86400 ; 1 day
maxretry = 5
To give the system layered protection, the default configuration can be changed to match the needs of the servers you run.

Configuring ssh-iptables in Fail2Ban
By default ssh-iptables is already enabled in Fail2Ban, so no further change is needed.
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
logpath = /var/log/secure
maxretry = 5

Each line of the configuration above means the following:
enabled : whether the ssh filter is active or not.
filter : defaults to sshd and refers to the file /etc/fail2ban/filter.d/sshd.conf
action : bans the IP and refers to the file /etc/fail2ban/filter.d/iptables.conf. To make monitoring easier, add an e-mail address that will receive notification of banned IPs.
logpath : the log file fail2ban uses to track the ssh port.
maxretry : the maximum number of attempts against the server allowed before the IP is banned.
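As an added illustration (not code from this post or from the Fail2ban project), the Python script below reproduces the core of what the ssh-iptables jail does with the values above: it matches "Failed password" lines in /var/log/secure format with a simplified stand-in for the sshd filter pattern, skips sources listed in ignoreip, counts failures per source inside a sliding findtime window, and emits the rule the iptables action inserts into the fail2ban-SSH chain once maxretry is reached. The regex, the sample log lines and the assumed year are constructed for the example.

```python
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-in for the sshd filter regex (the real one is in
# /etc/fail2ban/filter.d/sshd.conf and covers many more message forms).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)
# Values from the jail above: [DEFAULT] findtime/ignoreip, ssh-iptables maxretry.
FINDTIME, MAXRETRY = 600, 5
IGNOREIP = [ipaddress.ip_network("127.0.0.1/8", strict=False)]

def parse_ts(ts, year=2013):
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")  # syslog has no year; assumed

def ignored(ip):
    return any(ipaddress.ip_address(ip) in net for net in IGNOREIP)

def ips_to_ban(lines, findtime=FINDTIME, maxretry=MAXRETRY):
    """IPs with >= maxretry failures inside a sliding findtime-second window."""
    window, banned = defaultdict(deque), []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m or ignored(m.group("ip")):
            continue
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        q = window[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > findtime:  # expire failures older than findtime
            q.popleft()
        if len(q) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned

def ban_commands(ips, name="SSH"):
    # Same rule shape the iptables action inserts into the fail2ban-<name> chain
    return [f"iptables -I fail2ban-{name} 1 -s {ip} -j DROP" for ip in ips]

def secure_line(ts, ip, pid):  # builds a constructed /var/log/secure entry
    return f"{ts} dl sshd[{pid}]: Failed password for root from {ip} port 59392 ssh2"

SAMPLE = (  # constructed sample log; 10.0.0.x stand in for the post's 10.x.x.x
    [secure_line(f"Feb 15 16:20:{s:02d}", "10.0.0.5", 2939) for s in (4, 8, 12, 20, 24)]  # 5 in 20 s
    + [secure_line(f"Feb 15 16:21:{s:02d}", "10.0.0.6", 2950) for s in (1, 2, 3, 4)]       # only 4
    + [secure_line(f"Feb 15 16:22:{s:02d}", "127.0.0.1", 2960) for s in range(5)]          # in ignoreip
    + [secure_line(f"Feb 15 {h:02d}:00:00", "10.0.0.7", 2970) for h in range(9, 14)]       # 5 over 4 h
)
```

With the jail's own values only 10.0.0.5 is banned: 10.0.0.6 stays under maxretry, 127.0.0.1 is whitelisted, and 10.0.0.7 never accumulates 5 failures inside one 600-second window.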

Starting the Fail2Ban service
[root@dl ~]# chkconfig fail2ban on
[root@dl ~]# /etc/init.d/fail2ban start

Verifying the Fail2Ban rules in iptables
Check the fail2ban rules that are automatically added to iptables:

[root@dl ~]# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target       prot opt source       destination
fail2ban-SSH tcp  --  anywhere     anywhere     tcp dpt:ssh
ACCEPT       all  --  anywhere     anywhere     state RELATED,ESTABLISHED
ACCEPT       icmp --  anywhere     anywhere
ACCEPT       all  --  anywhere     anywhere
ACCEPT       tcp  --  anywhere     anywhere     state NEW tcp dpt:ssh
REJECT       all  --  anywhere     anywhere     reject-with icmp-host-prohibited

Chain FORWARD (policy DROP)
target       prot opt source       destination
REJECT       all  --  anywhere     anywhere     reject-with icmp-host-prohibited

Chain OUTPUT (policy DROP)
target       prot opt source       destination
ACCEPT       all  --  anywhere     anywhere
ACCEPT       all  --  anywhere     anywhere

Chain fail2ban-SSH (1 references)
target       prot opt source       destination
DROP         all  --  10.x.x.x     anywhere
RETURN       all  --  anywhere     anywhere
[root@dl ~]#

The check shows that fail2ban has successfully banned an IP, visible in the fail2ban-SSH chain above.

Viewing failed SSH login activity
To view failed ssh login activity, use the following command:
[root@dl ~]# cat /var/log/secure | grep 'Failed password' | sort | uniq -c
15 Feb 15 16:20:04 dl sshd[2939]: Failed password for root from 10.x.x.x port 59392 ssh2
15 Feb 15 16:20:08 dl sshd[2939]: Failed password for root from 10.x.x.x port 59392 ssh2
15 Feb 15 16:20:12 dl sshd[2939]: Failed password for root from 10.x.x.x port 59392 ssh2
15 Feb 15 16:20:20 dl sshd[2941]: Failed password for root from 10.x.x.x port 59393 ssh2
15 Feb 15 16:20:24 dl sshd[2941]: Failed password for root from 10.x.x.x port 59393 ssh2
[root@dl ~]#

Removing an IP address from Fail2Ban
To remove an IP address from the fail2ban rules in iptables, delete its rule from the fail2ban-SSH chain shown above (chain names are case-sensitive; rule 1 is the first DROP entry listed):
[root@dl ~]# /sbin/iptables -D fail2ban-SSH 1

Good luck
