
After logging in to the server for the third time this week, I was greeted with this message:

Last failed login: Tue Feb 20 04:55:06 EST 2018 from 152.204.32.178 on ssh:notty
There were 116 failed login attempts since the last successful login.
Last login: Sun Feb 18 23:54:46 2018 from 180.xxx.xxx.xxx

Yikes... 😱.

The output above is a sign that our server is under a brute-force attack. There are many ways to counter it; one of them is fail2ban. This tutorial was carried out in an OpenVZ container running CentOS 7.4.1708 on kernel 2.6.32-042stab125.5. The EPEL YUM repo is installed and enabled. The firewall is firewalld.

Install fail2ban with the command:

yum install fail2ban-firewalld

Create a configuration file /etc/fail2ban/jail.local with the following contents:

[sshd]
enabled = true
banaction = firewallcmd-new

Make sure fail2ban starts when the server boots:

systemctl enable fail2ban

Then start the fail2ban service:

systemctl start fail2ban

Check that the configuration is what we expect:

fail2ban-client -v -d
INFO Loading configs for fail2ban under /etc/fail2ban
INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
INFO Using socket file /var/run/fail2ban/fail2ban.sock
INFO Loading configs for jail under /etc/fail2ban
INFO Loading files: ['/etc/fail2ban/jail.conf']
INFO Loading files: ['/etc/fail2ban/paths-fedora.conf']
INFO Loading files: ['/etc/fail2ban/paths-common.conf']
INFO Loading files: ['/etc/fail2ban/paths-overrides.local']
INFO Loading files: ['/etc/fail2ban/jail.d/00-firewalld.conf']
INFO Loading files: ['/etc/fail2ban/jail.local']
INFO Loading files: ['/etc/fail2ban/paths-common.conf', '/etc/fail2ban/paths-fedora.conf', '/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.d/00-firewalld.conf', '/etc/fail2ban/jail.local']
INFO Loading configs for filter.d/sshd under /etc/fail2ban
INFO Loading files: ['/etc/fail2ban/filter.d/sshd.conf']
INFO Loading files: ['/etc/fail2ban/filter.d/common.conf']
INFO Loading files: ['/etc/fail2ban/filter.d/common.local']
INFO Loading files: ['/etc/fail2ban/filter.d/common.conf', '/etc/fail2ban/filter.d/sshd.conf']
INFO Loading configs for action.d/firewallcmd-new under /etc/fail2ban
INFO Loading files: ['/etc/fail2ban/action.d/firewallcmd-new.conf']
INFO Loading files: ['/etc/fail2ban/action.d/iptables-common.conf']
INFO Loading files: ['/etc/fail2ban/action.d/iptables-blocktype.local']
INFO Loading files: ['/etc/fail2ban/action.d/iptables-common.local']
INFO Loading files: ['/etc/fail2ban/action.d/iptables-common.conf', '/etc/fail2ban/action.d/firewallcmd-new.conf']
['set', 'syslogsocket', 'auto']
['set', 'loglevel', 'INFO']
['set', 'logtarget', '/var/log/fail2ban.log']
['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3']
['set', 'dbpurgeage', 86400]
['add', 'sshd', 'systemd']
['set', 'sshd', 'usedns', 'warn']
['set', 'sshd', 'maxretry', 5]
['set', 'sshd', 'addignoreip', '127.0.0.1/8']
['set', 'sshd', 'logencoding', 'auto']
['set', 'sshd', 'bantime', 600]
['set', 'sshd', 'ignorecommand', '']
['set', 'sshd', 'findtime', 600]
['set', 'sshd', 'maxlines', '10']
['set', 'sshd', 'addfailregex', '^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel: \[ *\d+\.\d+\]\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(?:(?:error|fatal): (?:PAM: )?)?[aA]uthentication (?:failure|error|failed) for .* from <HOST>( via \S+)?\s*(?: \[preauth\])?\s*$']
['set', 'sshd', 'addfailregex', '^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel: \[ *\d+\.\d+\]\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(?:(?:error|fatal): (?:PAM: )?)?User not known to the underlying authentication module for .* from <HOST>\s*(?: \[preauth\])?\s*$']
..
CONTENT TRUNCATED
..
['set', 'sshd', 'action', 'firewallcmd-new', 'actionstop', 'firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -m state --state NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>\nfirewall-cmd --direct --remove-rules ipv4 filter f2b-<name>\nfirewall-cmd --direct --remove-chain ipv4 filter f2b-<name>']
['set', 'sshd', 'action', 'firewallcmd-new', 'actionstart', 'firewall-cmd --direct --add-chain ipv4 filter f2b-<name>\nfirewall-cmd --direct --add-rule ipv4 filter f2b-<name> 1000 -j RETURN\nfirewall-cmd --direct --add-rule ipv4 filter <chain> 0 -m state --state NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>']
['set', 'sshd', 'action', 'firewallcmd-new', 'actionunban', 'firewall-cmd --direct --remove-rule ipv4 filter f2b-<name> 0 -s <ip> -j <blocktype>']
['set', 'sshd', 'action', 'firewallcmd-new', 'actioncheck', "firewall-cmd --direct --get-chains ipv4 filter | grep -q 'f2b-<name>$'"]
['set', 'sshd', 'action', 'firewallcmd-new', 'protocol', 'tcp']
['set', 'sshd', 'action', 'firewallcmd-new', 'chain', 'INPUT']
['set', 'sshd', 'action', 'firewallcmd-new', 'lockingopt', '-w']
['set', 'sshd', 'action', 'firewallcmd-new', 'known/known/name', 'default']
['set', 'sshd', 'action', 'firewallcmd-new', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'sshd', 'action', 'firewallcmd-new', 'known/lockingopt', '-w']
['set', 'sshd', 'action', 'firewallcmd-new', 'known/known/port', 'ssh']
['set', 'sshd', 'action', 'firewallcmd-new', 'known/protocol', 'tcp']
['set', 'sshd', 'action', 'firewallcmd-new', 'known/known/lockingopt', '-w']
['set', 'sshd', 'action', 'firewallcmd-new', 'port', 'ssh']
['set', 'sshd', 'action', 'firewallcmd-new', 'known/known/chain', 'INPUT']
['set', 'sshd', 'action', 'firewallcmd-new', 'known/name', 'default']
..
CONTENT TRUNCATED
..
['set', 'sshd', 'action', 'firewallcmd-new', 'known/known/protocol', 'tcp']
['set', 'sshd', 'action', 'firewallcmd-new', 'bantime', '600']
['set', 'sshd', 'action', 'firewallcmd-new', 'iptables', 'iptables <lockingopt>']
['set', 'sshd', 'action', 'firewallcmd-new', 'known/__name__', 'Init']
['set', 'sshd', 'action', 'firewallcmd-new', 'returntype', 'RETURN']
['set', 'sshd', 'action', 'firewallcmd-new', 'known/returntype', 'RETURN']
['set', 'sshd', 'action', 'firewallcmd-new', 'known/known/__name__', 'Init']
['set', 'sshd', 'action', 'firewallcmd-new', 'known/known/returntype', 'RETURN']
['set', 'sshd', 'action', 'firewallcmd-new', 'name', 'sshd']
['set', 'sshd', 'action', 'firewallcmd-new', 'known/known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'sshd', 'action', 'firewallcmd-new', 'known/port', 'ssh']
['set', 'sshd', 'action', 'firewallcmd-new', 'known/iptables', 'iptables <lockingopt>']
['set', 'sshd', 'action', 'firewallcmd-new', 'known/chain', 'INPUT_direct']
['set', 'sshd', 'action', 'firewallcmd-new', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'sshd', 'action', 'firewallcmd-new', 'known/known/iptables', 'iptables <lockingopt>']
['start', 'sshd']

If the output looks like the above, the sshd jail is confirmed to be active.

Check the fail2ban log:

tail /var/log/fail2ban.log
2018-02-20 20:34:51,778 fail2ban.filter [22638]: INFO [sshd] Found 79.126.95.33
2018-02-20 20:34:53,500 fail2ban.filter [22638]: INFO [sshd] Found 79.126.95.33
2018-02-20 20:34:55,847 fail2ban.filter [22638]: INFO [sshd] Found 79.126.95.33
2018-02-20 20:34:58,145 fail2ban.filter [22638]: INFO [sshd] Found 79.126.95.33
2018-02-20 20:35:00,389 fail2ban.filter [22638]: INFO [sshd] Found 79.126.95.33
2018-02-20 20:35:00,761 fail2ban.actions [22638]: NOTICE [sshd] Ban 79.126.95.33
2018-02-20 20:35:03,001 fail2ban.filter [22638]: INFO [sshd] Found 79.126.95.33
2018-02-20 20:35:05,364 fail2ban.filter [22638]: INFO [sshd] Found 79.126.95.33
2018-02-20 20:35:05,365 fail2ban.filter [22638]: INFO [sshd] Found 79.126.95.33
2018-02-20 20:45:01,671 fail2ban.actions [22638]: NOTICE [sshd] Unban 79.126.95.33

Someone has already been banned, and then unbanned again after 10 minutes, heh. If needed, just raise the bantime setting, for example to 6000 instead of the default 600.

vi /etc/fail2ban/jail.local
[sshd]
enabled = true
banaction = firewallcmd-new
bantime = 6000
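To see how maxretry, findtime and bantime produce the Ban and Unban lines in the log above, here is an added example (not part of the original post or of fail2ban itself) that replays the jail's decision over the 'Found' lines copied from that log excerpt. It assumes the defaults shown in the fail2ban-client dump (maxretry 5, findtime 600, bantime 600) and lets you try the bantime = 6000 change offline.

```python
import re
from collections import defaultdict, deque
from datetime import timedelta, datetime

# 'Found' lines copied from the post's /var/log/fail2ban.log excerpt; the
# Ban/Unban lines are deliberately left out so that we can reproduce them.
LOG = """\
2018-02-20 20:34:51,778 fail2ban.filter [22638]: INFO [sshd] Found 79.126.95.33
2018-02-20 20:34:53,500 fail2ban.filter [22638]: INFO [sshd] Found 79.126.95.33
2018-02-20 20:34:55,847 fail2ban.filter [22638]: INFO [sshd] Found 79.126.95.33
2018-02-20 20:34:58,145 fail2ban.filter [22638]: INFO [sshd] Found 79.126.95.33
2018-02-20 20:35:00,389 fail2ban.filter [22638]: INFO [sshd] Found 79.126.95.33
2018-02-20 20:35:03,001 fail2ban.filter [22638]: INFO [sshd] Found 79.126.95.33
2018-02-20 20:35:05,364 fail2ban.filter [22638]: INFO [sshd] Found 79.126.95.33
2018-02-20 20:35:05,365 fail2ban.filter [22638]: INFO [sshd] Found 79.126.95.33
"""
FOUND_RE = re.compile(r"^(\S+ \S+) \S+ \[\d+\]: INFO \[(\w+)\] Found (\S+)$")

def parse_found(text):
    """Return [(timestamp, jail, ip)] for every 'Found' line in the log text."""
    events = []
    for line in text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f"),
                           m.group(2), m.group(3)))
    return events

def simulate_jail(events, maxretry=5, findtime=600, bantime=600):
    """Replay the jail decision: ban an IP once `maxretry` failures land inside a
    sliding `findtime` window, release it `bantime` seconds later.
    Returns ['<timestamp> Ban|Unban <ip>', ...] in chronological order."""
    window = defaultdict(deque)   # ip -> failure timestamps still inside findtime
    active = {}                   # ip -> moment the current ban expires
    actions = []
    for ts, _jail, ip in events:
        if ip in active:
            if ts < active[ip]:
                continue          # still banned; fail2ban only logs 'Found' here
            actions.append((active.pop(ip), "Unban", ip))   # ban already expired
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()           # failure too old to count towards maxretry
        if len(q) >= maxretry:
            active[ip] = ts + timedelta(seconds=bantime)
            actions.append((ts, "Ban", ip))
            q.clear()             # fail2ban resets the counter when it bans
    actions += [(exp, "Unban", ip) for ip, exp in active.items()]
    return [f"{t.strftime('%Y-%m-%d %H:%M:%S,%f')[:-3]} {a} {ip}"
            for t, a, ip in sorted(actions)]
```

Run simulate_jail(parse_found(LOG)) to get the Ban at the fifth failure and the Unban 600 seconds later; pass bantime=6000 to see the release move out by 100 minutes, and the three 'Found' lines after the ban never produce a second Ban.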

If we check in firewalld, fail2ban does indeed insert new rules for the ssh port:

firewall-cmd --direct --get-all-rules
ipv4 filter f2b-sshd 1000 -j RETURN
ipv4 filter INPUT 0 -m state --state NEW -p tcp -m multiport --dports ssh -j f2b-sshd

Hope this is useful. Don't forget to share. 😊
