3 minute read

Setelah login ke-3 minggu ini di server disambut dengan pesan:

Last failed login: Tue Feb 20 04:55:06 EST 2018 from 152.204.32.178 on ssh:notty
There were 116 failed login attempts since the last successful login.
Last login: Sun Feb 18 23:54:46 2018 from 180.xxx.xxx.xxx

Ngeray… 😱.

Diatas merupakan indikasi bahwa server kita sedang di brute force attack. Banyak cara untuk antisipasinya, salah satunya dengan fail2ban. Tutorial ini diterapkan di kontainer OpenVZ dengan distro CentOS 7.4.1708 yang menggunakan kernel 2.6.32-042stab125.5. Repo YUM EPEL terpasang dan aktif. Untuk firewall menggunakan firewalld.

Install fail2ban dengan perintah:

yum install fail2ban-firewalld

Buat sebuah file konfigurasi /etc/fail2ban/jail.local yang isinya:

[sshd]
enabled = true
banaction = firewallcmd-new

Pastikan fail2ban dijalankan saat server startup:

systemctl enable fail2ban

Kemudian jalankan service fail2ban:

systemctl start fail2ban

Cek konfigurasi apakah sudah sesuai:

fail2ban-client -v -d

INFO Loading configs for fail2ban under /etc/fail2ban
INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
INFO Using socket file /var/run/fail2ban/fail2ban.sock
INFO Loading configs for jail under /etc/fail2ban
INFO Loading files: ['/etc/fail2ban/jail.conf']
INFO Loading files: ['/etc/fail2ban/paths-fedora.conf']
INFO Loading files: ['/etc/fail2ban/paths-common.conf']
INFO Loading files: ['/etc/fail2ban/paths-overrides.local']
INFO Loading files: ['/etc/fail2ban/jail.d/00-firewalld.conf']
INFO Loading files: ['/etc/fail2ban/jail.local']
INFO Loading files: ['/etc/fail2ban/paths-common.conf', '/etc/fail2ban/paths-fedora.conf', '/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.d/00-firewalld.conf', '/etc/fail2ban/jail.local']
INFO Loading configs for filter.d/sshd under /etc/fail2ban
INFO Loading files: ['/etc/fail2ban/filter.d/sshd.conf']
INFO Loading files: ['/etc/fail2ban/filter.d/common.conf']
INFO Loading files: ['/etc/fail2ban/filter.d/common.local']
INFO Loading files: ['/etc/fail2ban/filter.d/common.conf', '/etc/fail2ban/filter.d/sshd.conf']
INFO Loading configs for action.d/firewallcmd-new under /etc/fail2ban
INFO Loading files: ['/etc/fail2ban/action.d/firewallcmd-new.conf']
INFO Loading files: ['/etc/fail2ban/action.d/iptables-common.conf']
INFO Loading files: ['/etc/fail2ban/action.d/iptables-blocktype.local']
INFO Loading files: ['/etc/fail2ban/action.d/iptables-common.local']
INFO Loading files: ['/etc/fail2ban/action.d/iptables-common.conf', '/etc/fail2ban/action.d/firewallcmd-new.conf']
['set', 'syslogsocket', 'auto']
['set', 'loglevel', 'INFO']
['set', 'logtarget', '/var/log/fail2ban.log']
['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3']
['set', 'dbpurgeage', 86400]
['add', 'sshd', 'systemd']
['set', 'sshd', 'usedns', 'warn']
['set', 'sshd', 'maxretry', 5]
['set', 'sshd', 'addignoreip', '127.0.0.1/8']
['set', 'sshd', 'logencoding', 'auto']
['set', 'sshd', 'bantime', 600]
['set', 'sshd', 'ignorecommand', '']
['set', 'sshd', 'findtime', 600]
['set', 'sshd', 'maxlines', '10']
['set', 'sshd', 'addfailregex', '^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel: \[ *\d+\.\d+\]\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(?:(?:error|fatal): (?:PAM: )?)?[aA]uthentication (?:failure|error|failed) for .* from <HOST>( via \S+)?\s*(?: \[preauth\])?\s*$']
['set', 'sshd', 'addfailregex', '^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel: \[ *\d+\.\d+\]\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(?:(?:error|fatal): (?:PAM: )?)?User not known to the underlying authentication module for .* from <HOST>\s*(?: \[preauth\])?\s*$']
..
CONTENT TRUNCATED
..
['set', 'sshd', 'action', 'firewallcmd-new', 'actionstop', 'firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -m state --state NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>\nfirewall-cmd --direct --remove-rules ipv4 filter f2b-<name>\nfirewall-cmd --direct --remove-chain ipv4 filter f2b-<name>']
['set', 'sshd', 'action', 'firewallcmd-new', 'actionstart', 'firewall-cmd --direct --add-chain ipv4 filter f2b-<name>\nfirewall-cmd --direct --add-rule ipv4 filter f2b-<name> 1000 -j RETURN\nfirewall-cmd --direct --add-rule ipv4 filter <chain> 0 -m state --state NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>']
['set', 'sshd', 'action', 'firewallcmd-new', 'actionunban', 'firewall-cmd --direct --remove-rule ipv4 filter f2b-<name> 0 -s <ip> -j <blocktype>']
['set', 'sshd', 'action', 'firewallcmd-new', 'actioncheck', "firewall-cmd --direct --get-chains ipv4 filter | grep -q 'f2b-<name>$'"]
['set', 'sshd', 'action', 'firewallcmd-new', 'protocol', 'tcp']
['set', 'sshd', 'action', 'firewallcmd-new', 'chain', 'INPUT']
['set', 'sshd', 'action', 'firewallcmd-new', 'lockingopt', '-w']
['set', 'sshd', 'action', 'firewallcmd-new', 'known/known/name', 'default']
['set', 'sshd', 'action', 'firewallcmd-new', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'sshd', 'action', 'firewallcmd-new', 'known/lockingopt', '-w']
['set', 'sshd', 'action', 'firewallcmd-new', 'known/known/port', 'ssh']
['set', 'sshd', 'action', 'firewallcmd-new', 'known/protocol', 'tcp']
['set', 'sshd', 'action', 'firewallcmd-new', 'known/known/lockingopt', '-w']
['set', 'sshd', 'action', 'firewallcmd-new', 'port', 'ssh']
['set', 'sshd', 'action', 'firewallcmd-new', 'known/known/chain', 'INPUT']
['set', 'sshd', 'action', 'firewallcmd-new', 'known/name', 'default']
..
CONTENT TRUNCATED
..
['set', 'sshd', 'action', 'firewallcmd-new', 'known/known/protocol', 'tcp']
['set', 'sshd', 'action', 'firewallcmd-new', 'bantime', '600']
['set', 'sshd', 'action', 'firewallcmd-new', 'iptables', 'iptables <lockingopt>']
['set', 'sshd', 'action', 'firewallcmd-new', 'known/__name__', 'Init']
['set', 'sshd', 'action', 'firewallcmd-new', 'returntype', 'RETURN']
['set', 'sshd', 'action', 'firewallcmd-new', 'known/returntype', 'RETURN']
['set', 'sshd', 'action', 'firewallcmd-new', 'known/known/__name__', 'Init']
['set', 'sshd', 'action', 'firewallcmd-new', 'known/known/returntype', 'RETURN']
['set', 'sshd', 'action', 'firewallcmd-new', 'name', 'sshd']
['set', 'sshd', 'action', 'firewallcmd-new', 'known/known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'sshd', 'action', 'firewallcmd-new', 'known/port', 'ssh']
['set', 'sshd', 'action', 'firewallcmd-new', 'known/iptables', 'iptables <lockingopt>']
['set', 'sshd', 'action', 'firewallcmd-new', 'known/chain', 'INPUT_direct']
['set', 'sshd', 'action', 'firewallcmd-new', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'sshd', 'action', 'firewallcmd-new', 'known/known/iptables', 'iptables <lockingopt>']
['start', 'sshd']

Kalau hasilnya seperti diatas bisa dipastikan rule untuk sshd sudah aktif.

Cek log fail2ban:

tail /var/log/fail2ban.log

2018-02-20 20:34:51,778 fail2ban.filter [22638]: INFO [sshd] Found 79.126.95.33
2018-02-20 20:34:53,500 fail2ban.filter [22638]: INFO [sshd] Found 79.126.95.33
2018-02-20 20:34:55,847 fail2ban.filter [22638]: INFO [sshd] Found 79.126.95.33
2018-02-20 20:34:58,145 fail2ban.filter [22638]: INFO [sshd] Found 79.126.95.33
2018-02-20 20:35:00,389 fail2ban.filter [22638]: INFO [sshd] Found 79.126.95.33
2018-02-20 20:35:00,761 fail2ban.actions [22638]: NOTICE [sshd] Ban 79.126.95.33
2018-02-20 20:35:03,001 fail2ban.filter [22638]: INFO [sshd] Found 79.126.95.33
2018-02-20 20:35:05,364 fail2ban.filter [22638]: INFO [sshd] Found 79.126.95.33
2018-02-20 20:35:05,365 fail2ban.filter [22638]: INFO [sshd] Found 79.126.95.33
2018-02-20 20:45:01,671 fail2ban.actions [22638]: NOTICE [sshd] Unban 79.126.95.33

Sudah ada yang kena ban, terus diunban lagi setelah 10 menit hehe. Kalau perlu konfigurasi bantime ditambah lagi saja, misal jadi 6000 dari default 600.

vi /etc/fail2ban/jail.local

[sshd]
enabled = true
banaction = firewallcmd-new
bantime = 6000

Kalau kita cek di firewalld fail2ban ini memang menyisipkan rule baru untuk port ssh:

firewall-cmd --direct --get-all-rules

ipv4 filter f2b-sshd 1000 -j RETURN
ipv4 filter INPUT 0 -m state --state NEW -p tcp -m multiport --dports ssh -j f2b-sshd

Semoga bermanfaat. Jangan lupa dishare. 😊

Comments

You May Also Enjoy

Hope for 2024

1 minute read

I haven’t write anything for two years. It seem Jekyll also has declared dead 😱. At least there still active development on Jekyll repository so not all hope...

Resume Blogging

less than 1 minute read

It’s been a while since my last post. Lot of thing happens, and I haven’t setup Jekyll in this machine.

Melanjutkan Blogging

less than 1 minute read

Sudah lumayan lama juga dari terakhir posting disini. Banyak hal yang terjadi, dan masih belum sempat juga setup Jekyll di mesin ini.

Service 6 Bulan Honda Brio

3 minute read

Hari Selasa kemarin 5 November jadwalnya Honda Brio service 10000 KM atau 6 bulan. Karena di odometer sendiri baru nunjukin angka 3000 KM lebih sedikit, maka...