Untuk lebih memahami fail2ban dalam melakukan pengamanan secarangan brute force attack kita akan mencoba

  1. Gagal login SSHD terus-menerus
  2. Melihat status fail2ban
    #systemctl status fail2ban
    Feb 26 11:09:22 mail5.apasaja.co.id f2b/server[1150]: fail2ban.actions [1150]: NOTICE [sshd] Ban abc.78.161.207
    
  3. Melihat log file terkait
    # cat /var/log/secure | grep abc.78.161.207
    Feb 26 11:09:04 mail5 sshd[14430]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.78.161.207  user=root
    Feb 26 11:09:06 mail5 sshd[14430]: Failed password for root from abc.78.161.207 port 51016 ssh2
    Feb 26 11:09:10 mail5 sshd[14430]: Failed password for root from abc.78.161.207 port 51016 ssh2
    Feb 26 11:09:14 mail5 sshd[14430]: Failed password for root from abc.78.161.207 port 51016 ssh2
    Feb 26 11:09:18 mail5 sshd[14430]: Failed password for root from abc.78.161.207 port 51016 ssh2
    Feb 26 11:09:22 mail5 sshd[14430]: Failed password for root from abc.78.161.207 port 51016 ssh2
    
  4. Melihat cara tulis log file
    cat /var/log/secure | tail -30
    Feb 26 11:01:01 mail5 sshd[14305]: Failed password for root from 192.168.41.240 port 49950 ssh2
    Feb 26 11:01:05 mail5 sshd[14305]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
    Feb 26 11:01:07 mail5 sshd[14305]: Failed password for root from 192.168.41.240 port 49950 ssh2
    Feb 26 11:01:07 mail5 sshd[14305]: error: maximum authentication attempts exceeded for root from 192.168.41.240 port 49950 ssh2 [preauth]
    Feb 26 11:01:07 mail5 sshd[14305]: Disconnecting: Too many authentication failures [preauth]
    Feb 26 11:01:07 mail5 sshd[14305]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=scanner  user=root
    Feb 26 11:01:07 mail5 sshd[14305]: PAM service(sshd) ignoring max retries; 6 > 3
    
    Feb 26 11:01:30 mail5 sshd[14339]: Connection closed by 36.153.0.228 port 30681 [preauth]
    Feb 26 11:03:42 mail5 sshd[14382]: Connection closed by 192.168.41.240 port 49965 [preauth]
    
    Feb 26 11:09:04 mail5 sshd[14430]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=abc.78.161.207  user=root
    Feb 26 11:09:04 mail5 sshd[14430]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
    Feb 26 11:09:06 mail5 sshd[14430]: Failed password for root from abc.78.161.207 port 51016 ssh2
    Feb 26 11:09:08 mail5 sshd[14430]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
    Feb 26 11:09:10 mail5 sshd[14430]: Failed password for root from abc.78.161.207 port 51016 ssh2
    Feb 26 11:09:12 mail5 sshd[14430]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
    Feb 26 11:09:14 mail5 sshd[14430]: Failed password for root from abc.78.161.207 port 51016 ssh2
    Feb 26 11:09:16 mail5 sshd[14430]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
    Feb 26 11:09:18 mail5 sshd[14430]: Failed password for root from abc.78.161.207 port 51016 ssh2
    Feb 26 11:09:20 mail5 sshd[14430]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
    Feb 26 11:09:22 mail5 sshd[14430]: Failed password for root from abc.78.161.207 port 51016 ssh2
    

Untuk pembelajaran lebih lanjut silahkan mengunjungi
1. https://www.fail2ban.org/wiki/index.php/MANUAL_0_8 .
2. https://www.fail2ban.org/wiki/index.php/HOWTOs .
3. https://documentation.online.net/en/dedicated-server/tutorials/security/install-configure-fail2ban .
3. https://idnetter.com/cara-install-dan-konfigurasi-fail2ban/ .
4. https://fail2ban.readthedocs.io/en/latest/filters.html .

Kunjungi www.proweb.co.id untuk menambah wawasan anda.

Debug gagal login terus menerus pada fail2ban