To better understand how fail2ban protects against brute force attacks, we will try the following:

  1. Fail the SSHD login repeatedly
  2. Check the fail2ban status
    #systemctl status fail2ban
    Feb 26 11:09:22 mail5.apasaja.co.id f2b/server[1150]: fail2ban.actions [1150]: NOTICE [sshd] Ban abc.78.161.207
    
  3. Look at the related log file
    # cat /var/log/secure | grep abc.78.161.207
    Feb 26 11:09:04 mail5 sshd[14430]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.78.161.207  user=root
    Feb 26 11:09:06 mail5 sshd[14430]: Failed password for root from abc.78.161.207 port 51016 ssh2
    Feb 26 11:09:10 mail5 sshd[14430]: Failed password for root from abc.78.161.207 port 51016 ssh2
    Feb 26 11:09:14 mail5 sshd[14430]: Failed password for root from abc.78.161.207 port 51016 ssh2
    Feb 26 11:09:18 mail5 sshd[14430]: Failed password for root from abc.78.161.207 port 51016 ssh2
    Feb 26 11:09:22 mail5 sshd[14430]: Failed password for root from abc.78.161.207 port 51016 ssh2
    
  4. Look at how the log file is written
    cat /var/log/secure | tail -30
    Feb 26 11:01:01 mail5 sshd[14305]: Failed password for root from 192.168.41.240 port 49950 ssh2
    Feb 26 11:01:05 mail5 sshd[14305]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
    Feb 26 11:01:07 mail5 sshd[14305]: Failed password for root from 192.168.41.240 port 49950 ssh2
    Feb 26 11:01:07 mail5 sshd[14305]: error: maximum authentication attempts exceeded for root from 192.168.41.240 port 49950 ssh2 [preauth]
    Feb 26 11:01:07 mail5 sshd[14305]: Disconnecting: Too many authentication failures [preauth]
    Feb 26 11:01:07 mail5 sshd[14305]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=scanner  user=root
    Feb 26 11:01:07 mail5 sshd[14305]: PAM service(sshd) ignoring max retries; 6 > 3
    
    Feb 26 11:01:30 mail5 sshd[14339]: Connection closed by 36.153.0.228 port 30681 [preauth]
    Feb 26 11:03:42 mail5 sshd[14382]: Connection closed by 192.168.41.240 port 49965 [preauth]
    
    Feb 26 11:09:04 mail5 sshd[14430]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=abc.78.161.207  user=root
    Feb 26 11:09:04 mail5 sshd[14430]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
    Feb 26 11:09:06 mail5 sshd[14430]: Failed password for root from abc.78.161.207 port 51016 ssh2
    Feb 26 11:09:08 mail5 sshd[14430]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
    Feb 26 11:09:10 mail5 sshd[14430]: Failed password for root from abc.78.161.207 port 51016 ssh2
    Feb 26 11:09:12 mail5 sshd[14430]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
    Feb 26 11:09:14 mail5 sshd[14430]: Failed password for root from abc.78.161.207 port 51016 ssh2
    Feb 26 11:09:16 mail5 sshd[14430]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
    Feb 26 11:09:18 mail5 sshd[14430]: Failed password for root from abc.78.161.207 port 51016 ssh2
    Feb 26 11:09:20 mail5 sshd[14430]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
    Feb 26 11:09:22 mail5 sshd[14430]: Failed password for root from abc.78.161.207 port 51016 ssh2
    
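To see how fail2ban's sshd filter turns lines like the ones above into a ban, here is an added example (not part of the original tutorial) that applies the same maxretry/findtime idea to a constructed log excerpt; the year is assumed because syslog timestamps carry none, and the thresholds are hypothetical defaults.

```python
import re
from collections import defaultdict
from datetime import datetime

# Pattern modelled on the "Failed password for <user> from <ip> port <n> ssh2"
# lines that fail2ban's sshd filter matches in /var/log/secure.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
)

# Constructed sample, copied from the log excerpt above (not live data).
SAMPLE_LOG = [
    "Feb 26 11:01:01 mail5 sshd[14305]: Failed password for root from 192.168.41.240 port 49950 ssh2",
    "Feb 26 11:01:07 mail5 sshd[14305]: Failed password for root from 192.168.41.240 port 49950 ssh2",
    "Feb 26 11:09:04 mail5 sshd[14430]: pam_unix(sshd:auth): authentication failure; rhost=abc.78.161.207 user=root",
    "Feb 26 11:09:06 mail5 sshd[14430]: Failed password for root from abc.78.161.207 port 51016 ssh2",
    "Feb 26 11:09:10 mail5 sshd[14430]: Failed password for root from abc.78.161.207 port 51016 ssh2",
    "Feb 26 11:09:14 mail5 sshd[14430]: Failed password for root from abc.78.161.207 port 51016 ssh2",
    "Feb 26 11:09:18 mail5 sshd[14430]: Failed password for root from abc.78.161.207 port 51016 ssh2",
    "Feb 26 11:09:22 mail5 sshd[14430]: Failed password for root from abc.78.161.207 port 51016 ssh2",
]

def parse_ts(ts, year=2024):
    # Syslog timestamps have no year; assume one so time windows can be computed.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_bans(lines, maxretry=5, findtime=600):
    """Return {ip: timestamp_of_ban} for every IP that reached maxretry
    failed logins within a sliding window of findtime seconds."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    banned = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue               # pam_unix / pam_succeed_if lines do not count
        ip = m.group("ip")
        if ip in banned:
            continue               # already banned, like fail2ban ignores it
        t = parse_ts(m.group("ts"))
        window = [x for x in failures[ip] if (t - x).total_seconds() <= findtime]
        window.append(t)
        failures[ip] = window
        if len(window) >= maxretry:
            banned[ip] = m.group("ts")
    return banned

if __name__ == "__main__":
    for ip, ts in find_bans(SAMPLE_LOG).items():
        print(f"{ts} NOTICE [sshd] Ban {ip}")
```

With the defaults this reports only abc.78.161.207 at 11:09:22, matching the NOTICE line from `systemctl status fail2ban` above; 192.168.41.240 never reaches five failures.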

For further learning, please visit:
1. https://www.fail2ban.org/wiki/index.php/MANUAL_0_8
2. https://www.fail2ban.org/wiki/index.php/HOWTOs
3. https://documentation.online.net/en/dedicated-server/tutorials/security/install-configure-fail2ban
4. https://idnetter.com/cara-install-dan-konfigurasi-fail2ban/
5. https://fail2ban.readthedocs.io/en/latest/filters.html
