
How to install Fail2ban on Ubuntu Linux


What is Fail2ban

Fail2ban is a tool you can use to reduce the impact of attacks on your server. You typically configure it to watch log files for suspicious activity; once that activity passes a threshold, Fail2ban can take an action, such as blocking the source IP address in your firewall. This is a good way to stop an attack early, although it does not prevent attacks entirely, and you can also have the log messages sent to your email.

Install & configure Fail2ban (for Ubuntu)

1. Installing Fail2ban:

Make sure your system is connected to the internet, then open a terminal and run the following commands to install Fail2ban:

sudo apt update
sudo apt-get install fail2ban -y

Note:
To install Fail2ban on Ubuntu Noble, you have to download the Fail2ban package and then install it manually:

wget https://github.com/fail2ban/fail2ban/releases/download/1.1.0/fail2ban_1.1.0-1.upstream1_all.deb

Once it has downloaded, install the package as follows:

sudo dpkg -i fail2ban_1.1.0-1.upstream1_all.deb

Fail2ban works with jail definitions: each jail references a log file, a filter, and an action. You set this up by creating a jail.local file.
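To make the description above concrete (log file, filter, threshold, then an action), here is a small model of an sshd-style jail written for this article. It is an added illustration, not Fail2ban's own code: the failregex is a simplified version of the real sshd filter, the log lines are constructed samples in the format sshd writes to /var/log/auth.log, and the jail values (maxretry = 3, findtime = 5m, ignoreip) are taken from the [sshd] section used later in this article.

```python
"""Toy model of how a Fail2ban jail turns log lines into bans.

Added illustration written for this article, not Fail2ban's own code.
It mirrors the pieces the text names: a filter (a failregex with a
<HOST> group), a log to read, and the jail thresholds maxretry/findtime
plus the ignoreip exemption.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified form of the sshd filter's failregex; Fail2ban's real filter
# has many more patterns. The "host" group plays the role of <HOST>.
FAILREGEX = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"
)

# Jail parameters from the article's [sshd] block (durations in seconds).
SSHD_JAIL = {
    "findtime": 300,  # 5m
    "maxretry": 3,
    "ignoreip": ["127.0.0.1/8", "192.168.1.254"],
}

# Constructed sample log: one brute-force burst, one admin typing the wrong
# password from the ignored workstation, and one slow attempt whose
# failures never fit inside one findtime window.
SAMPLE_LOG = """\
May 24 06:30:01 mail sshd[1201]: Failed password for root from 203.0.113.10 port 51022 ssh2
May 24 06:30:05 mail sshd[1203]: Failed password for invalid user admin from 203.0.113.10 port 51030 ssh2
May 24 06:30:09 mail sshd[1205]: Failed password for root from 203.0.113.10 port 51041 ssh2
May 24 06:31:00 mail sshd[1210]: Failed password for alice from 192.168.1.254 port 40000 ssh2
May 24 06:31:10 mail sshd[1211]: Failed password for alice from 192.168.1.254 port 40001 ssh2
May 24 06:31:20 mail sshd[1212]: Failed password for alice from 192.168.1.254 port 40002 ssh2
May 24 06:40:00 mail sshd[1300]: Failed password for root from 198.51.100.7 port 2222 ssh2
May 24 06:50:00 mail sshd[1301]: Failed password for root from 198.51.100.7 port 2223 ssh2
May 24 07:00:00 mail sshd[1302]: Failed password for root from 198.51.100.7 port 2224 ssh2
May 24 07:00:10 mail sshd[1303]: Accepted password for alice from 192.168.1.254 port 40003 ssh2
"""


def parse_timestamp(line: str) -> datetime:
    """Syslog lines carry no year; assume 2024 so the samples stay ordered."""
    return datetime.strptime("2024 " + line[:15], "%Y %b %d %H:%M:%S")


def is_ignored(host: str, ignoreip: list) -> bool:
    """True when host falls inside any ignoreip address or CIDR block."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal; nothing in ignoreip can match it
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def run_jail(log_text: str, jail: dict) -> list:
    """Return (host, timestamp) pairs in the order the jail would ban them."""
    window = defaultdict(deque)  # host -> timestamps of recent failures
    banned = []
    already = set()
    for line in log_text.splitlines():
        match = FAILREGEX.search(line)
        if not match:
            continue  # not a failure the filter recognises
        host = match.group("host")
        if host in already or is_ignored(host, jail["ignoreip"]):
            continue
        ts = parse_timestamp(line)
        hits = window[host]
        hits.append(ts)
        # Forget failures that fell out of the findtime window.
        while (ts - hits[0]).total_seconds() > jail["findtime"]:
            hits.popleft()
        if len(hits) >= jail["maxretry"]:
            banned.append((host, line[:15]))
            already.add(host)  # real Fail2ban would now run the ban action
    return banned


if __name__ == "__main__":
    for host, when in run_jail(SAMPLE_LOG, SSHD_JAIL):
        print(f"ban {host} at {when}")
```

Running it bans only 203.0.113.10: the workstation in ignoreip is exempt despite three failures, and 198.51.100.7 never accumulates three failures within one 5-minute window, which is exactly why a short findtime alone does not stop a slow, spaced-out guessing attempt.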

2. Configuring Fail2ban:

After the installation finishes, you need to configure Fail2ban to suit your needs. Fail2ban's main configuration file is /etc/fail2ban/jail.conf. However, you should not edit this file directly, because it may be overwritten during updates. Instead, put your settings in /etc/fail2ban/jail.local.

Copy the default configuration from jail.conf to jail.local, as below:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Then edit the jail.local file:

If you want to follow my example configuration, you must already have openssh-server, apache2, mariadb-server (optional), phpmyadmin, postfix and dovecot installed. Once they are all installed, simply copy my example jail.local configuration file shown below:

sudo nano /etc/fail2ban/jail.local

Set up jail.local as shown below:

[INCLUDES]
#before = paths-distro.conf
before = paths-debian.conf
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# Ban for X amount of time
bantime = 604800
findtime = 3600
sender = fail2ban@lemabang.com
destemail = admin@lemabang.com
action = %(action_mwl)s
banaction = iptables-multiport
maxretry = 5
ignoreip = 127.0.0.1/8 192.168.1.254 
[sshd]
enabled = true
filter = sshd
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 3
findtime = 5m
bantime = 48h
ignoreip = 127.0.0.1/8 192.168.1.254
[apache-auth]
enabled = true
port     = http,https
filter = apache-auth
logpath  = %(apache_error_log)s
findtime = 5m
maxretry = 3
bantime = 48h
ignoreip = 127.0.0.1/8 192.168.1.254
[apache-badbots]
enabled = true
port     = http,https
filter = apache-badbots
logpath  = %(apache_access_log)s
findtime = 5m
bantime  = 48h
maxretry = 3
ignoreip = 127.0.0.1/8 192.168.1.254
[apache-noscript]
enabled = true
port     = http,https
filter = apache-noscript
logpath  = %(apache_error_log)s
findtime = 5m
maxretry = 3
bantime = 48h
ignoreip = 127.0.0.1/8 192.168.1.254
[apache-overflows]
enabled = true
port     = http,https
filter = apache-overflows
logpath  = %(apache_error_log)s
findtime = 5m
maxretry = 3
bantime = 48h
ignoreip = 127.0.0.1/8 192.168.1.254
[apache-nohome]
enabled = true
port     = http,https
filter = apache-nohome
logpath  = %(apache_error_log)s
findtime = 5m
maxretry = 3
bantime = 48h
ignoreip = 127.0.0.1/8 192.168.1.254
[apache-botsearch]
enabled = true
port     = http,https
filter = apache-botsearch
logpath  = %(apache_error_log)s
findtime = 5m
maxretry = 3
bantime = 48h
ignoreip = 127.0.0.1/8 192.168.1.254
[apache-fakegooglebot]
enabled = true
port     = http,https
filter = apache-fakegooglebot
logpath  = %(apache_access_log)s
findtime = 5m
maxretry = 3
bantime = 48h
ignoreip = 127.0.0.1/8 192.168.1.254
[apache-modsecurity]
enabled = true
port     = http,https
filter = apache-modsecurity
logpath  = %(apache_error_log)s
findtime = 5m
maxretry = 3
bantime = 48h
ignoreip = 127.0.0.1/8 192.168.1.254
[apache-shellshock]
enabled = true
port    = http,https
filter = apache-shellshock
logpath = %(apache_error_log)s
findtime = 5m
maxretry = 3
bantime = 48h
ignoreip = 127.0.0.1/8 192.168.1.254
[courier-smtp]
enabled = true
port     = smtp,465,submission
filter = courier-smtp
logpath  = %(syslog_mail)s
backend  = %(syslog_backend)s
findtime = 5m
maxretry = 3
bantime = 48h
ignoreip = 127.0.0.1/8 192.168.1.254
[postfix]
enabled = true
filter = postfix
mode    = more
port    = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
findtime = 5m
maxretry = 3
bantime = 48h
ignoreip = 127.0.0.1/8 192.168.1.254
[postfix-rbl]
enabled = true
filter   = postfix[mode=rbl]
port     = smtp,465,submission
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s
findtime = 5m
maxretry = 3
bantime = 48h
ignoreip = 127.0.0.1/8 192.168.1.254
[sendmail-auth]
enabled = true
port    = submission,465,smtp
filter   = sendmail-auth
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
findtime = 5m
maxretry = 3
bantime = 48h
ignoreip = 127.0.0.1/8 192.168.1.254
[dovecot]
enabled = true
filter = dovecot
port    = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s
findtime = 5m
maxretry = 3
bantime = 48h
ignoreip = 127.0.0.1/8 192.168.1.254
[postfix-sasl]
enabled = true
filter   = postfix[mode=auth]
port     = smtp,465,submission,imap,imaps,pop3,pop3s
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s
findtime = 5m
maxretry = 3
bantime = 48h
ignoreip = 127.0.0.1/8 192.168.1.254
[perdition]
enabled = true
port   = imap,imaps,pop3,pop3s
filter   = perdition
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
findtime = 5m
maxretry = 3
bantime = 48h
ignoreip = 127.0.0.1/8 192.168.1.254
[phpmyadmin-syslog]
enabled = true
port    = http,https
filter = phpmyadmin-syslog
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
findtime = 5m
maxretry = 2
bantime = 48h
ignoreip = 127.0.0.1/8 192.168.1.254

Don't forget to save; if you are using the nano editor, save by pressing CTRL + X, then Y, then ENTER.

Notes:

ignoreip = 192.168.1.254 is the IP address of the computer you use to access your server. 192.168.1.254 is a private IP address; if you have a static public IP, for example 172.168.243.165, replace 192.168.1.254 with it. The purpose is so that you are not banned automatically when you mistype your password while accessing your server over SSH, logging in to phpMyAdmin, or similar.

[DEFAULT]
# Ban for X amount of time
bantime = 604800
findtime = 3600
sender = fail2ban@lemabang.com
destemail = admin@lemabang.com
action = %(action_mwl)s
banaction = iptables-multiport
maxretry = 5
ignoreip = 127.0.0.1/8 192.168.1.254 


Note:
Adjust these to your own email address; edit the sender and destemail entries with the email you own:

sender = fail2ban@lemabang.com
destemail = admin@lemabang.com

The purpose of the settings above is that whenever Fail2ban raises an alert, it is sent automatically to your email.
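The [DEFAULT] block explained above supplies every value that an individual jail does not set itself, and the article's jail.local mixes two ways of writing durations (bantime = 604800 in seconds in [DEFAULT], bantime = 48h and findtime = 5m in the jails), so it is easy to misread what a jail will actually do. The following helper, written for this article and not part of Fail2ban, reads a jail.local and reports each enabled jail's effective bantime, findtime, maxretry and ignoreip together with where the value came from. The embedded excerpt is a constructed cut-down copy of the article's configuration in which the [apache-auth] entry deliberately sets only enabled/port/filter/logpath so that inheritance from [DEFAULT] is visible; the duration parser assumes the single-letter suffixes s, m, h, d, w, y or a bare number of seconds.

```python
"""Report the settings each Fail2ban jail ends up with after [DEFAULT]
inheritance. Added helper written for this article, not part of Fail2ban."""
import configparser
import re

# Constructed excerpt modelled on the article's jail.local. [sshd] overrides
# the defaults; [apache-auth] deliberately sets no thresholds of its own.
JAIL_LOCAL = """\
[INCLUDES]
before = paths-debian.conf

[DEFAULT]
# Ban for X amount of time
bantime = 604800
findtime = 3600
sender = fail2ban@lemabang.com
destemail = admin@lemabang.com
action = %(action_mwl)s
banaction = iptables-multiport
maxretry = 5
ignoreip = 127.0.0.1/8 192.168.1.254

[sshd]
enabled = true
filter = sshd
port    = ssh
logpath = %(sshd_log)s
maxretry = 3
findtime = 5m
bantime = 48h

[apache-auth]
enabled = true
port     = http,https
filter = apache-auth
logpath  = %(apache_error_log)s

[apache-badbots]
enabled = false
filter = apache-badbots
port = http,https
logpath = %(apache_access_log)s
"""

# Single-letter suffixes handled here; a bare number means seconds.
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800, "y": 31536000}


def to_seconds(value: str) -> int:
    """Convert '604800', '48h', '5m', '1d', ... to a number of seconds."""
    value = value.strip().lower()
    m = re.fullmatch(r"(\d+)\s*([a-z]?)", value)
    if not m or m.group(2) not in _UNITS:
        raise ValueError(f"unsupported duration: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def load_jails(text: str) -> configparser.ConfigParser:
    """Parse jail.local. Interpolation is off so %(sshd_log)s stays literal
    (Fail2ban resolves those names from paths-debian.conf, not configparser),
    and default_section is renamed so [DEFAULT] is read as an ordinary section
    and inherited values can be told apart from ones a jail sets itself."""
    cp = configparser.ConfigParser(interpolation=None, default_section="__unused__")
    cp.read_string(text)
    return cp


def lookup(cp: configparser.ConfigParser, jail: str, key: str):
    """Return (raw value, origin): the jail's own value, else the [DEFAULT] one."""
    if cp.has_option(jail, key):
        return cp.get(jail, key), jail
    if cp.has_option("DEFAULT", key):
        return cp.get("DEFAULT", key), "DEFAULT"
    raise KeyError(f"{key} is set neither in [{jail}] nor in [DEFAULT]")


def effective_settings(cp: configparser.ConfigParser, jail: str) -> dict:
    """Durations in seconds, each paired with the section that supplied it."""
    out = {}
    for key in ("bantime", "findtime"):
        raw, origin = lookup(cp, jail, key)
        out[key] = (to_seconds(raw), origin)
    raw, origin = lookup(cp, jail, "maxretry")
    out["maxretry"] = (int(raw), origin)
    raw, origin = lookup(cp, jail, "ignoreip")
    out["ignoreip"] = (raw.split(), origin)
    return out


def enabled_jails(cp: configparser.ConfigParser) -> list:
    """Jail sections with enabled = true, skipping the two non-jail sections."""
    return [s for s in cp.sections()
            if s not in ("INCLUDES", "DEFAULT")
            and cp.getboolean(s, "enabled", fallback=False)]


def report(cp: configparser.ConfigParser) -> list:
    """One human-readable line per enabled jail."""
    lines = []
    for jail in enabled_jails(cp):
        eff = effective_settings(cp, jail)
        lines.append(
            f"[{jail}] bantime={eff['bantime'][0]}s ({eff['bantime'][1]}) "
            f"findtime={eff['findtime'][0]}s ({eff['findtime'][1]}) "
            f"maxretry={eff['maxretry'][0]} ({eff['maxretry'][1]}) "
            f"ignoreip={' '.join(eff['ignoreip'][0])} ({eff['ignoreip'][1]})"
        )
    return lines


if __name__ == "__main__":
    for line in report(load_jails(JAIL_LOCAL)):
        print(line)
```

Run against the real file with load_jails(open("/etc/fail2ban/jail.local").read()) to see, for example, that the article's [sshd] ban of 48h is 172800 seconds while a jail that omits bantime inherits the 604800-second (one week) default; the ignoreip column is worth checking for every enabled jail, since a jail that overrides it without your own address can lock you out.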

For those using NGINX, the Fail2ban configuration looks like this:

[nginx-http-auth]
# mode = normal
enabled = true
filter = nginx-http-auth
port    = http,https
logpath = %(nginx_error_log)s
maxretry = 3
findtime = 5m
bantime = 48h
ignoreip = 127.0.0.1/8 192.168.1.254


[nginx-limit-req]
enabled = true
filter = nginx-limit-req
port    = http,https
logpath = %(nginx_error_log)s
maxretry = 3
findtime = 5m
bantime = 48h
ignoreip = 127.0.0.1/8 192.168.1.254

[nginx-botsearch]
enabled = true
filter = nginx-botsearch
port     = http,https
logpath  = %(nginx_error_log)s
maxretry = 3
findtime = 5m
bantime = 48h
ignoreip = 127.0.0.1/8 192.168.1.254

[nginx-bad-request]
enabled = true
filter = nginx-bad-request
port    = http,https
logpath = %(nginx_access_log)s
maxretry = 3
findtime = 5m
bantime = 48h
ignoreip = 127.0.0.1/8 192.168.1.254

[nginx-forbidden]
enabled = true
filter = nginx-forbidden
port     = http,https
logpath  = %(nginx_error_log)s
maxretry = 3
findtime = 5m
bantime = 48h
ignoreip = 127.0.0.1/8 192.168.1.254


[php-url-fopen]
enabled = true
filter = php-url-fopen
port    = http,https
logpath = %(nginx_access_log)s
          %(apache_access_log)s
maxretry = 3
findtime = 5m
bantime = 48h
ignoreip = 127.0.0.1/8 192.168.1.254

After configuring the jail.local file, the next step is to edit the fail2ban.conf file, as follows:

sudo nano /etc/fail2ban/fail2ban.conf

In fail2ban.conf, change the allowipv6 setting so that the line reads: allowipv6 = off

Don't forget to save so that the change to fail2ban.conf is applied.

3. Restarting Fail2ban:

After configuring Fail2ban, the next step is to restart the fail2ban service:

sudo systemctl restart fail2ban

To check whether Fail2ban is running or has failed, run: sudo systemctl status fail2ban

root@mail:~# sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; preset: enabled)
     Active: active (running) since Fri 2024-05-24 06:27:59 WIB; 1 day 3h ago
       Docs: man:fail2ban(1)
   Main PID: 771 (fail2ban-server)
      Tasks: 41 (limit: 9396)
     Memory: 29.1M (peak: 40.6M)
        CPU: 11min 4.944s
     CGroup: /system.slice/fail2ban.service
             └─771 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

May 24 06:27:59 mail systemd[1]: Started fail2ban.service - Fail2Ban Service.
May 24 06:27:59 mail fail2ban-server[771]: Server ready