SSH:Konfigurasi dengan Fail2ban: Difference between revisions
No edit summary |
|||
| Line 1: | Line 1: | ||
*Begin by creating a new file within the same directory called jail.local. You can then add the necessary security configurations for the sshd jail. | *Begin by creating a new file within the same directory called jail.local. You can then add the necessary security configurations for the sshd jail. | ||
<syntaxhighlight lang="shell"> | |||
vim /etc/fail2ban/jail.local | |||
</syntaxhighlight> | |||
*You can explore the options that Fail2Ban provides to customize the security and blocking of the SSH service. | *You can explore the options that Fail2Ban provides to customize the security and blocking of the SSH service. | ||
| Line 29: | Line 30: | ||
*With the information in table above you can create the jail.local configuration for OpenSSH server (sshd). Once you have entered the configuration options, the values used in this guide example are listed in the sample file below. | *With the information in table above you can create the jail.local configuration for OpenSSH server (sshd). Once you have entered the configuration options, the values used in this guide example are listed in the sample file below. | ||
<syntaxhighlight lang="shell" line="1"> | |||
[sshd] | |||
enabled = true | |||
port = ssh | |||
filter = sshd | |||
logpath = /var/log/auth.log | |||
maxretry = 3 | |||
findtime = 300 | |||
bantime = 3600 | |||
ignoreip = 127.0.0.1 | |||
</syntaxhighlight> | |||
*After you have specified the configuration options and their respective values, save the file and restart the Fail2Ban service with the following command: | *After you have specified the configuration options and their respective values, save the file and restart the Fail2Ban service with the following command: | ||
<syntaxhighlight lang="shell"> | |||
sudo systemctl restart fail2ban.service | |||
</syntaxhighlight> | |||
*After restarting the OpenSSH server service, Fail2Ban uses this new configuration and the jail for the sshd service is activated and runs. | *After restarting the OpenSSH server service, Fail2Ban uses this new configuration and the jail for the sshd service is activated and runs. | ||
*You can now test this functionality by re-enabling PasswordAuthentication in the OpenSSH Configuration file found in <code>/etc/ssh/sshd_config</code>. Do this by changing the value from no to yes using the text editor of your choice. Make sure these lines are uncommented. | *You can now test this functionality by re-enabling PasswordAuthentication in the OpenSSH Configuration file found in <code>/etc/ssh/sshd_config</code>. Do this by changing the value from no to yes using the text editor of your choice. Make sure these lines are uncommented. | ||
<syntaxhighlight lang="shell" line="1"> | |||
#To disable tunneled clear text passwords, change to no here! | #To disable tunneled clear text passwords, change to no here! | ||
PasswordAuthentication yes | |||
PermitEmptyPasswords no | |||
</syntaxhighlight> | |||
*This allows users to use passwords for authentication in addition to SSH key-pairs. Fail2Ban automatically detects brute-force attempts on SSH and blocks the users automatically. This greatly improves the security of both password based authentication and the server and is useful for user accounts that do not have administrator privileges. | *This allows users to use passwords for authentication in addition to SSH key-pairs. Fail2Ban automatically detects brute-force attempts on SSH and blocks the users automatically. This greatly improves the security of both password based authentication and the server and is useful for user accounts that do not have administrator privileges. | ||