Fail2ban checks the logs in /var/log/auth.log or /var/log/secure to detect IPs that are up to no good :-p . A suspect's IP is blocked automatically by iptables once it has failed to log in several times within a given period 😡
Ubuntu:
sudo apt-get install fail2ban
CentOS:
sudo yum install fail2ban

Edit /etc/fail2ban/jail.conf:
# The admin is emailed whenever there is any suspicious activity
action = %(action_mwl)s

# Configuration for SSH. 3000 is how long (in seconds) we block the hacker's IP.
[ssh]
enabled = true
port = ssh
filter = sshd
# /var/log/auth.log or /var/log/secure, whichever log the system uses
logpath = /var/log/auth.log
maxretry = 3
bantime = 3000
Fail2ban at work, from /var/log/fail2ban:
2012-11-03 11:00:46,909 fail2ban.actions: WARNING [ssh] Ban 172.140.150.6
2012-11-03 11:10:47,475 fail2ban.actions: WARNING [ssh] Unban 172.140.150.6
2012-11-04 04:00:53,286 fail2ban.actions: WARNING [ssh] Ban 64.175.229.250
2012-11-04 04:10:53,801 fail2ban.actions: WARNING [ssh] Unban 64.175.229.250
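Added example (not part of the original post): a Python check that pairs the Ban/Unban lines of the log above and compares each observed ban length with the bantime set in jail.conf. The function names and the 5-second tolerance are assumptions of this example; on the four sample lines the bans last about 600 seconds while the config above sets 3000.

```python
import re
from datetime import datetime

# Line format as it appears in the log excerpt on this page.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.actions: "
    r"WARNING \[(?P<jail>[^\]]+)\] (?P<event>Ban|Unban) (?P<ip>\S+)$"
)

# The four log lines shown on this page, one event per line.
SAMPLE_LOG = """\
2012-11-03 11:00:46,909 fail2ban.actions: WARNING [ssh] Ban 172.140.150.6
2012-11-03 11:10:47,475 fail2ban.actions: WARNING [ssh] Unban 172.140.150.6
2012-11-04 04:00:53,286 fail2ban.actions: WARNING [ssh] Ban 64.175.229.250
2012-11-04 04:10:53,801 fail2ban.actions: WARNING [ssh] Unban 64.175.229.250
"""


def ban_durations(lines):
    """Pair each Ban with the next Unban for the same (jail, ip).

    Returns (completed, still_banned): completed is a list of
    (jail, ip, seconds); still_banned maps (jail, ip) to the ban time.
    """
    open_bans, completed = {}, []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a Ban/Unban action line
        key = (m["jail"], m["ip"])
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if m["event"] == "Ban":
            open_bans.setdefault(key, ts)  # keep the first Ban if it repeats
        elif key in open_bans:
            seconds = int((ts - open_bans.pop(key)).total_seconds())
            completed.append((*key, seconds))
    return completed, open_bans


def bantime_mismatches(completed, configured, tolerance=5):
    """Bans whose observed length is not the configured bantime.

    tolerance (assumed value) absorbs timestamps truncated to whole seconds.
    """
    return [c for c in completed if abs(c[2] - configured) > tolerance]


if __name__ == "__main__":
    done, active = ban_durations(SAMPLE_LOG.splitlines())
    for jail, ip, secs in bantime_mismatches(done, configured=3000):
        print(f"[{jail}] {ip}: banned {secs}s, jail.conf says 3000s")
```

When the two values differ, check that the jail section you edited is the one the running fail2ban actually loaded.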
The iptables rules:
Chain fail2ban-ssh (1 references)
target     prot opt source               destination
DROP       all  --  58.17.36.25          0.0.0.0/0
DROP       all  --  78.111.96.38         0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
Hi,

The IP 56.17.36.25 has just been banned by Fail2Ban after 3 attempts against ssh.

Here are more information about 56.17.36.115: