SSH
Use the fail2ban service
to block SSH brute-force attacks from various countries.
sudo apt install fail2ban
# fail2ban reads jail.local as an override of jail.conf; a file named local.conf is never read
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo vi /etc/fail2ban/jail.local
# Add ignoreip e.g. 127.0.0.1/8 36.0.0.1/8
sudo service fail2ban restart
Block SSH Bruteforce
sudo vi /etc/fail2ban/jail.local
[DEFAULT]
# Ban hosts for one hour:
bantime = 3600
ignoreip = 127.0.0.1/8
# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport
[sshd]
enabled = true
Detect 404 requests using Fail2ban
Create sample log.
vi /tmp/404.log
Paste.
221.0.183.42 - - [03/Oct/2018:01:37:17 +0700] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 5618 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0"
Create new filter.
sudo vi /etc/fail2ban/filter.d/apache-404.conf
Paste.
[Definition]
failregex = ^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$
ignoreregex =
Test.
$ sudo fail2ban-regex /tmp/404.log /etc/fail2ban/filter.d/apache-404.conf
Running tests
=============
Use failregex filter file : apache-404, basedir: /etc/fail2ban
Use log file : /tmp/404.log
Use encoding : UTF-8
Results
=======
Failregex: 1 total
|- #) [# of hits] regular expression
| 1) [1] ^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [1] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-
Lines: 1 lines, 0 ignored, 1 matched, 0 missed
[processed in 0.00 sec]
Add new rule.
sudo vi /etc/fail2ban/jail.local
Paste.
# ban clients that trigger 404/444/403/400 responses (filter apache-404)
[apache-404]
enabled = true
filter = apache-404
action = iptables-multiport[name=overflows, port="http,https"]
# point this at the web server's real access log
# (e.g. /var/log/apache2/access.log or /var/log/nginx/access.log on Debian/Ubuntu)
logpath = /var/log/httpd/access_log
bantime = 3600
maxretry = 1
ignoreip = 127.0.0.1
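As an added illustration (not part of the original notes and not fail2ban's own code), this Python script reproduces what the filter and jail above do together: it expands <HOST> with a simplified IPv4 pattern (fail2ban's real pattern also covers IPv6 and hostnames), applies the apache-404 failregex to constructed access-log lines, honours ignoreip, and reports which hosts would be banned at maxretry = 1. The sample log lines and HOST_RE are assumptions; fail2ban also strips the timestamp before matching, which does not change the result here.

```python
import re
import ipaddress
from collections import defaultdict

# fail2ban replaces <HOST> with a named group; this is a simplified
# IPv4-only version of that pattern (assumption for this example).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The apache-404 failregex from the filter above, with <HOST> expanded.
FAILREGEX = re.compile(r'^' + HOST_RE + r'.*"(GET|POST).*" (404|444|403|400) .*$')

# Jail settings taken from jail.local: ban on the first hit, skip ignoreip.
MAXRETRY = 1
IGNOREIP = [ipaddress.ip_network("127.0.0.1/8", strict=False)]

# Constructed sample access-log lines (not captured from a real server).
SAMPLE_LOG = """\
221.0.183.42 - - [03/Oct/2018:01:37:17 +0700] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 5618 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Oct/2018:01:38:02 +0700] "GET /index.html HTTP/1.1" 200 1234 "-" "curl/7.58.0"
127.0.0.1 - - [03/Oct/2018:01:38:10 +0700] "GET /missing HTTP/1.1" 404 196 "-" "curl/7.58.0"
198.51.100.9 - - [03/Oct/2018:01:39:00 +0700] "POST /wp-login.php HTTP/1.1" 403 0 "-" "python-requests/2.19"
"""


def is_ignored(host):
    """True if the host falls inside any ignoreip network."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in IGNOREIP)


def scan(log_text):
    """Return (hits per host, set of hosts that reach maxretry)."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue                      # status not in the 4xx list: no hit
        host = m.group("host")
        if is_ignored(host):
            continue                      # whitelisted by ignoreip
        hits[host] += 1
    banned = {h for h, n in hits.items() if n >= MAXRETRY}
    return dict(hits), banned


if __name__ == "__main__":
    hits, banned = scan(SAMPLE_LOG)
    for host, n in hits.items():
        print(f"{host}: {n} hit(s){' -> BAN' if host in banned else ''}")
```

Run it to see that the 200 response produces no hit and the loopback 404 is skipped by ignoreip.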
Adjust the time zone so log timestamps match the system clock; otherwise fail2ban may treat fresh hits as already expired.
sudo apt install tzdata &&
sudo dpkg-reconfigure tzdata &&
sudo systemctl restart rsyslog &&
sudo systemctl restart nginx &&
sudo systemctl restart fail2ban
Verify.
sudo fail2ban-client status apache-404