
How to Install and Configure Fail2Ban for SSH Security


Fail2Ban is intrusion-prevention software that protects servers against brute-force attacks. It watches log files (or the systemd journal) for authentication failures, counts them per source address, and temporarily bans any address that exceeds a threshold, which removes most of the noise such attacks generate. It is a rate limiter in front of an authentication service, not a replacement for key-based SSH authentication.

1. Installing Fail2Ban

Installing on Different Distributions

# Ubuntu/Debian
sudo apt update
sudo apt install fail2ban -y

# CentOS/RHEL/Rocky Linux
sudo yum install epel-release -y
sudo yum install fail2ban -y

# Fedora
sudo dnf install fail2ban -y

# Arch Linux
sudo pacman -S fail2ban

# Verify the installation
fail2ban-server --version
fail2ban-client --version

Starting and Enabling the Service

# Start fail2ban
sudo systemctl start fail2ban

# Start automatically at boot
sudo systemctl enable fail2ban

# Check the service status
sudo systemctl status fail2ban

# Verify that the server answers and list the active jails
sudo fail2ban-client status

2. Basic Fail2Ban Configuration

Configuration Layout

/etc/fail2ban/
├── fail2ban.conf       # Daemon settings (log level, log target, database)
├── jail.conf           # Default jail definitions; replaced on upgrade, do not edit
├── jail.d/             # Drop-in jail overrides (*.conf, *.local)
├── jail.local          # Your jail overrides (read after jail.conf)
├── filter.d/           # Filters: the failregex for each service
│   ├── sshd.conf
│   └── apache-auth.conf
└── action.d/           # Actions: what to run on ban and unban
    ├── iptables-multiport.conf
    └── sendmail-whois.conf

Jail Configuration for SSH

# Back up the default file for reference. jail.conf is overwritten by package
# upgrades, so never edit it directly: every override goes in jail.local.
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.backup

# Create the custom configuration
sudo nano /etc/fail2ban/jail.local

File contents:

[DEFAULT]
# "ignoreip" lists addresses and networks that are never banned. The ranges
# below are examples (loopback plus two private networks); replace them with
# your own office, VPN and monitoring addresses.
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24 10.0.0.0/8

# "bantime" is the ban duration in seconds (1 hour = 3600); suffixes such as
# 1h, 1d and 1w are also accepted
bantime = 3600

# "findtime" is the window, in seconds, within which failures are counted
findtime = 600

# "maxretry" is the number of failures inside findtime that triggers a ban
maxretry = 3

# Log backend (auto, pyinotify, polling, systemd). "auto" tails log files;
# "systemd" reads the journal and ignores logpath. Keep "auto" here and
# select "systemd" per jail for services that only log to the journal.
backend = auto

# Email notification (optional; needs a working MTA on the host)
destemail = admin@example.com
sender = fail2ban@example.com
mta = sendmail

# Default action: ban only, no mail (action_ = banaction without notification)
action = %(action_)s

[sshd]
enabled = true
port = ssh
filter = sshd
# Read sshd messages from the systemd journal; logpath is then ignored. This
# is required on Debian 12+ where rsyslog is not installed and /var/log/auth.log
# does not exist. Where sshd does log to a file, drop this line and keep
# logpath (Debian/Ubuntu: /var/log/auth.log, RHEL/Rocky: /var/log/secure).
backend = systemd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
findtime = 600

# Ban, then mail a whois report on the banned address (action_mw)
action = %(action_mw)s
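
To see how findtime, maxretry, bantime and ignoreip interact before touching a live host, here is an added example (not code from this article or from the Fail2Ban project) that replays a constructed auth.log excerpt through the same decision rule the [sshd] jail above applies. The log lines, the hostnames and addresses, the year 2026 assumed for the syslog timestamps and the simplified <HOST> expansion are all assumptions of the example; the two failure patterns are modelled on filter.d/sshd.conf but are not copied from it.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Syslog timestamps carry no year; the constructed sample is dated 2026.
YEAR = 2026

# Constructed /var/log/auth.log excerpt: a fast brute-forcer (203.0.113.7),
# a whitelisted host that also fails three times (192.168.1.20) and a slow
# attacker spacing attempts 15 minutes apart (198.51.100.9).
SAMPLE_AUTH_LOG = """\
Feb  3 10:00:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Feb  3 10:00:04 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Feb  3 10:00:09 web1 sshd[1203]: Failed password for root from 203.0.113.7 port 50130 ssh2
Feb  3 10:00:15 web1 sshd[1205]: Accepted publickey for deploy from 192.168.1.20 port 41022 ssh2
Feb  3 10:01:00 web1 sshd[1207]: Failed password for root from 192.168.1.20 port 41030 ssh2
Feb  3 10:01:05 web1 sshd[1207]: Failed password for root from 192.168.1.20 port 41030 ssh2
Feb  3 10:01:10 web1 sshd[1207]: Failed password for root from 192.168.1.20 port 41030 ssh2
Feb  3 10:05:00 web1 sshd[1210]: Failed password for invalid user test from 198.51.100.9 port 60000 ssh2
Feb  3 10:20:00 web1 sshd[1211]: Failed password for invalid user test from 198.51.100.9 port 60001 ssh2
Feb  3 10:35:00 web1 sshd[1212]: Failed password for invalid user test from 198.51.100.9 port 60002 ssh2
"""

# Patterns modelled on filter.d/sshd.conf, written in Fail2Ban's <HOST> notation.
SSHD_FAILREGEX = [
    r"Failed (?:password|publickey) for (?:invalid user )?\S+ from <HOST>",
    r"Invalid user \S+ from <HOST>",
]

# Simplified stand-in for Fail2Ban's <HOST> expansion: IPv4/IPv6 literals only
# (the real one also accepts hostnames and IPv4-mapped IPv6 addresses).
HOST_RE = r"(?P<host>[0-9a-fA-F:.]+)"
SYSLOG_TS = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")


def compile_failregex(patterns):
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def parse_failure(line, regexes):
    """Return (timestamp, host) when the line is an authentication failure, else None."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    for rx in regexes:
        hit = rx.search(line)
        if hit:
            return ts, hit.group("host")
    return None


def simulate_jail(log_text, failregex, ignoreip, maxretry, findtime, bantime):
    """Replay the log and return {host: ban_expiry} as the jail would decide it."""
    regexes = compile_failregex(failregex)
    ignore_nets = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    window = {}   # host -> failure timestamps still inside findtime
    bans = {}     # host -> datetime at which the ban expires
    for line in log_text.splitlines():
        hit = parse_failure(line, regexes)
        if hit is None:
            continue
        ts, host = hit
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue   # hostname rather than an address: outside this simplified example
        if any(ip in net for net in ignore_nets):
            continue   # ignoreip: never counted, never banned
        # Sliding window: only failures within the last findtime seconds count.
        recent = [t for t in window.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        recent.append(ts)
        window[host] = recent
        if len(recent) >= maxretry and host not in bans:
            bans[host] = ts + timedelta(seconds=bantime)
    return bans


def simulate_sshd_jail():
    """The [sshd] jail above: ignoreip from [DEFAULT], maxretry 3, findtime 600, bantime 3600."""
    return simulate_jail(
        SAMPLE_AUTH_LOG, SSHD_FAILREGEX,
        ignoreip=["127.0.0.1/8", "::1", "192.168.1.0/24", "10.0.0.0/8"],
        maxretry=3, findtime=600, bantime=3600,
    )


if __name__ == "__main__":
    for host, until in simulate_sshd_jail().items():
        print(f"ban {host} until {until:%Y-%m-%d %H:%M:%S}")
```

Run as-is, only 203.0.113.7 is banned: the whitelisted host is never counted, and the slow attacker's three failures never fall inside one 600-second window. Widen findtime to 3600 in the call and the slow attacker is banned as well. That is the trade-off the two parameters encode: a longer findtime catches low-and-slow guessing at the price of more false positives from legitimate users who mistype a password a few times over an hour.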

Configuration for Other Services

# Apache/Nginx: HTTP basic-auth failures written to the web server error log
[apache-auth]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/error.log
maxretry = 3

[nginx-http-auth]
enabled = true
port = http,https
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 3

# MySQL/MariaDB: "Access denied" lines only reach the error log when warning
# logging is raised (log_warnings=2 on MariaDB and MySQL 5.x,
# log_error_verbosity=3 on MySQL 8); without that the jail sees nothing
[mysqld-auth]
enabled = true
port = 3306
filter = mysqld-auth
logpath = /var/log/mysql/error.log
maxretry = 3

# vsftpd: the log path depends on the distribution and on the xferlog/log
# settings in vsftpd.conf; confirm the file exists before enabling the jail
[vsftpd]
enabled = true
port = ftp,ftp-data
filter = vsftpd
logpath = /var/log/vsftpd.log
maxretry = 3

3. Advanced Configuration

Custom Filter for a Specific Application

# Create a custom filter for your own application
sudo nano /etc/fail2ban/filter.d/myapp.conf
[Definition]
# Fail2Ban removes the timestamp matched by datepattern before applying
# failregex, so "^" anchors at the first character after the date.
# <HOST> is expanded by Fail2Ban to match an IPv4/IPv6 address or hostname.
failregex = ^.*Failed login attempt from <HOST>
            ^.*Invalid credentials from <HOST>
            ^.*Authentication failed for \S+ from <HOST>

# Lines matching ignoreregex are never counted, even if failregex matches.
# Left empty here: a successful login does not match the patterns above anyway.
ignoreregex =

# ISO 8601 timestamp at the beginning of the line. Fail2Ban's default date
# detector already recognises this format, so the line is optional; "%%" is
# doubled because .conf values go through Python string interpolation.
datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
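
Before enabling a jail on a new filter, check that every failure line matches and every other line does not. On a host with Fail2Ban installed that check is `fail2ban-regex /var/log/myapp.log /etc/fail2ban/filter.d/myapp.conf`; the added example below (not from this article or from Fail2Ban) reproduces the essential part of that check offline: it strips the leading ISO timestamp the way datepattern would, expands <HOST> with a simplified address-only pattern, and reports which constructed lines each failregex matched. The myapp log format, the lines and the addresses are assumptions of the example.

```python
import re

# Constructed /var/log/myapp.log excerpt (ISO 8601 timestamp first). Line 5
# deliberately uses a wording the filter does not cover.
SAMPLE_MYAPP_LOG = """\
2026-02-03 10:00:01 myapp: Failed login attempt from 203.0.113.7 (user=admin)
2026-02-03 10:00:03 myapp: Invalid credentials from 2001:db8::1
2026-02-03 10:00:05 myapp: Authentication failed for alice from 198.51.100.9
2026-02-03 10:00:07 myapp: Successful login from 192.168.1.20
2026-02-03 10:00:09 myapp: Failed login attempt by bob at 203.0.113.7
"""

# The failregex lines from filter.d/myapp.conf above, in Fail2Ban's <HOST> notation.
MYAPP_FAILREGEX = [
    r"^.*Failed login attempt from <HOST>",
    r"^.*Invalid credentials from <HOST>",
    r"^.*Authentication failed for \S+ from <HOST>",
]
MYAPP_IGNOREREGEX = []   # the filter leaves ignoreregex empty

# Counterpart of the datepattern: the ISO timestamp at line start, which
# Fail2Ban removes before failregex is applied.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?\s*")

# Simplified stand-in for Fail2Ban's <HOST> expansion (IPv4/IPv6 literals only).
HOST_RE = r"(?P<host>[0-9a-fA-F:.]+)"


def compile_patterns(patterns):
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def check_filter(log_text, failregex, ignoreregex):
    """Return (hits, misses).

    hits   -> list of (line_no, host, failregex_index) for lines a failregex matched
    misses -> line numbers no failregex matched (ignored lines appear in neither)
    """
    fail_rx = compile_patterns(failregex)
    ignore_rx = compile_patterns(ignoreregex)
    hits, misses = [], []
    for n, line in enumerate(log_text.splitlines(), start=1):
        body = DATE_RE.sub("", line, count=1)   # what failregex actually sees
        if any(rx.search(body) for rx in ignore_rx):
            continue   # ignoreregex wins over failregex
        for i, rx in enumerate(fail_rx):
            m = rx.search(body)
            if m:
                hits.append((n, m.group("host"), i))
                break
        else:
            misses.append(n)
    return hits, misses


def check_myapp_filter():
    return check_filter(SAMPLE_MYAPP_LOG, MYAPP_FAILREGEX, MYAPP_IGNOREREGEX)


if __name__ == "__main__":
    hits, misses = check_myapp_filter()
    for n, host, i in hits:
        print(f"line {n}: failregex #{i + 1} matched host {host}")
    print("lines with no match:", misses)
```

Lines 1 to 3 match, line 4 (the successful login) correctly does not, and line 5 shows the value of the check: the application emits a second wording for the same failure, so the filter needs a fourth failregex before the jail will count it. Like fail2ban-regex, the function reports which pattern matched, which is how you find a pattern that never fires and can be removed.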

Banning Repeat Offenders with recidive

# Jail for repeat offenders: it reads Fail2Ban's own log, so an address that
# keeps getting banned by other jails is banned on all ports for a week
sudo nano /etc/fail2ban/jail.local
[recidive]
enabled = true
filter = recidive
logpath = /var/log/fail2ban.log
# %(action_abuseipdb)s only reports the address; keep %(action_)s in the list
# or no ban is applied at all
action = %(action_)s
         %(action_abuseipdb)s[abuseipdb_apikey="YOUR_API_KEY", abuseipdb_category="18,22"]
banaction = %(banaction_allports)s
bantime = 1w
findtime = 1d

Custom Action for Notifications

sudo nano /etc/fail2ban/action.d/notify.conf
[Definition]
# Nothing to do on start, stop or check; actionban sends one mail per ban.
# printf %%b turns the \n sequences into the blank lines the mail format needs
# ("%%" is doubled because of configuration interpolation).
actionstart =
actionstop =
actioncheck =
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip>
              From: Fail2Ban <<sender>>
              To: <dest>\n
              Hi,\n
              The jail <name> has just banned <ip> after <failures> failed authentication attempts.\n
              Regards,\n
              Fail2Ban" | <mailcmd> -f <sender> <dest> 2>/dev/null
actionunban =

[Init]
# sendmail reads the headers from stdin; -f sets the envelope sender.
# Use it next to the ban action in a jail, overriding the recipient as needed:
#   action = %(action_)s
#            notify[dest="soc@example.com"]
mailcmd = /usr/sbin/sendmail
dest = root
sender = fail2ban@localhost

4. Monitoring and Management

Checking Fail2Ban Status

# Overall status: number of jails and their names
sudo fail2ban-client status

# Status of one jail: failures seen, bans, and the current banned list
sudo fail2ban-client status sshd

# Only the banned addresses of the sshd jail (the list is a single line)
sudo fail2ban-client status sshd | grep "Banned IP list"

# All banned addresses across every jail (newer Fail2Ban releases)
sudo fail2ban-client banned

# Follow the log
sudo tail -f /var/log/fail2ban.log

Manual Management

# Ban an address manually (several addresses may be listed)
sudo fail2ban-client set sshd banip 192.168.1.100

# Unban an address
sudo fail2ban-client set sshd unbanip 192.168.1.100

# Change bantime at runtime (seconds; lost on restart unless written to jail.local)
sudo fail2ban-client set sshd bantime 7200

# Change maxretry at runtime
sudo fail2ban-client set sshd maxretry 5

# Reload the configuration without stopping the server
sudo fail2ban-client reload

# Restart fail2ban (bans with time remaining are restored from its database)
sudo systemctl restart fail2ban

Viewing Active Bans in iptables or nftables

# Chains are named f2b-<jail>, one per jail (iptables-multiport banaction)
sudo iptables -L f2b-sshd -n --line-numbers

# With the nftables banaction everything lives in the table "f2b-table"
sudo nft list table inet f2b-table

# Statistics
sudo fail2ban-client status sshd | grep -E "Currently|Total"

5. Integration with Other Tools

AbuseIPDB Integration

# Merge into the existing [sshd] jail in jail.local, replacing its action line.
# %(action_abuseipdb)s only reports, so it is listed after %(action_)s or the
# ban itself is skipped. Attach it to the jails whose categories fit
# (18 = brute-force, 22 = SSH) rather than to [DEFAULT], where every jail
# would report with SSH categories. The API key is a secret: chmod 640 the file.
[sshd]
action = %(action_)s
         %(action_abuseipdb)s[abuseipdb_apikey="your-api-key", abuseipdb_category="18,22"]

Slack/Discord Notifications

# Create a webhook action
sudo nano /etc/fail2ban/action.d/slack-notify.conf
[Definition]
actionstart =
actionstop =
actioncheck =
# Slack expects {"text": ...}; a Discord webhook expects {"content": ...} instead
actionban = curl -sS -X POST -H 'Content-type: application/json' \
              --data '{"text":"IP <ip> has been banned from jail <name> after <failures> failed attempts"}' \
              <webhook>
# actionunban also runs for every banned address when the jail stops or
# reloads, so expect a burst of messages then (leave it empty if unwanted)
actionunban = curl -sS -X POST -H 'Content-type: application/json' \
              --data '{"text":"IP <ip> has been unbanned from jail <name>"}' \
              <webhook>

[Init]
# The webhook URL is a credential: keep it here, restrict the file to root,
# and enable the action next to the ban action in a jail:
#   action = %(action_)s
#            slack-notify
webhook = https://hooks.slack.com/services/YOUR/WEBHOOK/URL

Conclusion

Fail2Ban is a useful component of a defense-in-depth strategy. Configured correctly, it slows brute-force attacks to a crawl and keeps their noise out of your log files; it does not make a weak password safe.

Fail2Ban Security Checklist:

  • Whitelist trusted addresses (office, VPN, monitoring, static IPs) in ignoreip
  • Choose a sensible maxretry (usually 3-5) together with findtime and bantime
  • Review banned addresses regularly
  • Review the logs for false positives
  • Adjust the configuration as your applications change
  • Back up the configuration before modifying it

Important Warnings:

  • Always whitelist your own office/VPN address before enabling a jail, or you can lock yourself out
  • Test the configuration in staging first
  • Watch for false positives after deployment
  • Consider key-based authentication for SSH; Fail2Ban limits guessing, it does not stop it

Alternative Tools:

  • SSHGuard: lightweight alternative for SSH protection
  • DenyHosts: Python-based log analyzer
  • SSH Brute Force Blocker: simple iptables-based solution
  • CrowdSec: modern, collaborative intrusion prevention

Original post: https://www.tirinfo.com/cara-install-konfigurasi-fail2ban-keamanan-ssh/

Hendra Wijaya
Tirinfo
3 February 2026