Best Practice -- Install & Configure Fail2Ban (SSH Protection)

Overview

Fail2Ban is an intrusion prevention tool that reads service logs (such as SSH's) and automatically bans an IP address when a brute-force attack is detected.

This document describes how to install and configure Fail2Ban to protect SSH (sshd).


1. Install Fail2Ban

sudo apt update
sudo apt install fail2ban -y

Enable the service and make sure it is running:

sudo systemctl enable fail2ban
sudo systemctl start fail2ban
sudo systemctl status fail2ban

2. Best-Practice Configuration (Do Not Edit jail.conf)

Default file: /etc/fail2ban/jail.conf

Best practice: keep your changes in the override file jail.local, which takes precedence over jail.conf

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Or create it manually:

sudo nano /etc/fail2ban/jail.local

3. Global Configuration (Recommended)

Edit the file: /etc/fail2ban/jail.local

Add or adjust:

[DEFAULT]
bantime  = 1h
findtime = 10m
maxretry = 5
backend  = systemd

Parameters:

  • bantime  : how long an IP stays blocked
  • findtime : time window in which failed attempts are counted
  • maxretry : maximum failed attempts before a ban
  • backend  : use systemd on modern distributions


4. Enable Protection for SSHD

Add to the same file:

[sshd]
enabled  = true
port     = ssh
logpath  = %(sshd_log)s
backend  = systemd
maxretry = 5
bantime  = 1h

If you use a custom SSH port (for example 2222):

port = 2222

5. Restart & Validate

Restart the service:

sudo systemctl restart fail2ban

Check the active jails:

sudo fail2ban-client status

Check the sshd jail details:

sudo fail2ban-client status sshd

6. Monitoring & Logs

View the Fail2Ban log:

sudo journalctl -u fail2ban

Or:

sudo tail -f /var/log/fail2ban.log
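The two commands above only show the raw log. As an added example (not part of Fail2Ban or of this guide), the following script parses lines in the layout fail2ban.log uses and summarises what the sshd jail has done: how many failed attempts were matched per source IP, which IPs were banned, and which are still banned after unbans. SAMPLE_LOG is a constructed input whose addresses come from the 192.0.2.0/24 documentation range; on a real host you would feed it the file or the output of journalctl -u fail2ban.

```python
"""Summarise Fail2Ban log output: matches, bans and unbans per jail and per IP.

Added example, not Fail2Ban code. SAMPLE_LOG is constructed to look like
/var/log/fail2ban.log (the same messages appear in journalctl -u fail2ban);
the addresses come from the 192.0.2.0/24 documentation range.
"""
import re
from collections import Counter

# Message layout: "<date> <time>,<ms> fail2ban.<component> [<pid>]: <LEVEL> [<jail>] <event> <ip> ..."
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ "
    r"fail2ban\.(?P<component>\w+)\s+\[\d+\]: (?P<level>[A-Z]+)\s+"
    r"\[(?P<jail>[^\]]+)\] (?P<event>Restore Ban|Ban|Unban|Found|Ignore) (?P<ip>\S+)"
)

SAMPLE_LOG = """\
2024-05-01 10:23:39,001 fail2ban.filter         [842]: INFO    [sshd] Found 192.0.2.10 - 2024-05-01 10:23:38
2024-05-01 10:23:40,002 fail2ban.filter         [842]: INFO    [sshd] Found 192.0.2.10 - 2024-05-01 10:23:39
2024-05-01 10:23:41,003 fail2ban.filter         [842]: INFO    [sshd] Found 192.0.2.10 - 2024-05-01 10:23:40
2024-05-01 10:23:42,004 fail2ban.filter         [842]: INFO    [sshd] Found 192.0.2.10 - 2024-05-01 10:23:41
2024-05-01 10:23:43,005 fail2ban.filter         [842]: INFO    [sshd] Found 192.0.2.10 - 2024-05-01 10:23:42
2024-05-01 10:23:43,120 fail2ban.actions        [842]: NOTICE  [sshd] Ban 192.0.2.10
2024-05-01 10:30:00,000 fail2ban.filter         [842]: INFO    [sshd] Found 192.0.2.77 - 2024-05-01 10:29:59
2024-05-01 10:31:00,000 fail2ban.filter         [842]: INFO    [sshd] Ignore 192.0.2.1 by ip
2024-05-01 11:23:43,500 fail2ban.actions        [842]: NOTICE  [sshd] Unban 192.0.2.10
2024-05-01 11:24:00,000 fail2ban.jail           [842]: INFO    Jail 'sshd' started
2024-05-01 11:24:05,000 fail2ban.actions        [842]: NOTICE  [sshd] Restore Ban 192.0.2.55
"""


def summarize(log_text):
    """Parse log lines into event counts, per-IP match counts and the currently banned set."""
    events = Counter()   # (jail, event) -> count
    found = Counter()    # (jail, ip) -> number of failed attempts the filter matched
    banned = {}          # jail -> set of IPs banned and not yet unbanned
    unmatched = 0        # lines without a per-IP event (jail start/stop, errors, ...)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            unmatched += 1
            continue
        jail, event, ip = m["jail"], m["event"], m["ip"]
        events[(jail, event)] += 1
        if event == "Found":
            found[(jail, ip)] += 1
        elif event in ("Ban", "Restore Ban"):   # Restore Ban: ban re-applied from the database at startup
            banned.setdefault(jail, set()).add(ip)
        elif event == "Unban":
            banned.get(jail, set()).discard(ip)
    return {
        "events": events,
        "found": found,
        "currently_banned": {jail: sorted(ips) for jail, ips in banned.items()},
        "unmatched": unmatched,
    }


def top_sources(summary, jail="sshd", limit=5):
    """IPs with the most matched failures in a jail, most active first."""
    per_ip = Counter({ip: n for (j, ip), n in summary["found"].items() if j == jail})
    return per_ip.most_common(limit)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for (jail, event), n in sorted(report["events"].items()):
        print(f"{jail:10} {event:12} {n}")
    print("currently banned:", report["currently_banned"])
    print("top sources:", top_sources(report))
```

Counting Found events per IP is the useful part for tuning: an IP that keeps appearing with four matches and never reaches maxretry is probing just under the threshold, which is a reason to lower maxretry or lengthen findtime rather than wait for a Ban line.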

7. Manually Unban an IP

If a false positive occurs:

sudo fail2ban-client set sshd unbanip <IP_ADDRESS>

Example:

sudo fail2ban-client set sshd unbanip 192.168.1.10

8. Additional SSH Hardening (Highly Recommended)

Edit the SSH configuration:

sudo nano /etc/ssh/sshd_config

Disable Root Login:

PermitRootLogin no

Disable password authentication (use SSH keys instead):

PasswordAuthentication no

Optional -- change the default SSH port:

Port 2222

Restart SSH:

sudo systemctl restart ssh
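Setting the three directives above is only half the job: sshd uses the first value it reads for each keyword, and any line after a Match block belongs to that block. Hardening lines appended to the bottom of a file that already sets PasswordAuthentication, or that ends with a Match block, are silently ignored. The following checker is an added example (not OpenSSH code and not part of this guide) that reads an sshd_config text with those two rules and reports whether PermitRootLogin and PasswordAuthentication are actually in force globally. Both sample configs are constructed.

```python
"""Check an sshd_config for the hardening directives above (PermitRootLogin no,
PasswordAuthentication no), applying sshd's own precedence rules.

Added example, not OpenSSH code. Two rules matter: for each keyword the first
value read wins, and every directive after a Match line applies only when that
Match's criteria hold. Both sample configs are constructed.
"""
import re

EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
}

# A common mistake: appending the hardening lines to the end of a file that
# already sets PasswordAuthentication and ends with a Match block.
MISTAKEN_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
Port 2222
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
# appended later, but still inside "Match User backup":
PermitRootLogin no
PasswordAuthentication no
"""

HARDENED_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
Port 2222
PermitRootLogin no
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""


def parse_global_directives(text):
    """Return (global first-values, Include paths, keywords seen only under Match)."""
    globals_, includes, conditional = {}, [], set()
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # sshd accepts "Key value" and "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()  # keywords are case-insensitive
        if key == "match":
            in_match = value.lower() != "all"  # "Match all" applies to every connection again
            continue
        if key == "include":
            includes.append(value)  # included files are read at this point, so their values come first
            continue
        if in_match:
            conditional.add(key)
            continue
        globals_.setdefault(key, value)  # first obtained value wins
    return globals_, includes, conditional


def check_hardening(text):
    """Map each expected keyword to 'ok', 'missing', 'match-only' or the wrong value found."""
    globals_, includes, conditional = parse_global_directives(text)
    report = {}
    for key, want in EXPECTED.items():
        got = globals_.get(key)
        if got is None:
            report[key] = "match-only" if key in conditional else "missing"
        elif got.lower() == want:
            report[key] = "ok"
        else:
            report[key] = f"set to {got!r}, expected {want!r}"
    return report, includes


if __name__ == "__main__":
    for name, cfg in (("mistaken", MISTAKEN_CONFIG), ("hardened", HARDENED_CONFIG)):
        report, includes = check_hardening(cfg)
        print(name, report, "includes:", includes)
```

On a live host the authoritative check is `sudo sshd -T`, which prints the values the daemon will actually use. Note the Include line: on distributions whose stock sshd_config begins with an Include of sshd_config.d, those files are read first, so a PasswordAuthentication yes dropped there by another package wins over anything you add to the main file.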

9. Production Hardening Settings (Internet-Facing Server)

Example of a stricter configuration:

[DEFAULT]
bantime  = 24h
findtime = 10m
maxretry = 3

Permanent ban:

bantime = -1
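Whether the stricter [DEFAULT] above actually reaches the sshd jail depends on inheritance: a value written directly under [sshd] (as in section 4, which sets bantime = 1h and maxretry = 5) wins over [DEFAULT], so tightening only the global section leaves sshd at the looser values. The script below is an added example (not Fail2Ban's own tooling and not part of this guide) for sections 3, 4 and 9: it reads a jail.local, resolves [DEFAULT] inheritance the way Fail2Ban does, converts the time units (1h, 10m, -1) to seconds and reports the effective sshd settings together with warnings, including that override. SAMPLE_JAIL_LOCAL is constructed from this guide's own snippets; the default values used when a key is absent (bantime 10m, findtime 10m, maxretry 5, backend auto) are those of the stock jail.conf.

```python
"""Resolve the effective Fail2Ban jail settings from a jail.local.

Added example for sections 3, 4 and 9 of this guide; it is not part of Fail2Ban.
SAMPLE_JAIL_LOCAL is constructed from the guide's own snippets: the stricter
[DEFAULT] of section 9 combined with the [sshd] jail of section 4.
"""
import configparser
import re

# Unit suffixes Fail2Ban accepts in bantime/findtime, mapped to seconds.
_UNITS = {
    "": 1, "s": 1, "sec": 1, "second": 1, "seconds": 1,
    "m": 60, "min": 60, "minute": 60, "minutes": 60,
    "h": 3600, "hour": 3600, "hours": 3600,
    "d": 86400, "day": 86400, "days": 86400,
    "w": 604800, "week": 604800, "weeks": 604800,
}

SAMPLE_JAIL_LOCAL = """\
[DEFAULT]
bantime  = 24h
findtime = 10m
maxretry = 3
backend  = systemd

[sshd]
enabled  = true
port     = ssh
logpath  = %(sshd_log)s
backend  = systemd
maxretry = 5
bantime  = 1h
"""


def parse_duration(value):
    """Convert '1h', '10m', '600' or '1d 12h' to seconds; '-1' (permanent ban) stays -1."""
    value = value.strip()
    if value == "-1":
        return -1
    parts = re.findall(r"(\d+)\s*([A-Za-z]*)", value)
    if not parts:
        raise ValueError(f"cannot parse duration {value!r}")
    total = 0
    for number, unit in parts:
        if unit.lower() not in _UNITS:
            raise ValueError(f"unknown time unit {unit!r} in {value!r}")
        total += int(number) * _UNITS[unit.lower()]
    return total


def effective_jail(config_text, jail="sshd"):
    """Return (settings, warnings) for one jail after [DEFAULT] inheritance."""
    # interpolation=None: jail.local contains %(sshd_log)s, which Fail2Ban expands, not us.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    if not cp.has_section(jail):
        return None, [f"no [{jail}] section: the jail is not defined"]
    sec = cp[jail]  # lookups here fall back to [DEFAULT], as Fail2Ban does
    settings = {
        "enabled": sec.getboolean("enabled", fallback=False),
        "port": sec.get("port", "ssh"),
        "backend": sec.get("backend", "auto"),
        "maxretry": sec.getint("maxretry", fallback=5),
        "bantime": parse_duration(sec.get("bantime", "10m")),
        "findtime": parse_duration(sec.get("findtime", "10m")),
    }
    warnings = []
    if not settings["enabled"]:
        warnings.append(f"[{jail}] is not enabled")
    if settings["backend"] != "systemd":
        warnings.append(f"[{jail}] backend is {settings['backend']!r}; the guide recommends systemd")
    if settings["maxretry"] > 5:
        warnings.append(f"maxretry={settings['maxretry']} is above the recommended maximum of 5")
    if settings["bantime"] != -1 and settings["bantime"] < settings["findtime"]:
        warnings.append("bantime is shorter than findtime; bans expire while the retry window is still open")
    # A value written directly under the jail wins over [DEFAULT]: tightening only
    # [DEFAULT] (as in section 9) changes nothing for keys the jail sets itself.
    raw = configparser.ConfigParser(interpolation=None, default_section="__none__")
    raw.read_string(config_text)  # here [DEFAULT] is an ordinary section, so we can see who set what
    if raw.has_section("DEFAULT"):
        for key in ("bantime", "findtime", "maxretry"):
            if (raw.has_option(jail, key) and raw.has_option("DEFAULT", key)
                    and raw.get(jail, key) != raw.get("DEFAULT", key)):
                warnings.append(
                    f"[{jail}] {key}={raw.get(jail, key)} overrides [DEFAULT] {key}={raw.get('DEFAULT', key)}")
    return settings, warnings


if __name__ == "__main__":
    effective, notes = effective_jail(SAMPLE_JAIL_LOCAL)
    print(effective)
    for note in notes:
        print("WARNING:", note)
```

Run against the constructed sample, the effective sshd bantime is 3600 seconds and maxretry is 5, not the 24h and 3 written under [DEFAULT]. For the production profile to apply, either remove bantime and maxretry from the [sshd] section so they inherit, or change them there as well; sudo fail2ban-client get sshd bantime shows what the running daemon actually uses.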

10. Security Checklist

Make sure that:

  • SSH does not allow root login
  • SSH uses key-based authentication
  • Fail2Ban is active and monitoring sshd
  • The firewall (UFW / iptables) is configured
  • The system is updated regularly

Security is layered, not a single control.