Pada saat kita melakukan monitoring jaringan, seringkali ada orang iseng yang ingin mencoba keamanan sistem kita dengan berbagai macam teknik, salah satunya yaitu brute force. Serangan ini mencoba untuk masuk ke sistem kita dengan menggunakan user dan password acak berulangkali.
Untuk menangkal serangan tersebut, kita perlu mengidentifikasi dulu jenis serangan tersebut.
Pada sistem operasi ubuntu atau linux pada umumnya, aktivitas login user bisa dilihat di /var/log/auth.log.

1. Identifikasi brute-force pada login SSH
Buka terminal konsol, lalu ketikkan perintah berikut:

grep sshd.\*Failed /var/log/auth.log | less

Contoh outputnya sebagai berikut:

· Aug 18 11:00:57 izxvps sshd[5657]: Failed password for root from 95.58.255.62 port 38980 ssh2
· Aug 18 23:08:26 izxvps sshd[5768]: Failed password for root from 91.205.189.15 port 38156 ssh2
· Aug 18 23:08:30 izxvps sshd[5770]: Failed password for nobody from 91.205.189.15 port 38556 ssh2
· Aug 18 23:08:34 izxvps sshd[5772]: Failed password for invalid user asterisk from 91.205.189.15 port 38864 ssh2
· Aug 18 23:08:38 izxvps sshd[5774]: Failed password for invalid user sjobeck from 91.205.189.15 port 39157 ssh2
· Aug 18 23:08:42 izxvps sshd[5776]: Failed password for root from 91.205.189.15 port 39467 ssh2

2. Identifikasi failed connections (antisipasi percobaan user untuk login atau sistem kita sedang di scan):
Gunakan perintah berikut:

grep sshd.*Did /var/log/auth.log | less

Contoh:

·  Aug  5 22:19:10 izxvps sshd[7748]: Did not receive identification string from 70.91.222.121
·  Aug 10 19:39:49 izxvps sshd[1919]: Did not receive identification string from 50.57.168.154
·  Aug 13 23:08:04 izxvps sshd[3562]: Did not receive identification string from 87.216.241.19
·  Aug 17 15:49:07 izxvps sshd[5350]: Did not receive identification string from 211.22.67.238
·  Aug 19 06:28:43 izxvps sshd[5838]: Did not receive identification string from 59.151.37.10

Cara Menangkal Serangan Brute Force Login pada SSH
· Ganti port SSH ke port yang tidak standart (default port ssh adalah 22)
· Atau Install script auto-ban seperti fail2ban

Berikut ini keterangan mengenai fail2ban

Fail2ban monitors log files (e.g. /var/log/auth.log, /var/log/apache/access.log) and temporarily or persistently bans failure-prone addresses by updating existing firewall rules. Fail2ban allows easy specification of different actions to be taken such as to ban an IP using iptables or hostsdeny rules, or simply to send a notification email.

By default, it comes with filter expressions for various services (sshd, apache, qmail, proftpd, sasl etc.) but configuration can be easily extended for monitoring any other text file. All filters and actions are given in the config files, thus fail2ban can be adopted to be used with a variety of files and firewalls.