How to Install and Configure Fail2Ban for SSH Security

6 min read

Fail2Ban is intrusion prevention software that protects servers from brute-force attacks. By monitoring log files and banning suspicious IPs, Fail2Ban significantly improves the security of your server.

1. Installing Fail2Ban

Installing on Various Distros

# Ubuntu/Debian
sudo apt update
sudo apt install fail2ban -y

# CentOS/RHEL/Rocky Linux
sudo yum install epel-release -y
sudo yum install fail2ban -y

# Fedora
sudo dnf install fail2ban -y

# Arch Linux
sudo pacman -S fail2ban

# Verify the installation
fail2ban-server --version
fail2ban-client --version

Starting and Enabling the Service

# Start fail2ban
sudo systemctl start fail2ban

# Enable automatic start at boot
sudo systemctl enable fail2ban

# Check the service status
sudo systemctl status fail2ban

# Verify that fail2ban is running
sudo fail2ban-client status

2. Basic Fail2Ban Configuration

Configuration Structure

/etc/fail2ban/
├── fail2ban.conf       # Main configuration
├── jail.conf           # Default jail configuration
├── jail.local          # Custom jail configuration (overrides jail.conf)
├── filter.d/           # Filter directory
│   ├── sshd.conf
│   └── apache-auth.conf
└── action.d/           # Action directory
    ├── iptables-multiport.conf
    └── sendmail-whois.conf

Jail Configuration for SSH

# Back up the default file
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.backup

# Create the custom configuration
sudo nano /etc/fail2ban/jail.local

File contents:

[DEFAULT]
# "ignoreip" can hold a list of whitelisted IPs
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24 10.0.0.0/8

# "bantime" is the ban duration in seconds (1 hour = 3600)
bantime = 3600

# "findtime" is the time window in which attempts are counted
findtime = 600

# "maxretry" is the number of attempts before a ban
maxretry = 3

# Backend for log monitoring (auto, systemd, gamin, polling)
backend = systemd

# Email notification (optional)
destemail = [email protected]
sender = [email protected]
mta = sendmail

# Default action
action = %(action_)s

[sshd]
enabled = true
port = ssh
filter = sshd
# With backend = systemd the sshd filter reads the journal and logpath is not used
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
findtime = 600
# Custom action for SSH
action = %(action_mw)s
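Before enabling the jail it is worth confirming that your own addresses fall inside ignoreip, since a mistyped range locks you out. The Python script below is an added example, not code from the post or from fail2ban: it parses a constructed jail.local excerpt with configparser (which, like fail2ban, serves [DEFAULT] values to every jail unless the jail overrides them) and reports which admin addresses would not be whitelisted; hostnames in ignoreip are skipped, an assumption of this example.

```python
import configparser
import ipaddress

# Constructed jail.local excerpt reproducing the [DEFAULT] block above.
JAIL_LOCAL = """
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24 10.0.0.0/8
bantime = 3600
findtime = 600
maxretry = 3

[sshd]
enabled = true
port = ssh
maxretry = 3
"""


def load_ignoreip(text, jail="sshd"):
    """Return the ignoreip networks that apply to a jail.

    configparser exposes [DEFAULT] keys in every section, so a jail-level
    ignoreip overrides the default one the same way fail2ban resolves it."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %(action_)s literal
    cp.read_string(text)
    nets = []
    for token in cp.get(jail, "ignoreip", fallback="").split():
        try:
            # strict=False accepts host bits, e.g. 127.0.0.1/8 -> 127.0.0.0/8
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            continue  # hostnames are valid in ignoreip; skipped here (assumption)
    return nets


def is_whitelisted(ip, nets):
    """True if ip falls inside any ignoreip network (IPv4/IPv6 never cross-match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def missing_whitelist(admin_ips, nets):
    """Admin addresses NOT covered by ignoreip, i.e. the ones that could be locked out."""
    return [ip for ip in admin_ips if not is_whitelisted(ip, nets)]


if __name__ == "__main__":
    # Constructed admin addresses: an office LAN host, a VPN host and a public IP.
    nets = load_ignoreip(JAIL_LOCAL)
    print("not whitelisted:", missing_whitelist(["192.168.1.55", "10.8.0.2", "203.0.113.7"], nets))
```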

Configuration for Other Services

# Apache/Nginx
[apache-auth]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/error.log
maxretry = 3

[nginx-http-auth]
enabled = true
port = http,https
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 3

# MySQL/MariaDB
[mysqld-auth]
enabled = true
port = 3306
filter = mysqld-auth
logpath = /var/log/mysql/error.log
maxretry = 3

# vsftpd
[vsftpd]
enabled = true
port = ftp,ftp-data
filter = vsftpd
logpath = /var/log/vsftpd.log
maxretry = 3

3. Advanced Configuration

Custom Filter for a Specific Application

# Create a custom filter for your application
sudo nano /etc/fail2ban/filter.d/myapp.conf
[Definition]
failregex = ^.*Failed login attempt from <HOST>.*$
            ^.*Invalid credentials from <HOST>.*$
            ^.*Authentication failed for .* from <HOST>.*$

ignoreregex = ^.*Successful login from <HOST>.*$

datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)? ^[^ ]\s{SYSLOGTIMESTAMP[ :]:<DATE-ISO>}

# Test the filter against your application's log before enabling a jail for it
sudo fail2ban-regex /path/to/myapp.log /etc/fail2ban/filter.d/myapp.conf
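The authoritative check is fail2ban-regex against a real log file, but the filter's logic can also be exercised offline. The Python script below is an added example, not code from the post or from fail2ban: it expands <HOST> with a simplified IPv4/IPv6 pattern (an assumption; fail2ban's own host pattern is richer) and applies the failregex and ignoreregex of myapp.conf to constructed log lines, counting a line only when a failregex matches and no ignoreregex does.

```python
import re

# Simplified stand-in for the <HOST> tag that fail2ban expands in failregex.
# fail2ban's own host pattern also covers hostnames and bracketed IPv6; this
# one is an assumption of the example and matches bare IPv4 or IPv6 only.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9A-Fa-f:]+)"

# The failregex lines and the ignoreregex from myapp.conf.
FAILREGEX = [
    r"^.*Failed login attempt from <HOST>.*$",
    r"^.*Invalid credentials from <HOST>.*$",
    r"^.*Authentication failed for .* from <HOST>.*$",
]
IGNOREREGEX = [r"^.*Successful login from <HOST>.*$"]


def compile_filter(patterns):
    """Expand <HOST> and compile, as fail2ban does when it loads a filter."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def match_hosts(lines, failregex=FAILREGEX, ignoreregex=IGNOREREGEX):
    """Hosts that count as failures, in log order: a line counts only when
    a failregex matches and no ignoreregex matches (first failregex wins)."""
    fails = compile_filter(failregex)
    ignores = compile_filter(ignoreregex)
    hosts = []
    for line in lines:
        if any(r.search(line) for r in ignores):
            continue
        for r in fails:
            m = r.search(line)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


# Constructed sample application log lines (not from a real system).
SAMPLE_LOG = [
    "2024-05-01 10:00:01 myapp: Failed login attempt from 203.0.113.7",
    "2024-05-01 10:00:05 myapp: Invalid credentials from 203.0.113.7 user=admin",
    "2024-05-01 10:00:09 myapp: Successful login from 198.51.100.2",
    "2024-05-01 10:00:12 myapp: Authentication failed for bob from 2001:db8::1",
    "2024-05-01 10:00:15 myapp: Session closed for 203.0.113.7",
]

if __name__ == "__main__":
    for host in match_hosts(SAMPLE_LOG):
        print("failure from", host)
```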

Rate Limiting with Recidive

# Jail for repeat offenders
sudo nano /etc/fail2ban/jail.local
[recidive]
enabled = true
filter = recidive
logpath = /var/log/fail2ban.log
action = %(action_abuseipdb)s[abuseipdb_apikey="YOUR_API_KEY", abuseipdb_category="18,22"]
banaction = %(banaction_allports)s
bantime = 1w
findtime = 1d
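The recidive jail works by reading fail2ban's own log and counting "Ban" notices per IP inside findtime. The Python script below is an added example, not code from the post or from fail2ban: it parses constructed fail2ban.log lines with a regex modelled on the ban notice format (an assumption) and flags IPs banned maxretry times within findtime = 1d; maxretry is not set in the jail above, so it inherits 3 from [DEFAULT].

```python
import re
from datetime import datetime

# Shape of a ban notice in /var/log/fail2ban.log, e.g.
#   2024-05-01 10:00:01,120 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.7
# The regex is an assumption of this example, modelled on that shape.
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:,\d+)?\s+fail2ban\.actions"
    r"\s+\[\d+\]:\s+NOTICE\s+\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)$"
)


def parse_bans(lines):
    """Yield (timestamp, jail, ip) for each ban notice; Unban and other lines are skipped."""
    for line in lines:
        m = BAN_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["jail"], m["ip"]


def recidive_candidates(lines, findtime=86400, maxretry=3):
    """IPs banned at least maxretry times within findtime seconds, in the order flagged.

    Mirrors the recidive jail: findtime = 1d, maxretry inherited (3).
    Bans from every jail count towards the same IP."""
    recent = {}
    flagged = []
    for ts, _jail, ip in sorted(parse_bans(lines)):
        window = [t for t in recent.get(ip, []) if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry and ip not in flagged:
            flagged.append(ip)
    return flagged


# Constructed sample fail2ban.log lines (not from a real system).
SAMPLE_LOG = [
    "2024-05-01 10:00:01,120 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.7",
    "2024-05-01 11:30:00,000 fail2ban.actions [1234]: NOTICE [sshd] Unban 203.0.113.7",
    "2024-05-01 12:00:05,331 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.7",
    "2024-05-01 12:30:00,000 fail2ban.actions [1234]: NOTICE [nginx-http-auth] Ban 198.51.100.9",
    "2024-05-02 09:59:00,000 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.7",
    "2024-05-03 15:00:00,000 fail2ban.actions [1234]: NOTICE [sshd] Ban 198.51.100.9",
]

if __name__ == "__main__":
    print("recidive would ban:", recidive_candidates(SAMPLE_LOG))
```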

Custom Action for Notifications

sudo nano /etc/fail2ban/action.d/notify.conf
[Definition]
# Notification command
actionstart =
actionstop =
actioncheck =
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip>
            From: Fail2Ban <<sender>>
            To: <dest>

            Hi,

            The jail <name> has just banned <ip> for <failures> failed authentication attempts.

            Regards,
            Fail2Ban" | <mailcmd> -t <dest> 2>/dev/null

actionunban =

[Init]
mailcmd = /usr/bin/mail

4. Monitoring and Management

Checking Fail2Ban Status

# Overall status
sudo fail2ban-client status

# Status of a specific jail
sudo fail2ban-client status sshd

# View banned IPs
sudo fail2ban-client status sshd | grep "Banned IP list"

# Banned IP details
sudo fail2ban-client status sshd | grep -A 10 "Banned IP list"

# Check the log
sudo tail -f /var/log/fail2ban.log

Manual Management

# Ban an IP manually
sudo fail2ban-client set sshd banip 192.168.1.100

# Unban an IP
sudo fail2ban-client set sshd unbanip 192.168.1.100

# Set bantime dynamically
sudo fail2ban-client set sshd bantime 7200

# Set maxretry dynamically
sudo fail2ban-client set sshd maxretry 5

# Reload the configuration without restarting
sudo fail2ban-client reload

# Restart fail2ban
sudo systemctl restart fail2ban

Viewing Active Bans with iptables

# List the fail2ban chain for SSH (newer fail2ban versions name it f2b-sshd)
sudo iptables -L fail2ban-ssh -n --line-numbers

# Or with nftables
sudo nft list chain inet fail2ban input

# Statistics
sudo fail2ban-client status sshd | grep -E "Currently|Total"

5. Integration with Other Tools

Integration with AbuseIPDB

# Add to jail.local
[DEFAULT]
action = %(action_abuseipdb)s[abuseipdb_apikey="your-api-key", abuseipdb_category="18,22"]

Slack/Discord Notifications

# Create an action for the webhook
sudo nano /etc/fail2ban/action.d/slack-notify.conf
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = curl -X POST -H 'Content-type: application/json' \
              --data '{"text":"IP <ip> has been banned from <name> after <failures> failed attempts"}' \
              https://hooks.slack.com/services/YOUR/WEBHOOK/URL
actionunban = curl -X POST -H 'Content-type: application/json' \
              --data '{"text":"IP <ip> has been unbanned from <name>"}' \
              https://hooks.slack.com/services/YOUR/WEBHOOK/URL

[Init]

Conclusion

Fail2Ban is an important component of a defense-in-depth security strategy. With the right configuration, Fail2Ban can stop brute-force attacks and reduce the noise in your log files.

Fail2Ban Security Checklist:
– Whitelist trusted IPs (office, VPN, static IPs)
– Set an appropriate maxretry (usually 3-5)
– Monitor banned IPs regularly
– Review logs for false positives
– Update the configuration as your applications require
– Back up the configuration before modifying it

Important Warnings:
– Always whitelist your office/VPN IP
– Test the configuration in staging first
– Monitor for false positives after deployment
– Consider using key-based authentication for SSH

Alternative Tools:
SSHGuard: A lightweight alternative for SSH protection
DenyHosts: Python-based log analyzer
SSH Brute Force Blocker: Simple iptables-based solution
CrowdSec: Modern, collaborative intrusion prevention

Written by

Hendra Wijaya
