Securing a CyberPanel Server with Fail2ban and Firewalld

Once Firewalld has been enabled on CyberPanel, it should be combined with Fail2ban to counter attacks on the server from outside: Fail2ban detects attack patterns in the logs and blocks the suspicious IP addresses. The steps are as follows.

Install Fail2ban

  • First install Fail2ban on the CyberPanel server by running the following commands:

CentOS / RHEL / Rocky / AlmaLinux

sudo dnf install epel-release -y
sudo dnf install fail2ban -y
sudo systemctl start fail2ban
sudo systemctl enable fail2ban

Ubuntu / Debian

sudo apt update
sudo apt install fail2ban -y
sudo systemctl start fail2ban
sudo systemctl enable fail2ban

Create a Firewalld action that blocks (drops) an IP permanently

  • run the following command:
sudo nano /etc/fail2ban/action.d/firewalld-drop.conf
  • fill it with:
[Definition]
# On ban, add a permanent drop rich-rule for IPv4 and IPv6. Fail2ban replaces <ip>
# with the banned address; the family that does not fit the address fails harmlessly
# thanks to "|| true". One command per line: a continuation line that begins with
# "&&" would be a shell syntax error when Fail2ban runs the action.
actionban = firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='<ip>' drop" || true
            firewall-cmd --permanent --add-rich-rule="rule family='ipv6' source address='<ip>' drop" || true
            firewall-cmd --reload || true

# On unban, remove the permanent drop rich-rule again
actionunban = firewall-cmd --permanent --remove-rich-rule="rule family='ipv4' source address='<ip>' drop" || true
              firewall-cmd --permanent --remove-rich-rule="rule family='ipv6' source address='<ip>' drop" || true
              firewall-cmd --reload || true
  • restart Fail2ban
systemctl restart fail2ban

Creating Filters in Fail2ban

  • Copy the jail configuration to jail.local

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  • Create the WordPress filter

Run the following command:

nano /etc/fail2ban/filter.d/wordpress.conf

fill it with:

[Definition]
# WordPress brute force & abuse protection for LiteSpeed / CyberPanel

failregex = ^<HOST> - - \[.*\] "(GET|POST|HEAD) /(wp-login\.php).*" (200|401|403|404) .*
            ^<HOST> - - \[.*\] "(GET|POST|HEAD) /(xmlrpc\.php).*" (200|401|403|404) .*
            ^<HOST> - - \[.*\] "(GET|POST|HEAD) /(wp-admin).*" (200|401|403|404) .*
            ^<HOST> - - \[.*\] "(GET|POST|HEAD) /(wp-json).*" (200|401|403|404) .*
            ^<HOST> - - \[.*\] "(GET|POST|HEAD) /(.*\?author=.*)" (200|401|403|404) .*

ignoreregex =

restart fail2ban

systemctl restart fail2ban
  • Create the CyberPanel filter

Run the following command:

nano /etc/fail2ban/filter.d/cyberpanel.conf

fill it with:

[Definition]
failregex = Authentication failed for user .* from <HOST>
ignoreregex =
  • Create a filter to protect against exploit scanning

Run the following command:

nano /etc/fail2ban/filter.d/generic-scan.conf

fill it with:

[Definition]
# attack pattern: requests for sensitive files (the <HOST> tag captures the client IP)
failregex = ^<HOST> - - .*"(GET|POST) /(config\.json|\.env|settings\.json|wp-config\.php|xmlrpc\.php|phpinfo\.php|\.git|login)\b

# do not match (ignore) when the user-agent contains a well-known crawler name.
# The user-agent is client-controlled, so this only spares well-behaved crawlers;
# it does not stop a scanner that spoofs one of these names.
ignoreregex = .*"[^"]*(Googlebot|Bingbot|bingpreview|Slurp|Baiduspider|YandexBot|DuckDuckBot|Applebot|facebookexternalhit)[^"]*"$

restart fail2ban

systemctl restart fail2ban
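Before enabling a jail it is worth checking that its failregex really matches the access log lines and that the ignoreregex spares the crawlers it is meant to. The Python script below is an added example, not part of the original post or of Fail2ban: it applies the wordpress and generic-scan patterns from above to constructed LiteSpeed-style access log lines, replacing `<HOST>` with an IPv4-only stand-in (an assumption; real Fail2ban also matches IPv6 addresses and hostnames) and counting hits per host the way a jail counts them towards maxretry.

```python
import re

# Stand-in for Fail2ban's <HOST> tag (assumption: IPv4 only; real Fail2ban
# also matches IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# failregex / ignoreregex copied from the wordpress and generic-scan filters.
WORDPRESS_FAIL = [
    r'^<HOST> - - \[.*\] "(GET|POST|HEAD) /(wp-login\.php).*" (200|401|403|404) .*',
    r'^<HOST> - - \[.*\] "(GET|POST|HEAD) /(xmlrpc\.php).*" (200|401|403|404) .*',
]
GENERIC_FAIL = [
    r'^<HOST> - - .*"(GET|POST) /(config\.json|\.env|wp-config\.php|\.git|login)\b',
]
GENERIC_IGNORE = [
    r'.*"[^"]*(Googlebot|Bingbot|YandexBot)[^"]*"$',
]

def failure_counts(lines, failregex, ignoreregex=()):
    """Count failregex hits per host, skipping lines that any ignoreregex
    matches (this mirrors how a jail counts failures towards maxretry)."""
    fails = [re.compile(p.replace("<HOST>", HOST)) for p in failregex]
    ignores = [re.compile(p.replace("<HOST>", HOST)) for p in ignoreregex]
    counts = {}
    for line in lines:
        if any(r.search(line) for r in ignores):
            continue
        for r in fails:
            m = r.match(line)
            if m:
                counts[m.group("host")] = counts.get(m.group("host"), 0) + 1
                break
    return counts

def hosts_to_ban(lines, failregex, ignoreregex=(), maxretry=5):
    """Hosts that reached maxretry hits (findtime is not modelled here)."""
    return sorted(h for h, c in failure_counts(lines, failregex, ignoreregex).items()
                  if c >= maxretry)

# Constructed LiteSpeed/Apache-style access log lines (not real traffic).
SAMPLE = [
    '203.0.113.5 - - [01/Jan/2025:10:00:01 +0700] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2025:10:00:02 +0700] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2025:10:00:03 +0700] "GET /.env HTTP/1.1" 404 0 "-" "python-requests/2.31"',
    '198.51.100.9 - - [01/Jan/2025:10:00:04 +0700] "GET /wp-config.php HTTP/1.1" 403 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '192.0.2.20 - - [01/Jan/2025:10:00:05 +0700] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("wordpress:", failure_counts(SAMPLE, WORDPRESS_FAIL))
    print("generic-scan:", failure_counts(SAMPLE, GENERIC_FAIL, GENERIC_IGNORE))
```

On the live server the same check against the real filter files is `fail2ban-regex /usr/local/lsws/logs/access.log /etc/fail2ban/filter.d/generic-scan.conf`, which also reports how many lines the ignoreregex discarded.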
  • Create a filter to block bots scanning for WordPress files

Run the following command:

nano /etc/fail2ban/filter.d/wp-probe.conf

fill it with:

[Definition]
# each pattern starts with the <HOST> tag so Fail2ban knows which IP to ban
failregex =
    ^<HOST> - - \[.*\] "(?:GET|POST) /(wp-login\.php|xmlrpc\.php|wp-admin(?:/|/index\.php)?|wp-includes/[^ ]+|wp-config(?:\.php)?|readme\.html|\.env)\b
    ^<HOST> - - \[.*\] ".*" \d+ \d+ "-" ".*(zgrab|masscan|sqlmap|nikto|Shopify Security Inspector|curl|wget|python-requests).*"
    ^<HOST> - - \[.*\] "(?:GET|POST) /wp-includes/.*wp-login\.php\b.*" (?:200|301|302|403|404|401)

ignoreregex =

restart fail2ban

systemctl restart fail2ban

Applying the Fail2ban Filters

Edit the jail file to apply the filters

sudo nano /etc/fail2ban/jail.local

find and change this section:

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

to:

#[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
#port    = ssh
#logpath = %(sshd_log)s
#backend = %(sshd_backend)s

Add the following at the very bottom of the file:

[sshd]
enabled = true
port = ssh
filter = sshd
# /var/log/secure is the CentOS/RHEL path; on Ubuntu/Debian use /var/log/auth.log
logpath = /var/log/secure
maxretry = 5
bantime = -1
action = firewalld-drop[name=sshd]

[cyberpanel]
enabled = true
filter = cyberpanel
port = 8090
logpath = /usr/local/lscp/logs/error.log
maxretry = 5
bantime = -1
action = firewalld-drop[name=cyberpanel]


[wordpress]
enabled = true
filter = wordpress
port = http,https
logpath = /usr/local/lsws/logs/access.log
maxretry = 5
findtime = 600
bantime = -1
action   = firewalld-drop

[generic-scan]
enabled = true
filter = generic-scan
logpath = /usr/local/lsws/logs/access.log
maxretry = 3
findtime = 600
bantime = -1
action = firewalld-drop

[wp-probe]
enabled  = true
filter   = wp-probe
logpath  = /usr/local/lsws/logs/access.log
port     = http,https
maxretry = 5
findtime = 600
bantime  = -1
action   = firewalld-drop

restart fail2ban

systemctl restart fail2ban
twahyudi
