Session 7

SSH and FTP Service Configuration

Secure remote access and file transfer services

Learning Objectives

After completing this lab, students will be able to:

  • Understand the concepts and architecture of the SSH (Secure Shell) and FTP (File Transfer Protocol) services
  • Install and configure an SSH server for secure remote access
  • Install and configure an FTP server (vsftpd) for file transfer
  • Harden the SSH and FTP services
  • Test and troubleshoot the SSH and FTP services

Background Theory

SSH (Secure Shell) Concepts
End-to-End Encryption

Encrypted communication between client and server

Public Key Authentication

Passwordless authentication using key pairs

Port Forwarding

Tunneling connections securely through SSH

FTP (File Transfer Protocol) Concepts
Active Mode
The server initiates the data connection
Passive Mode
The client initiates the data connection
FTPS
FTP with SSL/TLS encryption
SFTP
SSH File Transfer Protocol
Comparison of File Transfer Protocols
Protocol  Port                       Encryption  Security   Usage
FTP       21 (control), 20 (data)    ❌ No       Low        Internal network only
FTPS      990 (control), 989 (data)  ✅ SSL/TLS  High       Secure file transfer
SFTP      22 (SSH)                   ✅ SSH      Very high  Secure shell file transfer
SCP       22 (SSH)                   ✅ SSH      Very high  Simple file copy
SSH Key Components
Public Key

Shared with the server for authentication

ssh-rsa AAAAB3NzaC1yc2E... user@host

Stored in: ~/.ssh/authorized_keys

Private Key

Stored securely on the client machine

-----BEGIN RSA PRIVATE KEY-----

Stored in: ~/.ssh/id_rsa

SSH Server Configuration

1. Install OpenSSH Server
sudo apt update
sudo apt install openssh-server -y

# Check the service status
sudo systemctl status ssh
2. Basic SSH Server Configuration
sudo nano /etc/ssh/sshd_config

# Change the following settings:
# Change the default port to reduce brute-force attacks
Port 2222
# Forbid direct login as root
PermitRootLogin no
# Allow password authentication
PasswordAuthentication yes
# Allow public key authentication
PubkeyAuthentication yes
# Allow only specific users (optional)
AllowUsers user1 user2

# Save and restart SSH:
sudo systemctl restart ssh
sudo systemctl enable ssh
3. Hardening the SSH Server
sudo nano /etc/ssh/sshd_config

# Add the security settings:
# Limit login attempts
MaxAuthTries 3
# Set the connection timeout
ClientAliveInterval 300
ClientAliveCountMax 2
# Use protocol 2 only (OpenSSH 7.4 and later support only protocol 2 and treat this option as deprecated)
Protocol 2
PermitEmptyPasswords no
X11Forwarding no

# Restart SSH:
sudo systemctl restart ssh
4. Create an SSH Key Pair for More Secure Authentication
# On the client, generate a key pair
ssh-keygen -t rsa -b 4096 -C "user@client"

# Copy the public key to the server
ssh-copy-id -p 2222 user1@192.168.100.10

# Or copy it manually:
cat ~/.ssh/id_rsa.pub | ssh -p 2222 user1@192.168.100.10 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
5. Testing the SSH Connection from the Client
# With a password
ssh -p 2222 user1@192.168.100.10

# With key authentication
ssh -i ~/.ssh/id_rsa -p 2222 user1@192.168.100.10

# With verbose output for debugging
ssh -vvv -p 2222 user1@192.168.100.10

FTP Server Configuration (vsftpd)

1. Install vsftpd
sudo apt install vsftpd -y
2. Basic vsftpd Configuration
sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.backup
sudo nano /etc/vsftpd.conf

# Edit the configuration (vsftpd allows comments only on their own lines, and no spaces around "="):
# Disable anonymous access
anonymous_enable=NO
# Allow local users to log in
local_enable=YES
# Allow file uploads
write_enable=YES
# Permissions for uploaded files
local_umask=022
# Users cannot leave their home directory
chroot_local_user=YES
allow_writeable_chroot=YES
# Ports for passive mode
pasv_min_port=40000
pasv_max_port=50000

# Restart vsftpd:
sudo systemctl restart vsftpd
sudo systemctl enable vsftpd
3. Create a Dedicated FTP User
sudo useradd -m ftpuser
sudo passwd ftpuser
# Set the home directory permissions
sudo chmod 755 /home/ftpuser

# Create a directory for uploads
sudo mkdir /home/ftpuser/upload
sudo chown ftpuser:ftpuser /home/ftpuser/upload
4. Configuring FTP with SSL/TLS (FTPS)
# Generate an SSL certificate
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/ssl/private/vsftpd.key -out /etc/ssl/certs/vsftpd.crt

# Edit the vsftpd configuration
sudo nano /etc/vsftpd.conf

# Add:
ssl_enable=YES
rsa_cert_file=/etc/ssl/certs/vsftpd.crt
rsa_private_key_file=/etc/ssl/private/vsftpd.key
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

sudo systemctl restart vsftpd
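
A lint for the vsftpd.conf settings used in sections 2 and 4, as an added example that is not part of the original handout. The function name lint_vsftpd and the sample file are constructed for illustration; the checked values are the ones this handout sets.

```sh
#!/bin/sh
# Added example: lint a vsftpd.conf for syntax vsftpd rejects and for the
# hardening values used in this handout. Function name is hypothetical.
# vsftpd accepts only "option=value": no spaces around "=", and comments only
# on lines that start with "#".

REQUIRED="anonymous_enable=NO chroot_local_user=YES ssl_enable=YES"
REQUIRED="$REQUIRED force_local_logins_ssl=YES force_local_data_ssl=YES"
REQUIRED="$REQUIRED ssl_sslv2=NO ssl_sslv3=NO"

# lint_vsftpd FILE: print one line per finding, return the number of findings
lint_vsftpd() {
    awk -v required="$REQUIRED" '
        /^#/ || /^$/ { next }
        !/^[a-z0-9_]+=[^ \t]/ || /[ \t]#/ || /[ \t]$/ {
            printf "line %d: malformed directive: %s\n", NR, $0
            bad++; next                          # rejected by vsftpd, so not recorded
        }
        { eq = index($0, "="); val[substr($0, 1, eq - 1)] = substr($0, eq + 1) }
        END {
            n = split(required, req, " ")
            for (k = 1; k <= n; k++) {
                split(req[k], kv, "=")
                found = (kv[1] in val) ? val[kv[1]] : "unset"
                if (found != kv[2]) {
                    printf "%s: want %s, found %s\n", kv[1], kv[2], found
                    bad++
                }
            }
            exit bad + 0
        }' "$1"
}

# Constructed sample with two common mistakes: an inline comment and spaces
# around "=". Both lines are rejected, so their settings also count as unset.
sample=$(mktemp); trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample
anonymous_enable=NO # disable anonymous access
chroot_local_user = YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
EOF
lint_vsftpd "$sample" || echo "findings: $?"
```

Run it against a copy of /etc/vsftpd.conf before restarting the service; a return value of 0 means no findings.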
5. Testing the FTP Server
# On the client, install an FTP client
sudo apt install ftp

# Log in to the FTP server
ftp 192.168.100.10
# Enter the username and password

# Or use lftp on the command line (more full-featured)
sudo apt install lftp
lftp -u ftpuser,password 192.168.100.10

# Test the FTPS connection
# (ssl_enable=YES above gives explicit TLS on port 21; lftp's ftps:// scheme means implicit TLS on port 990)
lftp -u ftpuser,password -e "set ftp:ssl-force true" ftp://192.168.100.10

Lab Steps

A. Environment Preparation
# On both VMs, set the hostname and edit the hosts file
# Server
sudo hostnamectl set-hostname server-ssh-ftp.local
echo "192.168.100.10 server-ssh-ftp.local" | sudo tee -a /etc/hosts

# Client
sudo hostnamectl set-hostname client.local
echo "192.168.100.20 client.local" | sudo tee -a /etc/hosts

# Configure a static IP on the server
sudo nano /etc/netplan/01-netcfg.yaml

network:
  version: 2
  ethernets:
    ens33:
      addresses: [192.168.100.10/24]
      gateway4: 192.168.100.1
      nameservers:
        addresses: [8.8.8.8, 8.8.4.4]

sudo netplan apply
B. Implementing the SSH Server with Hardening
# Install the SSH server
sudo apt install openssh-server -y

# Back up the config file
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup

# Configure SSH security
sudo nano /etc/ssh/sshd_config

# Apply the hardening configuration:
Port 2222
PermitRootLogin no
# Disable password auth after key setup (step C)
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
AllowUsers user1 user2

sudo systemctl restart ssh
C. Setting Up SSH Key Authentication
# On the client, generate an SSH key pair
ssh-keygen -t ed25519 -C "client@example.com"
# Press Enter at every prompt (default location and no passphrase)

# Copy the public key to the server
ssh-copy-id -p 2222 user1@192.168.100.10

# Test the connection with key authentication
ssh -p 2222 user1@192.168.100.10

# Once key auth works, disable password authentication
sudo nano /etc/ssh/sshd_config
PasswordAuthentication no
sudo systemctl restart ssh
D. Implementing the FTP Server with vsftpd
# Install vsftpd
sudo apt install vsftpd -y

# Configure vsftpd for security
sudo nano /etc/vsftpd.conf

# Basic security configuration:
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
allow_writeable_chroot=YES
user_sub_token=$USER
local_root=/home/$USER/ftp

sudo systemctl restart vsftpd
E. Setting Up the FTP User and Directory Structure
# Create a dedicated FTP user
sudo useradd -m ftpuser
sudo passwd ftpuser

# Set up the FTP directory structure
sudo mkdir /home/ftpuser/ftp
sudo chown nobody:nogroup /home/ftpuser/ftp
sudo chmod a-w /home/ftpuser/ftp

# Create the upload directory
sudo mkdir /home/ftpuser/ftp/upload
sudo chown ftpuser:ftpuser /home/ftpuser/ftp/upload

# Test the FTP connection
lftp -u ftpuser,password 192.168.100.10
# Inside lftp, test these commands:
ls
cd upload
put localfile.txt
get remotefile.txt
F. Integrating SSH and FTP for File Management
# Use SCP/SFTP for secure file transfer
scp -P 2222 /path/local/file.txt user1@192.168.100.10:/home/user1/

# Copy a file from the server to the client
scp -P 2222 user1@192.168.100.10:/home/user1/file.txt /local/path/

# Use an SFTP session
sftp -P 2222 user1@192.168.100.10
# SFTP commands:
put localfile.txt
get remotefile.txt
ls
cd directory
rm file.txt
G. Monitoring and Logging
# Monitor SSH connections
sudo netstat -tulnp | grep :2222
sudo ss -tulnp | grep :2222
sudo tail -f /var/log/auth.log | grep ssh

# Monitor FTP connections
sudo netstat -tulnp | grep ftp
sudo tail -f /var/log/vsftpd.log

# Check failed login attempts
sudo grep "Failed password" /var/log/auth.log
sudo grep "authentication failure" /var/log/auth.log

Advanced Security Configuration

1. Fail2ban for SSH Protection
# Install fail2ban
sudo apt install fail2ban -y

# Configure the jail for SSH
sudo nano /etc/fail2ban/jail.local

[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

# Check fail2ban status
sudo fail2ban-client status
sudo fail2ban-client status sshd
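
A per-address summary of the "Failed password" lines that section G greps for and that the jail above counts, as an added example that is not part of the original handout. The function name failed_by_ip and all log lines are constructed; the threshold of 3 is taken from maxretry above.

```sh
#!/bin/sh
# Added example: summarise sshd password failures per source address.
# The default threshold of 3 mirrors maxretry = 3 in the fail2ban jail.

# failed_by_ip FILE [THRESHOLD]: print "address failures status" for every
# address at or above the threshold. Status is ACCEPTED-AFTER-FAILURES when
# the same address later logged in successfully, otherwise FAILED-ONLY.
failed_by_ip() {
    awk -v min="${2:-3}" '
        # The address follows the LAST "from": usernames are attacker-chosen
        # text and may themselves contain the word "from".
        function src(   i) {
            for (i = NF - 1; i >= 1; i--) if ($i == "from") return $(i + 1)
            return ""
        }
        # OpenSSH 9.8 and later log as sshd-session[pid] instead of sshd[pid]
        /sshd(-session)?\[[0-9]+\]: Failed password for / {
            ip = src(); if (ip != "") fail[ip]++
        }
        /sshd(-session)?\[[0-9]+\]: Accepted (password|publickey) for / {
            ip = src(); if (ip in fail) hit[ip] = 1
        }
        END {
            for (ip in fail) if (fail[ip] >= min) {
                status = (ip in hit) ? "ACCEPTED-AFTER-FAILURES" : "FAILED-ONLY"
                print ip, fail[ip], status
            }
        }' "$1" | sort
}

# Constructed auth.log lines (documentation address ranges, made-up PIDs).
log=$(mktemp); trap 'rm -f "$log"' EXIT
cat > "$log" <<'EOF'
Mar  3 10:01:02 server sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Mar  3 10:01:05 server sshd[811]: Failed password for invalid user from from 203.0.113.5 port 40112 ssh2
Mar  3 10:01:09 server sshd[815]: Failed password for root from 203.0.113.5 port 40120 ssh2
Mar  3 10:02:11 server sshd[820]: Failed password for user1 from 198.51.100.7 port 51000 ssh2
Mar  3 10:02:15 server sshd[820]: Failed password for user1 from 198.51.100.7 port 51000 ssh2
Mar  3 10:02:19 server sshd[820]: Failed password for user1 from 198.51.100.7 port 51000 ssh2
Mar  3 10:02:30 server sshd[824]: Accepted password for user1 from 198.51.100.7 port 51004 ssh2
Mar  3 10:03:00 server sshd[830]: Failed password for user2 from 192.0.2.9 port 33000 ssh2
EOF
failed_by_ip "$log"
```

An ACCEPTED-AFTER-FAILURES row is the one to review first: the account named in the Accepted line may have had its password guessed.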
2. Two-Factor Authentication for SSH
# Install Google Authenticator PAM module
sudo apt install libpam-google-authenticator -y

# User setup (run as user):
google-authenticator
# Answer yes to all questions

# Configure PAM
sudo nano /etc/pam.d/sshd
# Add at the end of the file:
auth required pam_google_authenticator.so

# Configure SSH
sudo nano /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive

sudo systemctl restart ssh
3. IPTables Rules for SSH and FTP
# Allow SSH on port 2222
sudo iptables -A INPUT -p tcp --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 2222 -m state --state ESTABLISHED -j ACCEPT

# Allow FTP
sudo iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 40000:50000 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 40000:50000 -m state --state ESTABLISHED -j ACCEPT
4. Audit and Monitoring Script
# Writing to /usr/local/bin needs root, so write the file through sudo tee
sudo tee /usr/local/bin/ssh_audit.sh > /dev/null << 'EOF'
#!/bin/bash
# SSH Security Audit Script
echo "=== SSH SECURITY AUDIT ==="
echo "SSH Service Status: $(systemctl is-active ssh)"
echo "SSH Port: $(grep ^Port /etc/ssh/sshd_config)"
echo "Root Login: $(grep ^PermitRootLogin /etc/ssh/sshd_config)"
echo "Password Auth: $(grep ^PasswordAuthentication /etc/ssh/sshd_config)"
# syslog pads the day of the month with a space, so use %e rather than %d
echo "Failed Logins (last hour): $(grep "Failed password" /var/log/auth.log | grep -c "$(date -d '1 hour ago' '+%b %e %H:')")"
# Count established sessions on port 2222 (netstat -l would list only listening sockets)
echo "Current SSH Connections: $(ss -Htn state established '( sport = :2222 )' | wc -l)"
EOF

sudo chmod +x /usr/local/bin/ssh_audit.sh
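
The audit script reads settings with grep, which prints every matching line; sshd itself uses only the first value it reads for each keyword. An added example (not part of the original handout; the function names effective_value and audit_sshd and the sample file are constructed) that resolves the value in effect and compares it with the hardening values from this lab:

```sh
#!/bin/sh
# Added example: audit sshd_config text against this lab's hardening values.
# sshd keeps the FIRST value it reads for a keyword and keywords are
# case-insensitive, so "grep ^Keyword" can show a value that is not in effect.

# effective_value FILE KEYWORD: print the global value in effect (empty if unset)
effective_value() {
    awk -F'[ \t=]+' -v key="$2" '
        { sub(/^[ \t]+/, "") }                      # trim indent (re-splits fields)
        /^#/ || /^$/ { next }                       # comments and blank lines
        tolower($1) == "match" { exit }             # Match blocks are conditional
        tolower($1) == tolower(key) {
            sub(/^[^ \t=]+[ \t=]+/, "")             # drop the keyword
            sub(/[ \t]*#.*$/, "")                   # drop a trailing comment
            sub(/[ \t]+$/, "")
            print tolower($0); exit                 # first occurrence wins
        }' "$1"
}

# audit_sshd FILE: print PASS/FAIL per setting, return the number of failures.
# Strict by design: a setting left at its built-in default counts as a failure.
audit_sshd() {
    failures=0
    while read -r key want; do
        got=$(effective_value "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "PASS $key $got"
        else
            echo "FAIL $key ${got:-unset} (want $want)"
            failures=$((failures + 1))
        fi
    done <<EOF
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
permitemptypasswords no
x11forwarding no
maxauthtries 3
EOF
    return "$failures"
}

# Constructed sample: the second PasswordAuthentication line never takes effect.
sample=$(mktemp); trap 'rm -f "$sample"' EXIT
printf '%s\n' 'Port 2222' 'PermitRootLogin no' 'PasswordAuthentication yes' \
    'PubkeyAuthentication yes' 'MaxAuthTries 3' 'X11Forwarding no' \
    'PasswordAuthentication no' > "$sample"
audit_sshd "$sample" || echo "failures: $?"
```

This reads one file only and does not follow Include directives; on a live host, sudo sshd -T prints the effective configuration with included files resolved.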

Troubleshooting

1. SSH Troubleshooting
# Check the service status
sudo systemctl status ssh

# Check the configuration syntax
sudo sshd -t

# Debug the SSH connection from the client
ssh -vvv -p 2222 user1@192.168.100.10

# Check firewall rules
sudo ufw status
sudo iptables -L -n
2. FTP Troubleshooting
# Check the service status
sudo systemctl status vsftpd

# Test the FTP connection locally
ftp localhost

# Check the FTP logs
sudo tail -f /var/log/vsftpd.log

# Check directory permissions
ls -la /home/ftpuser/
ls -la /home/ftpuser/ftp/
3. Common Issues and Solutions
Problem                        Cause                                      Solution
SSH Connection refused         Service not running, wrong port, firewall  systemctl status ssh
                                                                          netstat -tulnp | grep ssh
                                                                          ufw allow 2222
Permission denied (publickey)  Key missing, wrong permissions             chmod 600 ~/.ssh/id_rsa
                                                                          chmod 700 ~/.ssh
                                                                          Check authorized_keys
FTP login failed               Wrong credentials, chroot issue            passwd ftpuser
                                                                          Check vsftpd.conf chroot settings
FTP passive mode failed        Firewall blocks passive ports              ufw allow 40000:50000/tcp
                                                                          Check pasv_min/max_port

Assignments and Evaluation

  1. Explain the differences between FTP, FTPS, and SFTP!
  2. Why should the default SSH port be changed? What are the advantages and disadvantages?
  3. How do you restrict SSH access to specific users only?
  4. What is meant by chroot in the context of FTP? Why is it important?
  5. Create a scenario: A company needs a secure file transfer service for 10 users. Each user must be locked into their own home directory and file transfers must be encrypted. Write the complete configuration!

Case Study: Implementation for a Developer Team

SSH and FTP Setup for a Developer Team
#!/bin/bash
# Setup script: SSH and FTP for the developer team
echo "Setting up secure remote access for developers..."

# Create developer group and users
sudo groupadd developers
for i in {1..5}; do
  sudo useradd -m -G developers "dev$i"
  sudo passwd "dev$i"
done

# SSH Configuration for developers
# (written with tee; an interactive editor such as nano does not belong in a script)
echo "AllowGroups developers" | sudo tee -a /etc/ssh/sshd_config.d/developers.conf
echo "PasswordAuthentication no" | sudo tee -a /etc/ssh/sshd_config.d/developers.conf
echo "PubkeyAuthentication yes" | sudo tee -a /etc/ssh/sshd_config.d/developers.conf

# FTP Configuration for file sharing
# Single quotes keep $USER literal for vsftpd's user_sub_token;
# sudo does not apply to a ">>" redirection, so append through tee
echo 'local_root=/home/$USER/ftp' | sudo tee -a /etc/vsftpd.conf
echo "user_config_dir=/etc/vsftpd/user_conf" | sudo tee -a /etc/vsftpd.conf

# Create user config directory
sudo mkdir -p /etc/vsftpd/user_conf
for i in {1..5}; do
  echo "local_root=/home/dev$i/ftp" | sudo tee "/etc/vsftpd/user_conf/dev$i"
done

# Restart services
sudo systemctl restart ssh vsftpd
echo "Setup completed for developer team!"

Security Best Practices

SSH Best Practices
  • Use key authentication instead of passwords
  • Change the default port from 22
  • Disable root login
  • Use fail2ban for brute-force protection
  • Limit user access with AllowUsers/AllowGroups
  • Monitor auth logs regularly
FTP Best Practices
  • Use FTPS or SFTP instead of plain FTP
  • Implement chroot for all users
  • Disable anonymous access
  • Gunakan strong passwords
  • Monitor transfer logs
  • Regularly update vsftpd
Security Checklist
SSH Security Checklist:
  • ✅ Port changed from default 22
  • ✅ Root login disabled
  • ✅ Password authentication disabled
  • ✅ Fail2ban installed and configured
  • ✅ Firewall rules in place
  • ✅ Regular security updates