Meeting 9

System Security: Firewalls and Encryption

Implementing firewalls, data encryption and system hardening for a well-secured Linux host

Learning Objectives

After completing this lab, students will be able to:

  • Understand firewall concepts and implement them with iptables and UFW
  • Configure data encryption with GPG and SSL/TLS
  • Harden a system with appropriate security configuration
  • Implement a basic VPN with OpenVPN
  • Monitor and analyse network traffic

Background Theory

Firewall Concepts
Packet Filtering

Filters each packet on its own against rules on header fields (source/destination IP, port, protocol), with no memory of earlier packets.

Stateful Inspection

Tracks the state of every connection (connection tracking) and uses it to decide whether a packet belongs to an already-permitted flow. This is what lets a host accept replies to its own outbound traffic without opening inbound ports.

Network Address Translation (NAT)

Rewrites source or destination addresses so that an internal network can share one external address. It hides internal addressing from the outside, but it is not an access control on its own and must be combined with filtering (FORWARD rules).

Encryption Concepts
Symmetric Encryption

The same key encrypts and decrypts (AES; DES and 3DES are legacy algorithms that should not be used for new systems)

Asymmetric Encryption

Separate public and private keys (RSA, DSA, ECC); DSA is being phased out and FIPS 186-5 no longer approves it for generating new signatures

Digital Certificate

Binds a public key to an identity; the binding is vouched for by a Certificate Authority (CA) whose signature the client verifies

Firewall Tools on Linux

Tool       Strengths                                   Weaknesses                                          Typical use
iptables   Very flexible and powerful                  Complex configuration; legacy front end             Production servers, network gateways
UFW        User-friendly, easy to learn                Limited feature set                                 Desktops, simple servers
firewalld  Dynamic, zone-based, runtime changes        Different model from raw iptables/nftables rules    Enterprise environments (default on RHEL, CentOS Stream and Fedora; also packaged for Debian/Ubuntu)
nftables   Modern kernel framework replacing iptables; one tool for IPv4 and IPv6   Less familiar syntax; much tooling still speaks iptables   Current distributions (on Debian 10+, Ubuntu 20.10+ and RHEL 8+ the iptables command is itself translated to nftables via iptables-nft)

Firewall Configuration with iptables

1. Basic iptables Concepts
# Available tables:
filter # Default table for packet filtering
nat # Network Address Translation
mangle # Packet alteration (marks, TTL, TOS)
raw # Connection-tracking exemptions (NOTRACK)

# Chains in the filter table:
INPUT # Packets addressed to this host
OUTPUT # Packets originating from this host
FORWARD # Packets routed through this host
2. Reset and Set Default Policies
# Flush existing rules (the chain policies are still ACCEPT at this point)
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X

# Set default policies (DROP all incoming and forwarded traffic).
# WARNING: run over SSH, this cuts your own session until the
# ESTABLISHED,RELATED and SSH rules from step 3 exist. On a remote host add
# the step 3 rules first and set the DROP policies last, or load the whole
# ruleset atomically with iptables-restore / iptables-apply.
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
3. Allow Necessary Traffic
# Allow the loopback interface
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT

# Allow replies to connections this host initiated (the stateful rule);
# -m conntrack --ctstate is the current form of the older -m state --state
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow SSH on a custom port (2222 must match "Port" in /etc/ssh/sshd_config)
sudo iptables -A INPUT -p tcp --dport 2222 -j ACCEPT

# Allow HTTP and HTTPS
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Allow inbound DNS queries: needed only if this host runs a DNS server.
# A DNS client does not need it; its replies match the ESTABLISHED,RELATED
# rule above.
sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT
4. NAT and Port Forwarding
# Enable IP forwarding. Writing to /proc is lost on reboot; make it permanent
# with net.ipv4.ip_forward=1 in /etc/sysctl.conf or /etc/sysctl.d/
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

# NAT for the internal network. ens33 is the external (Internet-facing)
# interface; ens34 is assumed here to be the internal (LAN) interface.
sudo iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE
# Forward LAN -> Internet, and let only the replies back in
sudo iptables -A FORWARD -i ens34 -o ens33 -j ACCEPT
sudo iptables -A FORWARD -i ens33 -o ens34 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Port redirection on this host: connections to port 8080 are served by the
# local service on port 80. To forward to another host use DNAT instead
# (-j DNAT --to-destination <internal-ip>:80) plus a matching FORWARD rule.
sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-port 80
5. Save iptables Rules
# Install iptables-persistent (rules are stored in /etc/iptables/rules.v4 and
# rules.v6 and restored at boot)
sudo apt install iptables-persistent -y

# Save the current rules and reload them
sudo netfilter-persistent save
sudo netfilter-persistent reload
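Steps 2 to 5 above apply one iptables command at a time, which is exactly where remote lock-outs happen. The following added example (not part of the original lab) assembles the same policy as a single iptables-restore ruleset that can be loaded atomically, or tested with iptables-apply, which reverts the change unless you confirm within a timeout. It assumes sshd listens on 2222 and that 192.168.200.20 (the address used in the UFW section) is the administrator's workstation; both can be overridden through the SSH_PORT and ADMIN_HOST variables.

```bash
#!/bin/sh
# Added example: build the lab's firewall policy as one iptables-restore
# ruleset so it can be loaded atomically (no half-applied state, no lock-out).
set -eu

SSH_PORT="${SSH_PORT:-2222}"               # sshd port used in this lab
ADMIN_HOST="${ADMIN_HOST:-192.168.200.20}" # assumed administrator workstation

# Emit the ruleset. iptables-restore reads this format and skips # lines.
# Order matters: loopback and conntrack rules come before any port rule so
# an SSH session that is already open survives the load.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
# stateful: replies to our own connections; drop what conntrack cannot classify
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH only from the admin host, at most 4 new connections per minute; other
# attempts are logged (kernel log, prefix SSH-DENY) and fall through to DROP
-A INPUT -p tcp --dport ${SSH_PORT} -s ${ADMIN_HOST} -m conntrack --ctstate NEW -m limit --limit 4/min --limit-burst 4 -j ACCEPT
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j LOG --log-prefix "SSH-DENY: " --log-level 4
# web
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# rate-limited ping so monitoring can reach the host
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
COMMIT
EOF
}

# Self-check that needs no root: DROP policy present, the stateful rule comes
# before the first port rule, and nothing accepts the SSH port from "anywhere".
# Prints OK on success, returns 1 otherwise.
check_ruleset() {
    rules="$1"
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    ct_line=$(printf '%s\n' "$rules" | grep -n 'ctstate ESTABLISHED,RELATED' | head -1 | cut -d: -f1)
    port_line=$(printf '%s\n' "$rules" | grep -n -- '--dport' | head -1 | cut -d: -f1)
    [ -n "$ct_line" ] && [ -n "$port_line" ] && [ "$ct_line" -lt "$port_line" ] || return 1
    if printf '%s\n' "$rules" | grep -- "--dport ${SSH_PORT}" | grep -v -- ' -s ' | grep -q -- '-j ACCEPT'; then
        return 1
    fi
    echo OK
}

main() {
    rules=$(build_ruleset)
    check_ruleset "$rules" >/dev/null || { echo "ruleset failed self-check" >&2; exit 1; }
    # Typical use:  ./fw-rules.sh | sudo tee /etc/iptables/rules.v4 >/dev/null
    #               sudo iptables-apply -t 10 /etc/iptables/rules.v4
    # iptables-apply loads the file and reverts after 10 s unless you confirm
    # the session is still alive; iptables-restore applies it for good.
    printf '%s\n' "$rules"
}
main
```

The self-check encodes the two mistakes this lab warns about: a DROP policy applied before the stateful rule, and an SSH rule that accepts from any source. Because the whole file is loaded in one transaction, the kernel never sits in an intermediate state where the policy is DROP but the allow rules are missing.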

UFW (Uncomplicated Firewall) Configuration

1. Install and Set Up UFW
sudo apt install ufw -y
sudo ufw disable # Disable temporarily while the rules are rebuilt

# Reset UFW to its defaults (removes all rules)
sudo ufw --force reset
2. Basic Rules
# Default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow specific services
sudo ufw allow 2222/tcp comment 'SSH Custom Port'
sudo ufw allow 80/tcp comment 'HTTP'
sudo ufw allow 443/tcp comment 'HTTPS'
sudo ufw allow 53/udp comment 'DNS' # only if this host serves DNS; clients do not need it

# Enable UFW (make sure the SSH port is allowed first when working remotely)
sudo ufw --force enable
3. Advanced UFW Configuration
# Rate limit SSH: UFW denies a source that opens more than 6 connections in
# 30 seconds. UFW evaluates rules in order, so this must replace the plain
# "allow 2222/tcp" rule above (sudo ufw delete allow 2222/tcp); if both exist
# the allow rule matches first and the limit never applies.
sudo ufw limit 2222/tcp

# Allow SSH from one IP only. SSH listens on 2222 in this lab (the original
# used port 22, where nothing listens); to restrict SSH to this host, use
# this rule instead of the allow-from-anywhere rule above.
sudo ufw allow from 192.168.200.20 to any port 2222 proto tcp

# Deny a specific IP. Insert it at position 1 so it is evaluated before the
# broader allow rules; appended at the end it would never match port 80/443
sudo ufw insert 1 deny from 192.168.200.100

# Allow an entire subnet
sudo ufw allow from 192.168.100.0/24
4. Monitoring UFW
sudo ufw status verbose
sudo ufw show added # Rules as they were entered
sudo tail -f /var/log/ufw.log # Requires rsyslog; otherwise use journalctl -k
sudo ufw status numbered # Show rule numbers (needed for "ufw delete <n>")

Encryption with GPG

1. Generate a GPG Key Pair
gpg --full-generate-key
# Choose: RSA (1), 4096 bits, 1y expiry (or accept the ECC/ed25519 default on GnuPG 2.3+)

# Or generate unattended in batch mode. Without a "Passphrase:" line or
# "%no-protection", gpg still asks for the passphrase through pinentry.
gpg --batch --generate-key <<EOF
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: Admin Sistem
Name-Email: admin@company.local
Expire-Date: 1y
%commit
EOF
2. Manage Keys
# List keys
gpg --list-keys
gpg --list-secret-keys

# Export the public key (ASCII-armoured)
gpg --armor --export admin@company.local > public.key

# Import a public key. Before encrypting to it, compare its fingerprint
# (gpg --fingerprint admin@company.local) with the owner over an independent
# channel; an attacker can publish a key with any name and e-mail.
gpg --import public.key

# Delete keys (the secret key first, then the public key)
gpg --delete-secret-keys admin@company.local
gpg --delete-keys admin@company.local
3. Encrypting and Decrypting Files
# Create a sample file
echo "Confidential company data" > confidential.txt

# Encrypt the file for a specific recipient (writes confidential.txt.gpg; only
# the holder of the matching private key can decrypt it)
gpg --encrypt --recipient admin@company.local confidential.txt

# Decrypt the file
gpg --output decrypted.txt --decrypt confidential.txt.gpg

# Sign the file (clearsign keeps the text readable and appends the signature;
# output is confidential.txt.asc)
gpg --clearsign confidential.txt

# Verify the signature
gpg --verify confidential.txt.asc
4. GPG for E-mail and Backups
# Encrypt a directory for backup. The backup host needs only the recipient's
# public key; the private key stays with the administrator, so a compromised
# backup server cannot read the archives it holds.
tar -czf - /important/data | gpg --encrypt --recipient admin@company.local > backup.tar.gz.gpg

# Decrypt and restore the backup (requires the private key)
gpg --decrypt backup.tar.gz.gpg | tar -xzf -
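To see the whole GPG flow end to end, here is an added example (not part of the original lab) that builds a throwaway keyring in a temporary GNUPGHOME, generates an ed25519/cv25519 key pair unattended, encrypts and signs a file, decrypts and verifies it, and then shows that corrupting the ciphertext makes gpg refuse it. The identity backup@company.local and the %no-protection directive (an unprotected key) are assumptions made so the script runs without interaction; a real backup key would carry a passphrase or live on a hardware token.

```bash
#!/bin/sh
# Added example: GPG round trip in an isolated keyring, with tamper detection.
set -eu

# Isolated keyring so the demo never touches the user's real ~/.gnupg
GNUPGHOME=$(mktemp -d)
export GNUPGHOME
chmod 700 "$GNUPGHOME"
WORK=$(mktemp -d)
UID_MAIL="backup@company.local"   # assumed identity for the demo key

# Unattended key generation: ed25519 signing key + cv25519 encryption subkey
# (fast, and the GnuPG default). %no-protection = no passphrase, lab use only.
gen_key() {
    gpg --batch --quiet --generate-key <<EOF
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: Backup Service
Name-Email: ${UID_MAIL}
Expire-Date: 1y
%no-protection
%commit
EOF
}

# Encrypt AND sign in one pass: the recipient learns that the content was
# secret in transit and who produced it. Output: $1.gpg
encrypt_and_sign() {
    gpg --batch --quiet --yes --encrypt --sign \
        --recipient "$UID_MAIL" --local-user "$UID_MAIL" \
        --output "$1.gpg" "$1"
}

# Decrypt $1 into $2. gpg also checks the integrity tag and the embedded
# signature and exits non-zero if either fails.
decrypt_verify() {
    gpg --batch --quiet --yes --decrypt --output "$2" "$1"
}

# Overwrite two bytes in the middle of a file to simulate tampering in transit
corrupt_file() {
    size=$(wc -c < "$1")
    off=$((size / 2))
    printf '\377\125' | dd of="$1" bs=1 seek="$off" conv=notrunc 2>/dev/null
}

# Prints OK when the round trip works AND the corrupted copy is rejected
run_demo() {
    gpg --batch --list-secret-keys "$UID_MAIL" >/dev/null 2>&1 || gen_key
    printf 'Confidential company data\n' > "$WORK/confidential.txt"   # constructed input
    encrypt_and_sign "$WORK/confidential.txt"
    decrypt_verify "$WORK/confidential.txt.gpg" "$WORK/decrypted.txt"
    cmp -s "$WORK/confidential.txt" "$WORK/decrypted.txt" || return 1

    cp "$WORK/confidential.txt.gpg" "$WORK/tampered.gpg"
    corrupt_file "$WORK/tampered.gpg"
    if decrypt_verify "$WORK/tampered.gpg" "$WORK/tampered.txt" 2>/dev/null; then
        return 1   # a modified ciphertext must never decrypt cleanly
    fi
    echo OK
}

main() {
    if [ "$(run_demo)" = "OK" ]; then
        echo "round trip verified; tampered ciphertext rejected"
    else
        echo "demo failed" >&2; exit 1
    fi
    # This is the value to compare out of band before trusting an imported key
    gpg --fingerprint "$UID_MAIL"
    gpgconf --kill gpg-agent 2>/dev/null || true
}
main
```

The negative case is the point: GPG's integrity protection (the MDC, or AEAD on newer versions) and the signature check mean that a backup altered on disk is rejected at restore time rather than silently restored with corrupted or attacker-controlled content.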

SSL/TLS Configuration with OpenSSL

1. Create a Certificate Authority (CA)
# Directory for the CA (root-owned; the CA key must never be world-readable)
sudo mkdir -p /etc/ssl/ca
cd /etc/ssl/ca

# Generate the CA private key. openssl writes the file with the default umask
# (mode 0644), so restrict it immediately.
sudo openssl genrsa -out ca.key 4096
sudo chmod 600 ca.key

# Generate the self-signed CA certificate (10 years)
sudo openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
-subj "/C=ID/ST=West Sumatra/L=Padang/O=Techninovate/CN=Techninovate CA"
2. Issue a Server Certificate
# Generate the server private key
sudo openssl genrsa -out server.key 2048
sudo chmod 600 server.key

# Create a certificate signing request (CSR)
sudo openssl req -new -key server.key -out server.csr \
-subj "/C=ID/ST=West Sumatra/L=Padang/O=Techninovate/CN=firewall-server.local"

# Sign the certificate with the CA. Modern clients (browsers, curl, Go, Java)
# ignore the CN and require the hostname in a subjectAltName extension, so
# supply one through -extfile; without it the certificate is rejected.
printf 'subjectAltName=DNS:firewall-server.local\nextendedKeyUsage=serverAuth\n' | sudo tee server.ext
sudo openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
-CAcreateserial -extfile server.ext -out server.crt
3. Verify Certificates
sudo openssl verify -CAfile ca.crt server.crt
sudo openssl x509 -in server.crt -text -noout # View certificate details, including the SAN
sudo openssl rsa -in server.key -check -noout # Check the private key
4. Deploying on a Web Server
# For Apache (then point SSLCertificateFile and SSLCertificateKeyFile in the
# VirtualHost at these paths)
sudo cp server.crt /etc/ssl/certs/
sudo cp server.key /etc/ssl/private/
sudo chmod 600 /etc/ssl/private/server.key

# For Nginx (the directory does not exist by default; then point
# ssl_certificate and ssl_certificate_key in the server block at these paths)
sudo mkdir -p /etc/nginx/ssl
sudo cp server.crt /etc/nginx/ssl/
sudo cp server.key /etc/nginx/ssl/
sudo chmod 600 /etc/nginx/ssl/server.key
# Because the CA is private, clients must import ca.crt into their browser or
# OS trust store, otherwise they will (correctly) warn about an unknown issuer.
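The following added example (not the lab's own commands) scripts steps 1 to 3 as shell functions that work on OpenSSL 1.1.1 and 3.x, issue the server certificate with a subjectAltName, verify the chain and key/certificate match, and also exercise the negative case: a certificate for the same hostname issued by a different CA fails `openssl verify`. Everything is written to a temporary directory. The CA name Techninovate CA and the hostname firewall-server.local come from the lab; the second "Rogue CA" is an assumption made for the test.

```bash
#!/bin/sh
# Added example: private CA + SAN server certificate with OpenSSL, plus a
# negative verification test. Runs entirely in a temporary directory.
set -eu

# Create a CA: 4096-bit RSA key (mode 0600 via umask) and a 10-year root.
# $1 = directory, $2 = CA common name
make_ca() {
    dir="$1"; cn="$2"
    mkdir -p "$dir"
    (umask 077 && openssl genrsa -out "$dir/ca.key" 4096 2>/dev/null)
    openssl req -new -x509 -days 3650 -key "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/C=ID/ST=West Sumatra/L=Padang/O=Techninovate/CN=$cn"
}

# Issue a server certificate signed by the CA in $1 for hostname $2.
# SAN and extendedKeyUsage come from an -extfile, which works on every
# OpenSSL version still in use; CN alone is ignored by modern clients.
issue_server_cert() {
    dir="$1"; host="$2"
    (umask 077 && openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null)
    openssl req -new -key "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/C=ID/ST=West Sumatra/L=Padang/O=Techninovate/CN=$host"
    cat > "$dir/$host.ext" <<EOF
subjectAltName=DNS:$host
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
basicConstraints=CA:FALSE
EOF
    openssl x509 -req -days 365 -in "$dir/$host.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null
}

# Print OK if certificate $2 chains to the CA in $1 AND carries a SAN for $3,
# otherwise FAIL. Run this before copying files into /etc/ssl or /etc/nginx/ssl.
verify_cert() {
    cadir="$1"; crt="$2"; host="$3"
    if openssl verify -CAfile "$cadir/ca.crt" "$crt" >/dev/null 2>&1 \
       && openssl x509 -in "$crt" -noout -text | grep -q "DNS:$host"; then
        echo OK
    else
        echo FAIL
    fi
}

# The private key must belong to the certificate: compare the public keys.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ] \
        && echo OK || echo FAIL
}

WORK=$(mktemp -d)
make_ca "$WORK/ca" "Techninovate CA"
issue_server_cert "$WORK/ca" firewall-server.local
# A second, unrelated CA (assumed for the negative test): its certificates
# must NOT verify against the first one even for the same hostname.
make_ca "$WORK/rogue" "Rogue CA"
issue_server_cert "$WORK/rogue" firewall-server.local

echo "trusted cert: $(verify_cert "$WORK/ca" "$WORK/ca/firewall-server.local.crt" firewall-server.local)"
echo "rogue cert:   $(verify_cert "$WORK/ca" "$WORK/rogue/firewall-server.local.crt" firewall-server.local)"
echo "key matches:  $(key_matches_cert "$WORK/ca/firewall-server.local.crt" "$WORK/ca/firewall-server.local.key")"
```

The rogue-CA case is what the CA model protects against: possession of a valid-looking certificate for a name proves nothing unless the client's trust store contains the issuer, which is why ca.crt, and only ca.crt, is distributed to clients.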

VPN with OpenVPN

1. Install OpenVPN
sudo apt update
sudo apt install openvpn easy-rsa -y
2. Set Up the PKI (Public Key Infrastructure)
# Copy the easy-rsa scripts
sudo cp -r /usr/share/easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa

# Initialise the PKI. "nopass" leaves the CA key unprotected, acceptable in
# the lab; a production CA key belongs offline, protected by a passphrase.
sudo ./easyrsa init-pki
sudo ./easyrsa build-ca nopass
sudo ./easyrsa gen-req server nopass
sudo ./easyrsa sign-req server server
sudo ./easyrsa gen-dh
3. Generate Client Certificates
sudo ./easyrsa gen-req client1 nopass
sudo ./easyrsa sign-req client client1

# Generate the TLS control-channel key (OpenVPN 2.5+ syntax; releases before
# 2.5 use "openvpn --genkey --secret pki/ta.key"). It only protects anything
# if the server and every client configuration reference it.
sudo openvpn --genkey secret pki/ta.key
4. OpenVPN Server Configuration
sudo nano /etc/openvpn/server.conf

# Configuration contents:
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
# Encrypt and authenticate the TLS control channel with the key from step 3;
# unauthenticated packets are dropped before the TLS handshake even starts.
# This is why ta.key was generated (tls-auth ta.key 0 is the older variant).
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
# AES-256-CBC alone is legacy. Negotiate an AEAD cipher (OpenVPN 2.4+);
# keep CBC only as a fallback for clients older than 2.4.
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-CBC
auth SHA256
tls-version-min 1.2
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
5. Start the OpenVPN Service
# Open the VPN port in the firewall first (sudo ufw allow 1194/udp). If clients
# should reach the Internet through the tunnel, also add a MASQUERADE rule for
# 10.8.0.0/24 on the external interface as in the NAT section.
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
sudo systemctl status openvpn@server
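The lab issues client1's certificate but never shows the matching client profile. This added example (not from the original lab) assembles a single-file .ovpn by inlining the CA certificate, the client certificate and key, and the control-channel key from the easy-rsa PKI layout used above (pki/ca.crt, pki/issued/<name>.crt, pki/private/<name>.key, pki/ta.key). It pins remote-cert-tls server, so a stolen client certificate cannot be used to impersonate the VPN server, and it assumes the server uses tls-crypt with pki/ta.key and AEAD data-ciphers. The server address vpn.company.local is an assumption, and when no PKI_DIR is given the script builds a constructed placeholder PKI (not real keys) in a temporary directory so it can be dry-run anywhere.

```bash
#!/bin/sh
# Added example: bundle an OpenVPN client profile from an easy-rsa PKI.
set -eu

# Print the client profile for client $2 using PKI dir $1 and server $3.
# Mirrors the server side of this lab: udp/1194, tls-crypt, AEAD ciphers.
build_client_ovpn() {
    pki="$1"; name="$2"; server="$3"
    for f in "$pki/ca.crt" "$pki/issued/$name.crt" "$pki/private/$name.key" "$pki/ta.key"; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Refuse the connection unless the peer certificate has the server EKU, so a
# leaked *client* certificate cannot pose as the VPN server.
remote-cert-tls server
# Same negotiated ciphers and control-channel protection as the server
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
auth SHA256
tls-version-min 1.2
verb 3
<ca>
$(cat "$pki/ca.crt")
</ca>
<cert>
$(openssl x509 -in "$pki/issued/$name.crt" 2>/dev/null || cat "$pki/issued/$name.crt")
</cert>
<key>
$(cat "$pki/private/$name.key")
</key>
<tls-crypt>
$(cat "$pki/ta.key")
</tls-crypt>
EOF
}

# Constructed placeholder PKI (not real keys) so the script can be dry-run;
# with a real PKI set PKI_DIR=/etc/openvpn/easy-rsa/pki instead.
make_placeholder_pki() {
    d="$1"
    mkdir -p "$d/issued" "$d/private"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA' '-----END CERTIFICATE-----' > "$d/ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CLIENT1' '-----END CERTIFICATE-----' > "$d/issued/client1.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-KEY' '-----END PRIVATE KEY-----' > "$d/private/client1.key"
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' 'PLACEHOLDER-TA' '-----END OpenVPN Static key V1-----' > "$d/ta.key"
}

main() {
    PKI_DIR="${PKI_DIR:-}"
    if [ -z "$PKI_DIR" ]; then
        PKI_DIR=$(mktemp -d)
        make_placeholder_pki "$PKI_DIR"
    fi
    out="${OUT:-$(mktemp)}"
    build_client_ovpn "$PKI_DIR" client1 vpn.company.local > "$out"
    chmod 600 "$out"   # the profile embeds a private key
    echo "client profile written to $out"
}
main
```

The `openssl x509 -in ... || cat` step matters with a real PKI: easy-rsa prepends a human-readable dump to issued certificates, and some clients choke on it, so only the PEM block is inlined. Hand the resulting file to the client over an authenticated channel; it is as sensitive as the private key it contains.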

Security Monitoring and Analysis

1. Monitor Network Traffic
sudo apt install tshark -y
sudo tshark -i ens33 -f "tcp port 80" -V # -f is a capture (BPF) filter
sudo tshark -i ens33 -Y "http.request" -T fields -e http.host -e http.request.uri # -Y is a display filter
2. Analyse Firewall Logs
sudo tail -f /var/log/ufw.log
sudo grep "UFW BLOCK" /var/log/kern.log # UFW log lines are kernel messages tagged [UFW BLOCK], not "DROP"
sudo journalctl -k --since "1 hour ago" | grep UFW # on journald-only systems; the ufw unit itself logs almost nothing
3. Check for Suspicious Activity
# Failed login attempts (use "journalctl -u ssh" on systems without /var/log/auth.log)
sudo grep "Failed password" /var/log/auth.log
sudo grep "authentication failure" /var/log/auth.log

# Listening ports (netstat is deprecated; ss is its replacement)
sudo ss -tulnp
sudo netstat -tulnp | grep LISTEN

# Processes and their network connections
sudo lsof -i
sudo ps aux | grep -E "(ssh|ftp|telnet)"
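Reading the logs by eye does not scale, so the next step is to aggregate them. This added example (not part of the original lab) parses UFW block lines and sshd "Failed password" lines with awk, counts events per source address, and flags sources that exceed a threshold. The log lines are constructed samples embedded in the script, written in the formats UFW and OpenSSH actually produce; point the functions at /var/log/ufw.log and /var/log/auth.log to run them on real data. The threshold of 5 failures is an assumption.

```bash
#!/bin/sh
# Added example: aggregate UFW block events and SSH login failures per source.
set -eu

THRESHOLD="${THRESHOLD:-5}"   # assumed alert threshold for failed SSH logins

# Count [UFW BLOCK] events per SRC address and destination port.
# Output lines: "<count> <src> -> <dpt>", most frequent first.
ufw_blocks_by_source() {
    grep 'UFW BLOCK' "$1" \
    | awk '{
        src=""; dpt="";
        for (i=1; i<=NF; i++) {
            if ($i ~ /^SRC=/) src=substr($i,5);
            if ($i ~ /^DPT=/) dpt=substr($i,5);
        }
        if (src != "") print src " -> " dpt;
      }' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2, $3, $4}'
}

# Count sshd "Failed password" lines per client IP (the word after "from").
# Output lines: "<count> <ip>", most frequent first.
ssh_failures_by_ip() {
    grep 'sshd\[' "$1" | grep 'Failed password' \
    | awk '{ for (i=1; i<NF; i++) if ($i == "from") print $(i+1) }' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Print the IPs whose failure count is at or above THRESHOLD.
ssh_brute_force_suspects() {
    ssh_failures_by_ip "$1" | awk -v t="$THRESHOLD" '$1 >= t {print $2}'
}

# Constructed sample logs in the real UFW / OpenSSH formats (not captured data)
WORK=$(mktemp -d)
cat > "$WORK/ufw.log" <<'EOF'
Jun 10 12:00:01 fw kernel: [ 1201.442] [UFW BLOCK] IN=ens33 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.5 DST=192.168.200.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jun 10 12:00:02 fw kernel: [ 1202.118] [UFW BLOCK] IN=ens33 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.5 DST=192.168.200.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Jun 10 12:00:03 fw kernel: [ 1203.905] [UFW BLOCK] IN=ens33 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.7 DST=192.168.200.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=50120 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 10 12:00:04 fw kernel: [ 1204.077] [UFW ALLOW] IN=ens33 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.168.200.20 DST=192.168.200.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=55000 DPT=2222 WINDOW=64240 RES=0x00 SYN URGP=0
EOF
cat > "$WORK/auth.log" <<'EOF'
Jun 10 12:01:01 fw sshd[2301]: Failed password for invalid user admin from 203.0.113.5 port 51512 ssh2
Jun 10 12:01:02 fw sshd[2301]: Failed password for invalid user admin from 203.0.113.5 port 51513 ssh2
Jun 10 12:01:03 fw sshd[2305]: Failed password for root from 203.0.113.5 port 51514 ssh2
Jun 10 12:01:04 fw sshd[2305]: Failed password for root from 203.0.113.5 port 51515 ssh2
Jun 10 12:01:05 fw sshd[2309]: Failed password for root from 203.0.113.5 port 51516 ssh2
Jun 10 12:01:09 fw sshd[2320]: Failed password for deploy from 198.51.100.7 port 40000 ssh2
Jun 10 12:01:10 fw sshd[2321]: Accepted publickey for admin from 192.168.200.20 port 55000 ssh2: ED25519 SHA256:constructed
EOF

echo "== UFW blocks by source =="; ufw_blocks_by_source "$WORK/ufw.log"
echo "== SSH failures by IP =="; ssh_failures_by_ip "$WORK/auth.log"
echo "== suspects (>= $THRESHOLD failures) =="; ssh_brute_force_suspects "$WORK/auth.log"
```

Correlating the two views is the useful part: 203.0.113.5 is both probing blocked ports and failing SSH logins, which is the pattern fail2ban or a `ufw insert 1 deny from <ip>` rule should act on, while the single failure from 198.51.100.7 stays below the threshold.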
4. Security Scanning with Nmap
sudo apt install nmap -y

# Scan the server from the client (only scan hosts you are authorised to test)
sudo nmap -sS -sV -O 192.168.200.10 # SYN scan, service versions, OS detection (SYN scan and -O need root)
nmap -p- --min-rate 1000 192.168.200.10 # Scan all 65535 TCP ports
nmap --script vuln 192.168.200.10 # Run the NSE "vuln" script category; findings need manual confirmation

Assignments and Evaluation

  1. Explain the difference between a stateful and a stateless firewall.
  2. What are the advantages of using UFW over iptables directly?
  3. When should symmetric encryption be used, and when asymmetric?
  4. How can you verify that a VPN connection is running securely?
  5. Scenario: a company needs a firewall that restricts SSH access to specific IP addresses, plus encryption for sensitive data. Write the complete configuration.

Security Best Practices

Firewall Best Practices
  • Deny all incoming traffic by default
  • Open only the ports that are required
  • Rate-limit SSH (and prefer key-based authentication)
  • Block by geolocation where appropriate
  • Audit firewall rules regularly
  • Add application-level filtering (fail2ban, a reverse proxy or WAF) where packet filtering is not enough
Encryption Best Practices
  • Use strong, current algorithms (AES-256-GCM or ChaCha20-Poly1305; avoid DES, 3DES and unauthenticated CBC)
  • Rotate keys periodically
  • Store keys securely with restrictive permissions (mode 0600, root-owned)
  • Give every certificate an expiry date and monitor it
  • Use cipher suites with perfect forward secrecy (ECDHE key exchange)
  • Audit encryption strength regularly (e.g. with openssl s_client or testssl.sh)

Case Study: E-commerce Security

#!/bin/bash
# Hardening script for an e-commerce server (run as root)
set -euo pipefail
[ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }

echo "Implementing security measures for e-commerce server..."

# 1. Firewall configuration: define all rules first and enable last, so a
#    remote session is not cut off while the ruleset is incomplete
ufw default deny incoming
ufw default allow outgoing
# SSH: a single "limit" rule both allows and rate-limits. Adding a plain
# "allow 22/tcp" as well would match first and defeat the limit.
ufw limit 22/tcp comment 'SSH (rate limited)'
ufw allow 80/tcp comment 'HTTP'
ufw allow 443/tcp comment 'HTTPS'
# Mail ports only if this host really runs the mail server; otherwise omit them
ufw allow 25/tcp comment 'SMTP'
ufw allow 465/tcp comment 'SMTPS'
ufw allow 993/tcp comment 'IMAPS'

# 2. Enable logging
ufw logging on

# 3. Enable the firewall (--force skips the interactive confirmation)
ufw --force enable

# 4. Install and configure fail2ban (the sshd jail is enabled by default on
#    Debian/Ubuntu; add nginx jails in /etc/fail2ban/jail.local)
apt install fail2ban -y
systemctl enable --now fail2ban

# 5. TLS certificate from Let's Encrypt. Requires public DNS for the names and
#    port 80 reachable from the Internet; example.com and the contact address
#    are placeholders to replace.
apt install certbot python3-certbot-nginx -y
certbot --nginx --non-interactive --agree-tos --redirect \
    -m admin@example.com -d example.com -d www.example.com

echo "Security implementation completed!"