Optimizing Web Server Security Against Brute-Force Attacks Using Penetration Testing (Optimasi Keamanan Web Server Terhadap Serangan Brute-Force Menggunakan Penetration Testing)

Author

  • Fahmi Fachri, Universitas Ma’arif Nahdlatul Ulama, Kebumen

DOI:

https://doi.org/10.25126/jtiik.20231015872


Abstract

The increase in cyber attacks and theft of sensitive data is a major topic today, as more and more user-oriented applications, together with all the information they hold, are deployed to the web. Penetration testing is an authorized attempt to exploit a system in order to find weaknesses in the web server and improve its security. This penetration test was carried out on a web server hosting a university Academic Information System. The methods used in this research are Intelligence Gathering, Vulnerability Analysis, Exploitation, Post Exploitation and Reporting. The results show three categories of weakness: 5 vulnerabilities at the High level, 164 at the Medium level and 52 at the Low level. Several ports were left open, allowing an intruder to enter the system easily and carry out a Brute Force attack or other attacks. The simulated attack on the server succeeded in obtaining a username and password, which is dangerous because the system could be taken over by an intruder. Security was then optimized by configuring Fail2ban on the server to prevent and block intruder access so that they cannot enter the system; this was done and successfully rejected the attacker's attempts to enter the system. Based on the data obtained, the repair of this web server met the researchers' expectations.
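To make the Fail2ban mitigation in the abstract concrete, the following added example (not code from the paper or from the Fail2ban project) reimplements the core jail logic in Python: count sshd "Failed password" entries per source IP inside a sliding findtime window and ban the IP once maxretry is reached. The regex, jail thresholds, log year and the sample log lines are all constructed assumptions.

```python
"""Fail2ban-style brute-force detector over constructed sshd log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed [sshd] jail settings (what a jail.local for this server might set):
#   maxretry = 5   findtime = 600   bantime = 3600
MAXRETRY = 5
FINDTIME = 600      # seconds: window in which failures are counted
BANTIME = 3600      # seconds: how long an offending IP stays banned

# Simplified stand-in for Fail2ban's sshd failregex (assumption, not its exact rule)
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_ts(text: str, year: int = 2023) -> int:
    """Convert a syslog timestamp ('Feb 28 10:00:01') to epoch seconds (year assumed)."""
    return int(datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S").timestamp())

def find_bans(lines):
    """Return {ip: ban_until_epoch} for IPs with MAXRETRY failures inside FINDTIME."""
    window = defaultdict(deque)   # ip -> timestamps of recent failures
    bans = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and unrelated entries are ignored
        ip, now = m["ip"], parse_ts(m["ts"])
        if ip in bans and now < bans[ip]:
            continue              # already banned: the firewall would have dropped this
        q = window[ip]
        q.append(now)
        while q and now - q[0] > FINDTIME:
            q.popleft()           # forget failures older than findtime
        if len(q) >= MAXRETRY:
            bans[ip] = now + BANTIME
            q.clear()
    return bans

# Constructed sample: one host hammering sshd, one legitimate user with a single typo.
SAMPLE_LOG = [
    f"Feb 28 10:00:{s:02d} siakad sshd[1{s:03d}]: Failed password for invalid user admin "
    f"from 203.0.113.7 port 4{s:04d} ssh2"
    for s in range(0, 12, 2)
] + [
    "Feb 28 10:00:05 siakad sshd[1999]: Failed password for budi from 198.51.100.4 port 51234 ssh2",
    "Feb 28 10:00:09 siakad sshd[2000]: Accepted password for budi from 198.51.100.4 port 51234 ssh2",
]
```

Running `find_bans(SAMPLE_LOG)` bans 203.0.113.7 at its fifth failure and leaves 198.51.100.4 alone, which is the behaviour the paper relies on to stop the brute-force attempt it simulated.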




Published

28-02-2023

Section

Computer Science

How to Cite

Optimasi Keamanan Web Server Terhadap Serangan Brute-Force Menggunakan Penetration Testing. (2023). Jurnal Teknologi Informasi Dan Ilmu Komputer, 10(1), 51-58. https://doi.org/10.25126/jtiik.20231015872