
IJCCS (Indonesian Journal of Computing and Cybernetics Systems)


Vol.15, No.2, Juli 2021, pp.1~17
ISSN (print): 1978-1520, ISSN (online): 2460-7258
DOI: 10.22146/ijccs.58588

Implementation of Maltrail Sensor and Fail2Ban For Detection and Prevention System
Malware Attack on Server Network at Diskominfo Sumedang With Push Notification

Rama Wijaya Shiddiq*1, Rohmat Tulloh2, Nugraha3

1 Diploma Program in Telecommunication, FIT Universitas Telkom, Bandung, Indonesia
2 Department of Technology Telecommunication, FIT Universitas Telkom, Bandung, Indonesia
e-mail: *1 ramawijayashiddiq@student.telkomuniversity.ac.id, 2 rohmatth@tass.telkomuniversity.ac.id, 3 nugraha.nugraha120472@yahoo.co.id

Abstract (Indonesian version)
The Office of Communication, Informatics, Encryption and Statistics (Diskominfo) of Sumedang City is a public service organization responsible for the data and communication network that connects all government institutions, such as villages (kelurahan), sub-districts (kecamatan) and offices, to the Diskominfo Sumedang server. The server's task is to serve all network devices, protect the system and data, and improve the quality of network security. Given this, a system is needed that can detect and block malware attempting to enter the Diskominfo Sumedang server network. In this Final Project, a system was designed that implements the Maltrail (Malware Trail) sensor and Fail2Ban to detect and prevent malware attacks on the Diskominfo Sumedang server network with push notifications, which is an alternative solution to the problem. The software used for detection is Maltrail; it works as a sensor that scans all traffic activity on the server network. The software used to block or prevent malware attacks is Fail2Ban. The system uses a Telegram bot as a push notification when there is a malware attack on the server. From the malware test results on the server, there was a throughput decrease of 56.28%; the implemented system was able to detect and block malware traffic on the network. The system was also able to detect an attack other than malware, namely port scanning, with a threat level of 2.7%. The system is thus able to minimize the threat of attacks and increase the throughput value on the Diskominfo Sumedang server network, as seen from the comparison of malware traffic before and after the system was applied.

Keywords—Maltrail, Fail2Ban, Malware, Detection, Prevention.

Abstract
Diskominfo Sumedang is a public service organization that is responsible for the data and communications network that connects all government institutions, such as sub-districts and offices, to the Diskominfo Sumedang server. The server's job is to serve all devices connected to the network, including monitoring all network activity for security, protecting the system and data, and improving network security quality. Given these basic needs of Diskominfo Sumedang, a system is required that can detect and block malware that tries to enter the server network at Diskominfo Sumedang. In this final project, a Maltrail (Malware Trail) sensor and Fail2Ban implementation system is designed to detect and prevent malware attacks on the Diskominfo Sumedang network server with push notifications, which is another solution to this problem. The software used to detect malware is Maltrail; it works as a sensor that scans all traffic activity on the server network. The software used to block or prevent malware attacks is Fail2Ban. The system uses a Telegram bot to send notifications if there is a malware attack on the server. From the results of malware attacks on the server, there was a decrease in throughput of 56.28%; with the implemented system, malware traffic on the network was detected and blocked, and as a result throughput did not decrease significantly. The system also detected an attack other than malware, namely port scanning, with a threat level of 2.7%. The system is thus able to minimize the threat of attacks and increase the throughput value on the Diskominfo Sumedang network server, as shown by the comparison of malware traffic before and after the system implementation.

Keywords—Maltrail, Fail2Ban, Malware, Detection, Prevention.

1. INTRODUCTION

Network security is very important, especially in today's technological era. Many agencies or organizations are not aware of and do not care about security-related issues. If an attack occurs and the system crashes, a lot of costs must be incurred to repair the system. For this reason, it is proper to pay more attention to investment in network security, to prevent damage from the threat of attacks that are currently increasingly diverse. Moreover, when the computer server is connected to the internet, the attacks will increase. For this reason, it is necessary to prepare security for, and prevent threats to, networks and in particular the servers of internet service providers [1].
One of the main threats on the Internet today is malicious software, often referred to as malware. In fact, most Internet security problems are caused by malware. Malware comes in many forms and variants, such as viruses, worms, botnets, rootkits, Trojan horses, spyware and other attack tools. Every year, many computer systems around the world are damaged by malware. It has recently been reported that files, systems, emails and their respective servers have been infected by viruses. In 2019, attacks by new ransomware and PowerShell viruses increased by 118% and 460%, respectively [2]. The anti-virus company Malwarebytes (2019) released an annual report on the state of malware worldwide, the "2019 State of Malware" report. It states that approximately 750 million malware attacks against end-user personal computers were detected worldwide during 2017-2018. Unfortunately, the increasing number and diversity of malware makes classic security techniques, such as anti-virus scanners, ineffective, and as a consequence millions of hosts on the Internet today are infected with malicious software [3].
Based on this research, a network security system is needed for monitoring and preventing malware attacks entering and leaving network devices at Diskominfo Sumedang. According to a survey that was conducted, the firewall devices that are meant to block attacks entering the server sometimes do not work optimally: the firewall actually blocks network access to employee applications, and there have been incidents in which files and databases on the Diskominfo Sumedang server could not be accessed because of malware. Given this, another solution is an additional system implemented on the server, namely the Maltrail sensor and Fail2Ban, to minimize attacks that are not blocked by the firewall and to serve as a monitoring system for malware traffic activity on the Diskominfo Sumedang server network.
Several studies have been conducted relating to Maltrail as a malware monitoring system,
namely [4]-[7].


2. DESIGN AND SIMULATION

2.1. Design system


This section gives an overview of the Maltrail and Fail2Ban sensor implementation. Figure 1 shows the overall design of the system to be built.

Figure 1 Design System


Figure 1 describes the system design around the Maltrail and Fail2Ban sensors. When the cloud receives a request packet and sends it to the client, the packet goes through a series of packet-scanning stages performed by the Maltrail sensor based on the database available in its repository. If the packet is identified as malware, the Maltrail sensor records it in a malware log. Fail2Ban then acts on the log by blocking the IP address, that is, restricting packet access for that IP address on the network. After the IP address is blocked, Fail2Ban sends the blocking information to the administrator via the Telegram application installed on the server.

2.2. Flowchart Design System


The system flowchart in this design is generally shown in Figure 2.

Figure 2 Flowchart design system



Figure 2 shows that the report condition is checked every hour. If the time shows the turn of the hour (0 minutes), the system prints a monitoring result report. If not, the system proceeds to the next stage, namely checking for the change of day.
1. If the day has changed, the system updates the repository. Otherwise, the Maltrail system performs its main task of monitoring every data packet that passes through the network.
2. Then, if the Maltrail system detects a malware packet, Maltrail records it in the form of a log and sends the log to the Fail2Ban system to be acted on using the IP address blocking method. The IP address associated with the malware is then reported to the administrator via Telegram.
3. Next, if the server is still active, the system loops back to the initial stage, namely checking the clock on the server. If the server is disabled, the system shuts down automatically.

2.3. Implementation system


The implementation of the system in this design is shown in Figure 3.

Figure 3 Maltrail system dashboard view


Figure 3 shows the Maltrail system dashboard; after logging in, the administrator enters the Maltrail dashboard page. On the dashboard page, administrators can monitor the malware packets that have been detected by this software. In addition, the administrator can view a number of details about the malware, such as the attacker's source and destination IP addresses, the source and destination ports used, the date and time of the incident, the number of malware events generated by the attacker, the protocol used by the attacker, the identity of the malware, the malware threat level, and the malware database references.


Figure 4 Graphical display on the Maltrail system


Figure 4 is the graphical display of the Maltrail system. To view detailed information on detected malware, administrators can open the menus on the dashboard, which display graphs of threats (threat level), events (number of events), severity (severity level), sources (sources of malware), and trails (traces of malware by IP address). There is also a feature to print a table of malware data and to view the recapitulation of the malware logs.

Figure 5 Rules for integrating Fail2Ban with Telegram


Figure 5 shows the rules for integrating Fail2Ban with Telegram; the Fail2Ban system runs on a Debian server. In this system there is a "jail" rule, which limits access for IP addresses based on the logs sent by Maltrail. In this test, the Fail2Ban rules applied are maxretry=1, meaning that a single data-transfer event with a malware site is enough to trigger a ban, and bantime=180, meaning that an IP address that transfers data with malware sites is banned for 180 seconds. After 180 seconds have passed, the IP address is unbanned by Fail2Ban; the value can be adjusted as needed.
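The jail behaviour just described (maxretry=1, bantime=180) and the detect, log, ban and notify flow of Figures 1 and 2, replayed over constructed Maltrail-style log lines as an added example; this is not code from the paper, from Maltrail or from Fail2Ban. The log line layout, the 600 s findtime and the notification text are assumptions; the addresses and domains are taken from the paper's Table 1 and Figure 8.

```python
"""Replay of the Maltrail -> Fail2Ban -> Telegram flow described in the paper.

Added example, not code from the paper, Maltrail or Fail2Ban. It applies the
jail parameters the paper uses (maxretry=1, bantime=180 s) to constructed
Maltrail-style log lines and builds the text a Telegram action would send.
Assumed log layout: "timestamp" sensor src_ip src_port dst_ip dst_port proto
type "trail" "info" "reference".
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAXRETRY = 1    # paper: one malware event is enough to ban the client
BANTIME = 180   # paper: the ban lasts 180 s, then Fail2Ban unbans automatically
FINDTIME = 600  # assumption: Fail2Ban default window for counting events

# Constructed sample log. Destination IPs/domains are from the paper's Table 1;
# the client address 0.0.0.19 is the one shown in the paper's Figure 8.
SAMPLE_LOG = """\
"2021-02-10 09:00:01.000000" sensor1 0.0.0.19 51234 216.218.185.162 80 TCP IP "216.218.185.162" "malware (fqbtpehkp.org)" "(static)"
"2021-02-10 09:00:02.000000" sensor1 0.0.0.19 51235 216.218.185.162 80 TCP IP "216.218.185.162" "malware (fqbtpehkp.org)" "(static)"
"2021-02-10 09:00:05.000000" sensor1 0.0.0.23 40000 63.251.235.82 80 TCP IP "63.251.235.82" "malware (morphed.ru)" "(static)"
"2021-02-10 09:04:00.000000" sensor1 0.0.0.19 51300 23.105.122.40 80 TCP IP "23.105.122.40" "malware (hhgg3.com)" "(static)"
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Captures the client (source) address, the role <HOST> plays in a Fail2Ban failregex.
LINE_RE = re.compile(
    rf'^"(?P<ts>[^"]+)"\s+\S+\s+(?P<src>{IPV4})\s+\d+\s+(?P<dst>{IPV4})\s+\d+\s+\S+\s+\S+'
    r'\s+"(?P<trail>[^"]*)"\s+"(?P<info>[^"]*)"\s+"[^"]*"$'
)


def telegram_message(ip, info, bantime):
    """Constructed notification text; the paper shows its report only as a screenshot."""
    return f"[Fail2Ban] banned {ip} for {bantime} s ({bantime // 60} min): Maltrail reported {info}"


@dataclass
class MaltrailJail:
    maxretry: int = MAXRETRY
    bantime: int = BANTIME
    findtime: int = FINDTIME
    failures: dict = field(default_factory=dict)      # ip -> timestamps of matched events
    banned_until: dict = field(default_factory=dict)  # ip -> time at which the ban expires
    notifications: list = field(default_factory=list)

    def _expire(self, now):
        """Lift bans whose bantime has passed, as Fail2Ban does automatically."""
        for ip, until in list(self.banned_until.items()):
            if now >= until:
                del self.banned_until[ip]
                self.notifications.append(f"[Fail2Ban] unbanned {ip} after {self.bantime} s")

    def process_line(self, line):
        """Feed one Maltrail log line; returns what the jail did with it."""
        m = LINE_RE.match(line)
        if not m:
            return "ignored"          # not a Maltrail event line
        now = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        self._expire(now)
        ip = m["src"]
        if ip in self.banned_until:
            return "already-banned"   # traffic from a banned client is already dropped
        window = timedelta(seconds=self.findtime)
        recent = [t for t in self.failures.get(ip, []) if now - t <= window]
        recent.append(now)
        if len(recent) < self.maxretry:
            self.failures[ip] = recent
            return "counted"
        self.failures.pop(ip, None)
        self.banned_until[ip] = now + timedelta(seconds=self.bantime)
        self.notifications.append(telegram_message(ip, m["info"], self.bantime))
        return "banned"


def replay(log_text):
    """Run every line of a Maltrail log through the jail; returns (jail, per-line results)."""
    jail = MaltrailJail()
    results = [jail.process_line(line) for line in log_text.splitlines() if line.strip()]
    return jail, results


if __name__ == "__main__":
    jail, results = replay(SAMPLE_LOG)
    for result, line in zip(results, SAMPLE_LOG.splitlines()):
        print(f"{result:15} {line[:60]}")
    print("\n".join(jail.notifications))
    print("still banned:", sorted(jail.banned_until))
```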


Figure 6 Ryzenware system bot display for the Telegram administrator


Figure 6 is the chat display of the Ryzenware bot on Telegram, which reports whether the system is active or inactive. If the system status is disabled, the server reports to the Telegram administrator with the message "Fail2Ban just stopped". If the system status is active, the server reports to the Telegram administrator with the message "Fail2Ban just started".

2.4. Test Results and Discussion


At this stage, testing is carried out to confirm that the implementation meets the expected goals. The tests consisted of using Maltrail and Fail2Ban as a malware traffic monitoring system and as protection against attacks on server activity, using clients. The test is carried out by browsing to several sites or IP addresses identified as malware based on data sources from anti-virus companies. Other attacks on the server are then tested to determine whether the Maltrail and Fail2Ban sensors can detect and prevent them. The results are displayed on the Maltrail website in the form of data tables and graphs. Table 1 lists the domain samples and Table 2 the attacks other than malware that were tested.

Table 1 Testing with a number of domains

No.  Domain      IP Address        DNS Address      Domain Sample
1    facebook    202.124.205.117   Facebook.com     Legal (non-malware)
2    hhgg3       23.105.122.40     hhgg3.com        Illegal (malware)
3    morphed     63.251.235.82     morphed.ru       Illegal (malware)
4    trololo     192.165.67.186    trololo.cu.cc    Illegal (malware)
5    fqbtpehkp   216.218.185.162   fqbtpehkp.org    Illegal (malware)
6    -           136.161.101.53    -                Illegal (malware)


Table 2 Methods of implementing attacks

Component Name   Method
DDoS attack      Blackbox
Port Scanning    Blackbox
Syn flooding     Blackbox

Referring to Tables 1 and 2, malware testing was carried out by browsing to these domains. As a result, the domains morphed.ru, trololo.cu.cc, hhgg3.com and fqbtpehkp.org were flagged and detected as malware, while the site facebook.com was considered safe and not detected as malware. DDoS attacks, port scanning and Syn flooding were then tested to find out whether the system can detect and block attacks other than malware, in order to make the most of the system in preventing suspicious activity that enters the server. The Maltrail report is shown in Figure 7.

Figure 7 Test results for sites indicated as malware


In Figure 7 the client tries to access one of the domains in Table 1, namely fqbtpehkp.org, with continuous access requests. The domain is accessed by flooding it with up to 35 events, so that the number of events exceeds the access limit, the maxretry limit of 1 event set in the Fail2Ban rule.


Figure 8 Result of banned IP address by Fail2Ban


Figure 8 is the result of checking the status of the Fail2Ban rule for Maltrail. Based on Figure 8, it is detected that the client IP address trying to access and transfer data with the malware domain exceeded the maxretry access limit specified in the Fail2Ban rule, so the client IP address, 0.0.0.19, is banned by Fail2Ban for the bantime set in the Fail2Ban rule, which is 180 seconds. This Fail2Ban system does not ban client IPs that carry out malware transactions directly, but waits for the malware logs from Maltrail first. If the client then accesses more than the maxretry limit, the IP is banned automatically.

Figure 9 Blocking report results by Fail2Ban to telegram administrator


Figure 9 is the blocking report sent by Fail2Ban to the Telegram administrator. Based on Figure 9, the ban report is sent with a ban time of 180 seconds or 3 minutes. The results of the ban are reported to the administrator via the Telegram bot in real time, and once the banned IP address has reached 180 seconds, Fail2Ban unbans it automatically.

Figure 10 Results of DDoS attack


Figure 10 is the result of a successful DDoS attack on the server sending 10000 bytes. This test is carried out in order to consume all available bandwidth between the target and the internet network.

Figure 11 Port scanning results


Figure 11 is the result of port scanning, which was successfully detected by the Maltrail sensor with an attack intensity of 2.7%, but was not blocked by Fail2Ban because of the low threat level.

Figure 12 Results of Syn flooding attack


Figure 12 is the result of a successful Syn flooding attack on the server, whose purpose is to consume server resources so that the server cannot serve genuinely legitimate traffic. Syn flooding is an attack that exploits the three-way handshake of a TCP connection; here it was carried out using hping.

2.5. Results and Analysis

Figure 13 Wireshark captures traffic data packets on the server


Figure 13 is the initial Wireshark view used to capture traffic data packets on the server; these captures are used to measure and analyze network performance during the malware tests. This measurement is needed to determine the traffic intensity on the server when data packets indicated as malware are captured.

Figure 14 Wireshark captures encrypted data packets in the form of malware


Figure 14 is a display of Wireshark which managed to capture encrypted data packets in
the form of malware after testing. The measurement is carried out by measuring the comparison
of the throughput value from the test results when the server captures malware data packets
without using the Maltrail and Fail2Ban systems, and when the system is implemented. The
following table shows the results of testing the throughput value of each type of malware on the
server.
Table 3 Conficker Sinkhole Malware Throughput Test Results

No.  Throughput without Maltrail & Fail2Ban (Kbps)   Throughput with Maltrail & Fail2Ban (Kbps)
1    2821                                            4118
2    7080                                            10000
3    6167                                            9787
4    4339                                            8324
5    5758                                            7886

$$
\text{Throughput Decrease} = \frac{(2821+7080+6167+4339+5758)-(4118+10000+9787+8324+7886)}{(2821+7080+6167+4339+5758)} \times 100\% = 53.32\%
$$

The first scenario was carried out to determine whether Maltrail and Fail2Ban
were able to prevent malware data packets on the server by measuring the throughput of
bits per second (bit/s or kbps). In this case, a comparison is made between abnormal
traffic and when Maltrail and Fail2Ban systems are applied. It can be seen in Tables 3, 4,
5 and 6, respectively, the results of the throughput comparison before and after the
implementation of the prevention system.


Table 4 Andromeda Malware Throughput Test Results

No.  Throughput without Maltrail & Fail2Ban (Kbps)   Throughput with Maltrail & Fail2Ban (Kbps)
1    8816                                            11000
2    6903                                            7062
3    5632                                            8557
4    5933                                            7770
5    4512                                            5891

$$
\text{Throughput Decrease} = \frac{(8816+6903+5632+5933+4512)-(11000+7062+8557+7770+5891)}{(8816+6903+5632+5933+4512)} \times 100\% = 26.68\%
$$

For every malware type the test procedure is the same: 10–50 attacks are run without the Maltrail and Fail2Ban systems, after which the experiments are repeated with Maltrail and Fail2Ban applied.

Table 5 Shadowserver Sinkhole Malware Throughput Test Results

No.  Throughput without Maltrail & Fail2Ban (Kbps)   Throughput with Maltrail & Fail2Ban (Kbps)
1    4048                                            4873
2    6039                                            8266
3    5274                                            8684
4    6209                                            10000
5    4679                                            9198

$$
\text{Throughput Decrease} = \frac{(4048+6039+5274+6209+4679)-(4873+8266+8684+10000+9198)}{(4048+6039+5274+6209+4679)} \times 100\% = 56.28\%
$$

Table 6 Sinkhole Response Malware Throughput Test Results

No.  Throughput without Maltrail & Fail2Ban (Kbps)   Throughput with Maltrail & Fail2Ban (Kbps)
1    4089                                            12000
2    4862                                            8523
3    4985                                            6991
4    3486                                            7031
5    4069                                            6683

$$
\text{Throughput Decrease} = \frac{(4089+4862+4985+3486+4069)-(12000+8523+6991+7031+6683)}{(4089+4862+4985+3486+4069)} \times 100\% = 52.13\%
$$


2.6 Performance Analysis


Network throughput is the success rate of sending messages through a communication
channel. Throughput is usually measured in bits per second (bit/s or kbps), and sometimes in data
packets per second (p/s or pps) or data packets per time slot. Throughput = (RWIN/RTT) where
RWIN is the TCP Receive Window and RTT is the round-trip time for the line.

[Chart: Throughput on Malware Attack, Sinkhole Conficker; x-axis: Test 1–5; y-axis: Kbps (0–12000); series: Throughput without Maltrail & Fail2Ban (Kbps), Throughput with Maltrail & Fail2Ban (Kbps)]

Figure 15 Graph of throughput on sinkhole conficker malware attacks


Figure 15 compares the average throughput for five traffic states on a network under a Conficker sinkhole malware attack. Without the system applied, the throughput measured in each test is lower than after the system has been implemented. Conficker sinkhole malware has a high threat level, resulting in a significant decrease in throughput on the server network.

[Chart: Throughput on Malware Attack, Andromeda; x-axis: Test 1–5; y-axis: Kbps (0–12000); series: Throughput without Maltrail & Fail2Ban (Kbps), Throughput with Maltrail & Fail2Ban (Kbps)]

Figure 16 Graph of throughput on andromeda malware attack


Figure 16 compares the average throughput for five traffic states on a network under Andromeda malware attacks. Andromeda malware has Trojan-like capabilities: it is able to download other types of malware from its control server and has a high threat level. This results in a significant decrease in throughput on the server network.

[Chart: Throughput on Malware Attack, Sinkhole Shadowserver; x-axis: Test 1–5; y-axis: Kbps (0–12000); series: Throughput without Maltrail & Fail2Ban (Kbps), Throughput with Maltrail & Fail2Ban (Kbps)]

Figure 17 Graph of throughput on shadowserver sinkhole malware attack


Figure 17 compares the average throughput for five traffic states on the network under Shadowserver sinkhole malware attacks. This Shadowserver sinkhole has the same attack properties as the Conficker type.

[Chart: Throughput on Malware Attack, Sinkhole Response; x-axis: Test 1–5; y-axis: Kbps (0–15000); series: Throughput without Maltrail & Fail2Ban (Kbps), Throughput with Maltrail & Fail2Ban (Kbps)]

Figure 18 Graph of throughput on a sinkhole response malware attack


Figure 18 compares the average throughput for five traffic conditions on the network under sinkhole response malware attacks. Across all the experiments, each with five states, the system was able to significantly increase throughput by using the prevention provided by Maltrail and Fail2Ban.


2.7 CPU utilization on Server


The second scenario was carried out to find out whether the Maltrail and Fail2Ban systems were able to reduce the impact on the server of malware attacks and of attacks other than malware. Table 7 shows the server CPU utilization under malware attacks.

Table 7 CPU utilization of the server without Maltrail and Fail2Ban

Attack                   Average CPU Usage (%)
Sinkhole Conficker       59.52
Andromeda                56.83
Sinkhole Shadowserver    49.55
Sinkhole Response        42.25

Table 7 shows a comparison of CPU utilization without using Maltrail and Fail2Ban,
aiming to find out whether the system is able to reduce the impact of attacks on CPU usage on
the server.

Table 8 CPU utilization of the server with Maltrail and Fail2Ban

Attack                   Average CPU Usage (%)
Sinkhole Conficker       14.91
Andromeda                7.8
Sinkhole Shadowserver    13.34
Sinkhole Response        11.61

Table 8 shows CPU utilization with Maltrail and Fail2Ban in use; compared with Table 7, the system is able to reduce the impact of attacks on CPU usage on the server.

Table 9 CPU utilization of the server under attacks other than malware

Attack           Average CPU Usage (%)
DDoS Attack      60.52
Syn Flooding     97.86
Port Scanning    0.7

Table 9 shows CPU utilization under attacks other than malware; CPU utilization keeps rising towards 100% under an attack with a very high threat level.


3. RESULT AND DISCUSSION

3.1. Research Result


In this test, the aim is to compare the impact of malware on network traffic, especially
traffic speed after being infected with malware without system implementation and after system
implementation. To measure the throughput in this analysis, the data taken is the average number
of Kbit/s.

Table 10 Results of throughput measurements

No.  Type of Malware          Throughput Decrease Percentage (throughput in Kbit/s)
1    Sinkhole Conficker       53.32%
2    Andromeda                26.68%
3    Sinkhole Shadowserver    56.28%
4    Sinkhole Response        52.13%

Table 10 gives the percentage decrease in throughput caused by each malware type on the server network; the largest decrease is 56.28%, while the lowest, 26.68%, corresponds to malware traffic with a fairly low impact on throughput. A large percentage decrease in throughput causes congestion in network traffic. The comparison of throughput values before and after system implementation shows that the Maltrail and Fail2Ban systems are able to minimize malware attacks.

3.2. Results of monitoring and security analysis on the server

Table 11 Results of monitoring and security analysis on the server

Component Name   Detected by Maltrail   Blocked by Fail2Ban   Notification Sent
DDoS attack      No                     No                    No
Port Scanning    Yes                    No                    No
Syn Flooding     No                     No                    No

Table 11 summarizes the results of monitoring and securing the server against the three types of attack. Of the three attacks, the Maltrail system only detected port scanning, and Fail2Ban did not block it because the attack rate was quite low.

4. CONCLUSION

Based on the results of the design, testing and analysis that has been done, some
conclusions can be drawn as follows:
1. Based on the results of functionality testing on the features on the implemented system,
such as displaying graphs, malware logs, printing monitoring data results, for the success
rate of Maltrail and Fail2Ban systems have succeeded in detecting and blocking malware
attacks. It can be concluded that all functions are 100% running well as they should.
2. From the tests of the attack categories other than malware, the detection results are 0% for the DDoS attack and 0% for Syn Flooding, while the Maltrail system successfully detected port scanning with a threat level of 2.7%. Maltrail is currently unable to detect attacks other than malware, such as DDoS attacks and Syn flooding.


3. Based on the measurement and analysis of malware traffic intensity on the server network, the largest throughput decline, for the Shadowserver sinkhole malware type, reached 56.28%, while the malware with the lowest impact gave 26.8%. These results show that malware considerably reduces the throughput value, but the implementation of the Maltrail and Fail2Ban systems succeeded in preventing attacks, as shown by comparing throughput values before and after system implementation. The system therefore increases both the security and the network throughput of the server.

REFERENCES

[1] Riki Triansyah, Dian Novianto. 2017. Prototype Keamanan Jaringan Menggunakan Teknik Demilitarized Zone (DMZ) Dengan Sistem Operasi Linux.
[2] Mariwan Ahmed Hama Saeed. 2020. Malware in computer systems: Problems and Solutions. Vol. 9, No. 1, 2020, pp. 1-8.
[3] Kujawa A, Wendy Z, Jovi U, Jerome S, William T, Pieter A, Chris B. 2019. 2019 State of Malware. California (US): Malwarebytes Corporation. pp. 6-7.
[4] Hudzaifah, Anang S, Devie RS. 2018. Membangun Sistem Monitoring Malicious Traffic di Jaringan dengan Maltrail. Bandung (ID): Telkom University. Vol 4 No. 3: 2018.
[5] Parita Chandrakant Parekh, Prof. Jayshree Upadhyay. 2018. Detecting and Blocking Encrypted Anonymous Traffic using Deep Packet Inspection. Vol. 4, Issue 2, 2020.
[6] Sudahrshan N, P. Dass. 2019. Malicious Traffic Detection System using Publicly Available Blacklists. Vol. 8, Issue 6S, August 2019.
[7] Adib Fakhri Muhtadi, Ahmad Almaarif. 2020. Analysis of Malware Impact on Network Traffic using Behavior-based Detection Technique. Vol. 1, No. 1, April 2020, pp. 17-25.
[8] Stampar M. 2016. Malicious Traffic Detection System. GitHub. [Accessed 10 February 2021]. Available at: https://github.com/stamparm/maltrail.
[9] Kurniawan I, Ferry Mulyanto, Fuad Nandiasa. 2016. Sistem Pencegah Serangan Bruteforce pada Ubuntu Server dengan menggunakan Fail2Ban. Bandung (ID).
[10] Riki Andri Yusda. 2018. Rancang Bangun Jaringan Client Server Berbasis Linux Debian 6.0.
[11] Anglano C, Massimo C, Marco G. 2017. Forensic Analysis of Telegram Messenger on Android Smartphones. Alessandria (IT): DiSIT - Computer Science Institute, Università del Piemonte Orientale. Vol 23: 31-49. https://doi.org/10.1016/j.diin.2017.09.002.
[12] Kurniawan A. 2012. Network Forensic. Yogyakarta: Andi Offset.
[13] Diskominfo, "arti lambang kominfo", 10 August 2017. [Online]. [Accessed 2021].
