Fail2ban protect Apache from DDOS Attack
How to: CentOS – fail2ban protect Apache from DDOS Attack
Edit your /etc/fail2ban/jail.conf file and add this section:
Now we need to create the filter, to do that, create the file /etc/fail2ban/filter.d/http-get-dos.conf and copy the text below in it:
vim /etc/fail2ban/filter.d/http-get-dos.conf
# Fail2Ban configuration file
# Author: http://www.go2linux.org
[Definition]
PLEASE NOTE:
Be sure to adjust maxretry, findtime and bantime to values that fits your needs.
- maxretry Is the maximum amount of requests before the originating IP gets blocked.
- findtiem Is the time window (in seconds) to check for the amount of maxretries before the IP gets blocked
- bantime is the amount of time the IP will be blocked
As you can see in my example, I have set up 500 maxretry and 120 for findtime, so, we need to have 500 GETs from the same IP in a time window of 120 seconds to have the originating IP blocked.
Remember that you will have one GET for each css, js, html, ico and other files that are part of your webpage, so if you have 20 components, some client needs only to load 15 pages in 5 minutes to get blocked. Be sure to adjust those values to fit your needs.
How to Find your perfect Maxentry + Findtime value for DDOS attacks:
To find the perfect value you will need to try out values and keep an eye on it.
I also ran a command to check the top requests on my server
awk ‘/Mar/2013/ {print $1};’ /var/log/virtualmin/domain.com_access_log | sort | uniq -c | sort -rn | head
And got this output:
12662 1xx.82.138.121 << DDOS
7413 4x.114.213.100 << DDOS
1475 12x.6x.14x.66 << Normal User
1343 124.118.150.10 << Normal User
1210 106.187.46.12 << Normal User
621 222.80.134.173 << Normal User
587 120.68.157.250 << Normal User
561 218.31.0.5 << Normal User
500 110.154.161.222 << Normal User
From that I could see what would be a normal amount for a very active user on my site – about 1475 hits
I then went into the log and filtered by the users IP “12x.6x.14x.66″ and checked how long it too the user to do 500 GET requests.
In my case the user took the user about 38min to do 500 GET requests – so he would not have been banned with my rule of 2min / 120 seconds.
While the DDOS user did 500 GET requests in less than 2 seconds – and THATS what I want to ban!
How to check if Fail2ban is working and if its blocking DDOS attacks:
You will need to test a few things:
1. If the Fail2ban filter is working on your system
2. If Fail2ban is blocking the IP after your Maxentry value in your Findtime timeframe
So lets check – If the Fail2ban filter is working on your system – with this command
fail2ban-regex /path/to/logfile /etc/fail2ban/filter.d/http-get-dos.conf
Then if you can see that IPS are being picked up (It should pick up every GET entry) then its working.
So then lets check – if Fail2ban is blocking the IP after your Maxentry value in your Findtime timeframe
The easiest way to do this is use Apaches AB testing tool.
Run this command for a different CentOS server that has Apache installed
ab -n 1000 -c 2 http://www.domaini.com/
The IP should be banned after 500 GET retries
Then you can just restart the fail2ban service to unban yourself.
If you are not banned check that you did not exclude the IP in the jail.conf
Credit http://kiteplans.info/2013/03/18/centos-virtualminfail2ban-protect-apache-from-ddos-attack/