Guillermo Garron

From my head

Install fail2ban to protect your site from DOS attacks

Written by Guillermo Garron .
Date: 2011-05-29 10:36:30 -0400

DOS attack

Denial of service attacks are meant to load a server to a level where it can’t serve the intended users with the service, we will here see a method to avoid that.

Install fail2ban

You can install it using your distribution package manager in case of Debian or Ubuntu run:

apt-get install fail2ban

as root, or with sudo in Ubuntu’s case.

For Arch Linux

pacman -Sy fail2ban

and So on, depending on the distribution you are using, now to configure it, consider that there are two main configuration files:

  • /etc/fail2ban/fail2ban.conf
  • /etc/fail2ban/jail.conf

I’m going to copy this from other article here in Go2linux.

enabled

Defines whether or not a given section is enabled or nor, its possible values are:

  • false
  • true

filter

This is not used in the default section as it is used to tell fail2ban client what it is looking for in the logfile, its values could be among others:

  • sshd
  • proftpd
  • httpd

basically it is how the service is identified on the log file being parsed

action

This option tells fail2ban what action to take once a rule is broken, could be specified a default action in the default section, and overwritten on each jail section you may need to change the default value.

logpath

With this option we need to pass the file to be parsed, should be taken into account that different distribution has different log files for instance for ssh in:

  • Fedora -> /var/log/secure
  • CentOS -> /var/log/secure
  • Debian -> /var/log/auth
  • Ubuntu -> /var/log/auth
  • Sabayon -> /var/log/messages

If you put a wrong value here, it will not work and will give you no errors.

ignoreip

This option is used to set one or some IPs that should not be blocked, no matter how many times a users fail in login from those IPs, use this with care

maxretry

This option is used to set the limit of retries a user have before he gets blocked

bantime

This option is used to set the time (in seconds) an IP will be banned, maybe a good option could be 5 minutes so, 300 seconds, this will put bots away while also letting legitimate users to try again after the ban time ends

destmail

Use this option to set the email of the person who should receive alerts when an IP is banned

banaction

Use this option to instruct with action will be taking in order to ban an offending IP. ie:

  • iptables — To use Iptables in order to ban the offending IP
  • iptables-new — To ban only new connections
  • iptables-multiport — To ban all ports from the offending IP
  • shorewall — To use Shorewall instead of Iptables

Protocol

Set here the default protocol to ban, TCP or UDP You can read more at: How to configure fail2ban

How to use fail2ban to protect Apache / Nginx / Varnis / Squid / lighthttpd

As you can see, this method will work for any server you have in front of your real web server, or to the actual web server itself, actually this will mainly protect your port 80.

Consider that you will have to adjust the path to your web server, I’ll use varnish in my case.

Edit your /etc/fail2ban/jail.conf file and add this section:

[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/varnish/access.log
maxretry = 300
findtime = 300
#ban for 25 hours
bantime = 600
action = iptables[name=HTTP, port=http, protocol=tcp]

Now we need to create the filter, to do that, create the file /etc/fail2ban/filter.d/http-get-dos.conf and copy the text below in it:

# Fail2Ban configuration file
#
# Author: http://www.go2linux.org
#
[Definition]

# Option: failregex
# Note: This regex will match any GET entry in your logs, so basically all valid and not valid entries are a match.
# You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives.

failregex = ^ -.*GET

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

Note

Be sure to adjust maxretry and findtime to some values that fits your needs.

  • maxretry Is the maximum times of tries before the originating IP gets blocked.
  • findtiem Is the time window (in seconds) where the maxretry times should occur, for the IP to get blocked.

As you can see in my example, I have set up 300 maxretry and 300 for findtime, so, we need to have 300 GETs from the same IP in a time window of 300 seconds to have the originating IP blocked.

Consider that you will have one GET for each css, js, html, ico and other files that are part of your webpage, so if you have 20 components, some client needs only to load 15 pages in 5 minutes to get blocked. Be sure to adjust those values to fit your needs.

Conclusion

DOS are common ways to attack web server, there are lots of ways to protect your server against that, this is only one of them, be sure to check /var/log/fail2ban.log file to be sure everything is working, and also run this command from time to time: iptables -L to see which IPs are blocked.

One last note, I’m using varnishncsa -a -w /var/log/varnish/access.log -D -P /var/run/varnishncsa.pid command to have varnish logs available for this.


permalink

If you enjoyed the article, please share it

twitter | facebook | google+ | linkedin | email | reddit