Written by Guillermo Garron .
Date: 2011-05-29 10:36:30 -0400
Denial of service attacks are meant to load a server to a level where it can’t serve the intended users with the service, we will here see a method to avoid that.
You can install it using your distribution package manager in case of Debian or Ubuntu run:
apt-get install fail2ban
as root, or with sudo in Ubuntu’s case.
For Arch Linux
pacman -Sy fail2ban
and So on, depending on the distribution you are using, now to configure it, consider that there are two main configuration files:
I’m going to copy this from other article here in Go2linux.
Defines whether or not a given section is enabled or nor, its possible values are:
This is not used in the default section as it is used to tell fail2ban client what it is looking for in the logfile, its values could be among others:
basically it is how the service is identified on the log file being parsed
This option tells fail2ban what action to take once a rule is broken, could be specified a default action in the default section, and overwritten on each jail section you may need to change the default value.
With this option we need to pass the file to be parsed, should be taken into account that different distribution has different log files for instance for ssh in:
- Fedora -> /var/log/secure
- CentOS -> /var/log/secure
- Debian -> /var/log/auth
- Ubuntu -> /var/log/auth
- Sabayon -> /var/log/messages
If you put a wrong value here, it will not work and will give you no errors.
This option is used to set one or some IPs that should not be blocked, no matter how many times a users fail in login from those IPs, use this with care
This option is used to set the limit of retries a user have before he gets blocked
This option is used to set the time (in seconds) an IP will be banned, maybe a good option could be 5 minutes so, 300 seconds, this will put bots away while also letting legitimate users to try again after the ban time ends
Use this option to set the email of the person who should receive alerts when an IP is banned
Use this option to instruct with action will be taking in order to ban an offending IP. ie:
- iptables — To use Iptables in order to ban the offending IP
- iptables-new — To ban only new connections
- iptables-multiport — To ban all ports from the offending IP
- shorewall — To use Shorewall instead of Iptables
Set here the default protocol to ban, TCP or UDP You can read more at: How to configure fail2ban
How to use fail2ban to protect Apache / Nginx / Varnis / Squid / lighthttpd
As you can see, this method will work for any server you have in front of your real web server, or to the actual web server itself, actually this will mainly protect your port 80.
Consider that you will have to adjust the path to your web server, I’ll use varnish in my case.
Edit your /etc/fail2ban/jail.conf file and add this section:
[http-get-dos] enabled = true port = http,https filter = http-get-dos logpath = /var/log/varnish/access.log maxretry = 300 findtime = 300 #ban for 5 minutes bantime = 600 action = iptables[name=HTTP, port=http, protocol=tcp]
Now we need to create the filter, to do that, create the file /etc/fail2ban/filter.d/http-get-dos.conf and copy the text below in it:
# Fail2Ban configuration file # # Author: http://www.go2linux.org # [Definition] # Option: failregex # Note: This regex will match any GET entry in your logs, so basically all valid and not valid entries are a match. # You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives. failregex = ^ -.*GET # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex =
Be sure to adjust maxretry and findtime to some values that fits your needs.
- maxretry Is the maximum times of tries before the originating IP gets blocked.
- findtiem Is the time window (in seconds) where the maxretry times should occur, for the IP to get blocked.
As you can see in my example, I have set up 300 maxretry and 300 for findtime, so, we need to have 300 GETs from the same IP in a time window of 300 seconds to have the originating IP blocked.
Consider that you will have one GET for each css, js, html, ico and other files that are part of your webpage, so if you have 20 components, some client needs only to load 15 pages in 5 minutes to get blocked. Be sure to adjust those values to fit your needs.
DOS are common ways to attack web server, there are lots of ways to protect your server against that, this is only one of them, be sure to check /var/log/fail2ban.log file to be sure everything is working, and also run this command from time to time: iptables -L to see which IPs are blocked.
One last note, I’m using varnishncsa -a -w /var/log/varnish/access.log -D -P /var/run/varnishncsa.pid command to have varnish logs available for this.
If you enjoyed the article, please share it