Hi all, yesterday I tried a little test: attacking my ISPConfig server with slowloris ddos. I had enabled the apache banning rules before doing the little test. This is my jail.conf:

Code:
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6

[apache-multiport]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6

[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6

[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2

When I start attacking my server with slowloris, the web server goes down, and fail2ban didn't do anything. Here is the apache error.log (a hundred lines actually):

Code:
[...]
[Fri Jun 25 22:07:38 2010] [error] [client 111.222.333.444] request failed: error reading the headers
[Fri Jun 25 22:07:38 2010] [error] [client 111.222.333.444] request failed: error reading the headers
[Fri Jun 25 22:07:39 2010] [error] [client 111.222.333.444] request failed: error reading the headers
[Fri Jun 25 22:07:41 2010] [error] [client 111.222.333.444] request failed: error reading the headers
[...]

My question is: is it possible to prevent a ddos attack such as slowloris with fail2ban? Or maybe any other suggestion to prevent this attack? Any help is really appreciated.
I think it should be possible, as fail2ban detects anomalies in log files with regular expressions. I'm not a fail2ban expert, so I'm not able to tell you in detail how to write that rule, but I think it should be possible. Maybe you will find the solution already by looking at the other apache filter definitions.
Okay Till, thanks for your fast reply. I'll try to find other regex apache rules first, and if I find something useful, I will write here. But if there are any other suggestions or someone has already found a way, it would be greatly appreciated.
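As an added example that is not code from this thread or from the fail2ban project: the kind of filter Till points at, written against the "request failed: error reading the headers" lines quoted above, together with a small offline replay of fail2ban's maxretry/findtime counting so the regex can be checked before it goes into /etc/fail2ban/filter.d/. The filter name apache-slowloris.conf, the simplified HOST_PATTERN standing in for fail2ban's own <HOST> expansion, and every log line beyond the four quoted in the opening post are assumptions made for the example; 111.222.333.444 is the poster's own placeholder address.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Candidate failregex for a hypothetical filter.d/apache-slowloris.conf (name assumed).
# As in the stock apache-* filters, the leading timestamp is not part of the regex:
# fail2ban locates and parses it itself. <HOST> is fail2ban's own token; it is
# expanded to a named group below before the regex is compiled.
FAILREGEX = r"\[error\] \[client <HOST>\] request failed: error reading the headers$"

# Simplified stand-in for the host pattern fail2ban substitutes for <HOST> (assumption).
HOST_PATTERN = r"(?P<host>[\w\-.:^_]+)"

# Apache 2.2 error.log timestamp, e.g. "[Fri Jun 25 22:07:38 2010]"
TIMESTAMP_RE = re.compile(r"^\[([^\]]+)\]")
TIMESTAMP_FMT = "%a %b %d %H:%M:%S %Y"

# Constructed sample log: the four lines quoted in the opening post, plus four
# made-up lines (a second client and a non-matching error) to exercise the threshold.
SAMPLE_ERROR_LOG = [
    "[Fri Jun 25 22:07:38 2010] [error] [client 111.222.333.444] request failed: error reading the headers",
    "[Fri Jun 25 22:07:38 2010] [error] [client 111.222.333.444] request failed: error reading the headers",
    "[Fri Jun 25 22:07:39 2010] [error] [client 111.222.333.444] request failed: error reading the headers",
    "[Fri Jun 25 22:07:41 2010] [error] [client 111.222.333.444] request failed: error reading the headers",
    "[Fri Jun 25 22:07:42 2010] [error] [client 111.222.333.444] request failed: error reading the headers",
    "[Fri Jun 25 22:07:43 2010] [error] [client 10.0.0.5] File does not exist: /var/www/favicon.ico",
    "[Fri Jun 25 22:07:45 2010] [error] [client 111.222.333.444] request failed: error reading the headers",
    "[Fri Jun 25 22:08:00 2010] [error] [client 10.0.0.5] request failed: error reading the headers",
]


def filter_conf():
    """Text of the hypothetical filter file to drop into /etc/fail2ban/filter.d/."""
    return "[Definition]\nfailregex = %s\nignoreregex =\n" % FAILREGEX


def compile_failregex(failregex=FAILREGEX):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def parse_line(line, regex):
    """Return (timestamp, host) if the line matches the failregex, else None."""
    m = regex.search(line)
    ts = TIMESTAMP_RE.match(line)
    if m is None or ts is None:
        return None
    return datetime.strptime(ts.group(1), TIMESTAMP_FMT), m.group("host")


def find_bans(lines, maxretry=6, findtime=600, regex=None):
    """Replay fail2ban's counting offline: a host is banned the moment it has
    produced `maxretry` matching lines within `findtime` seconds. Returns a
    list of (host, timestamp_of_ban) in log order; each host appears at most once."""
    regex = regex or compile_failregex()
    window = timedelta(seconds=findtime)
    hits = defaultdict(list)
    banned, already = [], set()
    for line in lines:
        parsed = parse_line(line, regex)
        if parsed is None:
            continue
        ts, host = parsed
        if host in already:
            continue
        # keep only the hits still inside the sliding window, then add this one
        hits[host] = [t for t in hits[host] if ts - t <= window] + [ts]
        if len(hits[host]) >= maxretry:
            banned.append((host, ts))
            already.add(host)
    return banned


if __name__ == "__main__":
    print(filter_conf())
    for host, when in find_bans(SAMPLE_ERROR_LOG, maxretry=6, findtime=600):
        print("would ban %s at %s" % (host, when.strftime(TIMESTAMP_FMT)))
```

With the poster's maxretry = 6 the sample log bans 111.222.333.444 on its sixth header-read error; the second client, with a single error, is left alone, and the "File does not exist" line never matches. One caveat worth keeping in mind: fail2ban can only react once Apache has given up on a half-open request and written the error line, which with a long Timeout is well after the connection slots have filled, so the filter is a complement to Apache-side limits on how long a client may take to send its headers (for example mod_reqtimeout, available from Apache 2.2.15), not a replacement for them.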