Hello, will anyone advise how to configure fail2ban against DDoS attacks on websites? I found only these modules:

- [apache] - watch http/s authentication
- [apache-overflows] - watch long and suspicious URLs
- [apache-badbots] - stop some known malicious bot request patterns
- [apache-nohome] - ban users' home directories
Me too. Today I looked at the logs to see what the myriad "not found" lines are. I would like to make fail2ban block repeated 404 requests from the same IP.
Hi. First of all, the default fail2ban configuration for apache has no action and ban parameters. You must set them manually in jail.conf:

    [apache-auth]
    action = iptables[name=apache-auth, port="http,https", protocol=tcp]
    port = http,https
    logpath = %(apache_error_log)s
    bantime = 864000
    maxretry = 2
    findtime = 89000

The default is parsing systemd; if you want to parse logs directly in /var/log, you must set backend = polling in jail.conf. To check systemd logs:

    # journalctl -u httpd

Second part is filtering log messages. Check it with fail2ban-regex:

    # fail2ban-regex [SOURCE LOG FILE OR LINE] [REGEXPR file or line]
    # fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf
    # fail2ban-regex "[04-Sep-2018 15:53:34 +0300]: <dc1dario> IMAP Error: Login failed for ***@****u from 194.186.82.194. AUTHENTICATE PLAIN: Authentication failed. in /usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 197 (POST /webmail/?_task=login?_task=login&_action=login)" "(.*) Login failed for (.*) from <HOST>(.*)\."

The default regular expressions you can find at /etc/fail2ban/filter.d/[JAILNAME].conf. Of course your local iptables must be enabled.

Third part is the action. By default it simply adds the IP to ban chains in iptables, but you can customise it for anything: ban, unban, log, mail, making coffee... any linux command. In my config action = iptables is iptables-multiport, which creates a ban chain with the multiport parameter; it allows banning 2 or more ports per IP. Also in jail.conf by default action = action_, which does not send mail. You must change it to action_mw or action_mwl, or make a new one if you need to. Action scripts you can find in the action.d folder.
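To tie the three parts above (filter regex, maxretry/findtime counting, ban decision) to the "block repeated 404s" request from the earlier reply, here is an added example that is not from either poster and not fail2ban's own code: a small Python script that holds a constructed filter.d-style failregex for Apache 404 responses, checks a single line the way `fail2ban-regex LINE REGEX` does, and then replays a constructed access log through the jail's sliding-window logic to show which hosts would be banned. The `<HOST>` expansion, the timestamp handling and the sample log lines are simplifications and constructed data, not fail2ban's real datepattern machinery.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed failregex in filter.d style for 404 responses in an Apache
# access log (combined format). fail2ban expands <HOST> itself; this script
# substitutes a plain IPv4/hostname pattern so the regex runs in stock Python.
# Unlike a real filter, the timestamp is captured in the regex (group "ts")
# instead of via a separate datepattern, and IPv6 is not handled.
FAILREGEX_404 = r'^<HOST> \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ [^"]*" 404 '
HOST_RE = r'(?P<host>[\w\-.^_]*\w)'      # simplified stand-in for <HOST>
APACHE_TS = "%d/%b/%Y:%H:%M:%S %z"        # e.g. 04/Sep/2018:15:53:34 +0300


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand <HOST> and compile, roughly what fail2ban does with a filter file."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def match_line(line: str, failregex: str = FAILREGEX_404):
    """Like `fail2ban-regex LINE REGEX`: return (host, epoch seconds) or None."""
    m = compile_failregex(failregex).search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), APACHE_TS).timestamp()
    return m.group("host"), ts


def simulate_jail(lines, failregex=FAILREGEX_404, maxretry=5, findtime=600):
    """Return hosts a jail would ban: maxretry matches within findtime seconds.

    Mirrors the jail.conf semantics: each matching line is one failure; a host
    is banned once it has maxretry failures inside a sliding findtime window.
    bantime is not modelled, only the ban decision is reported.
    """
    pat = compile_failregex(failregex)
    window = defaultdict(deque)   # host -> timestamps of recent failures
    banned = []
    for line in lines:
        m = pat.search(line)
        if not m:
            continue                # non-matching line: fail2ban ignores it
        host = m.group("host")
        if host in banned:
            continue                # already banned; iptables drops it anyway
        ts = datetime.strptime(m.group("ts"), APACHE_TS).timestamp()
        recent = window[host]
        recent.append(ts)
        while recent and ts - recent[0] > findtime:
            recent.popleft()        # drop failures older than findtime
        if len(recent) >= maxretry:
            banned.append(host)
    return banned


def _line(host, ts, req, status):
    """Build one combined-format access-log line (constructed sample data)."""
    return f'{host} - - [{ts}] "GET {req} HTTP/1.1" {status} 196 "-" "curl/7.58.0"'


# Constructed sample log using RFC 5737 documentation addresses:
# 203.0.113.5  -> five 404s in under two minutes (banned with defaults)
# 198.51.100.7 -> one 200 and two 404s (not banned with maxretry=5)
# 192.0.2.9    -> five 404s spaced 5 minutes apart (never 5 inside 600 s)
SAMPLE_ACCESS_LOG = [
    _line("203.0.113.5", "04/Sep/2018:15:53:34 +0300", "/wp-login.php", 404),
    _line("203.0.113.5", "04/Sep/2018:15:53:35 +0300", "/xmlrpc.php", 404),
    _line("203.0.113.5", "04/Sep/2018:15:53:36 +0300", "/admin/", 404),
    _line("203.0.113.5", "04/Sep/2018:15:53:37 +0300", "/phpmyadmin/", 404),
    _line("198.51.100.7", "04/Sep/2018:15:54:00 +0300", "/index.html", 200),
    _line("198.51.100.7", "04/Sep/2018:15:54:05 +0300", "/old-page.html", 404),
    _line("198.51.100.7", "04/Sep/2018:15:54:09 +0300", "/favicon.ico", 404),
    _line("203.0.113.5", "04/Sep/2018:15:55:02 +0300", "/.env", 404),
    _line("192.0.2.9", "04/Sep/2018:16:00:00 +0300", "/missing", 404),
    _line("192.0.2.9", "04/Sep/2018:16:05:00 +0300", "/missing", 404),
    _line("192.0.2.9", "04/Sep/2018:16:10:00 +0300", "/missing", 404),
    _line("192.0.2.9", "04/Sep/2018:16:15:00 +0300", "/missing", 404),
    _line("192.0.2.9", "04/Sep/2018:16:20:00 +0300", "/missing", 404),
]

if __name__ == "__main__":
    print("single line:", match_line(SAMPLE_ACCESS_LOG[0]))
    print("maxretry=5 findtime=600 :", simulate_jail(SAMPLE_ACCESS_LOG))
    print("maxretry=2 findtime=600 :", simulate_jail(SAMPLE_ACCESS_LOG, maxretry=2))
    print("maxretry=5 findtime=3600:", simulate_jail(SAMPLE_ACCESS_LOG, findtime=3600))
```

Running it with the defaults bans only 203.0.113.5; lowering maxretry to 2 also catches the two-hit host and the slow scanner, and widening findtime to 3600 catches the slow scanner while leaving the two-hit host alone. That is the trade-off to tune in jail.conf before pointing a real filter at the access log: a low maxretry on 404s will also ban ordinary visitors who hit a few dead links, so test the regex first with fail2ban-regex against the real log, as described above.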