How to automatically ban IPS that consume too much bandwidth (traffic too high)?

Discussion in 'Installation/Configuration' started by Olivier BOUMATI, Apr 14, 2022.

  1. Olivier BOUMATI

    Olivier BOUMATI New Member

    Hello,
    I have a web server managed by ISPconfig and I regularly see on one of the hosted sites a very important amount of bandwidth consumed by one or some IPs. I add Apache rules to prohibit them but they adapt and change regularly. So I feel like I'm going to spend my time !
    Is there a solution to set up a rule, either at the UFW firewall or at the Fail2ban level to automatically ban these IPS?
    Thank you in advance for your help.
    Olivier Boumati
     
    Olivier BOUMATI, Apr 14, 2022
    #1
  2. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    How do you identify the ips to block? If it is via log files, fail2ban would be a good candidate to look at to automate that. It works in frequency though, if you really need to pick out bandwidth used you might have to write a custom script to do that, or find a different tool.
     
    Jesse Norell, Apr 14, 2022
    #2
  3. Olivier BOUMATI

    Olivier BOUMATI New Member

    I do not know exactly how to identify the IPs, I have a problem and I'm looking for a solution. I'm counting on your good ideas to get there. At first glance, I think that UFW could block certain traffic too frequent but I do not know how to do it, but I think that Fail2ban can also do the same kind of thing, more downstream, but I still do not know how either.
     
    Olivier BOUMATI, Apr 15, 2022
    #3
  4. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Ok, fair enough. In your initial post you seem to have identified that the issue is with the bandwidth consumed by the requests of a few specific ip's - how did you determine that? I presume it is either from log files or from monitoring network connections/traffic. However it is you identify those now could be automated to block the ips.

    You might be able to bypass the whole "identify and block" issue; if it always involves one specific site, look into the requests/activity of that site and see what's going on, it might simply have a known vulnerability or backdoor installed, or being used/abused in various ways, and you might be able to fix/remove the entire reason these problematic ips are connecting in the first place.
     
    Jesse Norell, Apr 15, 2022
    #4
  5. Olivier BOUMATI

    Olivier BOUMATI New Member

    Yes, it is by looking at the AWStat analysis results (therefore from the Apache logs) about a particular site that I have identified multiple IPs that download a whole folder containing multiple GB of images. It is not absolutly forbidden, but comparing on "normal" visits, we can easily see that the bandwidth consumed by these IPs is 20 times above average, but these visits explode the bandwidth quota allocated to this site. Normal visits download some pictures and that's all. There, it's a full and recurring download!
     
    Olivier BOUMATI, Apr 15, 2022
    #5
  6. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    With that description, I suspect you could just use fail2ban, with a simple regex that would match downloads of these pictures and block at a certain rate (number of matches in a timeframe); ie. maybe in your case the bandwidth can be ignored and just frequency/rate used.
     
    Jesse Norell, Apr 16, 2022
    #6
  7. Olivier BOUMATI

    Olivier BOUMATI New Member

    Thank you I will try...
     
    Olivier BOUMATI, Apr 22, 2022
    #7

Share This Page