[SOLVED] How to stop lots of http requests to the same folder from different IPs with fail2ban

Discussion in 'Installation/Configuration' started by razor7, Jun 29, 2016.

  1. razor7

    razor7 Member

    Hi, a few days ago I noticed my internet conenction very slow and my home server with ISPConfig pretty loaded, so I started to check the logs and review the /server-status apache page and realized that I was under some kind of DDoS attack. I realized that because in the logs of a client site (other_vhosts_access.log) I had lots of entries pointing to a joomla! installation trying to access the joomla! home dir and the /administrator folder (here is where you access admin backend in joomla!).

    Is there a way to stop this using fail2ban? I'm a bit confused if fail2ban will work because the attack seems to be originated from several different IPs.

    Thanks in advise!

    Environment:

    • Fail2Ban version: 0.9.3-1
    • OS: Ubuntu 16.04 LTS
    • ISPConfig: 3.1b1

    Relevant lines from log file (excerpt):

     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You can use the apache module mod_evasive for that.
     
  3. razor7

    razor7 Member

    Hi @till ! Thanks for the suggestion, but I thought that it would be better to use fail2ban because is promoted and enforced in the perfect server tutorials.

    Any hints to use fail2ban to repeal this attack?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Fail2ban is not an anti ddos tool while mod_evasive is a anti ddos module for apache, so you compare apples with pies here.
     
  5. razor7

    razor7 Member

    Ok, will look into it! thanks!
     
  6. gexacor

    gexacor New Member

    You can try use fail2ban of course but I'm using it to protect my SSH access for the most of the time.
    I can suggest you to create a .htaccess and block that directory from outside for now

    Other than that you can use Apache mod_evasive
     
  7. razor7

    razor7 Member

    Thanks switched to mod_evasive!
     

Share This Page