[SOLVED] How to stop lots of http requests to the same folder from different IPs with fail2ban

razor7 · Jun 29, 2016

Hi, a few days ago I noticed my internet conenction very slow and my home server with ISPConfig pretty loaded, so I started to check the logs and review the /server-status apache page and realized that I was under some kind of DDoS attack. I realized that because in the logs of a client site (other_vhosts_access.log) I had lots of entries pointing to a joomla! installation trying to access the joomla! home dir and the /administrator folder (here is where you access admin backend in joomla!).

Is there a way to stop this using fail2ban? I'm a bit confused if fail2ban will work because the attack seems to be originated from several different IPs.

Thanks in advise!

Environment:

Fail2Ban version: 0.9.3-1

OS: Ubuntu 16.04 LTS

ISPConfig: 3.1b1

Relevant lines from log file (excerpt):

it.validhost.com:443 66.249.75.248 - - [28/Jun/2016:09:15:42 -0300] "GET /folder/tienda-online/mas-productos/jvarcade HTTP/1.1" 200 5971 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
it.validhost.com:443 94.45.149.107 - - [28/Jun/2016:09:43:47 -0300] "GET /folder/administrator/ HTTP/1.1" 200 7279 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
it.validhost.com:443 78.30.248.235 - - [28/Jun/2016:12:45:47 -0300] "GET /folder/administrator/ HTTP/1.1" 200 6520 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
it.validhost.com:443 78.30.248.235 - - [28/Jun/2016:12:45:47 -0300] "GET /folder/administrator/ HTTP/1.1" 200 6520 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
it.validhost.com:443 78.30.248.235 - - [28/Jun/2016:12:45:48 -0300] "GET /folder/administrator/ HTTP/1.1" 200 2387 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
it.validhost.com:443 5.141.210.29 - - [28/Jun/2016:13:32:45 -0300] "GET /folder/administrator/ HTTP/1.1" 200 6520 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
it.validhost.com:443 5.141.210.29 - - [28/Jun/2016:13:32:45 -0300] "GET /folder/administrator/ HTTP/1.1" 200 6520 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
it.validhost.com:443 5.141.210.29 - - [28/Jun/2016:13:32:46 -0300] "GET /folder/administrator/ HTTP/1.1" 200 2387 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
it.validhost.com:443 66.249.69.170 - - [25/Jun/2016:08:45:39 -0300] "GET /folder/index.php?option=com_k2&view=item&id=116:desarrollo-para-intranet-operativa-nextel&Itemid=1173&lang=es HTTP/1.1" 200 13325 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
it.validhost.com:443 66.249.69.168 - - [25/Jun/2016:08:50:01 -0300] "GET /folder/tienda-online/virtuemart-3/medios-de-envio HTTP/1.1" 200 13354 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
it.validhost.com:443 66.249.66.175 - - [25/Jun/2016:09:12:11 -0300] "GET /folder/servicios/e-commerce-virtuemart HTTP/1.1" 200 13678 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
it.validhost.com:443 66.249.79.143 - - [25/Jun/2016:11:04:19 -0300] "GET /folder/es/servicios/e-commerce-virtuemart HTTP/1.1" 303 4256 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
it.validhost.com:443 66.249.75.132 - - [25/Jun/2016:11:04:20 -0300] "GET /folder/servicios/e-commerce-virtuemart HTTP/1.1" 200 13518 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
it.validhost.com:443 66.249.75.132 - - [25/Jun/2016:14:44:15 -0300] "GET /folder/tienda-online/mas-productos/redshop/plugin-de-pagos-mercadopago-para-redshop-/recommend.html?tmpl=component HTTP/1.1" 200 7217 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
it.validhost.com:443 66.249.75.244 - - [25/Jun/2016:15:00:13 -0300] "GET /folder/tienda-online/mas-productos/redshop/por,nombre?tmpl=component HTTP/1.1" 200 7215 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
it.validhost.com:443 66.249.75.248 - - [25/Jun/2016:15:00:22 -0300] "GET /folder/components/com_virtuemart/assets/css/jquery.fancybox-1.3.4.css?vmver=9204 HTTP/1.1" 200 6051 "https://it.validhost.com/folder/tienda-online/mas-productos/redshop/por,nombre?tmpl=component" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
it.validhost.com:443 66.249.75.248 - - [25/Jun/2016:15:01:38 -0300] "GET /folder/tienda-online/mas-productos/redshop/dirDesc?tmpl=component HTTP/1.1" 200 7209 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
it.validhost.com:443 66.249.75.132 - - [25/Jun/2016:15:03:46 -0300] "GET /folder/tienda-online/mas-productos/redshop/por,precio?tmpl=component HTTP/1.1" 200 7214 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
it.validhost.com:443 66.249.75.244 - - [25/Jun/2016:15:15:30 -0300] "GET /folder/tienda-online/mas-productos/redshop/por,nombre/dirDesc?tmpl=component HTTP/1.1" 200 7220 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
it.validhost.com:443 66.249.75.244 - - [25/Jun/2016:15:16:29 -0300] "GET /folder/tienda-online/mas-productos/redshop/por,precio/dirDesc?tmpl=component HTTP/1.1" 200 7219 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
it.validhost.com:443 66.249.75.248 - - [25/Jun/2016:15:18:28 -0300] "GET /folder/tienda-online/mas-productos/redshop/por,orden?tmpl=component HTTP/1.1" 200 7219 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
Click to expand...

till · Jun 29, 2016

You can use the apache module mod_evasive for that.

razor7 · Jun 30, 2016

Hi @till ! Thanks for the suggestion, but I thought that it would be better to use fail2ban because is promoted and enforced in the perfect server tutorials.

Any hints to use fail2ban to repeal this attack?

till · Jun 30, 2016

Fail2ban is not an anti ddos tool while mod_evasive is a anti ddos module for apache, so you compare apples with pies here.

razor7 · Jun 30, 2016

Ok, will look into it! thanks!

gexacor · Jul 3, 2016

razor7 said: ↑

Is there a way to stop this using fail2ban? I'm a bit confused if fail2ban will work because the attack seems to be originated from several different IPs.
Click to expand...

You can try use fail2ban of course but I'm using it to protect my SSH access for the most of the time.
I can suggest you to create a .htaccess and block that directory from outside for now

Other than that you can use Apache mod_evasive

razor7 · Jul 6, 2016

Thanks switched to mod_evasive!

Log in or Sign up

[SOLVED] How to stop lots of http requests to the same folder from different IPs with fail2ban

razor7 Member

till Super Moderator Staff Member ISPConfig Developer

razor7 Member

till Super Moderator Staff Member ISPConfig Developer

razor7 Member

gexacor New Member

razor7 Member

Share This Page

Log in or Sign up

[SOLVED] How to stop lots of http requests to the same folder from different IPs with fail2ban

razor7 Member

till Super Moderator Staff Member ISPConfig Developer

razor7 Member

till Super Moderator Staff Member ISPConfig Developer

razor7 Member

gexacor New Member

razor7 Member

Share This Page

Useful Searches