19

If someone tried a brute force attack on my website, how can I block them?

Ideally, I want to block an IP if I have many http/Apache requests in a second.

kalina
  • 3,354
  • 5
  • 20
  • 36
lee peat
  • 201
  • 1
  • 2
  • 4

3 Answers

18

fail2ban is an easy-to-implement solution in these cases.

Add a block-all-dem-noobs.conf file to your filter.d directory, something like this:

[Definition]
failregex = ^<HOST> -.*"GET.*

Translation: a RegExp to find GET requests

Then create a new entry in your jail.conf, something like this:

[block-all-dem-noobs]
enabled = true
port = http,https
filter = block-all-dem-noobs
logpath = /var/log/httpd/access.log
maxretry = 100
findtime = 5
bantime = 600
action = iptables[name=HTTP, port=http, protocol=tcp]

Translation: Look through my access.log file, then block for 600 seconds (10 minutes) the IP addresses that made 100 requests in 5 seconds.

One major drawback, though, is that this might produce false positives for NATed users, as they'll all appear as one IP address to you.

Adi
  • 43,808
  • 16
  • 135
  • 167
  • 1
    After applying your config: Starting fail2ban: ERROR NOK: ("No 'host' group in '^ -.*GET'",) I changed the failregex to: failregex = ^(?P<host>1.2.3.4) -.*GET See http://serverfault.com/questions/516675/how-to-add-a-jail-for-specific-ips-in-fail2ban – shakaran Nov 28 '16 at 14:49
  • 1
    Is this answer up to date? – Bruno Philipe Aug 16 '17 at 02:23
  • @BrunoPhilipe I believe it is. In my opinion, fail2ban has proven itself to be a timeless solution, like SSH or HTTP themselves. It's fast, introduces minimal overhead, and gets the job done with simple rules. It's probably worth it to check. I've also just fixed the filter since it wasn't extracting the host originally. It should now be working. – Adi Aug 16 '17 at 08:34
  • @Adi Indeed it worked, but like @shakaran said, you need a HOST capture group. I fixed mine with `failregex = ^(?P<host>[^\s]+) -.*GET`. Thanks! – Bruno Philipe Aug 16 '17 at 13:03
  • After `fail2ban start` got `fail2ban.actions.action: ERROR iptables -N fail2ban-HTTP#012iptables -A fail2ban-HTTP -j RETURN#012iptables -I INPUT -p tcp --dport http -j fail2ban-HTTP returned 200` After replacing `iptables` by `iptables-multiport` it worked (see [https://serverfault.com/a/919822/388334]). – Atafar Jun 05 '19 at 10:39
  • I don't think fail2ban is the right tool for the job here. See https://serverfault.com/a/761679/301208 for details. Try mod_evasive and/or mod_qos instead. – ctrueden Mar 04 '20 at 20:29
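To see what the jail in this answer would actually do before enabling it, here is an added Python example (not fail2ban's code and not part of the answer) that replays constructed Apache access-log lines through the same failregex and the maxretry/findtime window. It assumes a simplified `<HOST>` expansion (`\S+`); real fail2ban uses a more elaborate host pattern.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> placeholder (assumption).
HOST = r"(?P<host>\S+)"
FAILREGEX = re.compile(r"^" + HOST + r' -.*"GET.*')          # same filter as the answer
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

def parse_line(line):
    """Return (host, timestamp) when the line matches the filter, else None."""
    m = FAILREGEX.match(line)
    ts = TS_RE.search(line)
    if not m or not ts:
        return None
    return m.group("host"), datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S")

def would_ban(lines, maxretry=100, findtime=5):
    """Replay the jail: an IP is banned once maxretry matching lines fall
    inside a findtime-second window. Returns {ip: time of first ban}."""
    hits, banned = defaultdict(deque), {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[0] in banned:
            continue
        host, when = parsed
        q = hits[host]
        q.append(when)
        while (when - q[0]).total_seconds() > findtime:   # expire old hits
            q.popleft()
        if len(q) >= maxretry:
            banned[host] = when
    return banned

def make_lines(ip, n, start, step, method="GET"):
    """Constructed combined-log lines (sample data, not real traffic)."""
    return [f'{ip} - - [{(start + timedelta(seconds=i * step)).strftime("%d/%b/%Y:%H:%M:%S +0000")}] '
            f'"{method} /index.html HTTP/1.1" 200 512' for i in range(n)]

T0 = datetime(2020, 1, 1, 12, 0, 0)
SAMPLE = (make_lines("203.0.113.7", 120, T0, 0.04)           # flood: 120 GETs in ~5 s
          + make_lines("198.51.100.4", 120, T0, 1)           # slow crawler: 1 GET/s
          + make_lines("192.0.2.9", 120, T0, 0.04, "POST"))  # POST flood: filter ignores it

if __name__ == "__main__":
    for ip, when in would_ban(SAMPLE).items():
        print(f"{ip} would be banned at {when}")           # only 203.0.113.7
```

Note that the filter only counts GET lines, so a POST flood passes untouched; a filter that does not anchor on the method is the obvious follow-up if that matters.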
10

fail2ban can be configured to do this. You can configure it to trigger on a regex match in a log file, and if that happens too many times per minute (not sure if it goes to second resolution, but just multiply whatever you were thinking per second by 60) it can drop the client IP into the iptables packet filter, or take whatever other action you want. Or you can use the iptables recent module and adapt what I've done here for SIP brute force attacks to use with your web server:

# Deal with SIP brute forcing
iptables -N SIP_WHITELIST
# home
iptables -A SIP_WHITELIST -s 1.2.3.0/24 -m recent --remove --name SIP -j ACCEPT
# voip provider
iptables -A SIP_WHITELIST -s 4.5.6.0/24 -m recent --remove --name SIP -j ACCEPT
# remote location
iptables -A SIP_WHITELIST -s 7.8.9.0/24 -m recent --remove --name SIP -j ACCEPT

iptables -N SIP_BRUTEFORCE
iptables -A SIP_BRUTEFORCE -m recent --set --name SIP
iptables -A SIP_BRUTEFORCE -p udp --dport 5060 -m state --state NEW -j SIP_WHITELIST
iptables -A SIP_BRUTEFORCE -m recent --update --seconds 30 --hitcount 3 --name SIP -j LOG
iptables -A SIP_BRUTEFORCE -m recent --update --seconds 30 --hitcount 3 --name SIP -j DROP

iptables -A INPUT -p udp --dport 5060 -m state --state NEW -j SIP_BRUTEFORCE

Source: https://web.archive.org/web/20180901235739/http://tracyreed.org/blog/2010/12/26/sip-brute-force-attacks

Christian
  • 103
  • 4
Tracy Reed
  • 618
  • 4
  • 5
3

You can configure the Apache mod_evasive module. This module provides a very basic function: it keeps a hash table of IPs and pages requested, and when a threshold level is exceeded on a target page or site it will “block” the IP with a 403 “Forbidden” error. For configuration details, read "How to Stop an Apache DDoS Attack with mod_evasive".

Ali Ahmad
  • 4,784
  • 8
  • 35
  • 61