
I am being hit with 404 queries and this is bringing down my machine. Close to all of my pages are HTTP cached and I have some basic DoS protection with

limit_conn_zone $http_x_forwarded_for zone=addr:10m;
limit_conn addr 8;

limit_req_zone $http_x_forwarded_for zone=one:10m rate=2r/s;
limit_req zone=one burst=50;

client_body_timeout 5s;
client_header_timeout 5s;
send_timeout 10s;

What can I do to prevent these 404 attacks besides the above?

Quintin Par
  • Use fail2ban. I use [fail2ban with CloudFlare](https://www.photographerstechsupport.com/aws-amazon-web-services/protecting-amazon-linux-server-fail2ban-cloudflare-wordpress/), so once an IP is registered as bad they can't even contact my server. – Tim May 07 '18 at 05:45
  • @tim Is there a way to programmatically associate IPs at fault from nginx to fail2ban? – Quintin Par May 07 '18 at 07:59
  • I don't know. Typically fail2ban monitors logs, and if it sees patterns of requests that match the patterns you define it prevents any connections from that IP to your server being established. The link I shared takes that one step further, and stops them at the CDN. For that to work you have to only accept connections from your CDN, which I do with AWS security groups. – Tim May 07 '18 at 08:11
  • fail2ban ships with several filters for nginx, and with those you could make your own as well. – Michael Hampton May 14 '18 at 06:44
  • The answer to https://serverfault.com/questions/849854/fail2ban-blocking-behaviours-depending-on-the-status-code seems to be quite appropriate here. Just set up the fail regex to detect specific status codes. – dakini May 14 '20 at 09:31

1 Answer

After setting limit_req and limit_conn in nginx did you enable them in the virtualhost? As in:

server {
    # ...
    location / {
        limit_req zone=one;
        limit_conn addr 10;
        # ...
    }
}

Also, fail2ban is a log parser for auto creating dynamic rules in the firewall (iptables). You can create a filter and action in fail2ban which filters the origin IP of the 404 and blocks them after a number of attempts, or you can filter the limit_req and limit_conn logs so you can ban those IPs instead (blocking the 404 clients' IPs might cause some unwanted blocks).

vim /etc/fail2ban/jail.d/nginx.conf

Copy this:

[nginx-req-limit]

enabled = true
filter = nginx-req-limit
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
logpath = /var/log/nginx/*error.log
findtime = 600
bantime = 7200
maxretry = 10
  • findtime is the time in seconds for the occurrences in maxretry, in this case it would trigger after 10 events in 10 minutes (600 seconds).
  • bantime is the time to blacklist the IP in the firewall. Also in seconds. In this case it would block the offending IP for 2 hours (7200 seconds).
  • logpath is the error log you configured for your virtualhost in nginx.

Make sure that jail.conf includes the jail.d/*.conf reference and restart the service:

service fail2ban restart

This should help you avoid DDoS attacks.

Another option worth considering is using a CDN as stated in the comment above. Cloudflare has a nice free version which can help a lot, it has a Web Application Firewall that blocks some of the bad bots and stuff. The pro/business versions have more options, but cost money.

Leo
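The jail above delegates the actual matching to a filter it does not show, and the findtime/maxretry semantics in the bullets are easy to misjudge. The following Python model, added here as an illustration and not code from the answer or from the fail2ban project, does what such a filter plus jail would do: it matches the `limiting requests ... by zone` / `limiting connections by zone` messages that nginx writes to its error log when limit_req or limit_conn rejects a client, extracts the client IP, and bans an IP once it has at least maxretry matches inside a findtime-second window. The regex, the helper names and the log lines are all constructed for this example (the log format follows nginx's default error log, but check it against your own log before relying on it); fail2ban's own shipped nginx filters in filter.d remain the authoritative definition.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed failregex modelled on nginx's default error log line for a
# limit_req or limit_conn rejection; <HOST> in fail2ban terms is the "ip" group.
NGINX_LIMIT_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[\w+\] \d+#\d+: \*\d+ '
    r'limiting (?P<kind>requests|connections)(?:, excess: [\d.]+)? '
    r'by zone "(?P<zone>[^"]+)", client: (?P<ip>[0-9a-fA-F.:]+),'
)


def parse_limit_events(lines):
    """Yield (timestamp, client_ip, zone) for every line the filter matches."""
    for line in lines:
        m = NGINX_LIMIT_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
            yield ts, m.group("ip"), m.group("zone")


def ips_to_ban(lines, findtime=600, maxretry=10):
    """Simplified jail logic: ban an IP that has >= maxretry matches within
    any findtime-second window (fail2ban counts from the newest failure back,
    which this sliding window approximates)."""
    events = defaultdict(list)
    for ts, ip, _zone in parse_limit_events(lines):
        events[ip].append(ts)
    window = timedelta(seconds=findtime)
    banned = set()
    for ip, stamps in events.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # drop matches older than findtime
                start += 1
            if end - start + 1 >= maxretry:
                banned.add(ip)
                break
    return banned


# --- constructed sample error log (not real traffic) ---
def _line(ts, kind, zone, ip, excess=None):
    ex = f", excess: {excess}" if excess is not None else ""
    return (f'{ts:%Y/%m/%d %H:%M:%S} [error] 1234#1234: *42 limiting {kind}{ex} '
            f'by zone "{zone}", client: {ip}, server: example.com, '
            f'request: "GET /missing HTTP/1.1", host: "example.com"')


_base = datetime(2018, 5, 7, 5, 45, 0)
SAMPLE_LOG = []
# burst offender: 10 limit_req rejections inside five minutes -> banned at defaults
for i in range(10):
    SAMPLE_LOG.append(_line(_base + timedelta(seconds=30 * i), "requests", "one",
                            "203.0.113.5", "50.520"))
# slow client: 10 limit_conn rejections spread over 30 minutes, never 10 in 600 s
for i in range(10):
    SAMPLE_LOG.append(_line(_base + timedelta(seconds=200 * i), "connections", "addr",
                            "192.0.2.9"))
# occasional client: only 3 rejections
for i in range(3):
    SAMPLE_LOG.append(_line(_base + timedelta(seconds=i), "requests", "one",
                            "198.51.100.7", "3.1"))
# an ordinary 404 error line, which this filter deliberately does not match
SAMPLE_LOG.append(f'{_base:%Y/%m/%d %H:%M:%S} [error] 1234#1234: *43 open() '
                  f'"/var/www/html/missing" failed (2: No such file or directory), '
                  f'client: 198.51.100.7, server: example.com, request: "GET /missing HTTP/1.1"')

if __name__ == "__main__":
    print("ban at findtime=600/maxretry=10:", sorted(ips_to_ban(SAMPLE_LOG)))
    print("ban at findtime=3600/maxretry=10:", sorted(ips_to_ban(SAMPLE_LOG, findtime=3600)))
```

Running it shows why the bullets matter: with the answer's findtime=600 and maxretry=10 only the burst client is banned, while the client that trips limit_conn every 200 seconds is never banned, because no 600-second window ever contains ten of its rejections; widening findtime to an hour bans it too. The plain 404 line is ignored, which is the point of filtering on the limit_req/limit_conn messages rather than on status codes.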