After setting limit_req and limit_conn in nginx, did you enable them in the virtualhost? As in:
server {
    # ...
    location / {
        limit_req zone=one;
        limit_conn addr 10;
        # ...
    }
}
Also, fail2ban is a log parser for auto-creating dynamic rules in the firewall (iptables). You can create a filter and action in fail2ban which filters the origin IP of the 404s and blocks them after a number of attempts, or you can filter the limit_req and limit_conn logs so you can ban those IPs instead (blocking the 404 clients' IPs might cause some unwanted blocks).
vim /etc/fail2ban/jail.d/nginx.conf
Copy this:
[nginx-req-limit]
enabled = true
filter = nginx-req-limit
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
logpath = /var/log/nginx/*error.log
findtime = 600
bantime = 7200
maxretry = 10
findtime is the time in seconds for the occurrences in maxretry; in this case it would trigger after 10 events in 10 minutes (600 seconds).
bantime is the time to blacklist the IP in the firewall, also in seconds. In this case it would block the offending IP for 2 hours (7200 seconds).
logpath is the error log you configured for your virtualhost in nginx.
Make sure that jail.conf includes the jail.d/*.conf reference and restart the service:
service fail2ban restart
This should help you avoid DDoS attacks.
Another option worth considering is using a CDN as stated in the comment above. Cloudflare has a nice free version which can help a lot, it has a Web Application Firewall that blocks some of the bad bots and stuff. The pro/business versions have more options, but cost money.
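To see what the findtime/maxretry/bantime settings of the jail above actually do, here is a small Python script, added as an illustration and not part of this answer or of fail2ban, that replays that counting logic over constructed nginx error-log lines for limit_req and limit_conn. The regex, the sample timestamps and the documentation-range IPs are my assumptions; a real fail2ban filter would express the same match with <HOST> in failregex.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FINDTIME, MAXRETRY, BANTIME = 600, 10, 7200   # values from the [nginx-req-limit] jail above

# Our own regex for the messages nginx logs when limit_req / limit_conn reject a request;
# the "ip" group plays the role of <HOST> in a real fail2ban filter.
LIMIT_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] .*?"
    r"limiting (?:requests|connections).*?client: (?P<ip>[0-9a-fA-F.:]+),"
)

def parse_event(line):
    """Return (timestamp, client_ip) for a limit_req/limit_conn line, else None."""
    m = LIMIT_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"), m.group("ip")

def find_bans(lines, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
    """Map each IP with maxretry hits inside a findtime window to (ban_start, ban_end)."""
    window, recent, bans = timedelta(seconds=findtime), defaultdict(deque), {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue                      # e.g. a plain 404: not a rate-limit event
        ts, ip = ev
        if ip in bans:
            continue                      # already banned; the firewall drops later hits
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:         # forget hits older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = (ts, ts + timedelta(seconds=bantime))
    return bans

# Constructed sample lines in nginx error-log format, not real traffic.
def log_line(t, msg, ip):
    return (f"2024/05/01 {t} [error] 1234#0: *77 {msg}, client: {ip}, "
            f'server: example.com, request: "GET / HTTP/1.1", host: "example.com"')

SAMPLE_LOG = sorted(
    [log_line(f"10:{i:02d}:00", 'limiting requests, excess: 10.500 by zone "one"', "203.0.113.7")
     for i in range(11)]                  # 11 hits in 10 minutes -> banned at the 10th
    + [log_line(f"10:{2 * i:02d}:00", 'limiting connections by zone "addr"', "198.51.100.9")
       for i in range(10)]                # 10 hits over 18 minutes -> never 10 in one window
    + [log_line("10:03:00", 'open() "/var/www/html/x" failed (2: No such file or directory)', "192.0.2.5")]
)
```

Running find_bans(SAMPLE_LOG) bans only 203.0.113.7 at 10:09 until 12:09; the slower client never accumulates 10 hits inside a single 600-second window, and the 404 line is ignored entirely.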