
I have a server hosting multiple domains and protected by Fail2Ban with WP Fail2Ban and wordpress-hard + wordpress-soft rules.

Recently I noticed that our server is heavily loaded and it seems like we are under a heavy brute-force attack. I can see that Fail2Ban is doing its job by banning a lot of IPs, but the server is still busy banning IPs and I need a better solution to bring down the load.

I noticed from the Apache server status page (refer to the print screen) that the abnormal requests all seem to be coming from Client -> static.vnpt.vn. I queried the IP of this domain (203.162.0.78) and banned it via UFW/IPTables, but it doesn't work; massive requests from the same domain are still showing in the Apache server status page. I also tried to ban it in .htaccess, but that doesn't work either.

My question is: is it possible to ban a client based on the client's domain as shown in the Apache server status page? If yes, what did I do wrong, and how should it be done?

Kenaz Chan
  • You need a firewall / DDoS solution outside your server. I use the CloudFlare free plan and have Fail2Ban update the CloudFlare firewall rules. My article is [here](https://www.photographerstechsupport.com/aws-amazon-web-services/protecting-amazon-linux-server-fail2ban-cloudflare-wordpress/), which has a couple of tweaks from the original; the original source is [here](https://guides.wp-bullet.com/integrate-fail2ban-cloudflare-api-v4-guide/). I'd make this an answer but I can't be bothered writing it out the way SF wants it. – Tim Jan 29 '19 at 06:44
  • Simply putting CloudFlare or another CDN / WAF in front of your server would solve the problem. If you could change your server IP at the same time you change to CloudFlare that would help a lot, as attackers already know your IP, so they'll keep attacking it. In AWS this would probably be automatically mitigated by AWS Shield. – Tim Jan 29 '19 at 06:45
  • CloudFlare probably does not work for us. We've got thousands of domains on that server and most of those domains' NS are hosted by different owners. It is hard to automate the setup process for all domains on CF. – Kenaz Chan Jan 29 '19 at 07:26
  • One option could be to get a second server running as a reverse proxy, using the original IP. Run fail2ban on that reverse proxy, sending valid requests to the existing server with a new IP. This could break things if you're doing something like shared hosting. You might need a hardware firewall or some kind of transparent proxy service in front of it, but nothing comes to mind right now. This is one of the problems with a single server: you have less flexibility than, say, cloud hosted platforms and all the tools that go with them - at significant cost. – Tim Jan 29 '19 at 07:40

0 Answers
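For the "is it possible" part of the question, an added Apache configuration example (not from the question or the comments): mod_authz_host can deny by client hostname. The name Apache matches is the client's reverse-DNS (PTR) name, the same name the server status page displays, so it covers every address whose PTR falls under that domain rather than the single IP the question banned. The hostname is taken from the question; the Location path is an assumption.

```apache
# Added example: deny every client whose reverse-DNS name ends in
# static.vnpt.vn, while granting everyone else. "Require host" does a
# double-reverse DNS lookup per request, so each blocked request still
# costs a worker slot and a DNS query. It answers the "possible?" question
# but does not reduce load the way filtering in front of the server does.
<Location "/">
    <RequireAll>
        Require all granted
        Require not host static.vnpt.vn
    </RequireAll>
</Location>
```

Check the effect with the 403 count in the access log after a reload; if the PTR names are spoofed or missing, the double-reverse check fails and the client is treated as unmatched, not blocked.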