Fail2ban protect web server http DOS attack

Date: 2011-05-29 00:00:00 -0400

Introduction

A DoS (denial-of-service) attack is, according to Wikipedia:

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of person or persons to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. The term is generally used with regards to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management.[1]

One common method of attack involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. In general terms, DoS attacks are implemented by either forcing the targeted computer(s) to reset, or consuming its resources so that it can no longer provide its intended service or obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.

So, as you can see, you can suffer this kind of attack on any port where you are serving something: email, web content, FTP or any other service listening on a port.

But most of the time these attacks are aimed at web servers, and that is the case I'm going to show you how to protect with fail2ban.

Disclaimer: I've tried this method on one of my servers that was under attack and it seems to work, but I cannot assure you that you won't block some legitimate users. So please be careful applying these rules if you run a mission-critical server; also keep an eye on your logs and iptables rules while testing this (I'll show you how later).

Install fail2ban

You can install it using your distribution's package manager. In the case of Debian or Ubuntu, run:

apt-get install fail2ban

as root, or with sudo in Ubuntu's case.

For Arch Linux

pacman -Sy fail2ban

and so on, depending on the distribution you are using. Now, to configure it, consider that there are two main configuration files:

  • /etc/fail2ban/fail2ban.conf
  • /etc/fail2ban/jail.conf

I'm going to copy this from another article here on Go2linux.

enabled
Defines whether or not a given section is enabled; its possible values are:
  • false
  • true
filter
This is not used in the default section; it tells the fail2ban client what to look for in the log file. Its values could be, among others:
  • sshd
  • proftpd
  • httpd
Basically it is how the service is identified in the log file being parsed.
action
This option tells fail2ban what action to take once a rule is broken. A default action can be specified in the default section and overridden in each jail section where you need to change the default value.
logpath
With this option we pass the file to be parsed. Note that different distributions use different log files; for instance, for ssh:
  • Fedora -> /var/log/secure
  • CentOS -> /var/log/secure
  • Debian -> /var/log/auth
  • Ubuntu -> /var/log/auth
  • Sabayon -> /var/log/messages
If you put a wrong value here, it will not work and will give you no errors.
ignoreip
This option sets one or more IPs that should never be blocked, no matter how many times users fail to log in from them. Use this with care.
maxretry
This option sets the number of retries a user has before getting blocked.
bantime
This option sets the time (in seconds) an IP will be banned. A good value could be 5 minutes, i.e. 300 seconds; this keeps bots away while letting legitimate users try again after the ban time ends.
destemail
Use this option to set the email address of the person who should receive alerts when an IP is banned.
banaction
Use this option to specify which action will be taken in order to ban an offending IP, e.g.:
  • iptables --- to use iptables to ban the offending IP
  • iptables-new --- to ban only new connections
  • iptables-multiport --- to ban all ports from the offending IP
  • shorewall --- to use Shorewall instead of iptables
protocol
Set here the default protocol to ban, TCP or UDP.

You can read more at: How to configure fail2ban

How to use fail2ban to protect Apache / Nginx / Varnish / Squid / lighttpd

As you can see, this method works for any server you have in front of your real web server, or for the web server itself; it mainly protects your port 80.

Consider that you will have to adjust the path to your web server, I'll use varnish in my case.

Edit your /etc/fail2ban/jail.conf file and add this section:

[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/varnish/access.log
maxretry = 300
findtime = 300
# ban for 10 minutes (600 seconds)
bantime = 600
action = iptables[name=HTTP, port=http, protocol=tcp]

Now we need to create the filter. To do that, create the file /etc/fail2ban/filter.d/http-get-dos.conf and copy the text below into it:

# Fail2Ban configuration file
#
# Author: http://www.go2linux.org
#
[Definition]

# Option: failregex
# Note: This regex will match any GET entry in your logs, so basically all valid and invalid entries are a match.
# You should set maxretry and findtime carefully in the jail.conf file in order to avoid false positives.
# <HOST> is fail2ban's placeholder for the client address and must be present, or the filter will not load.

failregex = ^<HOST> -.*GET

# Option: ignoreregex
# Notes: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

Note

Be sure to adjust maxretry and findtime to values that fit your needs.

  • maxretry is the maximum number of requests before the originating IP gets blocked.
  • findtime is the time window (in seconds) within which the maxretry requests must occur for the IP to get blocked.

As you can see in my example, I have set maxretry to 300 and findtime to 300, so we need 300 GETs from the same IP within a window of 300 seconds for the originating IP to be blocked.

Consider that you will have one GET for each CSS, JS, HTML, ICO and other file that is part of your web page, so if a page has 20 components, a client only needs to load 15 pages in 5 minutes to get blocked. Be sure to adjust those values to fit your needs.
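To see how the jail and filter above behave against traffic before enabling them, here is an added example of my own (not code from this article or from fail2ban): a Python script that expands the filter's <HOST> placeholder (IPv4 only, an assumption; fail2ban itself also matches IPv6 and hostnames), parses constructed varnishncsa-style log lines, and applies the maxretry/findtime rule the way fail2ban counts matches. The client addresses, timestamps and traffic patterns are constructed; the 300/300 thresholds are the article's.

```python
# Added example (not code from the go2linux article or from fail2ban itself):
# replay the article's http-get-dos filter and jail thresholds over constructed
# NCSA-style access log lines, the format varnishncsa writes by default, so
# maxretry/findtime can be sanity-checked before a real client gets banned.
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# The article's failregex with fail2ban's <HOST> placeholder expanded.
# Assumption: real fail2ban expands <HOST> to IPv4, IPv6 and hostnames;
# IPv4 is enough for this simulation.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(r"^" + HOST + r" -.*GET")

# NCSA timestamp field, e.g. [29/May/2011:10:00:00 +0000]
TIMESTAMP = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

BASE = 1306663200  # constructed start time: 29 May 2011 10:00:00 UTC


def parse_line(line):
    """Return (host, epoch seconds) if the line matches failregex, else None."""
    m = FAILREGEX.match(line)
    if not m:
        return None
    t = TIMESTAMP.search(line)
    if not t:
        return None
    when = datetime.strptime(t.group(1), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), when.timestamp()


def find_bans(lines, maxretry, findtime):
    """Apply fail2ban's counting rule: a host is banned once it has maxretry
    matching lines whose timestamps all fall within the last findtime seconds.
    Returns a list of (host, epoch) pairs, one per ban decision."""
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    banned, bans = set(), []
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        host, ts = hit
        if host in banned:
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > findtime:
            q.popleft()               # drop matches older than findtime
        if len(q) >= maxretry:
            bans.append((host, ts))
            banned.add(host)
            q.clear()
    return bans


def make_line(host, epoch, path, method="GET"):
    """Build one constructed NCSA combined log line."""
    stamp = datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{host} - - [{stamp}] "{method} {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


def browse(host, pages, assets_per_page, seconds):
    """Constructed traffic: a browser loading `pages` pages, each of which
    pulls `assets_per_page` files, spread evenly over `seconds`."""
    total = pages * assets_per_page
    step = seconds / total
    return [make_line(host, BASE + i * step,
                      f"/page{i // assets_per_page}/asset{i % assets_per_page}.css")
            for i in range(total)]


def flood(host, requests, seconds):
    """Constructed traffic: one client hammering the front page."""
    step = seconds / requests
    return [make_line(host, BASE + i * step, "/") for i in range(requests)]


def scenario(maxretry=300, findtime=300):
    """Run the article's jail settings against a moderate browser
    (10 pages x 20 assets in 5 minutes) and a flooder (300 GETs in 1 minute).
    Returns {host: True if banned} using RFC 5737 documentation addresses."""
    lines = browse("198.51.100.7", 10, 20, 300) + flood("203.0.113.9", 300, 60)
    banned = {host for host, _ in find_bans(lines, maxretry, findtime)}
    return {h: h in banned for h in ("198.51.100.7", "203.0.113.9")}


def heavy_browser_banned(maxretry=300, findtime=300):
    """The article's caveat: 15 pages x 20 assets in 5 minutes is exactly
    300 GETs inside a 300-second window, so the legitimate client is banned."""
    lines = browse("198.51.100.7", 15, 20, 300)
    return any(host == "198.51.100.7" for host, _ in find_bans(lines, maxretry, findtime))


if __name__ == "__main__":
    print(scenario())                          # {'198.51.100.7': False, '203.0.113.9': True}
    print(heavy_browser_banned())              # True
    print(heavy_browser_banned(maxretry=600))  # False
```

The third call shows the knob you actually turn: raising maxretry (or shortening findtime) is what separates a heavy but legitimate visitor from a flood. For the real filter file, fail2ban ships its own tester, fail2ban-regex, which takes the log file and the filter file as arguments and reports which lines match; running it against the live access log is the check to do before enabling the jail.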

Conclusion

DoS attacks are a common way to attack web servers. There are many ways to protect your server against them, and this is only one of them. Be sure to check the /var/log/fail2ban.log file to make sure everything is working, and also run iptables -L from time to time to see which IPs are blocked.

One last note: I'm using the command varnishncsa -a -w /var/log/varnish/access.log -D -P /var/run/varnishncsa.pid to have varnish logs available for this.
