
I'm currently using Apache's mod_evasive so I can reduce the probability of a DoS. The problem I have is that the application behind the reverse proxy (which is our Apache server) is very weak and is developed so that one page loads 200 files (CSS, JS and so on). So when I use a script like https://github.com/rohitchormale/hulk/blob/master/hulk.py, I succeed at killing the application, because the script generates many unique URIs for the attack and because I was obliged to allow more than 300 pages (* 10 possible clients having the same IP) per second.

So a solution I have thought about is blacklisting an IP when it receives x number of 404 errors in one second. Is it possible to do that?

rsabir

1 Answer


As Sven suggested in his comment, Fail2ban allows such behaviour by analysing Apache's logs. So let me remind you of my goal: prevent a user from accessing my server if he triggered a certain number of 404 errors or any other error. Here is what I did in my settings:

In /etc/fail2ban/jail.conf:

[http-error-dos]
enabled = true
port = http,https
filter = http-error-dos
# change it to put your path
logpath = /var/log/httpd/*access*log
maxretry = 20
findtime = 100
# ban for 10 minutes
bantime = 600
# ban both ports listed above, not only port 80
action = iptables-multiport[name=HTTP, port="http,https", protocol=tcp]

In /etc/fail2ban/filter.d/http-error-dos.conf:

# Fail2Ban configuration file
[Definition]
# match a request line followed by a 4xx or 5xx status code
failregex = <HOST>.* HTTP/.*\" [45][0-9]{2} .*
ignoreregex =

Make sure to change failregex depending on your log's format.

rsabir
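To see what the jail above actually does before pointing it at live traffic, here is an added example (not part of the answer, and not fail2ban's own code) that replays constructed Apache combined-log lines through the same logic: the filter's regex, with `<HOST>` expanded to an IPv4 address, plus a per-IP sliding window of `findtime` seconds that flags an IP once it accumulates `maxretry` matches. The three clients, IP addresses, paths and timestamps are all made up for the demonstration; the window size and retry count are the values from the jail.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Equivalent of the filter's failregex: fail2ban substitutes a host pattern
# for <HOST>; here an IPv4 address is captured, the timestamp is captured so
# the window can be computed, and only 4xx/5xx statuses count as failures.
LOG_RE = re.compile(
    r'^(?P<host>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ \S+ HTTP/[0-9.]+" (?P<status>[45][0-9]{2}) '
)


def parse_ts(ts):
    """Parse an Apache timestamp such as 01/May/2024:12:00:00 +0000."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def matches(line):
    """True if the line would count as a failure for this filter."""
    return LOG_RE.match(line) is not None


def find_offenders(lines, maxretry=20, findtime=100):
    """Return {ip: ban_time} for every IP that produced at least `maxretry`
    matching lines inside some window of `findtime` seconds. Lines must be
    in chronological order per IP, as they are in a real access log."""
    windows = defaultdict(deque)  # ip -> timestamps of recent failures
    banned = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip = m.group("host")
        if ip in banned:
            continue
        t = parse_ts(m.group("ts"))
        q = windows[ip]
        q.append(t)
        # drop failures that have aged out of the findtime window
        while (t - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = t
    return banned


# --- constructed sample log (not real traffic) ---------------------------
BASE = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)


def make_line(ip, second, path, status):
    ts = (BASE + timedelta(seconds=second)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


SAMPLE_LOG = (
    # HULK-style client hitting random, non-existent URIs: 25 x 404 in 25 s
    [make_line("203.0.113.7", i, f"/?{i:08x}", 404) for i in range(25)]
    # ordinary visitor: one page, cached assets (304) and three missing files
    + [make_line("198.51.100.5", 5, "/index.html", 200)]
    + [make_line("198.51.100.5", 6, f"/static/{i}.css", 304) for i in range(30)]
    + [make_line("198.51.100.5", 7, f"/missing{i}.js", 404) for i in range(3)]
    # slow scanner: 25 x 404 spread over 12 minutes, never 20 within 100 s
    + [make_line("192.0.2.9", i * 30, f"/admin{i}", 404) for i in range(25)]
)

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

Only the first client is banned (at 12:00:19, on its 20th 404), the visitor's 304 responses never match because the status class is restricted to 4xx/5xx, and the slow scanner stays under the threshold; lowering `maxretry` in the call shows how quickly legitimate clients with a few broken asset links would start being caught.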