4

I am configuring Fail2Ban on my Ubuntu web server to prevent it from being a victim of DoS / DDoS. I don't want to use Cloudflare because I have to route my DNS over and use their SSl cert.

Currently, I found a script online that checks for more than 1 HTTP HEAD request per second, or more than 1 request to xmlrpc.php per second. I don't think it's sufficient protection, as these aren't the only kinds of requests that people can employ to execute a DDoS attack.

I'm looking at restricting the number of GET / POST requests a given IP can make in a short window, but I'm not sure how I should set the restriction, since big pages that load a lot of Javascript, CSS or images will make a lot of GET requests in a short amount of time. Should I be looking at limiting GET / POST requests, or should I be looking at something else? Why?

John Doe
  • 323
  • 3
  • 16

2 Answers2

2

It can be hard to see the difference of good or bad guys, just by checking rate of requests per second. You would need to run the script on Your environment to see how many requests from a single IP address per 5 minutes (example) is "normal" for Your website, before making the final decision.

Once you have figured out the normal rate, it should be possible to count GET and/or POST (depending on your logfile analysis) with your script.

It is though possible to find other suspicious activities in the logfiles to filter, like scanning for scripts or executables etc. (GET/POST that "hopefully" causes an error in a well configured web server ;-) )

I have used this external fail-2-ban-link on my own systems.

Ingvar J
  • 511
  • 2
  • 7
2

A good setup is to check multiple connections within 1 second. I believe that 100 connections in 1 second is something very suspicious and should be blocked.

As you use Apache, I recommend also using mod_evasive along with fail2ban.

Using mod_evasive.

Using fail2ban.

Tom
  • 289
  • 3
  • 13
  • Thanks for the numbers. Doesn't `mod_evasive` look for the same thing as Fail2Ban though? I'm exploring using `mod_security` and `mod_evasive`, but since `mod_evasive` counts request rates too, I'm thinking that with `mod_evasive` I won't need a DDoS module with Fail2Ban. – John Doe Nov 17 '18 at 06:56
  • It depends. You can make `fail2ban` look for anything that is in a log. If you have it look for errors written by `mod_evasive`, or if you give it the same "rules" as `mod_evasive`, then yes. `fail2ban` can still be useful, i.e. by changing blocking rules on a firewall, so the requests not even hit `apache`. – Matthias Bloch Feb 28 '21 at 13:43