{"id":5955,"date":"2016-05-17T12:29:53","date_gmt":"2016-05-17T04:29:53","guid":{"rendered":"http:\/\/rmohan.com\/?p=5955"},"modified":"2016-05-17T12:29:53","modified_gmt":"2016-05-17T04:29:53","slug":"mitigate-ddos-attack-with-ngx_http_limit_req_module-and-fail2ban","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=5955","title":{"rendered":"Mitigate DDoS attack with ngx_http_limit_req_module and fail2ban"},"content":{"rendered":"

Mitigate DDoS attack with ngx_http_limit_req_module and fail2ban<\/strong><\/p>\n

The fail2ban do have comprehensive collection of scripts that scan log files and ban IPs that match malicious activities.<\/p>\n

But we are going to look on how to use ngx_http_limit_req_module logs to ban IPs that shows sign of Distributed Denial of Service (DDoS) attack on your website.
\nIt is assumed in this tutorial that Nginx server is installed in your server.<\/p>\n

The following procedures are tested on\u00a0 running Centos 7 64-bit Linux distribution.<\/p>\n

Enable ngx_http_limit_req_module by adding the following script in your Nginx configuration:<\/p>\n

http {
\nlimit_req_zone $binary_remote_addr zone=one:10m rate=1r\/s;
\n…
\nserver {
\n…
\nlimit_req zone=one burst=5;
\n}
\n}<\/p>\n

Restart Nginx server:<\/p>\n

systemctl restart\u00a0 nginx.service<\/p>\n

You will see entry something like this in Nginx error log if there’s abuse detected:<\/p>\n

2015\/08\/27 02:18:05 [error] 21235#21235: *326 limiting requests, excess: 5.297 by zone “one”, client: 91.214.169.44, server: www.webfoobar.com, request: “GET \/node\/8 HTTP\/1.1”, host: “www.webfoobar.com”, referrer: “https:\/\/www.webfoobar.com\/archive\/201502”<\/p>\n

We will use this sample log entry for our fail2ban filter script.
\nInstall fail2ban:<\/p>\n

yum install -y fail2ban<\/p>\n

Create fail2ban filter script based on the Nginx error log entry:<\/p>\n

vi \/etc\/fail2ban\/filter.d\/nginx-ddos.conf<\/p>\n

The content of this filter file:<\/p>\n

[Definition]
\nfailregex = limiting requests, excess:.* by zone.*client:
\nignoreregex =<\/p>\n

We will use the \/etc\/hosts.deny to block the IP of the DDoS attacker so we will need to create new fail2ban action script:<\/p>\n

vi \/etc\/fail2ban\/action.d\/hostsdeny.conf<\/p>\n

Add the following script as its content:<\/p>\n

[Definition]
\nactionstart =
\nactionstop =
\nactioncheck =
\nactionban = IP= &&
\nprintf %%b “: $IP\\n” >>
\nactionunban = IP= && sed -i.old \/ALL:\\ $IP\/d<\/p>\n

[Init]
\nfile = \/etc\/hosts.deny
\ndaemon_list = ALL<\/p>\n

Enable the newly created fail2ban filter:<\/p>\n

vi \/etc\/fail2ban\/jail.local<\/p>\n

Append the following script:<\/p>\n

[nginx-ddos]
\nenabled = true
\nport\u00a0\u00a0\u00a0 = http,https
\nbanaction = hostsdeny
\nfindtime = 120
\nbantime\u00a0 = 7200
\nmaxretry = 30
\nlogpath = %(nginx_error_log)s<\/p>\n

Start the fail2ban service:<\/p>\n

systemctl start fail2ban
\nsystemctl enable fail2ban.service
\nsystemctl list-unit-files | grep fail2ban<\/p>\n

To check the status of this fail2ban filter:<\/p>\n

fail2ban-client status nginx-ddos<\/p>\n

You will see something like this:<\/p>\n

Status for the jail: nginx-ddos
\n|- Filter
\n|\u00a0 |- Currently failed: 18
\n|\u00a0 |- Total failed:\u00a0\u00a0\u00a0\u00a0 770
\n|\u00a0 `- File list:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/var\/log\/nginx\/nginx_error_log
\n`- Actions
\n|- Currently banned: 1
\n|- Total banned:\u00a0\u00a0\u00a0\u00a0 8
\n`- Banned IP list:\u00a0\u00a0 91.214.169.44<\/p>\n

To test if the fail2ban nginx-ddos filter working:<\/p>\n

fail2ban-regex \/var\/log\/nginx\/nginx_error_log \/etc\/fail2ban\/filter.d\/nginx-ddos.conf<\/p>\n

You can use apache-bench to test the whole system:<\/p>\n

ab -n 20 -c 10 http:\/\/www.example.com<\/p>\n

Execute the following command to monitor the fail2ban log:<\/p>\n

watch -n 1 tail -n 20 \/var\/log\/fail2ban.log<\/p>\n

And you will something like this while testing with apache-bench:<\/p>\n","protected":false},"excerpt":{"rendered":"

Mitigate DDoS attack with ngx_http_limit_req_module and fail2ban<\/p>\n

The fail2ban do have comprehensive collection of scripts that scan log files and ban IPs that match malicious activities.<\/p>\n

But we are going to look on how to use ngx_http_limit_req_module logs to ban IPs that shows sign of Distributed Denial of Service (DDoS) attack on your website. It […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[73],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5955"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5955"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5955\/revisions"}],"predecessor-version":[{"id":5956,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5955\/revisions\/5956"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5955"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5955"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5955"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}