What is a good way to detect DoS and DDoS in Fail2Ban?


Solution 1

It can be hard to see the difference between good and bad guys just by checking the rate of requests per second. You would need to run the script on your environment to see how many requests from a single IP address per 5 minutes (for example) are "normal" for your website, before making the final decision.

Once you have figured out the normal rate, it should be possible to count GET and/or POST (depending on your logfile analysis) with your script.

It is, though, possible to find other suspicious activities in the logfiles to filter, like scanning for scripts or executables etc. (GET/POST that "hopefully" causes an error in a well-configured web server ;-) )

I have used this external fail-2-ban-link on my own systems.
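Added example, not code from either answer or from fail2ban itself: a small Python simulation of a fail2ban jail's failregex / ignoreregex / findtime / maxretry logic, run over constructed Apache access-log lines. It shows the problem the question raises: counting every GET/POST bans a normal page load that fetches a few static assets in the same second, while an ignoreregex for those assets leaves only the xmlrpc.php flood. The `<HOST>` stand-in, the sample IPs and the log lines are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Apache combined-log sample: one browser page load (HTML plus three
# static assets) and one client hammering xmlrpc.php. Not taken from the page.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Sep/2022:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Sep/2022:10:00:00 +0000] "GET /static/app.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Sep/2022:10:00:00 +0000] "GET /static/app.js HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Sep/2022:10:00:00 +0000] "GET /static/logo.png HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Sep/2022:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 300 "-" "-"
198.51.100.9 - - [18/Sep/2022:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 300 "-" "-"
198.51.100.9 - - [18/Sep/2022:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 300 "-" "-"
198.51.100.9 - - [18/Sep/2022:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 300 "-" "-"
"""

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only; the real pattern also
# covers IPv6 and hostnames) and for its access-log date pattern (assumptions).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

# Count every GET/POST, optionally excluding static-asset requests from the count.
NAIVE_FAILREGEX = r'^<HOST> .* "(?:GET|POST) [^"]* HTTP/'
STATIC_IGNOREREGEX = r'"GET [^"]*\.(?:css|js|png|jpe?g|gif|ico|woff2?) HTTP/'

def run_jail(log_text, failregex, ignoreregex=None, findtime=1, maxretry=4):
    """Mimic a fail2ban jail: ban a host once it has maxretry failregex matches
    (ignoreregex lines excluded) within findtime seconds. Returns {host: hits}."""
    fail_re = re.compile(failregex.replace("<HOST>", HOST_RE))
    ignore_re = re.compile(ignoreregex) if ignoreregex else None
    window = timedelta(seconds=findtime)
    hits, banned = defaultdict(deque), {}
    for line in log_text.splitlines():
        if ignore_re and ignore_re.search(line):
            continue
        m, ts = fail_re.search(line), TS_RE.search(line)
        if not (m and ts):
            continue
        host = m.group("host")
        when = datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S")
        q = hits[host]
        q.append(when)
        while when - q[0] > window:      # forget hits older than findtime
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned[host] = len(q)
    return banned
```

With the naive filter both hosts are banned at maxretry=4 within 1 second; with the static-asset ignoreregex only 198.51.100.9 is, which is the kind of baseline tuning the answer above asks you to do before picking a threshold.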

Solution 2

A good setup is to check multiple connections within 1 second. I believe that 100 connections in 1 second is something very suspicious and should be blocked.

As you use Apache, I recommend also using mod_evasive along with fail2ban.

Using mod_evasive.

Using fail2ban.


Author: John Doe

Updated on September 18, 2022

Comments

  • John Doe (over 1 year)

    I am configuring Fail2Ban on my Ubuntu web server to prevent it from being a victim of DoS / DDoS. I don't want to use Cloudflare because I have to route my DNS over and use their SSL cert.

    Currently, I found a script online that checks for more than 1 HTTP HEAD request per second, or more than 1 request to xmlrpc.php per second. I don't think it's sufficient protection, as these aren't the only kinds of requests that people can employ to execute a DDoS attack.

    I'm looking at restricting the number of GET / POST requests a given IP can make in a short window, but I'm not sure how I should set the restriction, since big pages that load a lot of JavaScript, CSS or images will make a lot of GET requests in a short amount of time. Should I be looking at limiting GET / POST requests, or should I be looking at something else? Why?

  • John Doe (over 5 years)
    Thanks for the numbers. Doesn't mod_evasive look for the same thing as Fail2Ban though? I'm exploring using mod_security and mod_evasive, but since mod_evasive counts request rates too, I'm thinking that with mod_evasive I won't need a DDoS module with Fail2Ban.
  • Matthias Bloch (about 3 years)
    It depends. You can make fail2ban look for anything that is in a log. If you have it look for errors written by mod_evasive, or if you give it the same "rules" as mod_evasive, then yes. fail2ban can still be useful, i.e. by changing blocking rules on a firewall, so the requests do not even hit Apache.