A few months ago one of my servers was under a DDoS attack. The steps below helped me recover from it and prevent a repeat. They address application-layer request floods from a manageable number of source addresses, which can be rate limited in Nginx and blocked at the host firewall; a volumetric attack that saturates the link before traffic reaches the server needs upstream mitigation that this setup cannot provide.
Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks. Written in the Python programming language, it is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally, for example, iptables or TCP Wrapper.
My configuration is a Debian system running the Nginx web server.
Let's start with the installation of fail2ban on Debian/Ubuntu.
apt-get install fail2ban
By default fail2ban reads the .conf files shipped with the package (jail.conf plus the files under filter.d and action.d), which are a good starting point. Do not edit them directly: put any changes in a .local file next to the .conf file; settings in the .local file override the .conf file and survive package upgrades.
Create an Nginx filter file to block IPs. Fail2ban loads a jail's filter from /etc/fail2ban/filter.d/<filter name>.conf, so for the jail configured further down the file is /etc/fail2ban/filter.d/nginx-request-limit.conf.
The filter.d directory holds the regular expressions used to detect break-in attempts, password failures and similar events; each failregex must capture the offending address in the <HOST> placeholder.
Add the following contents to it. The failregex matches the line Nginx writes to the error log when limit_req rejects a request: the message starts with "limiting requests, excess:" and carries the source address after "client:".
# Fail2Ban configuration file
[Definition]
failregex = limiting requests, excess:.* by zone.*client: <HOST>
# Option: ignoreregex
# Notes: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =
Now configure the request limit in the Nginx configuration:
sudo nano /etc/nginx/nginx.conf
Inside the http block, define a rate-limit zone:
limit_req_zone $binary_remote_addr zone=login:10m rate=10r/m;
This creates a 10 MB shared-memory zone named login, keyed by client address, that allows each client 10 requests per minute. Defining the zone by itself limits nothing: it has to be applied with limit_req in the server or location block you want to protect, for example the login endpoint:
location /login {
    limit_req zone=login burst=5;
}
Requests above the limit (beyond the burst allowance) are answered with 503 and, because limit_req_log_level defaults to error, written to the error log as 'limiting requests, excess: ... by zone "login", client: ...', which is exactly the line the fail2ban filter matches. Requests that are only delayed within the burst are logged as "delaying request" at a lower level and are not matched.
Create a jail override. Copying the whole jail.conf works, but a jail.local that contains only the sections you add or change is easier to maintain across upgrades:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Add the following section to it:
[nginx-request-limit]
enabled = true
filter = nginx-request-limit
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
logpath = /var/log/nginx/*error.log
findtime = 600
bantime = 7200
maxretry = 10
Tweak the above configuration as per your need: a client that produces maxretry = 10 matching log lines within findtime = 600 seconds is blocked on the http and https ports for bantime = 7200 seconds (two hours).
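The following is an added example, not code from the original post or from the fail2ban project. It replays the page's failregex and jail parameters (findtime = 600, maxretry = 10) over a constructed Nginx error log, so you can see which lines the filter matches, which client address it extracts, and which hosts would cross maxretry inside findtime. The <HOST> expansion is a simplified pattern for IPv4 and IPv6 literals (an assumption; fail2ban's own is broader and also accepts hostnames), and the log lines are constructed with documentation-range addresses.

```python
import re
from datetime import datetime, timedelta

# failregex from the page's filter. fail2ban expands <HOST> to a pattern covering
# IPv4, IPv6 and hostnames; the simplified pattern used here (an assumption for
# this stand-alone example) covers IPv4 and bare IPv6 literals.
FAILREGEX = r"limiting requests, excess:.* by zone.*client: <HOST>"
HOST_PATTERN = r"(?P<host>[0-9a-fA-F:.]+)"
LINE_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_PATTERN))

# nginx error-log lines start with "YYYY/MM/DD HH:MM:SS".
TS_RE = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ")

# Jail settings from the page.
FINDTIME = 600   # seconds
MAXRETRY = 10


def parse_line(line):
    """Return (timestamp, host) when a line matches failregex, else None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    t = TS_RE.match(line)
    if t is None:
        return None
    ts = datetime.strptime(t.group("ts"), "%Y/%m/%d %H:%M:%S")
    return ts, m.group("host")


def banned_hosts(lines, findtime=FINDTIME, maxretry=MAXRETRY):
    """Replay log lines in order and return the hosts that reach maxretry
    matches within a findtime-second window, in the order they get banned."""
    window = timedelta(seconds=findtime)
    recent = {}   # host -> timestamps of matches still inside the window
    banned = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        if host in banned:
            continue
        hits = [t for t in recent.get(host, []) if ts - t <= window]
        hits.append(ts)
        recent[host] = hits
        if len(hits) >= maxretry:
            banned.append(host)
    return banned


def limit_line(ts, ip, cid=1):
    """Constructed nginx error-log line in the shape limit_req writes when it
    rejects a request (limit_req_log_level defaults to error)."""
    return (f'{ts:%Y/%m/%d %H:%M:%S} [error] 1234#1234: *{cid} limiting requests, '
            f'excess: 10.500 by zone "login", client: {ip}, server: example.com, '
            f'request: "POST /login HTTP/1.1", host: "example.com"')


BASE = datetime(2024, 1, 1, 12, 0, 0)

# Constructed sample log (not real traffic), sorted into timestamp order.
SAMPLE_LOG = sorted(
    # a flood: 12 rejections in 12 seconds from one client -> banned
    [limit_line(BASE + timedelta(seconds=i), "203.0.113.7", cid=i) for i in range(12)]
    # a slow client: 10 rejections two minutes apart, never 10 inside 600 s -> not banned
    + [limit_line(BASE + timedelta(minutes=2 * i), "198.51.100.20", cid=100 + i) for i in range(10)]
    # an IPv6 client with only three rejections -> below maxretry
    + [limit_line(BASE + timedelta(seconds=30 + i), "2001:db8::1", cid=200 + i) for i in range(3)]
    # a delayed (not rejected) request: different message, must not match
    + [f'{BASE:%Y/%m/%d %H:%M:%S} [warn] 1234#1234: *300 delaying request, excess: 0.500 '
       f'by zone "login", client: 192.0.2.9, server: example.com, '
       f'request: "POST /login HTTP/1.1", host: "example.com"']
    # an unrelated error that also carries a client: field, must not match
    + [f'{BASE:%Y/%m/%d %H:%M:%S} [error] 1234#1234: *301 open() "/var/www/missing" failed '
       f'(2: No such file or directory), client: 192.0.2.9, server: example.com, '
       f'request: "GET /missing HTTP/1.1", host: "example.com"']
)

if __name__ == "__main__":
    for line in SAMPLE_LOG[:3]:
        print(parse_line(line))
    print("banned:", banned_hosts(SAMPLE_LOG))
```

Against the real log, the equivalent check once fail2ban is installed is fail2ban-regex /var/log/nginx/error.log followed by the path of the filter file named in the jail's filter setting; it reports how many lines matched and which addresses were extracted, which is the quickest way to confirm the regex before enabling the jail.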
Save the file and restart fail2ban:
service fail2ban restart
To check that the jail is running and see what it has banned, use fail2ban-client:
fail2ban-client status nginx-request-limit
To see the configuration used by the fail2ban server