You shall not pass - Fail2ban

linux Dec 26, 2018

Few months ago one of my server was under DDoS attack. The below steps helped me recover and prevent this attack.

Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks. Written in the Python programming language, it is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally, for example, iptables or TCP Wrapper.

My configuration consists of a Debian system with Nginx web server.

Let's start with the installation of fail2ban on Debian/Ubuntu.
apt-get install fail2ban

Configuring fail2ban

By default fail2ban reads the .conf file which can be used as a good starting point. If any changes are required, it is best to do the modification in a .local file which then overrides the .conf file.
Create a Nginx filter file to block IP's:
The directory filter.d contains mainly regular expressions which are used to detect break-in attempts, password failures, etc.
nano /etc/fail2ban/filter.d/nginx-request-limit.conf
Add the following contents in it

# Fail2Ban configuration file 
[Definition]  
failregex = limiting requests, excess:.* by zone.*client: <HOST>  
# Option: ignoreregex 
# Notes: regex to ignore. If this regex matches, the line is ignored. 
# Values: TEXT 
ignoreregex =

Now configure the request limit in nginx configuration as below.
sudo nano /etc/nginx/nginx.conf
Add the below contents in it.
limit_req_zone $binary_remote_addr zone=login:10m rate=10r/m;

Create a new jail config file:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
And add the following contents in it

[nginx-request-limit]  
enabled = true 
filter = nginx-request-limit 
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp] 
logpath = /var/log/nginx/*error.log 
findtime = 600 
bantime = 7200 
maxretry = 10

Tweak the above configuration as per your need.
Save and restart fail2ban
service fail2ban restart

Testing
To check if the settings are running, we use fail2ban-client
fail2ban-client status nginx-request-limit

Debugging
To see configurations used by fail2ban server
fail2ban-client -d

E

Cyber Security Professional • Offensive Infrastructure • Anime Addict • Love to Travel • Co-creater of rescure.fruxlabs.com •