Using fail2ban to protect web servers from DDoS Attacks
2022-07-28 13:42:00 【allway2】
Any service endpoint exposed to the public Internet is exposed to a wide range of attacks. Your service may be a website, an API endpoint or any other application-layer service. Malicious users and bots will try to break into your system by repeatedly sending requests at a high rate. In this article I give a brief introduction to DDoS attacks and a mitigation approach that uses Fail2ban.
What is a DDoS attack?
A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server or service by flooding it with network traffic from many attack sources. The site or service suddenly slows down or becomes unavailable because its resources are exhausted.
Application-layer DDoS attacks
An application-layer DDoS attack targets layer 7 (the seventh layer of the OSI model), where the web server generates and delivers responses to HTTP requests. For example, a system that does not cope well with a large number of concurrent connections (many connections opened and kept established) may run out of capacity for new connections. This is similar to refreshing a web page over and over from many different computers at the same time, flooding the server with HTTP requests.
Because these attacks are carried out by botnets rather than real users, an attacker can easily generate a large number of connections and send a large number of requests at a high rate. Layer 7 attacks of this kind are hard to defend against, because it is difficult to distinguish malicious traffic from legitimate traffic.
How to mitigate application-layer DDoS attacks?
As mentioned above, mitigating a layer 7 attack is a little complicated. Mitigating an application-layer DDoS attempt involves dropping or restricting traffic, and there are a few methods we can implement easily that give the most benefit.
Challenge the requests
Challenge the request source to check whether it is a bot, much like the CAPTCHA check you see when submitting online forms. Requiring something like a JavaScript-level challenge can mitigate many attacks.
Use a Web Application Firewall (WAF)
A web application firewall is a security hardening tool that you place in front of your web server to help mitigate layer 7 DDoS attacks. It can act as a reverse proxy for your web server and protect it from certain types of malicious traffic according to a set of rules. A key advantage of a WAF is the ability to quickly implement custom rules in response to an attack. You can also maintain an IP reputation database to track and selectively block malicious traffic.
Request rate limiting
Request rate limiting is an important component of an effective DDoS mitigation strategy. It limits the number of requests the server will accept. For example, if you know that an ordinary human user cannot submit login details to your login API endpoint more than five times per second, then any user sending requests more often than that may be a malicious attempt. You can then define a rate limit of 5 requests per second on your login API endpoint and lock out/block the IP of any client that violates this rule.
What is Fail2ban?
Fail2ban is an intrusion detection system (IDS) that continuously scans log files (for example /var/log/nginx/error.log) for suspicious activity and bans IPs or takes a preconfigured action. Usually the Fail2ban action updates the firewall rules to reject the IP addresses detected in the log file for a specified time, although you can also configure it to send emails. Out of the box, Fail2ban ships with filters for various services (Apache, Nginx, SSH, etc.).
Let's start implementing
Implementing this DDoS mitigation solution has two parts. First, we configure Nginx to limit the number of requests per IP address, using the Nginx module "ngx_http_limit_req_module". Nginx then records the rate-limited IPs in its error log. Fail2ban parses the Nginx error log and, if it finds the same IP appearing too many times, creates a firewall (iptables) rule that bans it for x amount of time.
If you are not familiar with Nginx and its configuration, please refer to my previous post: Nginx Best Practices and Initial Setup.
Enable rate limiting in Nginx
Rate limiting lets you limit the number of HTTP/HTTPS requests a user can send in a specific period of time. This can also be used for security purposes, and it helps protect your website from DDoS attacks. If you need more information about NGINX rate limiting, see Rate Limiting with NGINX.
First, we must define a limit zone. You can have multiple zones, and they can be assigned to different location blocks. Add the following line to your server or http context block:
```nginx
# vim /etc/nginx/nginx.conf
limit_req_zone $binary_remote_addr zone=myzone:20m rate=5r/s;
```
Let me explain what is happening here:
- $binary_remote_addr – the client's IP address.
- zone=myzone:20m – "myzone" is the zone name, and the size after the colon allocates a block of shared memory that holds the per-client state. 10m allocates 10 megabytes of memory, which is enough to track 160,000 connections; 20m allocates twice that.
- rate=5r/s – defines the default number of requests allowed per client. Here it is set to 5 requests per second (up to 10 with the burst below), but you can also write it as 30r/m (30 requests per minute) to slow it down.
Once the zone is configured, apply it to the desired location block.
```nginx
# vim /etc/nginx/sites-enabled/example.com.conf
location / {
    limit_req zone=myzone burst=5 nodelay;
}
```
Let me explain what is happening here:
- burst=5 – the number of requests per IP that can be queued per second; each IP gets 10 requests in total (5 in process, 5 in the queue).
- nodelay – queued requests are processed as soon as possible instead of being spread out.
Restart the Nginx service for the changes to take effect.
```shell
systemctl restart nginx
```
I have added the server's public IP to my /etc/hosts file under the name "example.com", and the site now loads correctly.
Install Fail2ban
```shell
apt-get update
apt-get install fail2ban
```
Out of the box, fail2ban is configured only to ban IPs with failed SSH login attempts. So we need to enable some rules that will be configured to check the Nginx logs.
Configure general Fail2ban settings
Once fail2ban is installed, the local configuration file needs to be set up. In fail2ban these rule sets are called "jails". Make a local copy of the jail.conf file with the following commands:
```shell
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
vim /etc/fail2ban/jail.local
```
Find the "[nginx-limit-req]" line, comment out the existing lines under it and add the following lines, which define the bantime, findtime, retries and action:
```ini
[nginx-limit-req]
enabled  = true
filter   = nginx-limit-req
action   = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
logpath  = /var/log/nginx/*error.log
findtime = 300
maxretry = 3
bantime  = 3600
```
Let me explain what is happening here:
- [nginx-limit-req] – the jail name; you can give it any name.
- enabled = true – enables the jail.
- filter = nginx-limit-req – the filter to use; this one ships with fail2ban by default.
- action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp] – the action fail2ban triggers when it finds a suspicious IP in the Nginx error.log file.
- logpath = /var/log/nginx/*error.log – tells fail2ban which log files to check for suspicious IPs.
- findtime = 300 – the time window fail2ban searches for matches (5 minutes).
- maxretry = 3 – the maximum number of times an IP may appear in the log within that window before being banned.
- bantime = 3600 – how long the IP will be banned (1 hour).
In this case, if an IP address appears in our error log 3 times within 5 minutes, fail2ban will ban it.
The findtime and maxretry values matter because they determine how often suspicious IPs get banned. If you make these values smaller, attacker IPs will be banned more often. Adjust the values as needed.
If necessary, modify the nginx-limit-req filter by editing the nginx-limit-req.conf file.
```ini
# vim /etc/fail2ban/filter.d/nginx-limit-req.conf
[Definition]
failregex = limiting requests, excess:.* by zone.*client: <HOST>
ignoreregex =
```
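To make the findtime/maxretry/bantime rule and the failregex filter above concrete, here is an added Python example (not part of the original post and not fail2ban's own code) that applies the page's failregex to constructed Nginx error-log lines and works out which client addresses the jail would ban. The log lines, timestamps and addresses are made up; the ban decision follows the jail values shown above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The page's failregex with fail2ban's <HOST> tag expanded into a named group
# (fail2ban performs the same expansion internally).
FAILREGEX = re.compile(r'limiting requests, excess:.* by zone.*client: (?P<host>[0-9a-fA-F:.]+)')
TIMESTAMP = re.compile(r'^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})')

# Constructed sample error-log lines (not real traffic). 10.0.0.7 trips the
# limit three times within 5 minutes; 10.0.0.9 trips it twice, 8 minutes apart.
SAMPLE_LOG = """\
2022/07/28 13:40:01 [error] 1234#1234: *11 limiting requests, excess: 5.320 by zone "myzone", client: 10.0.0.7, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
2022/07/28 13:40:02 [error] 1234#1234: *12 limiting requests, excess: 5.800 by zone "myzone", client: 10.0.0.7, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
2022/07/28 13:40:05 [error] 1234#1234: *13 limiting requests, excess: 5.100 by zone "myzone", client: 10.0.0.9, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
2022/07/28 13:41:10 [error] 1234#1234: *14 limiting requests, excess: 6.010 by zone "myzone", client: 10.0.0.7, server: example.com, request: "GET /login HTTP/1.1", host: "example.com"
2022/07/28 13:42:00 [error] 1234#1234: *15 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: 10.0.0.9, server: example.com, request: "GET /favicon.ico HTTP/1.1", host: "example.com"
2022/07/28 13:48:30 [error] 1234#1234: *16 limiting requests, excess: 5.500 by zone "myzone", client: 10.0.0.9, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
"""

def parse_matches(log_text):
    """Yield (timestamp, host) for every line the failregex matches.
    Lines that do not match (e.g. the favicon error) are ignored, as
    fail2ban ignores them; ignoreregex is empty in the page's filter."""
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue
        ts = datetime.strptime(TIMESTAMP.match(line).group(1), "%Y/%m/%d %H:%M:%S")
        yield ts, m.group("host")

def evaluate_bans(log_text, findtime=300, maxretry=3, bantime=3600):
    """Apply the jail rule: ban a host that matches maxretry times within
    findtime seconds. Returns {host: (ban_start, ban_end)}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)   # host -> timestamps still inside the window
    bans = {}
    for ts, host in parse_matches(log_text):
        hits = [t for t in recent[host] if ts - t <= window]
        hits.append(ts)
        recent[host] = hits
        if len(hits) >= maxretry and host not in bans:
            bans[host] = (ts, ts + timedelta(seconds=bantime))
    return bans

if __name__ == "__main__":
    for host, (start, end) in evaluate_bans(SAMPLE_LOG).items():
        print(f"ban {host} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

With the page's values only 10.0.0.7 is banned; lowering findtime/maxretry, as the text suggests, also catches 10.0.0.9.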
After completing all of the fail2ban configuration, restart the service and check its status.
```shell
systemctl restart fail2ban.service
systemctl status fail2ban.service
```
Testing and troubleshooting
Now it is time to verify that the configuration works as expected. You can test with tools such as Siege or the Apache Benchmark tool; for this test I will use the Apache Benchmark tool (ab) to test the rate limit on a web page.
If ab is not installed on your system, install the apache2-utils package with your distribution's package manager. If you are using Windows, download the Apache binaries .zip file and run ab.exe from the command prompt with the required parameters.
```shell
# On Debian servers
apt-get update && apt-get upgrade
apt-get install -y apache2-utils
# On Red Hat servers
yum update
yum install httpd httpd-tools -y
```
Suppose we want to see how fast the web server handles 20 requests, with at most 10 requests running concurrently:
```shell
ab -n 20 -c 10 http://example.com/
```
Nginx error log:
```shell
tail -f /var/log/nginx/error.log
```
Run the following command to see whether the fail2ban filter matches the log file above. If the match count is zero, there may be a problem with the regular-expression filter.
```shell
fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-limit-req.conf
```
Fail2ban log:
```shell
tail -f /var/log/fail2ban.log
```
Fail2ban status:
Check the fail2ban status with the following command; it shows the list of banned IPs.
```shell
fail2ban-client status nginx-limit-req
```
To verify the iptables rules that Fail2ban added, use the following command:
```shell
iptables -L
```
Now, if you reload the site, it will fail to load because fail2ban has blocked it with iptables.
Manually add/remove banned IPs (optional)
You can also manually ban or unban an IP address.
```shell
# Ban a specific IP in that jail
fail2ban-client set nginx-limit-req banip 1.2.3.4
# Unban a specific IP in that jail
fail2ban-client set nginx-limit-req unbanip 1.2.3.4
```
Setting up fail2ban to protect your Nginx server from DDoS attacks is fairly simple. Yet fail2ban offers great flexibility to customize a strategy that suits your security needs.