We are currently trying out this Fail2Ban rule on one of our servers, to automatically block simple (but very upsetting) DoS attacks on Nginx (after 30 seconds).
New filter in /etc/fail2ban/filter.d/nginx-dos.conf:
# Fail2Ban configuration file
#
# Generated on Fri Jun 08 12:09:15 EST 2012 by BeezNest
#
# Author: Yannick Warnier
#
# $Revision: 1 $
#

[Definition]

# Option: failregex
# Notes.: Regexp to catch a generic call from an IP address.
# Values: TEXT
#
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
In our jail.local, we have (at the end of the file):
[nginx-dos]
# Based on apache-badbots but a simple IP check (any IP requesting more than
# 240 pages in 60 seconds, or 4p/s average, is suspicious)
# Block for two full days.
# @author Yannick Warnier
enabled = true
port = http,8090
filter = nginx-dos
logpath = /var/log/nginx/*-access.log
findtime = 60
bantime = 172800
maxretry = 240
Of course, if you log every resource on your site (images, CSS, JS, etc.), a normal user would easily reach those numbers. To avoid this, use Nginx's access_log off directive for static files, like so:
# Serve static files directly
# (the dot before the extension list must be escaped, otherwise it matches any character)
location ~* \.(png|jpe?g|gif|ico)$ {
    expires 1y;
    access_log off;
    try_files $uri $uri/ @rewrite;
    gzip off;
}
location ~* \.(mp3)$ {
    expires 1y;
    access_log off;
    gzip off;
}
location ~* \.(css)$ {
    expires 1d;
    access_log off;
}
location ~* \.(js)$ {
    expires 1h;
    access_log off;
}
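To see what the jail above actually does before deploying it, here is an added example (not code from the original post or from Fail2Ban itself) that replays constructed access-log lines through the same failregex and counts hits per client over the jail's findtime window. The `<HOST>` token, which Fail2Ban expands to its own address pattern, is approximated here by an IPv4 group; the log lines and IP addresses are constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Jail settings copied from the jail.local above.
FINDTIME = 60
MAXRETRY = 240

# The failregex from nginx-dos.conf. Fail2Ban substitutes <HOST> with its own
# address pattern; an IPv4 group named "host" stands in for it here (assumption).
FAILREGEX = re.compile(r'^(?P<host>\d{1,3}(?:\.\d{1,3}){3}) -.*"(GET|POST).*HTTP.*"$')
TIMEFMT = "%d/%b/%Y:%H:%M:%S %z"          # nginx's default $time_local layout
TIMESTAMP = re.compile(r"\[([^\]]+)\]")

def offenders(lines, findtime=FINDTIME, maxretry=MAXRETRY):
    """Hosts whose failregex hits reach `maxretry` inside any sliding
    `findtime`-second window, which is the condition under which Fail2Ban bans."""
    recent = defaultdict(deque)
    banned = set()
    for line in lines:
        m = FAILREGEX.match(line)
        ts = TIMESTAMP.search(line)
        if not (m and ts):
            continue
        t = datetime.strptime(ts.group(1), TIMEFMT).timestamp()
        q = recent[m.group("host")]
        q.append(t)
        while t - q[0] > findtime:      # drop hits that fell out of the window
            q.popleft()
        if len(q) >= maxretry:
            banned.add(m.group("host"))
    return banned

def sample_log():
    """Constructed access-log lines (not from a real server): one visitor
    reading three pages, and one client fetching a page 4 times a second."""
    base = datetime(2012, 6, 8, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    lines = [fmt.format(ip="203.0.113.5", path=f"/page{i}",
                        ts=(base + timedelta(seconds=10 * i)).strftime(TIMEFMT))
             for i in range(3)]
    lines += [fmt.format(ip="198.51.100.9", path="/index.php",
                         ts=(base + timedelta(seconds=i // 4)).strftime(TIMEFMT))
              for i in range(240)]
    return lines

if __name__ == "__main__":
    print(sorted(offenders(sample_log())))   # ['198.51.100.9']
```

Feeding a line for a `.png` request through `FAILREGEX` shows it matches just like a page request, which is why the `access_log off` blocks above matter: without them, a single page with many images counts several times against the same client.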
We’ll see how that works for us… (and report here)
4 Comments
David Kelly
20 November, 2012 at 5:46 pm - Interested to know how it worked out. Do you have any results to report?
john
1 December, 2012 at 2:59 pm - Hi, for Apache, how to do it to bypass images, CSS…? Then, I have /var/log/httpd/sb-access_log; is that correct to use? Or is *access_log at the end correct? Thanks
All nginx access logs from 127.0.0.1 (so can't use fail2ban) | Life with Linux
1 June, 2014 at 8:00 pm - […] I’m trying to configure fail2ban to block DDoS attacks using the chunk shown here. […]
Block DDOS attacks with Nginx
25 June, 2014 at 11:06 am - […] You can also follow Yannick Warnier’s article, which shows how to monitor access to Nginx with Fail2Ban […]