RevengeFNF
Posted December 16, 2015

I'm trying to create a rule in fail2ban to ban IPs that try to HTTP flood the server, like pressing F5 in the browser several times. So, in jail.local I add the following code:

```
[http-get-dos]
enabled  = true
port     = http,https
filter   = http-get-dos
logpath  = /var/log/nginx/domains/test.log
maxretry = 10
findtime = 1
# ban for 10 minutes (600 seconds)
bantime  = 600
action   = iptables[name=HTTP, port=http, protocol=tcp]
```

Then inside the filter.d folder, I created the file http-get-dos.conf with the following code:

```
[Definition]
failregex   = ^<HOST> -.*GET.*/
ignoreregex = ^<HOST> -.*GET.*/uploads
```

So this will check for 10 GETs in a second but will ignore GETs to the uploads folder, where the CSS and JS files come from. I think it's pretty safe. I run the following command to test whether the regex works with the nginx access log:

```
fail2ban-regex /var/log/nginx/domains/test.log /etc/fail2ban/filter.d/http-get-dos.conf /etc/fail2ban/filter.d/http-get-dos.conf
```

The result is this one:

```
Running tests
=============

Use failregex filter file : http-get-dos, basedir: /etc/fail2ban
Use ignoreregex filter file : http-get-dos, basedir: /etc/fail2ban
Use log file : /var/log/nginx/domains/test.log
Use encoding : UTF-8

Results
=======

Failregex: 2053 total
|- #) [# of hits] regular expression
|  1) [2053] ^<HOST> -.*GET.*/
`-

Ignoreregex: 967 total
|- #) [# of hits] regular expression
|  1) [967] ^<HOST> -.*GET.*/uploads
`-

Date template hits:
|- [# of hits] date format
|  [3075] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 3075 lines, 967 ignored, 2053 matched, 55 missed
[processed in 1.93 sec]

Ignored line(s): too many to print. Use --print-all-ignored to print all 967 lines
Missed line(s): too many to print. Use --print-all-missed to print all 55 lines
```

So, it's working. I restart fail2ban and I'm going to hammer my test server to check if I get banned. But I notice I'm not banned.

If I run the command "fail2ban-client status http-get-dos", it returns this:

```
Status for the jail: http-get-dos
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
```

It's not getting anything... Does anyone know what I might be doing wrong?
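To see what the jail and filter posted above would actually do to a stream of requests, the following added example (not code from the thread and not fail2ban's own implementation) replays a constructed nginx access log through a small re-implementation of the relevant fail2ban logic: the failregex and ignoreregex from http-get-dos.conf, and the maxretry/findtime/bantime counting from the jail. The `<HOST>` tag is expanded to a simplified pattern rather than fail2ban's real one, the date handling is simplified (fail2ban strips the timestamp before matching; here the regex simply spans it with `.*`), and all IP addresses, paths and log lines are constructed for this example.

```python
"""Replay a constructed nginx log through the posted http-get-dos jail logic.

Added example: a simplified simulation of fail2ban's filter/jail behaviour,
not fail2ban's code. Log lines, IPs and paths are constructed for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4/IPv6/hostname chars).
HOST = r"(?P<host>[\w\-.:]+)"

# The two expressions from the posted http-get-dos.conf, with <HOST> expanded.
FAILREGEX = re.compile(r"^" + HOST + r" -.*GET.*/")
IGNOREREGEX = re.compile(r"^" + HOST + r" -.*GET.*/uploads")

# The three counters from the posted jail.local section.
MAXRETRY = 10
FINDTIME = timedelta(seconds=1)
BANTIME = timedelta(seconds=600)

# nginx combined-log timestamp, e.g. [16/Dec/2015:14:02:05 +0000]
DATE_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")


def parse_date(line):
    return datetime.strptime(DATE_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S")


def classify(line):
    """Return ('ignored'|'matched'|'missed', host), mirroring fail2ban-regex's buckets."""
    ig = IGNOREREGEX.match(line)
    if ig:
        return "ignored", ig.group("host")
    m = FAILREGEX.match(line)
    if m:
        return "matched", m.group("host")
    return "missed", None


def run_jail(lines):
    """Replay lines in order. Returns (bucket counts, {host: ban start time})."""
    counts = {"ignored": 0, "matched": 0, "missed": 0}
    hits = defaultdict(deque)  # host -> timestamps of failures inside findtime
    bans = {}
    for line in lines:
        kind, host = classify(line)
        counts[kind] += 1
        if kind != "matched":
            continue
        ts = parse_date(line)
        if host in bans and ts < bans[host] + BANTIME:
            continue  # already banned; the firewall would have dropped this anyway
        q = hits[host]
        q.append(ts)
        while q and ts - q[0] > FINDTIME:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= MAXRETRY:
            bans[host] = ts
            q.clear()
    return counts, bans


def log_line(ip, ts, path, referer="-"):
    """Build one constructed nginx combined-format access log line."""
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S")} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "{referer}" "Mozilla/5.0"')


def sample_log():
    """Constructed traffic mixing a flood, normal browsing, static assets and a POST."""
    t0 = datetime(2015, 12, 16, 14, 2, 5)
    lines = []
    # 12 refreshes of the same page within one second: more than maxretry inside findtime.
    lines += [log_line("203.0.113.7", t0, "/index.php") for _ in range(12)]
    # 12 requests one second apart: never 10 inside a one-second window, so no ban.
    lines += [log_line("198.51.100.9", t0 + timedelta(seconds=i), "/index.php") for i in range(12)]
    # Static asset under /uploads: hits the ignoreregex.
    lines.append(log_line("192.0.2.4", t0, "/uploads/css/site.css"))
    # Page request whose *referer* contains /uploads: the posted ignoreregex also skips this one.
    lines.append(log_line("192.0.2.4", t0, "/index.php", referer="http://test/uploads/x"))
    # A POST contains no "GET", so neither expression matches: a missed line.
    lines.append('192.0.2.4 - - [16/Dec/2015:14:02:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    counts, bans = run_jail(sample_log())
    print(counts)
    for host, start in bans.items():
        print(f"ban {host} from {start} for {BANTIME}")
```

Running it bans only 203.0.113.7, which is the intent of the rule, and leaves the slower client alone. Two things the replay makes visible that the fail2ban-regex summary does not: `findtime = 1` is a strict one-second window, so a client refreshing even every half second can stay just under ten hits unless the bursts land together, and `.*GET.*/uploads` is matched against the whole line, so a request whose referer happens to contain `/uploads` is ignored too, not just requests for the uploads folder.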
Tracy Perry
Posted December 25, 2015

Easiest: install CSF and use the CT_LIMIT parameter in the config file.

```
# To disable this feature, set this to 0
CT_LIMIT = "50"
# Leave this option empty to count all ports against CT_LIMIT
CT_PORTS = "80,443"
```

It's a hard ceiling though and can't be applied to certain paths.
RevengeFNF (Author)
Posted December 25, 2015

I managed to solve my issue. It was because of the new log journal in CentOS 7.