Apache Post Flooding Protection using Fail2Ban and IPTables

Here is a way to protect your LAMP server from a POST flooding DDoS attack, where clients hammer the server with HTTP POST requests.

Steps:

  1. Set up Fail2Ban and IPTables by following instructions here.
  2. Create a new file named /etc/fail2ban/filter.d/apache-postflood.conf with the following content:
    [Definition]
    # match any POST request line; <HOST> is the tag Fail2Ban replaces with the client IP
    failregex = ^<HOST> .*\"POST [^\"]+\"
    # matches this example line:
    # 202.120.209.38 - - [16/Dec/2015:11:27:32 +1000] "POST /index.php HTTP/1.0" 302 270 "-" "-"
    #
    # don't ignore anything
    ignoreregex =
    
  3. Next, add the following to the bottom of /etc/fail2ban/jail.local
    [apache-postflood]
    enabled = true
    # block these ports
    port=http,https
    # filter in /etc/fail2ban/filter.d/apache-postflood.conf
    filter = apache-postflood
    # path to your Apache access log files
    logpath = /var/log/apache/*_access_log
    findtime = 20
    maxretry = 10

    The above will ban any IP which posts to your server more than 10 times (maxretry) within 20 seconds (findtime).

  4. Check your IPTables for the list of blocked IPs by entering iptables-save. You should see output like the following:
    # Generated by iptables-save v1.4.21 on Thu May 12 22:17:09 2016
    *filter
    :INPUT ACCEPT [149:37517]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [137:16186]
    :fail2ban-apache-postflood - [0:0]
    :fail2ban-ssh - [0:0]
    -A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-postflood
    -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
    -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
    -A fail2ban-apache-postflood -s 91.200.12.26/32 -j REJECT --reject-with icmp-port-unreachable
    -A fail2ban-apache-postflood -j RETURN
    -A fail2ban-ssh -j RETURN
    COMMIT
    # Completed on Thu May 12 22:17:09 2016
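Before pointing the jail at live logs, it helps to check that the filter matches what you expect and that the findtime/maxretry pair bans the right clients. The script below is an added example, not part of the original post or of Fail2Ban itself: it applies the failregex from step 2 to a few constructed access-log lines (RFC 5737 documentation addresses) and emulates the sliding findtime window from step 3. The pattern substituted for <HOST> is an assumption that approximates what Fail2Ban does internally; the real daemon also strips the date before matching, which this simplified version does not need because of the `.*` in the regex.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex exactly as written in /etc/fail2ban/filter.d/apache-postflood.conf
FAILREGEX = r'^<HOST> .*\"POST [^\"]+\"'

# Assumed approximation of the named group Fail2Ban substitutes for <HOST>.
HOST_RE = r'(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)'
POST_RE = re.compile(FAILREGEX.replace('<HOST>', HOST_RE))

# Apache combined-log timestamp, e.g. [16/Dec/2015:11:27:32 +1000]
TS_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]')

FINDTIME = 20   # seconds, as in jail.local
MAXRETRY = 10   # matches within findtime, as in jail.local


def parse_line(line):
    """Return (host, epoch_seconds) when the line matches the failregex, else None."""
    m = POST_RE.match(line)
    if not m:
        return None
    ts = TS_RE.search(line)
    if not ts:
        return None
    when = datetime.strptime(ts.group(1), '%d/%b/%Y:%H:%M:%S %z')
    return m.group('host'), when.timestamp()


def find_bans(lines, findtime=FINDTIME, maxretry=MAXRETRY):
    """Emulate the jail: ban a host once it has maxretry matches inside a
    findtime-second sliding window. Lines are assumed to be in time order per host."""
    window = defaultdict(deque)
    banned = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, t = parsed
        if host in banned:
            continue
        q = window[host]
        q.append(t)
        # drop matches that fell out of the findtime window
        while q and t - q[0] > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned.append(host)
            q.clear()
    return banned


def _line(ip, method, second, path='/index.php'):
    # constructed sample access-log line in Apache combined format
    return ('%s - - [16/Dec/2015:11:27:%02d +1000] "%s %s HTTP/1.0" 302 270 "-" "-"'
            % (ip, second, method, path))


# Constructed sample log: one flooding client, one normal client, one GET.
SAMPLE_LOG = (
    [_line('203.0.113.7', 'POST', s) for s in range(0, 12)]    # 12 POSTs in 12 s -> banned
    + [_line('198.51.100.9', 'POST', s) for s in (5, 15, 30)]  # 3 POSTs, spread out -> kept
    + [_line('192.0.2.44', 'GET', 3, '/')]                     # GET never matches the filter
)

if __name__ == '__main__':
    print('would ban:', find_bans(SAMPLE_LOG))
```

Run it with no arguments to see which sample clients the jail would ban; to test the filter against a real log instead, feed the file's lines to find_bans. The equivalent check with the real engine is fail2ban-regex pointed at your access log and the filter file.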