Here is a way to protect your LAMP server from a Post Flooding DDoS attack.
- Set up Fail2Ban and IPTables by following instructions here.
- Create a new file named
/etc/fail2ban/filter.d/apache-postflood.confwith the following content:
12345678[Definition]# match these lines to find a login failfailregex = ^<HOST> .*\"POST [^\"]+\"# matches this example line:# 126.96.36.199 - - [16/Dec/2015:11:27:32 +1000] "POST /index.php HTTP/1.0" 302 270 "-" "-"## don't ignore anythingignoreregex =
- Next, add the following to the bottom of
123456789[apache-postflood]enabled = true# block these portsport=http,https# filter in /etc/fail2ban/filter.d/apache-postflood.conffilter = apache-postfloodlogpath = /var/log/apache/*_access_log # or path to your Apache log filesfindtime = 20maxretry = 10
The above will block all IPs which try to post more than 10 times in 20 seconds to your server
- Check your IPTables for the list of blocked IPs by entering
iptables-save. You should see output like the following:
123456789101112131415# Generated by iptables-save v1.4.21 on Thu May 12 22:17:09 2016*filter:INPUT ACCEPT [149:37517]:FORWARD ACCEPT [0:0]:OUTPUT ACCEPT [137:16186]:fail2ban-apache-postflood - [0:0]:fail2ban-ssh - [0:0]-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-postflood-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh<strong>-A fail2ban-apache-postflood -s 188.8.131.52/32 -j REJECT --reject-with icmp-port-unreachable</strong>-A fail2ban-apache-postflood -j RETURN-A fail2ban-ssh -j RETURNCOMMIT# Completed on Thu May 12 22:17:09 2016