Use fail2ban to protect nginx from DDOS attack

Recently one of our client server was subjected to DDOS attack. We use Nginx’s Limit Req Module and fail2ban together to thwart this attack.

Installing fail2ban

On Ubuntu/Debian, just run…

apt-get install fail2ban

Configuration

There are 2 parts. First, we need to configure nginx to limit number of requests for IP addresses. Nginx will log info about banned IP into error log. fail2ban will parse nginx error log and ban offending IP addresses.

Nginx configuration

Please follow this post for nginx config part.

fail2ban Configuration

filter config

Create a nginx filter file:

vim /etc/fail2ban/filter.d/nginx-req-limit.conf

Add following content in it:

# Fail2Ban configuration file
#
# supports: ngx_http_limit_req_module module

[Definition]

failregex = limiting requests, excess:.* by zone.*client: <HOST>

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

jail config

Create a new jail config in:

vim /etc/fail2ban/jail.local

If you don’t see jail.local, simply run:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Add following towards end:

[nginx-req-limit]

enabled = true
filter = nginx-req-limit
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
logpath = /var/log/nginx/*error.log
findtime = 600
bantime = 7200
maxretry = 10

findtime and maxretry values are important. Together, they decides how often offending IP’s gets banned. If you make these values smaller, IP’s will get banned more often. Tweak as per your need.

After saving both config files, restart fail2ban using:

service fail2ban restart

Testing

Before you exit from shell, it’s better to make sure if fail2ban is working.

fail2ban logs

You can monitor fail2ban log file:

tail -f /var/log/fail2ban.log

You will see lines like below:

2014-04-28 14:16:02,840 fail2ban.actions: WARNING [nginx-req-limit] Ban 95.211.117.202
2014-04-28 14:16:02,848 fail2ban.actions: WARNING [nginx-req-limit] Ban 78.187.45.204
2014-04-28 14:16:03,857 fail2ban.actions: WARNING [nginx-req-limit] 78.187.45.204 already banned
2014-04-28 14:17:36,952 fail2ban.actions: WARNING [nginx-req-limit] Ban 91.216.201.114

If you don’t see anything that means either misconfiguration or nothing to worry at all. If you think there is something to worry, jump to debugging section below.

fail2ban-client

You can also use fail2ban-client to find out status of a particular jail using following command:

fail2ban-client status nginx-req-limit

This will show:

Status for the jail: nginx-req-limit
|- filter
|  |- File list:    /var/log/nginx/test.com.error.log /var/log/nginx/example.com.error.log
|  |- Currently failed: 6
|  `- Total failed: 389
`- action
   |- Currently banned: 3
   |  `- IP list:   95.211.117.202 78.187.45.204 91.216.201.114 
   `- Total banned: 3

As you can see there are 3 IP’s in jail.

Debugging

If things are not working as expected, you can debug fail2ban config.

Check debug output

Run following command to see config used by fail2ban-server:

fail2ban-client -d

Debug filter

Run following command to see if fail2ban filter works for  a particular log file:

fail2ban-regex /var/log/nginx/example.com.error.log  /etc/fail2ban/filter.d/nginx-req-limit.conf

Output will contain something like following (towards end):

Success, the total number of match is 861

If there are zero match then there could be an issue with regex filter.

How To Set Up Basic HTTP Authentication With Nginx on Ubuntu

Step 1 — Installing Apache Tools

You’ll need the htpassword command to configure the password that will restrict access to the target website. This command is part of the apache2-utils package, so the first step is to install that package.

sudo apt-get install apache2-utils

Step 2 — Setting Up HTTP Basic Authentication Credentials

In this step, you’ll create a password for the user running the website.

That password and the associated username will be stored in a file that you specify. The password will be encrypted and the name of the file can be anything you like. Here, we use the file /etc/nginx/.htpasswd and the username nginx.

To create the password, run the following command. You’ll need to authenticate, then specify and confirm a password.

sudo htpasswd -c /etc/nginx/.htpasswd nginx

You can check the contents of the newly-created file to see the username and hashed password.

cat /etc/nginx/.htpasswd

Example of /etc/nginx/.htpasswd:

nginx:$apr1$ilgq7ZEO$OarDX15gjKAxuxzv0JTrO/

Step 3 — Updating the Nginx Configuration

Now that you’ve created the HTTP basic authentication credential, the next step is to update the Nginx configuration for the target website to use it.

HTTP basic authentication is made possible by the auth_basic and auth_basic_user_filedirectives. The value of auth_basic is any string, and will be displayed at the authentication prompt; the value of auth_basic_user_file is the path to the password file that was created in Step 2.

Both directives should be in the configuration file of the target website, which is normally located in /etc/nginx/sites-available directory. Open that file using nano or your favorite text editor.

sudo nano /etc/nginx/sites-available/default

Under the location section, add both directives:/etc/nginx/sites-available/default.conf

. . .
server_name localhost;

location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
        # Uncomment to enable naxsi on this location
        # include /etc/nginx/naxsi.rules

        auth_basic "Private Property";
        auth_basic_user_file /etc/nginx/.htpasswd;
}
. . .

Save and close the file.

Step 4 — Testing the Setup

To apply the changes, first reload Nginx.

sudo service nginx reload

Now try accessing the website you just secured by going to http://your_server_ip/ in your favorite browser. You should be presented with an authentication window (which says “Private Property”, the string we set for auth_basic), and you will not be able to access the website until you enter the correct credentials. If you enter the username and password you set, you’ll see the default Nginx home page.