if fail2ban fails to ban:

https://dwaves.de/2017/07/27/centos7-replaced-firewall-iptables-with-firewalld-iptables-vs-nftables-benchmark-performance-comparison-scalability-when-facing-ddos-scenarios/

But whole companies from Israel are also offering tools to knock your web server offline with “rented” DDoS attacks.

vim /etc/fail2ban/jail.local; # add those lines:

[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/*error.log
maxretry = 3
findtime = 600

[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache2/*error.log
maxretry = 3
findtime = 600

[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache2/*error.log
maxretry = 2
findtime = 600

[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
# the apache-badbots filter matches user agents, which Apache writes to the access log
logpath = /var/log/apache2/*access.log
maxretry = 2
findtime = 600

:wq # save and quit

# restart fail2ban

/etc/init.d/fail2ban restart

iptables -L

Send Reports via Mail

You might want fail2ban to report on filter actions, to see who is trying to DDoS or brute-force your box.

  • [apache] : this jail is used to block failed login attempts.
  • [apache-noscript] : this jail is used to block remote clients who are searching for scripts on the website to execute.
  • [apache-overflows] : this jail is used to block clients who are attempting to request suspicious URLs.
  • [apache-badbots] : this jail is used to block malicious bot requests.

Note: the options used in each jail are described below.

  • enabled : this option means Apache protection is on.
  • port : this option specifies the services that fail2ban monitors.
  • filter : this option refers to the config file located in the /etc/fail2ban/filter.d/ directory.
  • logpath : this option specifies the location of the log file.
  • bantime : this option specifies the number of seconds that a remote host will be blocked from the server.
  • maxretry : this option specifies the number of failed login attempts before a remote host is blocked for the length of the ban time.
  • ignoreip : this option allows you to whitelist certain IP addresses from blocking.
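
How maxretry and findtime interact in the jails above, shown as an added example that is not part of the original article or of fail2ban itself: a failure only counts while it is younger than findtime, and a host is banned once maxretry failures sit inside that window. The regex is a simplified stand-in for the apache-auth filter, and the log lines, the ignoreip value and the function name find_bans are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Simplified stand-in for the apache-auth filter (an assumption for this
# example, not fail2ban's real failregex): Apache 2.4 basic-auth failures.
FAILURE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[auth_basic:error\] \[pid \d+\] "
    r"\[client (?P<ip>[\d.]+):\d+\] AH\d+: user .*(?:authentication failure|not found)"
)

# Constructed sample lines in Apache 2.4 error.log layout (documentation IPs).
SAMPLE_LOG = """\
[Thu Jul 27 10:00:00.000000 2017] [auth_basic:error] [pid 811] [client 203.0.113.5:40112] AH01617: user admin: authentication failure for "/admin": Password Mismatch
[Thu Jul 27 10:00:00.000000 2017] [auth_basic:error] [pid 811] [client 198.51.100.7:51000] AH01618: user root not found: /admin
[Thu Jul 27 10:00:05.000000 2017] [auth_basic:error] [pid 812] [client 127.0.0.1:33000] AH01618: user test not found: /admin
[Thu Jul 27 10:00:06.000000 2017] [auth_basic:error] [pid 812] [client 127.0.0.1:33000] AH01618: user test not found: /admin
[Thu Jul 27 10:00:07.000000 2017] [auth_basic:error] [pid 812] [client 127.0.0.1:33000] AH01618: user test not found: /admin
[Thu Jul 27 10:00:20.000000 2017] [auth_basic:error] [pid 811] [client 203.0.113.5:40113] AH01617: user admin: authentication failure for "/admin": Password Mismatch
[Thu Jul 27 10:00:30.000000 2017] [core:notice] [pid 800] AH00094: Command line: '/usr/sbin/apache2'
[Thu Jul 27 10:00:40.000000 2017] [auth_basic:error] [pid 811] [client 203.0.113.5:40114] AH01617: user admin: authentication failure for "/admin": Password Mismatch
[Thu Jul 27 10:08:00.000000 2017] [auth_basic:error] [pid 811] [client 198.51.100.7:51001] AH01618: user root not found: /admin
[Thu Jul 27 10:15:00.000000 2017] [auth_basic:error] [pid 811] [client 198.51.100.7:51002] AH01618: user root not found: /admin
"""

def find_bans(log_text, maxretry=3, findtime=600, ignoreip=("127.0.0.0/8",)):
    """Return {ip: datetime of the failure that triggers the ban}."""
    ignored = [ip_network(net) for net in ignoreip]
    recent = defaultdict(deque)   # ip -> failure times still inside findtime
    bans = {}
    for line in log_text.splitlines():
        m = FAILURE.match(line)
        if not m or m["ip"] in bans:
            continue              # not a failure line, or host already banned
        if any(ip_address(m["ip"]) in net for net in ignored):
            continue              # whitelisted hosts are never counted
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
        window = recent[m["ip"]]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # failure is older than findtime: forget it
        if len(window) >= maxretry:
            bans[m["ip"]] = ts
    return bans

if __name__ == "__main__":
    print(find_bans(SAMPLE_LOG))
```

The slow client at 198.51.100.7 also fails three times, but never three times inside one 600-second window, so with maxretry = 3 it is not banned; lowering maxretry or raising findtime catches it.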

Credits: https://www.maketecheasier.com/fail2ban-protect-apache-ddos/
