Re: How to prevent ddos attack
Posted: 2017/08/24 13:53:09
fail2ban does work. You need to set it up properly. I have mine set to both use an IP blacklist, which is basically the entire world except the subnet I always log in on. Here is a how-to => https://zach.seifts.us/posts/2013/07/14 ... persistent That way the login attempt is banned if it is not from an approved IP network, AND it is added to the IP blacklist also as redundancy.
For others that come along, or if the link above stops working, here are the instructions pasted below. There are some other useful comments on the linked page, however, by others who have come along.
"Fail2ban is great because it looks at logs, and if an entry matches a regular expression it will perform an action on the IP address from the log. You can make the actions do pretty much anything; typically the action is an iptables rule that will ban the user. The problem is that when you restart the fail2ban service, fail2ban clears the chain for the filter and parses the current log for matches, not the rotated logs. So you don't ban any IPs that were banned before logrotate rotated the old log.
You can make the bans persistent by setting up a blacklist and automatically loading them when fail2ban is restarted. First, you need to create a file to store blacklisted IPs.
sudo touch /etc/fail2ban/ip.blacklist
Then you can either make a copy or edit the /etc/fail2ban/action.d/iptables-multiport.conf file. I prefer to make a copy of it because I version all of my configs.
In the action config file you have a few different directives; we want to focus on two, actionstart and actionban. First, when fail2ban bans an IP we want to not only ban it, but also add the IP address to the ip.blacklist file.
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
            echo <ip> >> /etc/fail2ban/ip.blacklist
Then we want to be sure that the iptables rule is added when fail2ban is started, so we add the following lines of code to the actionstart directive:
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
              while read IP; do iptables -I fail2ban-<name> 1 -s "$IP" -j DROP; done < /etc/fail2ban/ip.blacklist
That's it. Once you restart fail2ban it will automatically ban all of the IPs in your ip.blacklist file."
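Two things the pasted actionban/actionstart pair leaves open: the "echo <ip> >>" line appends the same address again on every repeat ban, and the restart loop hands every line of ip.blacklist to iptables as-is, so a blank line, a comment or a typo becomes an iptables error at startup. The script below is an added example (not from the post above or the linked blog) that does the same two jobs with those cases handled: record_ban only appends an address once, and load_blacklist strips comments and blanks, de-duplicates, validates each entry as an IPv4 address or CIDR range, and only then inserts a DROP rule into the fail2ban-<jail> chain the post uses. It assumes an IPTABLES variable naming the binary (set it to echo for a dry run) and uses a constructed sample file with RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example, not code from the forum post or the linked blog.
# Assumptions: the fail2ban chain is named fail2ban-<jail> as in the post,
# IPTABLES names the binary to call (set IPTABLES=echo for a dry run), and
# the blacklist is one IPv4 address or CIDR per line, '#' comments allowed.

# Return 0 when $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
is_ipv4_cidr() {
  addr=${1%%/*}
  if [ "$addr" != "$1" ]; then
    prefix=${1#*/}
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
  fi
  oldifs=$IFS
  IFS=.
  set -f                 # no globbing while we split on dots
  set -- $addr
  set +f
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# actionban helper: record the IP once, so repeated bans of the same
# address do not grow the file (the post's "echo >>" appends every time).
record_ban() {
  ip=$1
  file=$2
  grep -qxF -- "$ip" "$file" 2>/dev/null || printf '%s\n' "$ip" >> "$file"
}

# actionstart helper: strip comments and blank lines, de-duplicate, validate
# each entry, then insert one DROP rule per entry into fail2ban-<jail>.
# Invalid lines are reported on stderr instead of being handed to iptables.
load_blacklist() {
  file=$1
  jail=$2
  : "${IPTABLES:=iptables}"
  sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$file" |
    awk 'NF && !seen[$0]++' |
    while IFS= read -r entry; do
      if is_ipv4_cidr "$entry"; then
        "$IPTABLES" -I "fail2ban-$jail" 1 -s "$entry" -j DROP
      else
        printf 'skipping invalid blacklist entry: %s\n' "$entry" >&2
      fi
    done
}

# Constructed sample blacklist (RFC 5737 documentation ranges) written to a
# temp file so the example runs offline; prints the path.
make_sample_blacklist() {
  f=$(mktemp)
  printf '%s\n' '203.0.113.7' '# a comment line' '' '203.0.113.7' \
    '198.51.100.0/24  # trailing comment' 'not-an-ip' '203.0.113.300' > "$f"
  printf '%s' "$f"
}

# Dry run: show the rules that would be inserted for the sample file.
if [ "${1:-}" = "--demo" ]; then
  sample=$(make_sample_blacklist)
  IPTABLES=echo load_blacklist "$sample" sshd
  rm -f "$sample"
fi
```

Run it with --demo to see the two rules the sample file produces and the three lines it rejects. In an action.d file the same two helpers would be called from actionban and actionstart respectively, with the real iptables binary.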