For the past 48 hours (and counting), one of the web servers that I'm responsible for has been getting assaulted by what I can only guess is a botnet of some kind.
The server has been getting a mega crap-ton of connections that look like this in the log:
[RANDOM IP ADDRESS] - - [05/Sep/2013:13:37:49 -0400] "POST / HTTP/1.1" 200 26001 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
Basically a lot of zombie computers are connecting to my server and trying to send it information. Each of those POSTs has to be accepted, processed and answered (the 200 status and the 26001-byte response in the log line show Apache serving a full page for every one of them), which is what the server is supposed to do, but thousands of these attempts are happening every hour. The effect is that the server can't do its job for those of us who might actually want to see what it is offering.
To use a buzz-word: My server has been the victim of a Distributed Denial of Service Attack (or DDoS for short).
So, fail2ban to the rescue. In the 2 hours since I activated fail2ban, I've blocked more than 7000 unique IP addresses, and that number is still climbing.
But to make that work, I had to create my own custom filter for fail2ban. And, in the hopes that it may help someone else, I’m putting my settings here.
In /etc/fail2ban/jail.conf (or better, /etc/fail2ban/jail.local, which is read after jail.conf and is not overwritten by package upgrades), I added this stanza to activate the new filter. The section header is what names the jail, so don't leave it out:
[apache-postflood]
enabled = true
port = http,https
filter = apache-postflood
action = iptables-multiport[name=apache-postflood, port="http,https", protocol=tcp]
logpath = /var/log/apache*/*.access.log
maxretry = 2
And then the filter itself, which is stored in /etc/fail2ban/filter.d/apache-postflood.conf. The original regex ended in ."POST"* , which matches any line containing "POS followed by zero or more quote characters; the version below anchors on the whole quoted request line so it only fires on actual POST requests, and the file has the [Definition] section and the ignoreregex entry that fail2ban expects:
# Fail2Ban configuration file
# $Revision: 1 $
[Definition]
# Option: failregex
# Notes.: Regexp to catch every POST request in the Apache access log. Please
# verify that it is your intent to block IPs that send repeated POSTs:
# a legitimate visitor who submits two forms within findtime will be
# banned as well.
# Values: TEXT
failregex = ^<HOST> -.*"POST [^"]* HTTP/1\.[01]"
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =
Basically this parses the Apache access logs for two POST entries from the same IP address within the jail's findtime window. Note that the stanza above does not set findtime, so fail2ban's default of 600 seconds applies unless you override it under [DEFAULT]; to get the 5-minute window I had in mind, add findtime = 300 to the stanza. If fail2ban finds two matches in that window, the IP address is banned. Because the filter matches every POST, any real user who submits two forms in quick succession gets banned too, so raise maxretry or narrow the regex to the flooded URL once the attack subsides. Using this, my server has gone from being non-responsive to able to handle normal requests, all while dealing with the DDoS.
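To see what the filter and the jail settings actually do before switching them on, here is an added example (not from the original post) that applies the same matching to a few constructed access-log lines and counts hits per IP inside a findtime window, the way fail2ban does. It stands in a plain IPv4 pattern for fail2ban's <HOST> substitution, and the log lines, addresses and timestamps are made up for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Stand-in for fail2ban's <HOST> substitution: a plain IPv4 address.
# (fail2ban's real <HOST> also accepts hostnames, and IPv6 in newer versions.)
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The post's failregex, tightened so it only matches a quoted POST request
# line rather than any line containing "POS.
FAILREGEX = re.compile(r"^" + HOST + r' -.*"POST [^"]* HTTP/1\.[01]"')

# Apache common/combined log timestamp, e.g. [05/Sep/2013:13:37:49 -0400].
# The UTC offset is ignored: only differences between lines matter here.
TIMESTAMP = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")
EPOCH = datetime(1970, 1, 1)


def parse_line(line):
    """Return (host, seconds) for a line that matches the filter, else None."""
    m = FAILREGEX.match(line)
    if m is None:
        return None
    t = TIMESTAMP.search(line)
    if t is None:
        return None
    when = datetime.strptime(t.group(1), "%d/%b/%Y:%H:%M:%S")
    return m.group("host"), (when - EPOCH).total_seconds()


def find_bans(lines, maxretry=2, findtime=600):
    """Hosts that produce maxretry matching lines within findtime seconds,
    in the order fail2ban would ban them.  600 s is fail2ban's default
    findtime; the jail in the post does not override it."""
    recent = defaultdict(deque)   # host -> timestamps of matching lines
    banned = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, when = parsed
        if host in banned:
            continue
        hits = recent[host]
        hits.append(when)
        # Drop hits that have fallen out of the findtime window.
        while when - hits[0] > findtime:
            hits.popleft()
        if len(hits) >= maxretry:
            banned.append(host)
    return banned


# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [05/Sep/2013:13:37:49 -0400] "POST / HTTP/1.1" 200 26001 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.9 - - [05/Sep/2013:13:37:50 -0400] "GET /index.html HTTP/1.1" 200 26001 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Sep/2013:13:37:51 -0400] "POST / HTTP/1.1" 200 26001 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.9 - - [05/Sep/2013:13:40:00 -0400] "POST /contact HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Sep/2013:13:55:00 -0400] "POST /contact HTTP/1.1" 200 512 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    # The bot is banned on its second POST two seconds later; the visitor who
    # submits two forms 15 minutes apart is not, unless findtime is raised.
    print(find_bans(SAMPLE_LOG))                  # ['198.51.100.7']
    print(find_bans(SAMPLE_LOG, findtime=1200))   # ['198.51.100.7', '203.0.113.9']
```

Against the real log, the equivalent check is fail2ban's own test tool, which runs a filter file over a log file and reports how many lines matched: fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-postflood.conf. Run it before enabling the jail; if the match count is close to the number of lines in the log, the regex is catching more than the flood.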
So I say again: fail2ban, I LOVE YOU!