
Fail2ban and nginx: blocking unwanted traffic to a specific URL

Good day!

A few days ago I noticed suspicious activity on one of my websites: a password brute-force attack. It started right when dumps with several million email accounts and passwords appeared on the net. After I banned a few addresses in iptables, the attackers began guessing passwords from a large number of addresses, and banning them by hand became impractical. How this problem was solved is described below the cut.

Some of what follows may be "common knowledge", but for me this use of fail2ban was new and very helpful. The following how-to is written for RedHat-based Linux, but it can easily be adapted to any distribution.

If the rpmforge repository is not yet enabled, enable it:

 wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
 rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt
 rpm -i rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm

First configure the nginx limit_req module.

Add to the http {} section:
 limit_req_zone $binary_remote_addr zone=one:10m rate=5r/s;

Choose the zone parameters to suit your site; they are described in the module's documentation.

In the server {} section, add a location that captures the URL receiving the malicious traffic (in my case this is /auth/):
 location /auth/ {
     limit_req zone=one burst=10 nodelay;
     try_files $uri /index.php?q=$uri&$args;
 }

Or, for example, for WordPress:
 location = /wp-login.php {
     limit_req zone=one burst=10 nodelay;
     include fastcgi_params;
     fastcgi_pass 127.0.0.1:9000;
 }

Check the configuration for mistakes and restart nginx:
 nginx -t && service nginx restart 

If everything is configured correctly and malicious traffic is still arriving at the server, the nginx error log will contain entries like this:
 2014/09/11 02:15:11 [error] 17515#0: *1977466 limiting requests, excess: 10.540 by zone "one", client: 93.170.112.10, server: , request: "GET /auth/ HTTP/1.1", host: "" 

This means the per-second request limit has started to apply to the attackers.
Now to the banning itself: install fail2ban:
 yum install fail2ban -y 

In your favourite editor, create the file /etc/fail2ban/filter.d/nginx-req-limit.conf with the contents:
 [Definition]
 failregex = ^\s*\[error\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ by zone "[^"]+", client: <HOST>
 ignoreregex =

Take the default jail.conf as a starting point:
 cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

And add to the end of jail.local:
 [nginx-req-limit]
 enabled = true
 filter = nginx-req-limit
 action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
 logpath = /var/log/nginx/*error.log
 findtime = 600
 bantime = 7200
 maxretry = 10

Tune the parameters to your needs; they are described in the fail2ban documentation.
Edit /etc/fail2ban/action.d/sendmail.conf, putting the required addresses into dest and sender (notifications will be sent if sendmail is configured on the server).
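To see how the filter and the jail parameters interact before relying on them, here is a small emulation I added (not part of the original post and not fail2ban's own code): it applies the failregex above to nginx error-log lines and bans a client once it has maxretry matches inside a sliding findtime window. The log lines and the 203.0.113.x addresses are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The failregex from the nginx-req-limit filter. fail2ban strips the leading
# timestamp itself, so the pattern starts at "[error]"; fail2ban's <HOST>
# placeholder is replaced here by a named group.
FAILREGEX = re.compile(
    r'^\s*\[error\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ '
    r'by zone "[^"]+", client: (?P<host>[0-9a-fA-F.:]+)'
)
NGINX_TS = "%Y/%m/%d %H:%M:%S"  # nginx error-log timestamp format

def parse_line(line):
    """Return (timestamp, client address) for a limit_req entry, else None."""
    try:
        ts = datetime.strptime(line[:19], NGINX_TS)
    except ValueError:
        return None
    m = FAILREGEX.match(line[19:])
    return (ts, m.group("host")) if m else None

def hosts_to_ban(lines, findtime=600, maxretry=10):
    """Emulate the jail: a host is banned once it has maxretry matching
    entries inside a sliding window of findtime seconds."""
    window = timedelta(seconds=findtime)
    hits, banned = defaultdict(list), []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        if host in banned:
            continue
        # keep only this host's hits still inside the window, then add this one
        hits[host] = [t for t in hits[host] if ts - t <= window] + [ts]
        if len(hits[host]) >= maxretry:
            banned.append(host)
    return banned

def _entry(ts, client):  # constructed log line in the format shown above
    return (f'{ts.strftime(NGINX_TS)} [error] 17515#0: *1977466 limiting requests, '
            f'excess: 10.540 by zone "one", client: {client}, server: , '
            f'request: "GET /auth/ HTTP/1.1", host: ""')

_base = datetime(2014, 9, 11, 2, 15, 11)
SAMPLE_LOG = (  # constructed: 10 hits in 9 s, 10 hits 2 min apart, one unrelated error
    [_entry(_base + timedelta(seconds=i), "203.0.113.10") for i in range(10)]
    + [_entry(_base + timedelta(minutes=2 * i), "203.0.113.20") for i in range(10)]
    + [f'{_base.strftime(NGINX_TS)} [error] 17515#0: *1 open() "/x" failed (2: No such file)']
)
```

With the post's findtime=600 / maxretry=10 only the burst from 203.0.113.10 is banned; raising findtime to 1200 also catches the slower 203.0.113.20, which is the trade-off these two parameters control.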
Run fail2ban:
 service fail2ban start 

Watch the log:
 tail -f /var/log/fail2ban.log

If there are entries like:
 2014-09-10 21:32:20,575 fail2ban.actions: WARNING [nginx-req-limit] Ban 178.92.194.221
 2014-09-10 21:37:33,136 fail2ban.actions: WARNING [nginx-req-limit] Ban 37.144.59.125

then everything is working as it should and the attackers are being banned.

PROFIT!

PS And how do you use fail2ban? :)

Source: https://habr.com/ru/post/236859/
