A while ago I set up a forum, and for no apparent reason it got DDoSed.
Since the traffic came from a large number of Taiwanese IPs, there was no way to block them one by one in the application or with the firewall (iptables).
I found the tool fail2ban online; so far it has worked well, so here are the steps I used.

Install
sudo apt-get install fail2ban

Edit the configuration. Since I am detecting and blocking on the HTTP side, append the following section to the end of /etc/fail2ban/jail.conf:
[http-get-dos]

enabled = true
port = http,https
filter = http-get-dos
# Which log file to watch; how it is matched is defined under /etc/fail2ban/filter.d
logpath = /var/log/apache2/access.log
# Maximum number of matches within findtime before a host is treated as abusive
maxretry = 50
# Length of the detection window, in seconds
findtime = 300
# How long to block a host that exceeded the limit, also in seconds
bantime = 6000
# What the block action is; the details are defined in /etc/fail2ban/action.d
action = iptables[name=HTTP, port=http, protocol=tcp]
         iptables[name=HTTPS, port=https, protocol=tcp]

Define the filter. Because a new [http-get-dos] jail was added, a matching file has to be added at /etc/fail2ban/filter.d/http-get-dos.conf:
# Fail2Ban configuration file
# Author: http://www.go2linux.org
[Definition]

# Option: failregex
# The regular expression used to match lines of the log file defined above.
# <HOST> is fail2ban's placeholder for the client address and is required,
# otherwise fail2ban has no IP to ban.

failregex = ^<HOST> -.*\"(GET|POST).*

# Option: ignoreregex
# Regular expression for cases that should be exempted from matching.

ignoreregex =
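To make the jail settings and the filter concrete, here is an added Python example, not from the post and not fail2ban's own code, that replays constructed Apache access-log lines through the same counting rule: failregex with <HOST> matched as an IPv4 address (an assumption; fail2ban's real host pattern is broader), a sliding findtime window of 300 s, maxretry = 50, and a bantime of 6000 s, which is why an unban appears 100 minutes after a ban. The hosts, timestamps and request lines are made up.

```python
import re
from datetime import datetime, timedelta

# Jail settings taken from the [http-get-dos] section above.
MAXRETRY = 50
FINDTIME = 300    # seconds
BANTIME = 6000    # seconds (= 100 minutes)

# fail2ban replaces <HOST> in failregex with its host/IP pattern at load time.
# A plain IPv4 pattern stands in for it here (assumption: fail2ban's real
# pattern also covers hostnames, and IPv6 in newer versions).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(r"^" + HOST_RE + r" -.*\"(GET|POST).*")
IGNOREREGEX = None  # the post leaves ignoreregex empty

# Timestamp inside an Apache combined-log line: [16/Nov/2013:21:44:40 +0800]
TIME_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

# Start time of the constructed sample traffic (made-up value).
DEMO_START = datetime(2013, 11, 16, 21, 40, 0)


def parse_line(line):
    """Return (host, timestamp) if the line matches failregex and not
    ignoreregex, otherwise None."""
    m = FAILREGEX.match(line)
    if m is None:
        return None
    if IGNOREREGEX is not None and IGNOREREGEX.search(line):
        return None
    t = TIME_RE.search(line)
    if t is None:
        return None
    ts = datetime.strptime(t.group(1), "%d/%b/%Y:%H:%M:%S")
    return m.group("host"), ts


def simulate(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay log lines (in time order) through fail2ban-style counting.

    Per host, matches older than `findtime` seconds fall out of a sliding
    window; when the window reaches `maxretry` the host is banned for
    `bantime` seconds, and matches while banned are ignored (fail2ban logs
    those as 'already banned').  Returns [(host, ban_at, unban_at), ...].
    """
    window = {}    # host -> match timestamps still inside findtime
    unban_at = {}  # host -> time the current ban expires
    bans = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, ts = parsed
        if host in unban_at:
            if ts < unban_at[host]:
                continue           # 'already banned'
            del unban_at[host]     # ban expired: count again from scratch
        hits = [t for t in window.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        hits.append(ts)
        if len(hits) >= maxretry:
            expiry = ts + timedelta(seconds=bantime)
            bans.append((host, ts, expiry))
            unban_at[host] = expiry
            hits = []
        window[host] = hits
    return bans


def make_lines(host, start, count, interval):
    """Construct synthetic Apache combined-log lines (made-up data, not real traffic)."""
    out = []
    for i in range(count):
        stamp = (start + timedelta(seconds=i * interval)).strftime("%d/%b/%Y:%H:%M:%S +0800")
        out.append(f'{host} - - [{stamp}] "GET /forum/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"')
    return out


if __name__ == "__main__":
    flood = make_lines("10.0.0.1", DEMO_START, 60, 1)    # 60 requests in 60 s
    normal = make_lines("10.0.0.2", DEMO_START, 20, 10)  # 20 requests over 200 s
    merged = sorted(flood + normal, key=lambda l: parse_line(l)[1])
    for host, ban_at, expiry in simulate(merged):
        print(f"Ban {host} at {ban_at:%H:%M:%S}, unban at {expiry:%H:%M:%S}")
```

Before relying on a filter, fail2ban's own fail2ban-regex tool can be run as `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/http-get-dos.conf` to report how many lines match and which hosts it extracts. Keep in mind that this filter counts every GET or POST, so a single legitimate visitor loading pages with many assets, or a NAT gateway or proxy in front of many users, can reach 50 requests in 300 seconds; the jail's ignoreip option or the filter's ignoreregex is the place to exempt such addresses. Also, jail.conf is overwritten on package upgrades, while the same section placed in /etc/fail2ban/jail.local takes precedence and survives them.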

With everything configured, restart fail2ban:
sudo /etc/init.d/fail2ban restart

Check /var/log/fail2ban.log to see whether it started properly:
2013-11-16 14:09:22,537 fail2ban.server : INFO Stopping all jails
2013-11-16 14:09:23,635 fail2ban.jail : INFO Jail 'http-get-dos' stopped
2013-11-16 14:09:24,574 fail2ban.server : INFO Exiting Fail2ban
2013-11-16 14:09:26,354 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2013-11-16 14:09:27,053 fail2ban.jail : INFO Creating new jail 'http-get-dos'
2013-11-16 14:09:27,053 fail2ban.jail : INFO Jail 'http-get-dos' uses Gamin
2013-11-16 14:09:27,059 fail2ban.filter : INFO Added logfile = /var/log/apache2/access.log
2013-11-16 14:09:27,061 fail2ban.filter : INFO Set maxRetry = 50
2013-11-16 14:09:27,068 fail2ban.filter : INFO Set findtime = 300
2013-11-16 14:09:27,071 fail2ban.actions: INFO Set banTime = 6000
2013-11-16 14:09:27,180 fail2ban.jail : INFO Jail 'http-get-dos' started

Then check the log to see whether it is actually doing its job:
2013-11-16 21:44:44,117 fail2ban.actions: WARNING [http-get-dos] Ban 114.40.56.63
2013-11-16 21:44:44,286 fail2ban.actions: WARNING [http-get-dos] Ban 125.224.169.93
2013-11-16 21:44:53,763 fail2ban.actions: WARNING [http-get-dos] 114.40.56.63 already banned
2013-11-16 21:44:54,767 fail2ban.actions: WARNING [http-get-dos] 125.224.169.93 already banned
2013-11-16 23:24:44,414 fail2ban.actions: WARNING [http-get-dos] Unban 114.40.56.63
2013-11-16 23:24:45,977 fail2ban.actions: WARNING [http-get-dos] Unban 125.224.169.93

Judging by the timestamps in the log, it only started working properly about 7 hours later, and so far I cannot figure out why.
Also, the unban mechanism ran as expected 100 minutes later, so for now it looks like it is working correctly.

Done.

Tags: Ubuntu DDoS fail2ban iptables

Posted by ieon on PIXNET