A while ago I set up a forum, and out of nowhere it got hit by a DDoS.
Since the traffic came from a large number of Taiwan IPs, there was no way to block them one by one in the application or with the firewall (iptables).
Searching online I found the tool fail2ban; so far it has worked well, so I am sharing the steps here.
Installation
    sudo apt-get install fail2ban

Edit the configuration. Since I am detecting and blocking on the HTTP side, append the following section to the end of /etc/fail2ban/jail.conf:
    [http-get-dos]
    enabled = true
    port = http,https
    filter = http-get-dos
    # Which log file to watch; how it is inspected is defined under /etc/fail2ban/filter.d
    logpath = /var/log/apache2/access.log
    # Maximum number of matches within findtime before a host is considered abnormal
    maxretry = 50
    # Observation window, in seconds
    findtime = 300
    # How long a host deemed abnormal is blocked, also in seconds
    bantime = 6000
    # What the blocking action is; the details are defined in /etc/fail2ban/action.d
    action = iptables[name=HTTP, port=http, protocol=tcp]
             iptables[name=HTTPS, port=https, protocol=tcp]

Define the filter. Since [http-get-dos] is a new jail, a matching filter file has to be added at /etc/fail2ban/filter.d/http-get-dos.conf:
    # Fail2Ban configuration file
    # Author: http://www.go2linux.org

    [Definition]

    # Option: failregex
    # The regular expression used to detect matches in the log file defined above.
    # <HOST> is fail2ban's placeholder for the client address and is required in every failregex.
    failregex = ^<HOST> -.*\"(GET|POST).*

    # Option: ignoreregex
    # Cases that should be exempted can also be written as a regular expression
    ignoreregex =

With everything configured, restart fail2ban:
    sudo /etc/init.d/fail2ban restart

Check /var/log/fail2ban.log to see whether it started up correctly:
    2013-11-16 14:09:22,537 fail2ban.server : INFO Stopping all jails
    2013-11-16 14:09:23,635 fail2ban.jail : INFO Jail 'http-get-dos' stopped
    2013-11-16 14:09:24,574 fail2ban.server : INFO Exiting Fail2ban
    2013-11-16 14:09:26,354 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
    2013-11-16 14:09:27,053 fail2ban.jail : INFO Creating new jail 'http-get-dos'
    2013-11-16 14:09:27,053 fail2ban.jail : INFO Jail 'http-get-dos' uses Gamin
    2013-11-16 14:09:27,059 fail2ban.filter : INFO Added logfile = /var/log/apache2/access.log
    2013-11-16 14:09:27,061 fail2ban.filter : INFO Set maxRetry = 50
    2013-11-16 14:09:27,068 fail2ban.filter : INFO Set findtime = 300
    2013-11-16 14:09:27,071 fail2ban.actions: INFO Set banTime = 6000
    2013-11-16 14:09:27,180 fail2ban.jail : INFO Jail 'http-get-dos' started

Next, check the log to see whether it is actually doing its job:
    2013-11-16 21:44:44,117 fail2ban.actions: WARNING [http-get-dos] Ban 114.40.56.63
    2013-11-16 21:44:44,286 fail2ban.actions: WARNING [http-get-dos] Ban 125.224.169.93
    2013-11-16 21:44:53,763 fail2ban.actions: WARNING [http-get-dos] 114.40.56.63 already banned
    2013-11-16 21:44:54,767 fail2ban.actions: WARNING [http-get-dos] 125.224.169.93 already banned
    2013-11-16 23:24:44,414 fail2ban.actions: WARNING [http-get-dos] Unban 114.40.56.63
    2013-11-16 23:24:45,977 fail2ban.actions: WARNING [http-get-dos] Unban 125.224.169.93

Judging from the timestamps in the log, it only started working properly about 7 hours later; I still cannot figure out why that is.
Also, the unban mechanism fired correctly after 100 minutes, so it looks like everything is working now.
Done.
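The jail above is really a per-IP request-rate limit: because the failregex matches every GET or POST line, maxretry and findtime together mean "more than 50 requests from one address within 300 seconds gets that address banned for 6000 seconds". The following script is an added example, not part of the original post or of fail2ban itself; it replays constructed Apache access-log lines through the same counting rules (a sliding findtime window per host) so you can see which addresses the jail would ban before pointing it at real traffic. The `<HOST>` placeholder is replaced with a plain IPv4 pattern, which is an assumption made for this stand-alone demo; fail2ban's own expansion also covers IPv6 and hostnames.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The failregex from the filter file. fail2ban expands <HOST> internally; for
# this stand-alone demo we substitute a simple IPv4 pattern (assumption).
FAILREGEX = r'^<HOST> -.*"(GET|POST).*'
HOST_PATTERN = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
FAIL_RE = re.compile(FAILREGEX.replace('<HOST>', HOST_PATTERN))

# Apache combined-log timestamp, e.g. [16/Nov/2013:21:44:40 +0800]
TIME_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]')


def parse_line(line):
    """Return (host, timestamp) if the line matches failregex, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    t = TIME_RE.search(line)
    if not t:
        return None
    ts = datetime.strptime(t.group(1), '%d/%b/%Y:%H:%M:%S')
    return m.group('host'), ts


def simulate(lines, maxretry=50, findtime=300, bantime=6000):
    """Replay log lines through the jail's counting rules.

    A host is banned once it has maxretry matching lines inside a
    findtime-second window; the ban lasts bantime seconds. Returns a list of
    (host, ban_time, unban_time) in the order the bans fired.
    """
    window = defaultdict(deque)   # host -> timestamps of recent matches
    banned_until = {}             # host -> datetime when its ban expires
    bans = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, ts = parsed
        # While a ban is active fail2ban only logs "already banned"
        if host in banned_until and ts < banned_until[host]:
            continue
        q = window[host]
        q.append(ts)
        # Drop matches that fell out of the findtime window
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned_until[host] = ts + timedelta(seconds=bantime)
            bans.append((host, ts, banned_until[host]))
            q.clear()
    return bans


def build_sample_log():
    """Constructed Apache access-log lines (sample data, not real traffic)."""
    base = datetime(2013, 11, 16, 21, 43, 0)
    fmt = ('{ip} - - [{ts} +0800] "GET /index.php HTTP/1.1" 200 512 '
           '"-" "Mozilla/5.0"')
    lines = []
    # Flood: 50 requests in 50 seconds from one address (TEST-NET-3 range)
    for i in range(50):
        ts = (base + timedelta(seconds=i)).strftime('%d/%b/%Y:%H:%M:%S')
        lines.append(fmt.format(ip='203.0.113.5', ts=ts))
    # Normal browsing: 10 requests spread over 20 minutes from another address
    for i in range(10):
        ts = (base + timedelta(minutes=2 * i)).strftime('%d/%b/%Y:%H:%M:%S')
        lines.append(fmt.format(ip='198.51.100.7', ts=ts))
    # Same day throughout, so sorting on the timestamp text is chronological
    return sorted(lines, key=lambda l: TIME_RE.search(l).group(1))


if __name__ == '__main__':
    for host, banned_at, until in simulate(build_sample_log()):
        print(f'Ban {host} at {banned_at}, unban at {until}')
```

The flooding address trips the threshold on its 50th request and is banned for 6000 seconds (the 100 minutes seen between the Ban and Unban entries above), while the slow browser never accumulates 50 matches inside any 300-second window. To test the real filter against the real log instead of a simulation, fail2ban ships the `fail2ban-regex` tool, e.g. `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/http-get-dos.conf`, which reports how many lines the failregex matched.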
It works, thank you!!!!!!