I was an Apache user for some 9-10 years and switched everything to Nginx
about 8 months ago and have never looked back. Nginx has built-in rate
limiting functions that mod_evasive can’t come even close to. I am not
knocking blocking IPs at the firewall level, but firewall rules that rate limit
all connections like the one below are also extremely likely to block valid users,
especially when running WordPress sites that open multiple connections for
just one user viewing 2-3 pages.

If you really want a solution that will work now and forever, I highly
suggest you take some time and learn Nginx. It’s super easy to switch to,
it’s unbreakable and rock solid, and its ways of configuring and testing
configs outmatch anything Apache has been able to do up to this day.

Just my ten cents

Happy New Year to you all


From: Grant <emailgr...@gmail.com>
Reply: Grant <emailgr...@gmail.com>
Date: 30 December 2016 at 2:36:16 PM
To: Michael Fox <n...@mefox.org>
Cc: Fail2Ban-Users Distribution List <fail2ban-users@lists.sourceforge.net>
Subject: Re: [Fail2ban-users] fail2ban for a range of IPs

> I haven't followed this thread all that closely, so forgive me if this is a
> repeat.
>
> Not a fail2ban solution, but:
>
> Here's a snippet from an iptables config file. The comments should be
> self-explanatory. This applies to all source and destination addresses.
> But you could augment by setting the source and/or destination address(es).
> Perhaps even make a config file where you can list the CIDR blocks for which
> you want the rule to apply, and then use a shell script to generate the
> iptables commands based on the config file.
>
> Michael
>
>
> # TCP DDoS Prevention
> #--------------------------------------------
> # Places an overall rate limit on all connections.
> #
> # Leaky bucket analogy for the 'limit' match:
> # Each match empties the bucket by one token.
> # --limit-burst = size of the bucket
> # --limit = refill rate
> # Example: --limit 3/minute --limit-burst 5
> # For each match, one token is removed from the bucket.
> # After 5 matches (with no refill), the bucket is empty.
> # Every 20 seconds the bucket is refilled with 1 token up to a max of 5.
>
> # Limit total of all new connection attempts to 5/second; burst of 20
> $ipt -A tcp_rate -p tcp -m state --state NEW \
>     -m limit --limit 5/second --limit-burst 20 -j RETURN
> $ipt -A tcp_rate -p tcp -m state --state NEW -j LOG \
>     --log-level debug --log-prefix "IPTables TCP Rate1: "
> $ipt -A tcp_rate -p tcp -m state --state NEW -j DROP


Thank you but I'm looking for something that will work without
specifying the bad IPs in advance. And if I apply a rule like this to
all clients then a connection coming from a good client will be just
as likely to be dropped as a connection coming from a bad client.

- Grant


>> > Well, yes, for my apache server I use the mod_evasive plugin. A quick
>> > search on the web seems to indicate that mod_evasive isn't available for
>> > nginx (at least according to this post) but apparently there is an nginx
>> > alternative:
>> >
>> > http://stackoverflow.com/questions/4849094/mod-evasive-for-nginx
>> >
>> > Good luck with it. Installation might seem somewhat daunting at
>> > first but if you find the right instructions it will probably be
>> > straightforward (mod_evasive was).
>>
>>
>> I don't understand how mod_evasive could help when a series of
>> sequential IPs are making too many combined requests but no single IP
>> is making too many requests by itself.
>>
>> - Grant
>>
>>
>> >> > Fail2ban works when the attacker can be distinguished in some way (other
>> >> > than rate) from an ordinary person browsing your site.
>> >> > If these ten hosts aren't attempting a "brute force" or "dictionary"
>> >> > attack ..ie if they are doing nothing more than requesting web pages
>> >> > (at a fast rate), then fail2ban is probably not the right tool.
>> >>
>> >>
>> >> Any idea what the right tool would be? nginx doesn't seem to have
>> >> anything like that.
>> >>
>> >> - Grant
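As an added example (not code from the thread or from any of its participants), the script below follows Michael's suggestion of generating iptables commands from a config file, but keys the limit on the source /24 with the hashlimit match instead of using one global limit. That addresses Grant's two objections at once: no bad IPs have to be listed in advance, and a well-behaved client in another range is not competing for the same bucket as the noisy range. The config lists the destination CIDR blocks to protect (constructed sample values); the chain name and `$IPT` mirror the quoted snippet, and the rate, burst and mask values are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates iptables rules for a
# list of protected destination CIDR blocks read from a config, using the
# hashlimit match keyed on the source /24 so that each source range gets its
# own token bucket. Variable names, chain name and the limits are assumptions.

IPT="${IPT:-iptables}"       # mirrors the $ipt variable in the quoted snippet
CHAIN="${CHAIN:-tcp_rate}"   # chain name taken from the quoted snippet
RATE="${RATE:-20/second}"    # new connections allowed per source /24 (assumed)
BURST="${BURST:-40}"         # bucket size per source /24 (assumed)
SRCMASK="${SRCMASK:-24}"     # group sources into /24 buckets (assumed)

# Constructed sample config: destination CIDR blocks to protect, one per line.
SAMPLE_CIDRS='# addresses the web server listens on
203.0.113.0/24
198.51.100.0/24
'

# emit_rules INDEX CIDR
# Same three-rule pattern as the thread (RETURN under the limit, then LOG,
# then DROP), but the limit rule keys its bucket on the source /SRCMASK.
# hashlimit table names are kept short (the kernel limits their length),
# so the config line number is used instead of the CIDR itself.
emit_rules() {
  idx="$1"; cidr="$2"
  printf '%s -A %s -d %s -p tcp -m state --state NEW -m hashlimit --hashlimit-name rl%s --hashlimit-mode srcip --hashlimit-srcmask %s --hashlimit-upto %s --hashlimit-burst %s -j RETURN\n' \
    "$IPT" "$CHAIN" "$cidr" "$idx" "$SRCMASK" "$RATE" "$BURST"
  printf '%s -A %s -d %s -p tcp -m state --state NEW -j LOG --log-level debug --log-prefix "IPTables TCP Rate %s: "\n' \
    "$IPT" "$CHAIN" "$cidr" "$idx"
  printf '%s -A %s -d %s -p tcp -m state --state NEW -j DROP\n' \
    "$IPT" "$CHAIN" "$cidr"
}

# gen_rate_rules < config
# Reads CIDRs from stdin, ignores blank lines and '#' comments, prints rules.
gen_rate_rules() {
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"                            # drop trailing comment
    line="$(printf '%s' "$line" | tr -d ' \t')"   # drop whitespace
    [ -z "$line" ] && continue
    n=$((n + 1))
    emit_rules "$n" "$line"
  done
}

# count_rules < config : number of rule lines the config produces
count_rules() { gen_rate_rules | wc -l | tr -d ' '; }

# Usage: printf '%s' "$SAMPLE_CIDRS" | gen_rate_rules
```

Two caveats worth keeping in mind before loading the output. `--hashlimit-srcmask 24` buckets sources by aligned /24, so a run of sequential addresses that straddles a /24 boundary lands in two buckets and each gets the full allowance; pick the mask to match the ranges you actually see. And everything behind one NAT address shares a bucket, which is the same trap the first message describes with WordPress opening several connections per page view, so size `RATE` and `BURST` against a real page load rather than a single request.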

------------------------------------------------------------------------------

Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users