> I was an Apache user for some 9-10 years and switched everything to Nginx
> about 8 months ago and have never looked back. Nginx has built-in rate
> limiting functions that mod_evasive can't come even close to. I am not
> knocking blocking IPs at firewall level, but firewall rules that rate limit
> all connections like below are also extremely likely to block valid users,
> especially when running WordPress sites that open multiple connections for
> just one user viewing 2-3 pages.
>
> If you really want a solution that will work now and forever I highly
> suggest you take some time and learn Nginx. It's super easy to switch to,
> it's unbreakable and rock solid, and their ways of configuring and testing
> configs outmatch anything Apache has been able to do up to this day.
I agree. I switched to nginx from apache a while back and I love it. But
the nginx rate limiting can't do anything like block a series of sequential
IPs that are making too many combined requests when no single IP is making
too many requests by itself.

- Grant

>> I haven't followed this thread all that closely, so forgive me if this is
>> a repeat.
>>
>> Not a fail2ban solution, but:
>>
>> Here's a snippet from an iptables config file. The comments should be
>> self-explanatory. This applies to all source and destination addresses.
>> But you could augment by setting the source and/or destination
>> address(es). Perhaps even make a config file where you can list the CIDR
>> blocks for which you want the rule to apply, and then use a shell script
>> to generate the iptables commands based on the config file.
>>
>> Michael
>>
>>
>> # TCP DDoS Prevention
>> #--------------------------------------------
>> # Places an overall rate limit on all connections.
>> #
>> # Leaky bucket analogy for the 'limit' match:
>> # Each match empties the bucket by one token.
>> # --limit-burst = size of the bucket
>> # --limit = refill rate
>> # Example: --limit 3/minute --limit-burst 5
>> # For each match, one token is removed from the bucket.
>> # After 5 matches (with no refill), the bucket is empty.
>> # Every 20 seconds the bucket is refilled with 1 token up to a max of 5.
>>
>> # Limit total of all new connection attempts to 5/second; burst of 20
>> $ipt -A tcp_rate -p tcp -m state --state NEW \
>> -m limit --limit 5/second --limit-burst 20 -j RETURN
>> $ipt -A tcp_rate -p tcp -m state --state NEW -j LOG \
>> --log-level debug --log-prefix "IPTables TCP Rate1: "
>> $ipt -A tcp_rate -p tcp -m state --state NEW -j DROP
>
>
> Thank you, but I'm looking for something that will work without
> specifying the bad IPs in advance.
> And if I apply a rule like this to all clients, then a connection coming
> from a good client will be just as likely to be dropped as a connection
> coming from a bad client.
>
> - Grant
>
>
>>> > Well, yes, for my apache server I use the mod_evasive plugin. A quick
>>> > search on the web seems to indicate that mod_evasive isn't available
>>> > for nginx (at least according to this post), but apparently there is an
>>> > nginx alternative:
>>> >
>>> > http://stackoverflow.com/questions/4849094/mod-evasive-for-nginx
>>> >
>>> > Good luck with it. Installation might seem somewhat daunting at
>>> > first, but if you find the right instructions it will probably be
>>> > straightforward (mod_evasive was).
>>>
>>>
>>> I don't understand how mod_evasive could help when a series of
>>> sequential IPs are making too many combined requests but no single IP
>>> is making too many requests by itself.
>>>
>>> - Grant
>>>
>>>
>>> >> > Fail2ban works when the attacker can be distinguished in some way
>>> >> > (other than rate) from an ordinary person browsing your site.
>>> >> > If these ten hosts aren't attempting a "brute force" or "dictionary"
>>> >> > attack, i.e. if they are doing nothing more than requesting web pages
>>> >> > (at a fast rate), then fail2ban is probably not the right tool.
>>> >>
>>> >>
>>> >> Any idea what the right tool would be? nginx doesn't seem to have
>>> >> anything like that.
>>> >>
>>> >> - Grant

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
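The gap Grant keeps pointing at in this thread is that per-IP limiters (nginx limit_req, mod_evasive, a stock fail2ban filter) never see the aggregate, while the quoted iptables `limit` match sees only the aggregate and so throttles good and bad clients alike. The script below is an added example, not code from anyone on this list: it parses nginx "combined" access-log lines, collapses each client address to its covering /24 (a /64 for IPv6, a labelled assumption), and reports prefixes whose combined request rate in a sliding window crosses a threshold while reporting how many distinct hosts and how busy the single busiest host was, so an operator can tell "ten neighbouring hosts at 8 requests each" apart from "one host at 80". The sample log, the thresholds, and the function names are all constructed for this example.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# nginx "combined" format: ip - - [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip_address, datetime) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return ipaddress.ip_address(m.group("ip")), ts


def prefix_of(ip, prefix_len=24):
    """Collapse an address to its covering network (assumption: /24 for IPv4,
    /64 for IPv6, the usual per-customer allocation size)."""
    plen = prefix_len if ip.version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def max_in_window(timestamps, window):
    """Largest number of events that fall inside any span of `window` seconds."""
    ts = sorted(timestamps)
    best, left = 0, 0
    for right, t in enumerate(ts):
        while (t - ts[left]).total_seconds() > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def find_abusive_prefixes(lines, window=60, prefix_len=24,
                          prefix_threshold=50, per_ip_threshold=20):
    """Report prefixes whose combined rate crosses prefix_threshold in any
    `window`-second span, together with how the load was spread across hosts."""
    by_prefix = defaultdict(list)   # network -> [timestamps]
    by_ip = defaultdict(list)       # address -> [timestamps]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # skip unparsable lines instead of crashing
        ip, ts = parsed
        by_ip[ip].append(ts)
        by_prefix[prefix_of(ip, prefix_len)].append(ts)

    findings = {}
    for net, stamps in by_prefix.items():
        peak = max_in_window(stamps, window)
        if peak < prefix_threshold:
            continue
        members = [ip for ip in by_ip if ip in net]
        per_ip_peaks = {ip: max_in_window(by_ip[ip], window) for ip in members}
        findings[str(net)] = {
            "requests": peak,
            "distinct_ips": len(members),
            "max_per_ip": max(per_ip_peaks.values()),
            # True if an ordinary per-IP limiter would already have caught it
            "any_single_ip_over": any(p >= per_ip_threshold
                                      for p in per_ip_peaks.values()),
        }
    return findings


def make_sample_log():
    """Constructed sample: ten neighbouring hosts in 203.0.113.0/24 fetch 8 pages
    each within one minute (80 total), and one ordinary visitor at 198.51.100.7
    loads a page with 12 assets. One garbage line exercises the parser guard."""
    fmt = ('{ip} - - [10/Oct/2016:13:55:{sec:02d} +0000] '
           '"GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    lines = []
    for host in range(1, 11):
        for n in range(8):
            lines.append(fmt.format(ip=f"203.0.113.{host}",
                                    sec=(host * 5 + n) % 60,
                                    path=f"/page{n}.html"))
    for n in range(12):
        lines.append(fmt.format(ip="198.51.100.7", sec=n, path=f"/asset{n}.css"))
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for net, info in find_abusive_prefixes(make_sample_log()).items():
        print(net, info)
```

On the sample, 203.0.113.0/24 is reported with 80 requests from 10 hosts peaking at 8 each and `any_single_ip_over` false, which is exactly the case no per-IP limiter sees, while the WordPress-style visitor's 12 requests stay well under the prefix threshold. A finding could be handed to a fail2ban action or an iptables rule keyed on the whole network rather than a single address, but look at `distinct_ips` before acting: a /24 behind a NAT gateway or a campus proxy shows up as many requests from one or two addresses, and blocking the prefix would cut off every user behind it.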