Blocking DDoS attacks with Fail2ban

Environment

AWS EC2, Tokyo Region
ALB placed in front of the instance

Use case

The AWS WAF rate limit can only block requests from an IP once it exceeds a certain rate (roughly 2000 requests per 5 minutes),

and the block is lifted as soon as that IP's request rate drops again,

so intermittent but sustained DDoS behaviour cannot be blocked completely.

After asking AWS support, we were advised to use fail2ban; it works normally even with an ALB in front.


Installing Fail2ban

sudo yum install fail2ban -y
cd /etc/fail2ban

Edit fail2ban.conf

Change the log target from SYSLOG to /var/log/fail2ban.log

Edit jail.conf and add a new rule

[nginx-proxy]
# whether this jail is enabled
enabled = true
port = http
filter = nginx-proxy
logpath = /var/log/nginx/access.log
# ban after this many matching requests ...
maxretry = 400
# ... seen within this many seconds
findtime = 60
# ban duration, in seconds
bantime = 600
action = iptables-proxy[name=nginx-proxy, port=http, protocol=tcp]

Add nginx-proxy.conf under filter.d

[Definition]
# Match any GET/POST request line and take the client address from the quoted
# $http_x_forwarded_for field that the stock nginx.conf "main" log_format
# places at the end of each access log line.
failregex = \"(GET|POST).*\"<HOST>
ignoreregex =
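
To see how the jail above turns the filter's matches into a ban decision, here is an added Python simulation (not from the original post and not fail2ban's own code) that applies the nginx-proxy failregex to constructed access log lines and counts matches per X-Forwarded-For address inside a findtime window. It assumes the timestamp is supplied alongside each line rather than parsed from it, and it ignores captured text that is not a valid IP address.

```python
import re
import ipaddress
from collections import defaultdict, deque

# Jail parameters from the jail.conf section above.
MAXRETRY, FINDTIME, BANTIME = 400, 60, 600
# fail2ban expands <HOST> to this group; the pattern is the nginx-proxy failregex.
HOST = r'(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)'
FAILREGEX = re.compile(r'"(GET|POST).*"' + HOST)

def client_ip(line):
    """Address the filter extracts from one log line; None if the line does not
    match or the captured text is not a valid IP address (e.g. an empty "-" field)."""
    m = FAILREGEX.search(line)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group('host')))
    except ValueError:
        return None

def simulate_jail(entries, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """entries: (epoch seconds, log line) pairs in time order. Returns
    {ip: (ban_start, ban_end)} for each address that reaches maxretry matches
    inside a sliding findtime-second window, the rule the jail applies."""
    hits, bans = defaultdict(deque), {}
    for ts, line in entries:
        ip = client_ip(line)
        if ip is None or ip in bans:
            continue
        q = hits[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:   # forget matches older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = (ts, ts + bantime)
    return bans

# Constructed lines in the stock nginx.conf "main" log_format, whose last quoted
# field is $http_x_forwarded_for (the client address the ALB forwards).
LOG = ('10.0.1.5 - - [10/Oct/2023:12:00:{sec:02d} +0000] "GET / HTTP/1.1" '
       '200 612 "-" "ab/2.3" "{xff}"')

def sample_entries():
    """203.0.113.7 sends 450 requests in 45 s (over maxretry within findtime);
    198.51.100.9 sends 300 in 60 s and stays under the limit."""
    base = 1696939200  # 2023-10-10 12:00:00 UTC
    flood = [(base + i // 10, LOG.format(sec=i // 10, xff='203.0.113.7')) for i in range(450)]
    steady = [(base + i // 5, LOG.format(sec=i // 5, xff='198.51.100.9')) for i in range(300)]
    return sorted(flood + steady, key=lambda e: e[0])
```

Running simulate_jail(sample_entries()) bans only 203.0.113.7, at the second its 400th request arrives; a multi-hop X-Forwarded-For such as "203.0.113.7, 10.0.0.1" still yields the first address because <HOST> stops at the comma.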

Add iptables-proxy.conf under action.d

# Fail2Ban configuration file
#
# Author: Centos.Tips
#
# Because the ALB terminates the client connection, the source address seen
# by iptables is the load balancer's, so this action matches the banned IP
# in the X-Forwarded-For header of the packet payload instead.
#

[INCLUDES]

before = iptables-blocktype.conf

[Definition]

# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
# Continuation lines of a multi-line value must be indented.
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>

# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# The string match is a plain substring match on each packet, so
# 'X-Forwarded-For: 203.0.113.4' also matches 203.0.113.40-49.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = iptables -I fail2ban-<name> 1 -p <protocol> --dport <port> -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP

# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = iptables -D fail2ban-<name> -p <protocol> --dport <port> -m string --algo bm --string 'X-Forwarded-For: <ip>' -j DROP

[Init]

# Default name of the chain
#
name = default

# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ] Default:
#
port = http

# Option: protocol
# Notes.: internally used by config reader for interpolations.
# Values: [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp

# Option: chain
# Notes.: specifies the iptables chain to which the fail2ban rules should be
# added
# Values: STRING Default: INPUT
chain = INPUT

Restart Nginx and fail2ban to apply the rules

sudo service nginx restart
sudo service fail2ban restart

If fail2ban fails to start, a rule is probably malformed or one of the conf files was not added correctly.

The log level in fail2ban.conf can be lowered to 1;

the default of 3 produces rather verbose logs.

You can use a load-testing tool to verify the setup, e.g.

ab -c 10 -n 1000 http://<ALB domain name>/

and then check whether a blocking rule was added to iptables automatically:

sudo iptables -L

References

Fail2Ban Behind A Proxy/Load Balancer

Notes on fighting DDoS: nginx, iptables and fail2ban