A minha tarefa, além de testar a ferramenta ab, era também implementar um método para evitar qualquer DDoS direcionado ao Apache.
A instalação é muito fácil:
Debian/Ubuntu Server:
apt-get install fail2ban
CentOS:
É necessário a instalação dos repositórios epel:
yum install fail2ban
2 - Edite o arquivo /etc/fail2ban/jail.conf e adicione os dados abaixo:
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache2/SEU_ARQUIVO_DE_ACCESS_LOG
# maxretry is how many GETs we can have in the findtime period before getting narky
maxretry = 300
# findtime is the time period in seconds in which we're counting "retries" (300 seconds = 5 mins)
findtime = 300
# bantime is how long we should drop incoming GET requests for a given IP for, in this case it's 5 minutes
bantime = 300
action = iptables[name=HTTP, port=http, protocol=tcp]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache2/SEU_ARQUIVO_DE_ACCESS_LOG
# maxretry is how many GETs we can have in the findtime period before getting narky
maxretry = 300
# findtime is the time period in seconds in which we're counting "retries" (300 seconds = 5 mins)
findtime = 300
# bantime is how long we should drop incoming GET requests for a given IP for, in this case it's 5 minutes
bantime = 300
action = iptables[name=HTTP, port=http, protocol=tcp]
NÃO SE ESQUEÇA de incluir o caminho completo ao seu access.log.
3 - Vamos precisar criar o arquivo de filtro, então crie o arquivo /etc/fail2ban/filters.d/http-get-dos.conf e adicione o conteúdo abaixo:
# Fail2Ban configuration file
#
# Author: http://www.go2linux.org
#
[Definition]
# Option: failregex
# Note: This regex will match any GET entry in your logs, so basically all valid and not valid entries are a match.
# You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives.
failregex = ^<HOST> -.*\"(GET|POST).*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
4 - Reinicie o fail2ban.
/etc/init.d/fail2ban restart
Pronto!
Se você quiser testar a eficácia do fail2ban:
ab -n 500 -c 10 http://seuservidorouwebsite/
O conteúdo de /var/log/fail2ban.log deverá ser igual a este:
2013-06-22 05:37:21,943 fail2ban.actions: WARNING [http-get-dos] Ban SEU_ENDEREÇO_IP
2013-06-22 05:42:22,341 fail2ban.actions: WARNING [http-get-dos] Unban SEU_ENDEREÇO_IP
Simples e funcional! ;-)
Post original: http://r3dux.org/2013/06/how-to-stop-apache-dos-attacks-with-fail2ban/
Até a próxima!
Nenhum comentário:
Postar um comentário