#1
26th June 2010, 19:40
Sinchan
fail2ban against slowloris DDOS, is it possible?

Hi all,

Yesterday I tried a little test, attacking my ISPConfig server with a slowloris DDoS.
I had enabled the Apache banning rules before doing the little test.
This is my jail.conf:

Code:
[apache]

enabled = true
port    = http,https
filter  = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6

[apache-multiport]

enabled   = true
port      = http,https
filter    = apache-auth
logpath   = /var/log/apache*/*error.log
maxretry  = 6

[apache-noscript]

enabled = true
port    = http,https
filter  = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6

[apache-overflows]

enabled = true
port    = http,https
filter  = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2

When I started attacking my server with slowloris, the web server went down and fail2ban didn't do anything.

Here is the Apache error.log (a hundred lines, actually):
Code:
[...]
[Fri Jun 25 22:07:38 2010] [error] [client 111.222.333.444] request failed: error reading the headers
[Fri Jun 25 22:07:38 2010] [error] [client 111.222.333.444] request failed: error reading the headers
[Fri Jun 25 22:07:39 2010] [error] [client 111.222.333.444] request failed: error reading the headers
[Fri Jun 25 22:07:41 2010] [error] [client 111.222.333.444] request failed: error reading the headers
[...]

My question is: is it possible to prevent a DDoS attack such as slowloris with fail2ban?
Or maybe any other suggestion to prevent this attack?
Any help is really appreciated.
#2
26th June 2010, 20:02
till

I think it should be possible, as fail2ban detects anomalies in log files with regular expressions. I'm not a fail2ban expert, so I'm not able to tell you in detail how to write that rule, but I think it should be possible. Maybe you will find the solution already by looking at the other Apache filter definitions.
__________________
Till Brehm
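
The approach till describes, as an added example that is not part of the original thread: a Python check of a candidate fail2ban-style regex against the error.log format quoted in post #1, with the per-host maxretry/findtime counting a jail would apply. The pattern itself, the function name find_bans, the 600-second findtime and the sample addresses are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Candidate pattern for the error.log lines quoted in the thread (Apache 2.2 format).
# In a fail2ban filter file the named host group would be written as <HOST>.
FAILREGEX = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<host>\S+)\] "
    r"request failed: error reading the headers$"
)

def find_bans(lines, maxretry=6, findtime=600):
    """Return hosts, in order, that reach maxretry matches within findtime seconds."""
    window = timedelta(seconds=findtime)
    hits = defaultdict(deque)      # host -> timestamps of recent matches
    banned = []
    for line in lines:
        m = FAILREGEX.match(line.strip())
        if not m:
            continue               # unrelated log line, not counted
        host = m.group("host")
        if host in banned:
            continue
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        q = hits[host]
        q.append(ts)
        while ts - q[0] > window:  # forget matches older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned.append(host)
    return banned

# Constructed sample: the thread's line format with documentation-range addresses.
SAMPLE = (
    ["[Fri Jun 25 22:07:%02d 2010] [error] [client 203.0.113.5] "
     "request failed: error reading the headers" % s for s in range(38, 44)]
    + ["[Fri Jun 25 22:07:40 2010] [error] [client 198.51.100.7] "
       "File does not exist: /var/www/favicon.ico",
       "[Fri Jun 25 22:07:41 2010] [error] [client 198.51.100.7] "
       "request failed: error reading the headers"]
)

if __name__ == "__main__":
    print(find_bans(SAMPLE))
```

Apache writes this line only once a request has already failed, so a jail built on it acts after the connections were held open.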
#3
26th June 2010, 20:15
Sinchan

Okay Till, thanks for your fast reply.
I'll try to find other Apache regex rules first, and if I find something useful, I will write it here.

But if there are any other suggestions, or someone has already found a way, it would be greatly appreciated.
All times are GMT +2.