Mitigating Layer7 HTTP Flood with Nginx+Fail2ban

This tutorial is regarding mitigation of layer 7 http flood using nginx and fail2ban. In this tutorial we assumed to have installed Centos Web Panel.

How to Do It

1) Enable Nginx:

Login to Centos Web Panel (http://your-server-ip:2030) and navigate to Apache Settings –> Select WebServers

Select Apache & Nginx Reverse Proxy (Nginx on port 80 and apache on port 8181) and click on Save and Rebuild Configuration

Once nginx is installed click on Rebuild Virtual Host.

2) Setup Nginx to Block Request.

cd /etc/nginx
nano nginx.conf

Find http { and paste the lines as below.

# BULLTEN
    limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
    limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=7r/s;

# BULLTEN
    limit_conn_status 403;
    limit_req_status 403;

3) Now open your virtual host file located in /etc/nginx/conf.d. Replace yourdomainname.com.conf with your actual domain config file.

cd /etc/nginx/conf.d
nano yourdomain.com.conf

Find location / { and above that add the lines below

        
         # BULLTEN

         limit_conn conn_limit_per_ip 10;
         limit_req zone=req_limit_per_ip burst=5 nodelay;

         client_body_timeout 5s;
         client_header_timeout 5s;

4) Restart Nginx

service nginx restart

Check your nginx log file to know if connection is being successfully blocked. Blocked connection will have 403 error code. Replace yourdomain.com with your actual domain name.

tail -f /var/log/nginx/error.yourdomain.com.log

Your nginx is now ready to mitigate layer 7 DDOS. Change the above values as needed by your configuration.

5) Install fail2ban

yum install fail2ban -y
cd /etc/fail2ban
cp jail.conf jail.local

6) Now download two files named nginx-conn-limit.conf and nginx-req-limit.conf in /etc/fail2ban/filter.d

wget --output-document="/etc/fail2ban/filter.d/nginx-conn-limit.conf" http://dl-package.bullten.in/cwp/files/nginx_limit/nginx-conn-limit.txt
wget --output-document="/etc/fail2ban/filter.d/nginx-req-limit.conf" http://dl-package.bullten.in/cwp/files/nginx_limit/nginx-req-limit.txt

8) Edit jail.local and add the lines below. Replace yourdomain.com with your configured domain.

cd /etc/fail2ban
nano jail.local

[nginx-req-limit]

enabled = true
filter = nginx-req-limit
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
logpath = /var/log/nginx/*error.yourdomain.com.log
findtime = 300
bantime = 7200
maxretry = 5

[nginx-conn-limit]

enabled = true
filter = nginx-conn-limit
action = iptables-multiport[name=ConnLimit, port="http,https", protocol=tcp]
logpath = /var/log/nginx/*error.yourdomain.com.log
findtime = 300
bantime = 7200
maxretry = 5

9) Now start fail2ban

service fail2ban start

10) Check fail2ban rules status

fail2ban-client status nginx-req-limit
fail2ban-client status nginx-conn-limit

11) Check fail2ban Log

tail -f /var/log/fail2ban.log

If /var/log/fail2ban.log doesnt exist then follow the below step.

cd /etc/fail2ban
nano fail2ban.conf

Find logtarget = and change this whole line with logtarget = /var/log/fail2ban.log

Restart Fail2ban

service fail2ban restart

Your fail2ban is now configured to monitore nginx error log file and ban the IP using iptables.