Fail2ban and Nginx: block unwanted traffic to a specific URL

Fail2ban + Nginx: stop spam

Good day! A few days ago I noticed suspicious activity on one of my sites caused by password brute-forcing. It happened just when files with several million mailboxes and their passwords hit the network. After banning several addresses in iptables, the attackers started brute-forcing passwords from a large number of addresses, and banning them manually became inconvenient. I will tell you how this problem was solved under the cut.

What follows may be "common knowledge" for some, but this fail2ban functionality was new to me and helped a lot. The how-to below applies to RedHat-based Linux but can easily be adapted for any distribution.

If you don't have the rpmforge repository enabled, enable it:

wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt
rpm -i rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm

First configure nginx's limit_req module: add to the http {} section

limit_req_zone $binary_remote_addr zone=one:10m rate=5r/s;

Choose the zone parameters to suit your own situation; they are described in the module's documentation. In the server {} section, add a location that captures the URL receiving the malicious traffic (in my case, /auth/):

location /auth/ {
    limit_req zone=one burst=10 nodelay;
    try_files $uri /index.php?q=$uri&$args;
}

Or, for example, for wordpress:

location = /wp-login.php {
    limit_req zone=one burst=10 nodelay;
    include fastcgi_params;
    fastcgi_pass 127.0.0.1:9000;
}

Check the configuration for errors and restart nginx:

nginx -t && service nginx restart

If everything is configured correctly and malicious traffic is still arriving at the server, entries like the following will be written to nginx's error log:

2014/09/11 02:15:11 [error] 17515#0: *1977466 limiting requests, excess: 10.540 by zone "one", client: 93.170.112.10, server: ХХХ, request: "GET /auth/ХХХХ HTTP/1.1", host: "ХХХ"

This means the per-second request limits have started to take effect against the attackers. Now on to the blocking itself: install fail2ban:

yum install fail2ban -y

Create a file /etc/fail2ban/filter.d/nginx-req-limit.conf with your favorite editor with the following content:

[Definition]
failregex = ^\s*\[error\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ by zone "[^"]+", client: <HOST>
ignoreregex =

Take the default jail.conf as a base:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

And add to the end:

[nginx-req-limit]

enabled = true
filter = nginx-req-limit
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
logpath = /var/log/nginx/*error.log
findtime = 600
bantime = 7200
maxretry = 10
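To see how the filter and the jail parameters above fit together, here is an added Python example (not part of the original post) that applies the same failregex to constructed nginx error-log lines and replays fail2ban's findtime/maxretry window logic; the client addresses and the example.org hostname are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The failregex from the filter above, with fail2ban's <HOST> tag expanded to a named group.
FAILREGEX = re.compile(
    r'^\s*\[error\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ '
    r'by zone "[^"]+", client: (?P<host>[^\s,]+)')
# nginx's error-log timestamp, which fail2ban strips before applying failregex.
DATE_RE = re.compile(r'^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.*)$')
TS_FMT = "%Y/%m/%d %H:%M:%S"

def parse_line(line):
    """Return (timestamp, client) for a limit_req hit, or None for any other line."""
    m = DATE_RE.match(line)
    hit = FAILREGEX.match(m.group(2)) if m else None
    if not hit:
        return None
    return datetime.strptime(m.group(1), TS_FMT), hit.group("host")

def find_bans(lines, findtime=600, maxretry=10):
    """Clients that reach maxretry hits inside a sliding findtime window (seconds)."""
    recent, banned = defaultdict(list), []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] in banned:
            continue
        ts, host = parsed
        # Drop hits older than findtime, add this one, then test whether the window is full.
        recent[host] = [t for t in recent[host] if ts - t <= timedelta(seconds=findtime)]
        recent[host].append(ts)
        if len(recent[host]) >= maxretry:
            banned.append(host)
    return banned

def limit_line(ts, client, n):
    """Constructed nginx limit_req error line in the format shown above (sample data)."""
    return (f'{ts.strftime(TS_FMT)} [error] 17515#0: *{n} limiting requests, '
            f'excess: 10.540 by zone "one", client: {client}, server: example.org, '
            f'request: "GET /auth/ HTTP/1.1", host: "example.org"')

def sample_log():
    """Constructed log: one client limited 10 times in 27 s, another twice 15 min apart."""
    base = datetime(2014, 9, 11, 2, 15, 11)
    lines = [limit_line(base + timedelta(seconds=3 * i), "203.0.113.10", 1000 + i) for i in range(10)]
    lines.append(f'{base.strftime(TS_FMT)} [error] 17515#0: *2000 open() failed (2: No such file)')
    lines.append(limit_line(base, "198.51.100.7", 3000))
    lines.append(limit_line(base + timedelta(minutes=15), "198.51.100.7", 3001))
    return lines
```

With the jail defaults above, only the first client is banned; raising findtime to an hour and lowering maxretry to 2 bans the second client as well, which shows why both parameters matter.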

Choose the parameters to suit yourself; read more about them here.
Edit /etc/fail2ban/action.d/sendmail.conf, adding the required addresses to dest and sender (it will send mail if sendmail is configured on the server).
Start fail2ban:

service fail2ban start

Watch the log:

tail -f /var/log/fail2ban.log

If there are records like:

2014-09-10 21:32:20,575 fail2ban.actions: WARNING [nginx-req-limit] Ban 178.92.194.221
2014-09-10 21:37:33,136 fail2ban.actions: WARNING [nginx-req-limit] Ban 37.144.59.125

then everything is working as it should and the attackers are successfully banned. PROFIT! PS How do you use fail2ban? :)
