-
- Getting Started
- Git and File-System Layout (non-default setup)
- Version Constraints
- Managing Themes and Plugins (for entire WordPress site)
- Updating Themes and Plugins (for entire WordPress site)
- Adding Composer Support to Your Own Themes and Plugins (for developers)
- Using Composer to Manage Own Theme/Plugin Dependencies (for developers)
-
- Assigning Multiple IP Addresses to Single LAN Card
- Disable IPv6 on Ubuntu 12.04
- dsh – distributed shell
- fdupes – find & replace duplicate files with hardlinks
- GPG Keys Cheatsheet
- Increase "Open Files Limit"
- kill all php, nginx, mysql or any kind of processes
- Passwordless Authentication for SSH
- Screen
- search replace in multiple files useing grep xargs sed
- Setup sftp
- sysctl.conf
- Timezone Sync
- Using Google Public DNS on Ubuntu Server
- Using openssl to match private key, cerificate and CSR
- Configure Postfix to Use Gmail SMTP on Ubuntu
- Logrotate Example for Custom Logs
- PHP 5.5, MySQL, Postfix, Nginx and WordPress on Ubuntu
- Serverdensity
- Upgrade Ubuntu 10.04 to 12.04
- Using find and sed to replace strings in multiple files
- Webmin
-
- .my.cnf – mysql user & password
- Analyse slow-query-log using Anemometer
- Improving MySQL Query Cache
- MySQL Query Profiling
- Reset MySQL root password
- tuning-primer.sh – an alternative for mysqltuner
- Using MariaDB 10
- Install/Upgrade to MySQL 5.6 on Ubuntu 12.04 LTS
- Change WordPress Domain Name
- Character Sets and Collations
- Enable innodb_file_per_table
- Enable Remote Access (Grant)
- Installing Percona Toolkit
- Using tmpfs for temporary folder creation
- YARPP and InnoDB
- Convert MyISAM to InnoDB
- Using tmpfs for mysqldump & mysqlimport
- Convert from INNODB to MYISAM
- Analyse slow-query-log using mysqldumpslow & pt-query-digest
- mysqlcheck with cron to optimize automatically
- Using MySQLTuner to Optimize MySQL configuration
-
- Checking FQDN, Reverse-DNS/PTR, MX record
- Clients
- DKIM with Postfix
- Postfix Queue Management
- RoundCube
- Server Setup
- Setup OpenDKIM
- SPF Records
- swaks – SMTP test tool
- Using larch for mail transfer between imap/gmail servers
- Debugging Postfix Config, Mail Logs & more
- Increasing Attachment Size in Posfix
-
- Adding $upstream_cache_status in HTTP Response Headers
- Amazon Elastic Load Balancer and Forwarding Real-IP Nginx
- Block wp-login.php bruteforce attack
- Configuring HTTP/2 Server Push
- Enable gzip compression
- fail2ban
- Filter query string for Redis-Nginx cache
- Let's Encrypt with EasyEngine
- Nginx's Open file cache
- Serving fonts with correct mime types
- SSL – PCI compliance and performance optimization
- Troubleshooting
- Tweaking fastcgi-buffers
- Using $upstream_cache_status in access.log
- Using Pagespeed
- Weak Diffie Hellman Logjam Attack Fix
- Website access restriction using nginx
- Enable Nginx Status Page
- Forwarding Visitor's Real-IP + Nginx Proxy/Fastcgi backend correctly
- Parsing access.log and error.logs using linux commands
- Debugging Nginx Configuration
- Nginx config for www to non-www and non-www to www redirection
- Optimizing Nginx Configuration
- Rewrite Rules for vBulletin SEO-friendly permalinks
-
- Directly connect to PHP-FPM
- Generating core-dump for php5-fpm
- GeoIP
- Having php5 and php7 on same system.
- Install Xdebug and configure it with webgrind
- Installation of PHP Code Review Tools
- memcache
- PHP's Zend Opcache Config & Web Viewer
- Setting Sqlite support with PHP
- Using HHVM with PHP-FPM Fallback
- Using Redis for PHP Sessions on Ubuntu Server
- Installing PhpMyAdmin Quickly
- Moving PHP's session storage to tmpfs
- Install Xdebug and configure it with Netbeans
- Nginx – Enable PHP-FPM Status Page
- PHP-FPM: Socket vs TCP/IP and sysctl tweaking
- APC Cache Optimization & Monitoring Using Web Interface
- Checking if PHP/WordPress can send mails
- Debugging PHP Scripts Using slow_log and more
- Increase file upload size limit in PHP-Nginx
- Increase PHP script execution time with Nginx
-
- Performance Optimization
- Remove Query string of css/js files
- Setup ElasticSearch with ElasticPress
- Using Redis for WordPress Object-Cache
- WooCommerce Window Shopping Caching Technique
- Moving WordPress To New Server (Faster)
- Better wp-cron using linux's crontab
- 404 error- Page not Found!!!
- Debugging WordPress with Nginx
Last updated on Dec 18, 2020
Recently one of our client server was subjected to DDOS attack. We use Nginx’s Limit Req Module and fail2ban together to thwart this attack.
Installing fail2ban
On Ubuntu/Debian, just run…
apt-get install fail2ban
Configuration
There are 2 parts. First, we need to configure nginx to limit number of requests for IP addresses. Nginx will log info about banned IP into error log. fail2ban will parse nginx error log and ban offending IP addresses.
Nginx configuration
Please follow this post for nginx config part.
fail2ban Configuration
filter config
Create a nginx filter file:
vim /etc/fail2ban/filter.d/nginx-req-limit.conf
Add following content in it:
# Fail2Ban configuration file
#
# supports: ngx_http_limit_req_module module
[Definition]
failregex = limiting requests, excess:.* by zone.*client:
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
jail config
Create a new jail config in:
vim /etc/fail2ban/jail.local
If you don’t see jail.local, simply run:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Add following towards end:
[nginx-req-limit]
enabled = true
filter = nginx-req-limit
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
logpath = /var/log/nginx/*error.log
findtime = 600
bantime = 7200
maxretry = 10
findtime and maxretry values are important. Together, they decides how often offending IP’s gets banned. If you make these values smaller, IP’s will get banned more often. Tweak as per your need.
After saving both config files, restart fail2ban using:
service fail2ban restart
Testing
Before you exit from shell, it’s better to make sure if fail2ban is working.
fail2ban logs
You can monitor fail2ban log file:
tail -f /var/log/fail2ban.log
You will see lines like below:
2014-04-28 14:16:02,840 fail2ban.actions: WARNING [nginx-req-limit] Ban 95.211.117.202
2014-04-28 14:16:02,848 fail2ban.actions: WARNING [nginx-req-limit] Ban 78.187.45.204
2014-04-28 14:16:03,857 fail2ban.actions: WARNING [nginx-req-limit] 78.187.45.204 already banned
2014-04-28 14:17:36,952 fail2ban.actions: WARNING [nginx-req-limit] Ban 91.216.201.114
If you don’t see anything that means either misconfiguration or nothing to worry at all. If you think there is something to worry, jump to debugging section below.
fail2ban-client
You can also use fail2ban-client to find out status of a particular jail using following command:
fail2ban-client status nginx-req-limit
This will show:
Status for the jail: nginx-req-limit
|- filter
| |- File list: /var/log/nginx/test.com.error.log /var/log/nginx/example.com.error.log
| |- Currently failed: 6
| `- Total failed: 389
`- action
|- Currently banned: 3
| `- IP list: 95.211.117.202 78.187.45.204 91.216.201.114
`- Total banned: 3
As you can see there are 3 IP’s in jail.
Debugging
If things are not working as expected, you can debug fail2ban config.
Check debug output
Run following command to see config used by fail2ban-server:
fail2ban-client -d
Debug filter
Run following command to see if fail2ban filter works for a particular log file:
fail2ban-regex /var/log/nginx/example.com.error.log /etc/fail2ban/filter.d/nginx-req-limit.conf
Output will contain something like following (towards end):
Success, the total number of match is 861
If there are zero match then there could be an issue with regex filter.
Comments