Availability is one of the pillars of information security: an asset must be accessible to legitimate users when they need it. Denial-of-service (DoS) attacks target exactly that property. A successful DoS attack keeps legitimate users from accessing an asset when they need it.

Exposure to DoS is not the easiest thing to discover. A vulnerability scan will not report it, because a successful DoS attack does not necessarily exploit a vulnerability; it is found by reasoning about how the system behaves under load, which is where seasoned security practitioners spot it quickly. For example, an attacker could send millions of HTTP requests to a valid URL on a website. Each request is valid and legitimate on its own; what makes it an attack is the volume. The HTTP server cannot keep up, so when a legitimate user tries to access the site, the request fails: the server is too busy.

There are many kinds of DoS attacks. This article covers mitigating the following two against an Apache web server:

  • An attacker requests the same URL too many times.
  • An attacker requests many different URLs too many times; each request on its own may not look like an attack, but the sum of them is.

Software Requirements

You will need to install the following software:

  • mod_evasive
  • sudo
  • fail2ban

All three are packaged for CentOS 7: sudo comes from the base repository, mod_evasive and fail2ban from the EPEL repository. Equivalent packages exist in other distributions.

Configuration

The first step is configuring fail2ban. The trick is a jail whose filter never matches anything, so it bans nothing on its own; an IP lands in it only when something calls fail2ban-client explicitly. Create the file filter.d/none.conf with the following content. (Some fail2ban versions refuse a failregex that has no <HOST> group; if yours does, use a pattern that contains one but can never match a real log line, which keeps the same behaviour.)

[Definition]
failregex = ^$
ignoreregex =

Then add this jail to your jail.local. The port and protocol lines are informational only here, because the action bans the address on all ports and protocols:

[manual]
enabled = true
port = 443,80
protocol = tcp
filter = none
action = iptables-allports[name=manual, protocol=all]
backend = systemd
bantime = 3600

Next, configure sudo so that the web server can call fail2ban-client as root. Add the following policy, preferably through visudo, in a file under /etc/sudoers.d/:

apache ALL = (root) NOPASSWD: /usr/bin/fail2ban-client

This policy lets the apache user run fail2ban-client as root without a password. Note what it hands over: fail2ban-client as root can not only ban an address but also unban addresses, stop jails and change an action's ban command, which the fail2ban server then executes as root. If the web application is ever compromised, that is a direct path from the apache user to root, so the rule should be restricted to the exact subcommand this setup needs.
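The following sudoers fragment is an added example (not the original post's configuration): the rule above, followed by the restricted form that allows only the ban subcommand for the manual jail. The user name, the jail name and the binary path are the ones used in this post. In sudoers, the trailing * matches any further arguments, including whitespace, so extra arguments can still be appended; anything after banip is interpreted by fail2ban-client as more addresses to ban, which is harmless compared with the unrestricted rule.

```text
# Unrestricted: any fail2ban-client subcommand as root, including unbanip, stop and action changes
apache ALL = (root) NOPASSWD: /usr/bin/fail2ban-client

# Restricted: only banning addresses in the manual jail (the command mod_evasive actually runs)
apache ALL = (root) NOPASSWD: /usr/bin/fail2ban-client set manual banip *
```

Keep only the second line. Check the file with visudo -c before relying on it, and confirm from the apache account that sudo -l lists only the restricted command.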

The last step is configuring mod_evasive. The mod_evasive.conf file is almost self-explanatory; adjust the thresholds to your needs, then add the following line so that every address mod_evasive blocks is handed to fail2ban (%s is replaced with the client IP):

DOSSystemCommand "/usr/bin/sudo /usr/bin/fail2ban-client set manual banip %s"

Does your Website use HTTP/2?

If your website is served over HTTP/2, mod_evasive's default settings may backfire. HTTP/2 multiplexes many requests over a single connection, so a browser loading one page issues the requests for all of its sub-resources at once. Depending on how many resources a page pulls in, that burst looks like an HTTP flood to mod_evasive, and the visitor gets blocked.

For example, this blog uses HTTP/2, and with the default settings (DOSPageCount 2 and DOSSiteCount 50, each counted over a one-second interval) it blocked ordinary visitors almost immediately. I settled on the following settings:

DOSPageCount 50
DOSSiteCount 100

You will need to experiment with these two values to find what fits your website: DOSSiteCount has to stay above the number of requests a single page view generates, and DOSPageCount above the number of times a page legitimately fetches the same URL within the interval, otherwise every visitor gets banned.

What will this Config do?

The mod_evasive module keeps track of HTTP requests per client IP, both per URL and for the whole site. When a threshold is exceeded, it starts answering that IP with 403 for DOSBlockingPeriod seconds (10 by default) and runs DOSSystemCommand, which uses sudo to hand the offending IP to fail2ban; fail2ban's iptables action then drops the traffic for bantime (3600 seconds in the jail above). Without the sudo/fail2ban step, the HTTP server would still accept every connection and process every request, only to answer 403, so the flood would keep consuming its workers. One thing to check: mod_evasive records each IP it has acted on in a file under DOSLogDir and runs DOSSystemCommand only when that file does not exist yet, so unless those files are cleaned up (for example with a periodic tmpwatch or cron job) a repeat offender is not handed to fail2ban a second time.
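To see how the thresholds interact, here is an added example (written for this page, not mod_evasive's code) that models mod_evasive's documented accounting in Python and runs the cases from this post through it: a small page view, an HTTP/2 page load with 70 sub-resources, a same-URL flood and a distinct-URL flood, each under the shipped defaults and under the DOSPageCount 50 / DOSSiteCount 100 settings above. The traffic and the client address are constructed. The threshold semantics (the request that finds a counter already at the limit is refused) approximate mod_evasive's and may be off by one from a given version; the command string recorded on a block mirrors the DOSSystemCommand line in this post.

```python
"""Simplified model of mod_evasive's request accounting (added example, not mod_evasive's code)."""
from dataclasses import dataclass


@dataclass
class Settings:
    """Thresholds named after the mod_evasive directives they stand in for.

    The defaults are mod_evasive's shipped defaults; intervals and the
    blocking period are in seconds.
    """
    page_count: int = 2            # DOSPageCount: hits on one URI per page_interval
    site_count: int = 50           # DOSSiteCount: hits on the whole site per site_interval
    page_interval: float = 1.0     # DOSPageInterval
    site_interval: float = 1.0     # DOSSiteInterval
    blocking_period: float = 10.0  # DOSBlockingPeriod


@dataclass
class Counter:
    count: int = 0
    stamp: float = 0.0   # time of the last hit on this key


class EvasiveModel:
    """Per-IP accounting as mod_evasive documents it.

    One counter is kept per (IP, URI) and one per IP. A counter resets when
    the gap between two consecutive hits is at least the interval; otherwise
    it grows, and the hit that finds it already at the threshold is refused
    with 403 and puts the IP on hold. While on hold every request gets 403
    and refreshes the hold timer, so the IP is released only after
    blocking_period seconds of silence. When an IP goes on hold the model
    records the command that DOSSystemCommand would have run (assumed to be
    the one from this post; mod_evasive runs it through system()).
    """

    def __init__(self, settings: Settings):
        self.s = settings
        self.hits = {}       # key -> Counter
        self.on_hold = {}    # ip -> time of its last hit while on hold
        self.commands = []   # ban commands that would have been executed

    def _count(self, key: str, t: float, limit: int, interval: float) -> bool:
        c = self.hits.setdefault(key, Counter())
        over = t - c.stamp < interval and c.count >= limit
        if t - c.stamp >= interval:
            c.count = 0          # quiet for a whole interval: start over
        c.stamp = t
        c.count += 1
        return over

    def request(self, ip: str, uri: str, t: float) -> int:
        """Return the status this request would get from mod_evasive: 200 or 403."""
        s = self.s
        if ip in self.on_hold and t - self.on_hold[ip] < s.blocking_period:
            self.on_hold[ip] = t     # a hit while on hold extends the hold
            return 403
        page_over = self._count(f"{ip}_{uri}", t, s.page_count, s.page_interval)
        site_over = self._count(f"{ip}_SITE", t, s.site_count, s.site_interval)
        if not (page_over or site_over):
            return 200
        if ip not in self.on_hold or t - self.on_hold[ip] >= s.blocking_period:
            self.commands.append(f"/usr/bin/sudo /usr/bin/fail2ban-client set manual banip {ip}")
        self.on_hold[ip] = t
        return 403


IP = "203.0.113.7"   # constructed client address (TEST-NET-3 documentation range)


def http2_page_load(t: float, assets: int, ip: str = IP):
    """One page view over HTTP/2: the HTML plus `assets` distinct sub-resources,
    all requested within the same second (constructed traffic)."""
    return [(ip, "/index.html", t)] + [
        (ip, f"/static/asset{i}.js", t + 0.01 * i) for i in range(assets)
    ]


def flood(t: float, n: int, same_uri: bool, ip: str = IP):
    """n requests within one second: the same URI (first case in the post)
    or n distinct URIs (second case)."""
    return [(ip, "/login" if same_uri else f"/page{i}", t + i / n) for i in range(n)]


def run(settings: Settings, requests):
    """Feed constructed requests through a fresh model; return (statuses, model)."""
    m = EvasiveModel(settings)
    return [m.request(ip, uri, t) for ip, uri, t in requests], m


if __name__ == "__main__":
    defaults, tuned = Settings(), Settings(page_count=50, site_count=100)
    cases = [("light page (20 assets)", http2_page_load(100.0, 20)),
             ("HTTP/2 page (70 assets)", http2_page_load(100.0, 70)),
             ("same-URL flood (200/s)", flood(100.0, 200, True)),
             ("distinct-URL flood (300/s)", flood(100.0, 300, False))]
    for name, reqs in cases:
        for label, s in (("defaults", defaults), ("tuned", tuned)):
            statuses, m = run(s, reqs)
            print(f"{name:28s} {label:8s} 403s={statuses.count(403):3d} bans={len(m.commands)}")
```

Under the defaults the 70-asset HTTP/2 page trips DOSSiteCount on its 51st request and the visitor is banned, while with DOSSiteCount 100 the same page goes through; both floods are still caught, the same-URL flood by DOSPageCount and the distinct-URL flood by DOSSiteCount. The model also shows why the sudo/fail2ban step matters: without it the IP is released after ten quiet seconds, whereas a flood that never pauses keeps the hold alive and keeps every request hitting the server.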

Choose the parameters carefully. Some HTTP applications need them relaxed further, and because the fail2ban ban lasts bantime (3600 seconds in the jail above) rather than mod_evasive's DOSBlockingPeriod, a false positive locks a legitimate visitor out for an hour.

Good luck!
