Availability is one of the pillars of information security: the property that an asset can be accessed by legitimate users when needed. DoS attacks target exactly that availability; a successful DoS attack keeps a user from reaching an asset when needed.
Exposure to DoS attacks is not the easiest thing to discover; a vulnerability scan will not report it, because a successful DoS attack does not always exploit a vulnerability. Seasoned security practitioners spot them more readily. For example, an attacker could send millions of HTTP requests to a valid URL on a given website. Each request may be valid and legitimate; what makes it an attack is the sheer volume. The HTTP server cannot keep up, so when a legitimate user tries to access it, the request fails: the HTTP server is too busy.
There are many kinds of DoS attacks. This article will prevent the following two:
- When an attacker requests the same URL too many times.
- When an attacker requests many different URLs too many times; each request on its own may not look like an attack, but the sum of them is.
Software Requirements
You will need to install the following software:
- mod_evasive
- sudo
- fail2ban
All of these are available in any CentOS 7 installation. I am pretty sure they are in other distributions as well.
Configuration
The first step is configuring fail2ban. The trick here is to configure a jail whose filter never matches anything on its own, so that IPs only end up in it when fail2ban-client puts them there. Edit or create the file filter.d/none.conf:
[Definition]
failregex = ^$
ignoreregex =
And add this to your jail.local:
[manual]
enabled = true
port = 443,80
protocol = tcp
filter = none
action = iptables-allports[name=manual, protocol=all]
backend = systemd
bantime = 3600
Next, configure sudo. I did it by adding the following policy to the sudoers configuration:
apache ALL = (root) NOPASSWD: /usr/bin/fail2ban-client
This policy tells sudo to let the apache user run fail2ban-client as root without asking for a password.
The last step is configuring mod_evasive. The mod_evasive.conf file is almost self-explanatory. Configure it to meet your needs, and add the following line:
DOSSystemCommand "/usr/bin/sudo /usr/bin/fail2ban-client set manual banip %s"
Does your Website use HTTP/2?
If your website supports HTTP/2, the default settings of mod_evasive may backfire. HTTP/2 lets the Apache server return many documents over a single connection in one go. Depending on your website, this burst can look like an HTTP flood and be catalogued as a DoS.
For example, this blog uses HTTP/2 and, with the default settings, it bans access very easily. I came up with the following settings:
DOSPageCount 50
DOSSiteCount 100
You will need to play with these two values to find what works for your website.
What will this Config do?
The mod_evasive module for Apache keeps track of the HTTP requests. When a threshold is exceeded, it starts answering with 403 error codes. With this configuration it also uses sudo to run fail2ban-client and put the offending IP in quarantine. Without the sudo/fail2ban step, the HTTP server would keep receiving the requests and processing them.
Be careful with the parameters you set. Some HTTP applications may require you to relax them.
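To see how the two thresholds behave before touching a live server, here is an added Python example (not the author's code and not part of mod_evasive) that replays Apache access-log lines through a simplified model of the per-URL and per-site counters, using the DOSPageCount and DOSSiteCount values from this post, and shows what this post's DOSSystemCommand would run for each offender. The 1-second intervals (mod_evasive's DOSPageInterval/DOSSiteInterval defaults) and the sample log lines are assumptions.

```python
import re
from datetime import datetime

# Thresholds from this page; the 1-second intervals are mod_evasive's defaults.
DOS_PAGE_COUNT, DOS_PAGE_INTERVAL = 50, 1    # same URL, same client IP
DOS_SITE_COUNT, DOS_SITE_INTERVAL = 100, 1   # any URL, same client IP
# This page's DOSSystemCommand; Apache substitutes the client IP for %s.
DOS_SYSTEM_COMMAND = "/usr/bin/sudo /usr/bin/fail2ban-client set manual banip %s"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*"')

def parse_line(line):
    """Return (epoch seconds, client IP, URL) from a common-log-format line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, url = m.groups()
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp(), ip, url

def _hit(table, key, ts, interval, limit):
    """Count a hit under key; the count restarts after a gap of `interval`
    seconds (mod_evasive's hash-table rule). True once `limit` hits pile up."""
    last, count = table.get(key, (None, 0))
    count = 1 if last is None or ts - last >= interval else count + 1
    table[key] = (ts, count)
    return count >= limit

def offending_ips(lines):
    """Replay log lines; return {ip: 'page' | 'site'} for the first threshold
    each client trips (the two attack types this page prevents)."""
    page_table, site_table, banned = {}, {}, {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] in banned:
            continue  # unparsable, or already quarantined (Apache answers 403)
        ts, ip, url = parsed
        if _hit(page_table, (ip, url), ts, DOS_PAGE_INTERVAL, DOS_PAGE_COUNT):
            banned[ip] = "page"
        elif _hit(site_table, ip, ts, DOS_SITE_INTERVAL, DOS_SITE_COUNT):
            banned[ip] = "site"
    return banned

def ban_command(ip):
    """Argument vector Apache would execute for one offender."""
    return (DOS_SYSTEM_COMMAND % ip).split()

def make_line(ip, second, url):
    """Constructed common-log-format line at 00:00:<second> (sample data)."""
    return '%s - - [01/Jan/2024:00:00:%02d +0000] "GET %s HTTP/1.1" 200 512' % (ip, second, url)

# Constructed sample traffic: one client repeating one URL, one spraying many URLs, one legitimate.
SAMPLE_LOG = ([make_line("198.51.100.7", 0, "/login") for _ in range(60)]
              + [make_line("203.0.113.9", 1, "/page%d" % i) for i in range(120)]
              + [make_line("192.0.2.5", 2, "/asset%d.css" % i) for i in range(8)])
```

Feed it your own access log (one line per list element) to estimate how often the chosen values would have handed a client to fail2ban.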
Good luck!