This configuration was tested during a live attack from 72 servers at 10,000 requests per minute.
- Configure Cloudflare for maximum security
- Enable haproxy logging
- Enable a custom log format for haproxy by editing /etc/haproxy/haproxy.cfg
- Remove the "log global" line from the defaults section; it is moved into the frontend main section (shown below) for better performance
- Configure fail2ban
- Jail config: /etc/fail2ban/jail.conf
[haproxy]
enabled = true
port = http,https
filter = haproxy
banaction = cloudflare
maxretry = 2
findtime = 5
logpath = /var/log/haproxy.log
bantime = 7200
- Filter config: /etc/fail2ban/filter.d/haproxy.conf
- This filter matches every request for / (the site root), so a client that requests / more than maxretry times within findtime seconds gets banned.
# Fail2Ban filter for haproxy
# by MosheZ http://moshez.blogspot.com

[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]
_daemon = haproxy
failregex = ^\s.*: {<HOST>}(.*GET / HTTP/1.1.*)\s*$
ignoreregex =

[Init]
# "maxlines" is number of log lines to buffer for multi-line regex searches
maxlines = 10
- Action config: /etc/fail2ban/action.d/cloudflare.conf

[Definition]
actionban = curl -s -o /dev/null https://www.cloudflare.com/api_json.html -d 'a=ban' -d 'tkn=<cftoken>' -d 'email=<cfuser>' -d 'key=<ip>'
# actionunban is left commented out, so a ban is not lifted on the Cloudflare side when bantime expires
#actionunban = curl -s -o /dev/null https://www.cloudflare.com/api_json.html -d 'a=nul' -d 'tkn=<cftoken>' -d 'email=<cfuser>' -d 'key=<ip>'

[Init]
# If you like to use this action with mailing whois lines, you could use the composite action
# action_cf_mwl predefined in jail.conf, just define in your jail:
#
# action = %(action_cf_mwl)s
#
# Your CF account e-mail
# cfemail =
#
# Your CF API Key
# cfapikey =

cftoken = dfgb0390bfe31ed1e931c1b6ae (REPLACE THIS)
cfuser = example@example.com (REPLACE THIS)
- Restart the services:

service haproxy restart
service fail2ban restart

- Enjoy!
The haproxy frontend section from /etc/haproxy/haproxy.cfg. The %hr field writes the captured X-Forwarded-For header inside braces and %r the request line, which is the layout the fail2ban filter regex above matches on:

frontend main
    bind *:80
    log global
    capture request header X-Forwarded-For len 25
    log-format %hr[%r]
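As an added example that is not part of the original post: a Python replay of the filter and jail above over constructed haproxy log lines, showing which clients the failregex together with maxretry = 2 and findtime = 5 would hand to the Cloudflare ban action. It assumes rsyslog's default timestamp prefix on /var/log/haproxy.log and stands in for fail2ban's <HOST> expansion with an IPv4 pattern.

```python
import re
from collections import defaultdict, deque

# Stand-in for fail2ban's <HOST> expansion (IPv4 only; fail2ban's own pattern is wider).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# The page's failregex with <HOST> expanded and the literal braces escaped; haproxy's
# %hr writes captured headers (here X-Forwarded-For) inside {...}, hence the braces.
FAILREGEX = re.compile(r"^\s.*: \{" + HOST + r"\}(.*GET / HTTP/1.1.*)\s*$")
# Assumed rsyslog prefix on /var/log/haproxy.log: "Jan  1 12:00:00 host haproxy[pid]: ..."
SYSLOG_TS = re.compile(r"^\w{3}\s+\d{1,2} (\d\d):(\d\d):(\d\d)(.*)$")

def match_line(line):
    """Return (seconds_of_day, host) if the filter matches, else None. fail2ban strips the
    timestamp first, so the regex sees the rest of the line, which begins with a space."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    secs = int(m.group(1)) * 3600 + int(m.group(2)) * 60 + int(m.group(3))
    hit = FAILREGEX.match(m.group(4))
    return (secs, hit.group("host")) if hit else None

def banned_hosts(lines, maxretry=2, findtime=5):
    """Replay the jail: a host is banned once it has maxretry matches within findtime
    seconds. Returns hosts in the order the ban action would fire for them."""
    recent, banned = defaultdict(deque), []
    for line in lines:
        hit = match_line(line)
        if hit is None or hit[1] in banned:
            continue
        when, host = hit
        window = recent[host]
        window.append(when)
        while when - window[0] > findtime:   # drop matches older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned.append(host)
    return banned

# Constructed sample lines (not from the page) in the page's log-format %hr[%r].
SAMPLE_LOG = [
    "Jan  1 12:00:00 lb1 haproxy[1234]: {203.0.113.5}[GET / HTTP/1.1]",
    "Jan  1 12:00:00 lb1 haproxy[1234]: {198.51.100.7}[GET /about HTTP/1.1]",  # not /
    "Jan  1 12:00:01 lb1 haproxy[1234]: {203.0.113.5}[GET / HTTP/1.1]",  # 2nd hit in 1 s
    "Jan  1 12:00:03 lb1 haproxy[1234]: {198.51.100.7}[GET / HTTP/1.1]",
    "Jan  1 12:00:10 lb1 haproxy[1234]: {192.0.2.9}[GET / HTTP/1.1]",
    "Jan  1 12:00:12 lb1 haproxy[1234]: {192.0.2.9}[GET / HTTP/1.1]",  # a crawler, also banned
    "Jan  1 12:00:30 lb1 haproxy[1234]: {198.51.100.7}[GET / HTTP/1.1]",  # 27 s apart: kept
]
```

Running banned_hosts(SAMPLE_LOG) returns ['203.0.113.5', '192.0.2.9']: the crawler that re-fetches / twice within 5 seconds is banned just like the flooding client, which is the behaviour the comment below about search engine bots describes.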
hello,
thanks for your post.. but when curl runs I got this error:
ERROR curl https://www.cloudflare.com/api_json.html -d 'a=ban' -d 'tkn=myapikey' -d 'email=myuseremail' -d 'key=ip' -- stderr: '\ncurl: (7) Failed to connect to 198.41.214.162: Permission denied\n'
but when I paste this command on the screen it blocks successfully.. :S
Try to disable SELinux
thanks for your help..
I see false negatives.. How can I set it up? I can not see.. It blocked some search engine bots too..