How-to – Ban HTTP DoS attacks with Fail2Ban

  • Install fail2ban through the method of your choice.
  • Edit the file /etc/fail2ban/jail.local and add the following section:

[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache2/YOUR_WEB_SERVER_ACCESS_LOG
# maxretry is how many GETs we can have in the findtime period before getting narky
maxretry = 300
# findtime is the time period in seconds in which we're counting "retries" (300 seconds = 5 mins)
findtime = 300
# bantime is how long we should drop incoming GET requests for a given IP for, in this case it's 5 minutes
bantime = 300
# Note: this action only blocks the offending IP on port 80; to cover both ports listed
# above, use the iptables-multiport action with port="http,https" instead.
action = iptables[name=HTTP, port=http, protocol=tcp]

Don’t forget to replace YOUR_WEB_SERVER_ACCESS_LOG with the actual access log for your webserver! Note: This doesn’t have to be an apache log, I just happen to be using apache.

  • Now we need to create the filter file, so create the file /etc/fail2ban/filter.d/http-get-dos.conf and place the following contents in it:
# Fail2Ban configuration file
# Author:

# Option: failregex
# Note: This regex will match any GET entry in your logs, so basically all valid and not valid entries are a match.
# You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives.

failregex = ^<HOST> -.*"(GET|POST).*

# Option: ignoreregex
# Notes: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT

ignoreregex =
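Before switching the jail on, it is worth checking what these maxretry and findtime values would do to real traffic. The following Python script is an added example (not part of the original post and not Fail2Ban's own code): it applies the filter's regex to constructed Apache access-log lines and reports which hosts would hit the ban threshold; the IP addresses and log lines are made up for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The filter's failregex, with Fail2Ban's <HOST> placeholder expanded to an IPv4 capture.
FAILREGEX = re.compile(r'^(?P<host>\d{1,3}(?:\.\d{1,3}){3}) -.*"(GET|POST).*')
# Apache timestamp field, e.g. [01/Jan/2024:12:00:00 +0000]
TIMESTAMP = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]')


def would_ban(lines, maxretry=300, findtime=300):
    """Return {ip: time of ban} for hosts that reach maxretry matching
    requests inside any findtime-second window (Fail2Ban's counting rule)."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    banned = {}
    for line in lines:
        m = FAILREGEX.match(line)
        t = TIMESTAMP.search(line)
        if not m or not t:
            continue                # not a GET/POST entry: never counted
        ip = m.group('host')
        if ip in banned:
            continue
        ts = datetime.strptime(t.group(1), '%d/%b/%Y:%H:%M:%S')
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()             # expire hits older than findtime
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


BASE = datetime(2024, 1, 1, 12, 0, 0)

def log_line(ip, offset_s, request='GET /index.html HTTP/1.1'):
    """Constructed Apache combined-format line, offset_s seconds after BASE."""
    when = (BASE + timedelta(seconds=offset_s)).strftime('%d/%b/%Y:%H:%M:%S')
    return f'{ip} - - [{when} +0000] "{request}" 200 512 "-" "curl/8.0"'

def sample_log():
    """Constructed traffic (RFC 5737 addresses): one host at 2 req/s, one normal client."""
    lines = [log_line('203.0.113.5', i / 2) for i in range(400)]
    lines += [log_line('198.51.100.7', i * 30) for i in range(20)]
    lines.append(log_line('198.51.100.7', 10, 'HEAD / HTTP/1.1'))   # not GET/POST
    lines.append('not an access-log entry at all')
    return lines

if __name__ == '__main__':
    for ip, when in would_ban(sample_log()).items():
        print(f'{ip} would be banned at {when:%H:%M:%S}')
```

Point `would_ban()` at the lines of your own access log with different maxretry/findtime values to see how many real clients would be caught before you commit the numbers to jail.local.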
  • Now we just need to restart fail2ban for the new jail & filter to come into effect:
    /etc/init.d/fail2ban restart

    Or if your machine is on systemd, use:

    systemctl restart fail2ban

    Also on systemd, if you want fail2ban to start on boot (and the chances are that you do), run the additional:

    systemctl enable fail2ban

    With all that done your site should be pretty safe from casual DOS attacks, although you’d likely need more stringent maxretry and findtime settings to really help against Distributed DOS (DDOS) attacks.