How To: Stop Apache DOS attacks with Fail2Ban

I had to install and configure fail2ban yesterday to stop some hacking attempts on my FTP server, and when I was looking through the fail2ban configs I saw that you could stop DOS (Denial of Service) attacks with it too. As this site’s been hit by the occasional DOS from people with an axe to grind and too much time on their hands, I thought I may as well set up a DOS mitigation strategy while I was at it. Here’s how:

  1. Install fail2ban through the method of your choice.
  2. Edit the file /etc/fail2ban/jail.local and add the following section:

  3. Don’t forget to replace YOUR_WEB_SERVER_ACCESS_LOG with the actual access log for your webserver! Note: This doesn’t have to be an apache log, I just happen to be using apache.

  4. Now we need to create the filter file, so create the file /etc/fail2ban/filter.d/http-get-dos.conf and place the following contents in it:

  5. Now we just need to restart fail2ban for the new jail & filter to come into effect:

  6. Or if your machine is on systemd, use:

    Also on systemd, if you want fail2ban to start on boot (and the chances are that you do), run the additional:

    With all that done your site should be pretty safe from casual DOS attacks, although you’d likely need more stringent maxretry and findtime settings to really help against Distributed DOS (DDOS) attacks.
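To make the maxretry/findtime mechanism concrete, here is an added example (my own illustration, not the author's jail or filter, and not fail2ban's code) that replays a few constructed Apache access-log lines through a fail2ban-style failregex and a per-host sliding window. The regex FAILREGEX, the helper names and the sample lines are all assumptions; the same counting is what the proftpd jail in the FTP post below does, only against a different log with a different regex.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed failregex in the spirit of an http-get-dos filter (an assumption, not the
# author's filter): <HOST> is fail2ban's placeholder for the offending client address.
FAILREGEX = r'^<HOST> -.*"(?:GET|POST).*HTTP/1\.[01]"'

# Constructed sample lines in Apache "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2013:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "-" "ApacheBench/2.3"
198.51.100.22 - - [10/Oct/2013:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:13:55:37 +0000] "GET / HTTP/1.1" 200 2326 "-" "ApacheBench/2.3"
203.0.113.7 - - [10/Oct/2013:13:55:38 +0000] "OPTIONS * HTTP/1.1" 200 - "-" "probe"
203.0.113.7 - - [10/Oct/2013:13:55:38 +0000] "GET / HTTP/1.1" 200 2326 "-" "ApacheBench/2.3"
203.0.113.7 - - [10/Oct/2013:13:55:38 +0000] "GET / HTTP/1.1" 200 2326 "-" "ApacheBench/2.3"
203.0.113.7 - - [10/Oct/2013:13:55:39 +0000] "GET / HTTP/1.1" 200 2326 "-" "ApacheBench/2.3"
203.0.113.7 - - [10/Oct/2013:13:55:40 +0000] "GET / HTTP/1.1" 200 2326 "-" "ApacheBench/2.3"
198.51.100.22 - - [10/Oct/2013:13:57:10 +0000] "GET /about.html HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
"""

TIMESTAMP_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a Python regex with a named 'host' group."""
    return re.compile(failregex.replace("<HOST>", r"(?P<host>\S+)"))


def parse_timestamp(line):
    """Pull the bracketed Apache timestamp out of a log line, or None if absent."""
    m = TIMESTAMP_RE.search(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z") if m else None


def find_bans(log_text, maxretry, findtime, failregex=FAILREGEX):
    """Return {host: time_of_ban} for hosts whose matching lines reach maxretry
    within findtime seconds. Only lines matching failregex count (the OPTIONS
    line above is ignored), and each host's window only keeps hits newer than
    findtime, so slow, spread-out visitors never accumulate enough to be banned."""
    pattern = compile_failregex(failregex)
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    bans = {}
    for line in log_text.splitlines():
        m = pattern.search(line)
        ts = parse_timestamp(line)
        if not m or ts is None:
            continue
        host = m.group("host")
        if host in bans:
            continue  # already banned; nothing more to count for this host
        hits = recent[host]
        hits.append(ts)
        while hits and ts - hits[0] > window:
            hits.popleft()  # expire hits that fell out of the findtime window
        if len(hits) >= maxretry:
            bans[host] = ts
    return bans


if __name__ == "__main__":
    # Deliberately tiny limits so the constructed burst trips the ban.
    for host, when in find_bans(SAMPLE_LOG, maxretry=5, findtime=10).items():
        print(f"Ban {host} at {when.strftime('%H:%M:%S')}")
```

With maxretry=5 and findtime=10 the benchmark-style burst from 203.0.113.7 is banned on its fifth GET at 13:55:39, while 198.51.100.22's two page views, 93 seconds apart, never pile up. Raising maxretry to 7 leaves both untouched, which is the knob the post is talking about when it says tighter settings are needed to mean anything against a distributed attack.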

Testing

To check if fail2ban is seeing the logs, check out /var/log/fail2ban.log and you should see things like:

showing up as visitors view your site.

If you want to test if it’s really working, a nice way to do so is to use ab (Apache Benchmark – part of the apache2-utils package), like this:

This will kick off 500 page-loads in 10 concurrent connections against your site. When the ban kicks in the page-loads will stop (as incoming GET requests from your IP will be dropped), then when the bantime expires you’ll be able to access the site again. If you then take a look in your /var/log/fail2ban.log file you should see something like this:

Pretty neat, huh?

Many thanks to the authors of the following great articles for helping me to get this set up in no-time:
http://www.dedmeet.com/software-projects-mainmenu-12/fail2ban-to-limit-ddos-attacks– on-webserver.html
http://go2linux.garron.me/linux/2011/05/fail2ban-protect-web-server-http-dos-attack-1084.html

Cheers! =D

How To: Block FTP hacking attempts using Fail2Ban

I noticed that my FTP server was getting hit up with huge streams of access attempts, which just won’t do. Thankfully, it’s really easy to block these access attempts using the awesome fail2ban script.

  1. First, install fail2ban either manually or if it’s in your repos use:
  2. Next, go to the relevant section of the file /etc/fail2ban/jail.conf for your FTP server (mine is proftpd) and enable jailing by flipping the enabled flag to true:
  3. Set your retries and bantime as you see fit, and make sure the log file path is correct (i.e. that it’s actually the log you want to monitor!)

  4. Restart fail2ban with a swift:
  5. If your FTP server is controlled via inetd/xinetd you don’t need to restart the FTP server as it’s started when required. If your FTP server is standalone then it probably won’t hurt to restart the service manually through /etc/init.d/[your-ftp-server-management-script-here]

That should be pretty much it; if there are still access attempts going on they’ll be banned from connecting for the bantime you defined, and you’ll be able to see ban details in /var/log/fail2ban.log.

Many, many thanks to the excellent Block FTP Hacking tutorial on The Art of Web – fantastic stuff =D

How to: Pixelise a webcam stream using OpenCV

The other day I posted about a video in which the footage was heavily pixelised into circles of varying sizes and colours, and I reckoned I could produce a similar effect either by resizing the stream right down so it’s really blocky and then scaling it back up, or by reading all the pixels in a block, averaging their colour and then drawing a block of that averaged colour.

Well, I had an hour or so today to do a bit of “me-coding”, and in the end I took the second option.

Pixelised Webcam Stream

The pixelisation works on the live stream, and you can drag the slider around to switch through from 1 division (i.e. the entire window is one block of solid colour) to 160 divisions.
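Here is an added example of the block-averaging approach, written in plain Python over a list-of-lists frame (constructed inline) rather than an OpenCV Mat so it runs without a webcam; it is not the source code from the post. The block size is taken as the frame width divided by `divisions`, which is an assumption about how the slider maps to block size, as is the `make_test_frame` gradient used as input.

```python
def make_test_frame(width=8, height=4):
    """Constructed stand-in for a camera frame: rows of (r, g, b) tuples forming a
    simple gradient, so block averages are easy to work out by hand."""
    return [[(x * 32, y * 64, 128) for x in range(width)] for y in range(height)]


def pixelise(image, divisions):
    """Average each square block's colour and paint the whole block with that average.
    divisions = 1 turns the whole frame into one solid colour; divisions = width
    leaves the frame as it was. Blocks on the right and bottom edges may be partial."""
    height, width = len(image), len(image[0])
    divisions = max(1, min(divisions, width))
    block = max(1, width // divisions)  # square blocks sized from the width (assumption)
    out = [row[:] for row in image]
    for y0 in range(0, height, block):
        for x0 in range(0, width, block):
            ys = range(y0, min(y0 + block, height))
            xs = range(x0, min(x0 + block, width))
            n = len(ys) * len(xs)
            # Integer mean per channel over every pixel in this block.
            avg = tuple(sum(image[y][x][c] for y in ys for x in xs) // n for c in range(3))
            for y in ys:
                for x in xs:
                    out[y][x] = avg
    return out


if __name__ == "__main__":
    frame = make_test_frame()
    for divisions in (1, 2, 8):
        print(f"divisions={divisions}:", pixelise(frame, divisions)[0])
```

On a real stream the same function would run once per captured frame, with the slider value fed in as `divisions`; the per-block loop is what the OpenCV version spends its time on, so a resize-down/resize-up approach (the author's first option) is the cheaper route if frame rate matters.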

I’ll bring the values into OpenGL and see what I can do with points and the like when I have another hour or two spare over the coming few days – fun stuff =D

Source code after the jump for those interested…


How To: Block Access To Specific Websites from your Router using Tomato Firmware

Tomato firmware is a free, downloadable firmware for the Linksys WRT series and some Buffalo and Asus routers which provides vastly improved functionality over the stock firmware. One of the nice things about Tomato, assuming you have a router which it’ll run on, is that it provides a very configurable method of selectively blocking access to the net in general, specific applications or protocols, or even specific websites. So if you have youngish kids who have (largely) unsupervised access to a computer with a net connection, you can keep them away from social networking sites like facebook, myspace, habbo etc. pretty easily. Here’s how:

1.) Go to your router’s web interface (http://192.168.1.1 on my setup) and click on Access Restriction

Tomato1

2.) Click on Add to create a new rule

Tomato2

3.) Untick Block All Internet Access to display the full options list, and set it up something like this:

Tomato3

In the above example I’m only blocking selected machines (so the wife still has access to facebook etc.) – the PC the kids have access to is 192.168.1.105, and my IP is 101 (so I can test the blocks on my machine before removing myself from the block list).

The blocklist uses regex sub-string matching to decide which sites to block as follows:

  • Regular words on their own are blocked if they occur anywhere in the site URL, so for example, having the word facebook in there will block sites such as: http://facebook.com, http://www.facebook.com, http://facebook.com.au, anything.facebook.anything-else
  • Words with a dollar sign at the end of them will block domains ending with what you’ve specified, that is, putting: .com$ would block ALL sites ending with .com, so putting slashdot.org$ would block slashdot.org, linux.slashdot.org, games.slashdot.org, hardware.slashdot.org etc. etc.
  • Words starting with a caret (^) block all domains starting with what you’ve specified, that is, putting: ^chat will block sites like http://chatworld.com, http://chat.parachat.com but not http://www.chatworld.com or http://www.parachat.com
  • Words starting with a caret and ending with a dollar sign blocks that exact address, i.e. ^www.r3dux.org$ would block http://www.r3dux.org, but not http://r3dux.org or http://www.r3dux.org?p=1407 (i.e. this page)
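To check those rules before trusting them on the kids' PC, here is an added example (not Tomato's own matching code) that applies a blocklist entry with Python's `re` module to the URL with its scheme stripped off. That stripping is an assumption made so the `^chat` and `^www.r3dux.org$` cases come out exactly as the list above describes; the function names are mine.

```python
import re


def blocked(pattern, url):
    """Decide whether one blocklist entry hits a URL: regex sub-string match against
    the URL minus its scheme (assumption), which reproduces the behaviour listed above."""
    target = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.IGNORECASE)
    return re.search(pattern, target) is not None


def blocked_by_any(patterns, url):
    """A site is blocked if any entry on the list matches it."""
    return any(blocked(p, url) for p in patterns)


def explain(patterns, urls):
    """Return {url: matching entry or None}, handy for eyeballing a list before saving it."""
    result = {}
    for url in urls:
        result[url] = next((p for p in patterns for _ in [0] if blocked(p, url)), None)
    return result


if __name__ == "__main__":
    # Constructed sample list and URLs mirroring the four rule types above.
    entries = ["facebook", ".com$", "^chat", "^www.r3dux.org$"]
    samples = [
        "http://facebook.com.au", "http://www.slashdot.org", "http://chat.parachat.com",
        "http://www.chatworld.com", "http://r3dux.org", "http://www.r3dux.org?p=1407",
    ]
    for url, hit in explain(entries, samples).items():
        print(f"{url:32} -> {'blocked by ' + hit if hit else 'allowed'}")
```

One caveat worth knowing when you write entries: an unescaped dot is a regex wildcard, so `www.r3dux.org` also matches a host like `wwwXr3duxXorg`; write `www\.r3dux\.org` if you mean a literal dot. The flip side of the `^chat` rule is that a `www.` prefix slips past it, so pair an anchored entry with a plain word if you want both forms caught.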

You can also block specific protocols (BitTorrent, eDonkey, LimeWire etc.) using the built-in IPP2P module, or via Layer 7 (Application Layer) deep packet inspection, which can detect and block traffic of specific types (World of Warcraft, FTP, Flash etc. etc.) regardless of what port they’re running on. Which is both amazingly awesome and slightly depressing at the same time.

I’m a firm believer in preparing the child for the world, and not the world for the child – but sometimes it can make life easier to restrict the amount of mischief they can get up to, hence the social networking blockage. Now all you need to do is make sure you’ve got a strong password on your router (which isn’t stored on a post-it note under your keyboard) and you can keep the little darlings out of harm’s way with a few clicks… Until they discover pr0n, where you’re probably going to have to take a whitelist rather than a blacklist approach like this.

Once you’ve started, where does it end, eh?

Anyways – Happy Benevolent Dictatorship!