Here is a way to protect your LAMP server from a POST flooding DDoS attack.
Steps:
- Set up Fail2Ban and IPTables by following instructions here.
- Create a new file named /etc/fail2ban/filter.d/apache-postflood.conf with the following content:

    [Definition]
    # match these lines to count a POST request as a failure
    # (<HOST> is fail2ban's placeholder for the client address)
    failregex = ^<HOST> .*\"POST [^\"]+\"
    # matches this example line:
    # 202.120.209.38 - - [16/Dec/2015:11:27:32 +1000] "POST /index.php HTTP/1.0" 302 270 "-" "-"
    #
    # don't ignore anything
    ignoreregex =

- Next, add the following to the bottom of /etc/fail2ban/jail.local:

    [apache-postflood]
    enabled = true
    # block these ports
    port = http,https
    # filter in /etc/fail2ban/filter.d/apache-postflood.conf
    filter = apache-postflood
    # or the path to your Apache log files
    logpath = /var/log/apache/*_access_log
    findtime = 20
    maxretry = 10
The jail above bans every IP that tries to POST more than 10 times to your server within 20 seconds (findtime = 20, maxretry = 10).
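To see how the filter and the findtime/maxretry window behave before relying on them, here is an added Python simulation (not part of the original post and not fail2ban's own code) that applies the same failregex to constructed Apache access-log lines and reports which hosts the jail would ban. It expands fail2ban's <HOST> placeholder to a plain IPv4 pattern and uses documentation-range IPs for the constructed sample; the regex, findtime and maxretry values are the ones from the configuration above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# fail2ban substitutes <HOST> itself; here it is expanded to an IPv4 pattern (assumption: IPv4 logs only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(r"^" + HOST + r" .*\"POST [^\"]+\"")   # same pattern as the filter above
TIME_RE = re.compile(r"\[([^\]]+)\]")                          # Apache's [dd/Mon/yyyy:HH:MM:SS +zzzz]
FINDTIME = 20    # seconds, as in the jail
MAXRETRY = 10    # matches within FINDTIME that trigger a ban

def parse_line(line):
    """Return (host, unix_time) when the line matches failregex, else None."""
    m = FAILREGEX.match(line)
    if m is None:
        return None
    ts = datetime.strptime(TIME_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), ts.timestamp()

def banned_hosts(lines, findtime=FINDTIME, maxretry=MAXRETRY):
    """Replay log lines through a per-host sliding window; return hosts that reach maxretry."""
    window = defaultdict(deque)
    banned = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                       # GETs and non-matching lines are not failures
        host, ts = parsed
        q = window[host]
        q.append(ts)
        while ts - q[0] > findtime:        # drop hits older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned.add(host)
    return banned

def _line(ip, ts, method, path):
    """Constructed access-log line in the same combined format as the page's example."""
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "{method} {path} HTTP/1.0" 200 270 "-" "-"'

PAGE_EXAMPLE_LINE = '202.120.209.38 - - [16/Dec/2015:11:27:32 +1000] "POST /index.php HTTP/1.0" 302 270 "-" "-"'
BASE = datetime(2015, 12, 16, 11, 27, 32, tzinfo=timezone(timedelta(hours=10)))
SAMPLE_LOG = (                                                  # constructed sample, documentation IPs
    [_line("203.0.113.7", BASE + timedelta(seconds=i), "POST", "/index.php") for i in range(12)]      # 12 POSTs in 11 s
    + [_line("198.51.100.9", BASE + timedelta(seconds=6 * i), "POST", "/login") for i in range(10)]   # 10 POSTs over 54 s
    + [_line("192.0.2.1", BASE + timedelta(seconds=i), "GET", "/index.php") for i in range(15)]      # GETs never match
)

if __name__ == "__main__":
    print("page example parses as:", parse_line(PAGE_EXAMPLE_LINE))
    print("hosts the jail would ban:", sorted(banned_hosts(SAMPLE_LOG)))
```

On the server itself, fail2ban-regex /var/log/apache/your_access_log /etc/fail2ban/filter.d/apache-postflood.conf runs the real filter against a real log and reports how many lines it matched.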
- Check your IPTables for the list of blocked IPs by entering iptables-save. You should see output like the following:

    # Generated by iptables-save v1.4.21 on Thu May 12 22:17:09 2016
    *filter
    :INPUT ACCEPT [149:37517]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [137:16186]
    :fail2ban-apache-postflood - [0:0]
    :fail2ban-ssh - [0:0]
    -A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-postflood
    -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
    -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
    -A fail2ban-apache-postflood -s 91.200.12.26/32 -j REJECT --reject-with icmp-port-unreachable
    -A fail2ban-apache-postflood -j RETURN
    -A fail2ban-ssh -j RETURN
    COMMIT
    # Completed on Thu May 12 22:17:09 2016