Server security matters. Ports such as MySQL 3306, FTP and SSH 22 can be restricted directly with iptables access rules; on CentOS you add a statement like the following to /etc/sysconfig/iptables:
-A INPUT -s 192.168.3.192/32 -p tcp -m tcp --dport 3306 -j ACCEPT
This means that only the IP 192.168.3.192 can reach port 3306 on the server, and the same approach works for the other ports, which is much safer. Web services, however, cannot be locked down this way because they are meant to serve all users. This is where the tool Fail2ban comes in. It can only stop the average small-time attacker, though; a real DDoS would still take you down. The difference between DoS and DDoS is that one comes from a single source and the other from many.
Installation
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum install fail2ban
Configuration
After the installation is complete, the service configuration directory is /etc/fail2ban:
/etc/fail2ban/action.d # action directory, with default files included; iptables, mail and other action configurations
/etc/fail2ban/fail2ban.conf # defines the fail2ban log level, log location and socket file location
/etc/fail2ban/filter.d # filter directory, with default files included; settings for matching the key content in logs
/etc/fail2ban/jail.conf # main configuration file, modular; the main settings enable the ban action per service and set the action threshold
/etc/rc.d/init.d/fail2ban # startup script
vi /etc/fail2ban/fail2ban.conf
[Definition]
# all we need to do is change this line to /var/log/fail2ban.log, so the log information is easy to find
logtarget = /var/log/fail2ban.log
vim /etc/fail2ban/jail.conf and add:
[nginx-dos]
enabled = true
port = http,https
filter = nginx-bansniffer
action = iptables[name=bbs-nginx-ddos, port=http, protocol=tcp]
         sendmail-whois[name=bbs-nginx-ddos, dest=you@example.com, sender=root]
# where the access log is located
logpath = /data/nginx/logs/bbs.access.log
# note this value; see the explanation under Principle
maxretry = 4000
findtime = 60
bantime = 3600
socket = /var/run/fail2ban/fail2ban.sock
Then create the file /etc/fail2ban/filter.d/nginx-bansniffer.conf with the following contents:
[Definition]
failregex = <HOST> -.*- .*HTTP/1.* .* .*$
ignoreregex =
Principle
Fail2ban watches the log and calls iptables to ban the matching IP; you can test the setup with tools such as the foreign-made Hulk. In the configuration above, maxretry = 4000 does not simply mean "an IP is banned after 4,000 requests": you need to look carefully at how many records a single page load produces in the log Fail2ban is watching, and then tune the threshold for sendmail and iptables up or down to match.
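To see why maxretry has to be calibrated against the number of log lines one page load produces, here is an added example (not from the original post or from Fail2ban) that replays constructed nginx access-log lines through the page's failregex and a per-IP findtime window. The <HOST> expansion, the sample IPs and the six-asset page are assumptions made for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Fail2ban replaces <HOST> in failregex with its own host pattern; this is an
# approximation of that expansion, combined with the filter from this page.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
FAILREGEX = re.compile(HOST + r" -.*- .*HTTP/1.* .* .*$")
TIME_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

def parse_line(line):
    """Return (host, timestamp) when the line matches the jail's failregex, else None."""
    m = FAILREGEX.search(line)
    t = TIME_RE.search(line)
    if not m or not t:
        return None
    return m.group("host"), datetime.strptime(t.group(1), "%d/%b/%Y:%H:%M:%S")

def simulate(lines, maxretry, findtime):
    """Replay log lines through Fail2ban's per-IP sliding window: an IP is banned
    once it has `maxretry` matching lines within the last `findtime` seconds."""
    window, banned = defaultdict(deque), []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[0] in banned:
            continue
        host, ts = parsed
        q = window[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # drop hits older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned.append(host)
    return banned

# --- constructed sample log in nginx "combined" format, not real traffic ---
def nginx_line(ip, path, ts):
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S")
    return f'{ip} - - [{stamp} +0800] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

ASSETS = ["/index.html", "/css/site.css", "/js/app.js", "/img/logo.png", "/img/bg.png", "/favicon.ico"]

def page_load(ip, ts):
    """One browser page load writes one access-log line per asset (6 here)."""
    return [nginx_line(ip, p, ts) for p in ASSETS]

BASE = datetime(2013, 10, 10, 13, 55, 0)
SAMPLE_LOG = (
    page_load("192.168.3.192", BASE)                                             # one normal visit
    + [nginx_line("10.0.0.7", "/index.html", BASE + timedelta(seconds=i)) for i in range(90)]  # flood, 1 req/s
    + page_load("172.16.0.5", BASE + timedelta(seconds=20))                      # a visitor who reloads
    + page_load("172.16.0.5", BASE + timedelta(seconds=50))                      # the page 30 s later
)

if __name__ == "__main__":
    print("maxretry=30:", simulate(SAMPLE_LOG, 30, 60))  # only the flooder is banned
    print("maxretry=10:", simulate(SAMPLE_LOG, 10, 60))  # the reloading visitor is banned too
```

With findtime = 60, a threshold of 30 catches the one-request-per-second flood while leaving both visitors alone, but a threshold of 10 also bans the visitor whose two page loads produce twelve log lines inside the window; that is the calibration the paragraph above is asking for.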
Web server protection against DoS (denial-of-service) attacks