Nginx and Fail2ban are complementary tools for mitigating DDoS attacks and other request floods. Nginx rate limiting provides real-time protection by capping the number of requests accepted from each client address within a given time window. Fail2ban builds on this by scanning the Nginx error log for clients that keep exceeding the limit and blocking their IP addresses at the firewall, so repeat offenders are dropped before they reach Nginx at all. Both mechanisms key on the client IP address, so they are most effective against single-source floods and brute-force attempts; traffic spread across many addresses still needs upstream filtering (a CDN or provider-level scrubbing) in addition.
Prerequisites
- Nginx is installed and running.
- Fail2ban is installed and running.
1. Configure Nginx to enable Rate Limiting
Add the following to the http block of your Nginx configuration (for example /etc/nginx/nginx.conf). The server block stands for your existing virtual host; only the limit_* directives are new.
http {
    # Shared-memory zone keyed on the client address, used to count open
    # connections per IP. 10m is the size of the zone.
    limit_conn_zone $binary_remote_addr zone=conn_perip:10m;

    # Shared-memory zone keyed on the client address, with the allowed request
    # rate per IP. 20m is the size of the zone.
    # Note: $binary_remote_addr is the TCP peer. Behind a reverse proxy or CDN
    # every user shares the proxy's address unless the real_ip module restores it.
    limit_req_zone $binary_remote_addr zone=req_perip:20m rate=10r/s;

    server {
        # At most 20 simultaneous connections from one IP.
        limit_conn conn_perip 20;

        # 10 requests per second per IP. Up to 10 extra requests are accepted
        # immediately (nodelay) instead of being queued; anything beyond that is
        # rejected with 503 and logged as "limiting requests, excess: ...".
        limit_req zone=req_perip burst=10 nodelay;
    }
}
Explanation:
- limit_conn_zone: Creates a shared-memory zone named conn_perip, keyed on the client IP address ($binary_remote_addr), that tracks how many connections each address currently holds. 10m is the size of the zone.
- limit_req_zone: Defines a shared-memory zone named req_perip, keyed on the same address, with an allowed rate of 10 requests per second per address. 20m is its size; Nginx documents that one megabyte holds on the order of 16,000 address states, so this is ample for most servers. If the zone fills up, Nginx evicts the oldest entries and, if it still cannot find room, returns the rejection status for the request.
- limit_conn: Inside the server block, enforces at most 20 simultaneous connections per address. Excess connections receive a 503 response by default.
- limit_req: Enforces the 10 r/s rate. burst=10 lets a client exceed the rate by up to 10 requests before Nginx starts rejecting, and nodelay means those burst requests are served immediately rather than being queued to smooth them down to 10 r/s. Requests beyond rate plus burst are rejected with 503 (the default limit_req_status) and written to the error log as "limiting requests, excess: ..."; that log line is what Fail2ban keys on in the next step. Without nodelay, queued requests would instead be logged as "delaying request" one level lower, and the Fail2ban filter below deliberately ignores those.
Tips:
- Testing: After applying the limits, watch the error log for "limiting requests" entries and confirm they belong to abusive clients rather than to legitimate users loading pages with many assets at once. Every rejected request produces its own log line, so a single page load that overshoots the burst can generate several entries from one address within a second.
- Adjust values: Tune the connection and request limits to your traffic pattern (API endpoints, static assets and login forms usually deserve different limits) to balance protection against false positives.
- Proxies and CDNs: If Nginx sits behind a load balancer or CDN, configure set_real_ip_from and real_ip_header so $binary_remote_addr reflects the real client, and trust those headers only from the proxy's addresses. Otherwise all users share one bucket and the limit either bans everyone or nobody.
- Log level: Nginx writes the "limiting requests" line at error level by default (limit_req_log_level). The Fail2ban step depends on those lines, so do not raise the error_log threshold above error.
2. Configure Fail2ban to block IPs that keep exceeding the limit
Create a custom Fail2ban filter (Fail2ban also ships a stock filter for these lines, filter.d/nginx-limit-req.conf, which you can reference with filter = nginx-limit-req instead of writing your own):
sudo nano /etc/fail2ban/filter.d/nginx-limit.conf
[INCLUDES]
before = common.conf

[Definition]
# Matches the line Nginx writes when it rejects a request over rate+burst, e.g.
#   ... limiting requests, excess: 1.497 by zone "req_perip", client: 192.0.2.10, server: ...
# Anchoring on the literal "client:" matters: a loose pattern such as
# "^.* requests, excess: .* <HOST>, .*" is greedy and can capture the server name
# that follows the client address instead of the address itself.
failregex = ^.*limiting requests, excess: [\d.]+ by zone "\S+", client: <HOST>,
ignoreregex =
Add the following jail to your jail.local:
[nginx-limit]
enabled  = true
# filter defaults to the jail name, i.e. filter.d/nginx-limit.conf
# ban on both HTTP and HTTPS; banning only 443 leaves port 80 open
port     = http,https
# nginx_error_log is defined in paths-common.conf and globs /var/log/nginx/*error.log
logpath  = %(nginx_error_log)s
# two rejected requests within findtime (default 10m) trigger a 12 hour ban
maxretry = 2
bantime  = 12h
Reload Fail2ban so it picks up the new filter and jail:
$ sudo fail2ban-client reload
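Before pointing Fail2ban at a live log it is worth seeing what the filter actually captures. The following Python script is an added example, not code from the original tutorial or from Fail2ban. It replays constructed Nginx error_log lines (the addresses and server name are made up) through two failregex variants, the loose `^.* requests, excess: .* <HOST>, .*` form and a version anchored on `client:`, and then through a minimal model of the jail's maxretry/findtime counting. The HOST pattern is a simplified stand-in for Fail2ban's <HOST> tag, and simulate_jail is an illustrative helper, not Fail2ban's real engine.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> tag: besides IPv4/IPv6 branches, the real
# tag has a DNS alternative that accepts any hostname-like token, which is what makes
# a greedy pattern able to capture the wrong field. (Assumption for illustration.)
HOST = r"(?P<host>[\w\-.^_]*\w)"

# Loose filter: two greedy ".*" before <HOST>, so the LAST "<space><token>," wins.
LOOSE_FAILREGEX = r"^.* requests, excess: .* <HOST>, .*"
# Tightened filter: anchored on the literal "client:" that nginx writes before the peer address.
STRICT_FAILREGEX = r'limiting requests, excess: [\d.]+ by zone "\S+", client: <HOST>,'

# Constructed sample error_log lines in nginx's format (not from a real server).
# 203.0.113.7 overshoots the burst twice within one second; 198.51.100.9 is only
# delayed once (not a rejection) and rejected once; the last line is unrelated noise.
SAMPLE_LOG = [
    '2025/01/05 21:36:13 [error] 2580252#2580252: *1 limiting requests, excess: 1.497 by zone "req_perip", client: 203.0.113.7, server: www.example.org, request: "GET /search?q=a HTTP/2.0", host: "www.example.org"',
    '2025/01/05 21:36:13 [warn] 2580252#2580252: *2 delaying request, excess: 0.400 by zone "req_perip", client: 198.51.100.9, server: www.example.org, request: "GET / HTTP/2.0", host: "www.example.org"',
    '2025/01/05 21:36:14 [error] 2580253#2580253: *3 limiting requests, excess: 1.296 by zone "req_perip", client: 203.0.113.7, server: www.example.org, request: "GET /search?q=b HTTP/2.0", host: "www.example.org"',
    '2025/01/05 21:36:40 [error] 2580253#2580253: *5 limiting requests, excess: 2.010 by zone "req_perip", client: 198.51.100.9, server: www.example.org, request: "GET /api HTTP/2.0", host: "www.example.org"',
    '2025/01/05 21:59:00 [error] 2580253#2580253: *9 open() "/var/www/html/missing" failed (2: No such file or directory), client: 203.0.113.7, server: www.example.org, request: "GET /missing HTTP/2.0", host: "www.example.org"',
]


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand the <HOST> tag the way fail2ban does and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST))


def extract_host(failregex: str, line: str):
    """Return the host a failregex captures from one error_log line, or None if no match."""
    m = compile_failregex(failregex).search(line)
    return m.group("host") if m else None


def log_time(line: str) -> datetime:
    """Parse the leading 'YYYY/MM/DD HH:MM:SS' timestamp of an nginx error_log line."""
    return datetime.strptime(line[:19], "%Y/%m/%d %H:%M:%S")


def simulate_jail(lines, failregex, maxretry=2, findtime=timedelta(minutes=10)):
    """Minimal model of a fail2ban jail: ban a host once it has maxretry matches
    inside a sliding findtime window. Returns {host: time_of_ban}."""
    pattern = compile_failregex(failregex)
    hits = defaultdict(list)
    banned = {}
    for line in lines:
        m = pattern.search(line)
        if not m:
            continue
        host, when = m.group("host"), log_time(line)
        if host in banned:
            continue  # already blocked at the firewall; further lines change nothing
        hits[host] = [t for t in hits[host] if when - t <= findtime] + [when]
        if len(hits[host]) >= maxretry:
            banned[host] = when
    return banned


if __name__ == "__main__":
    first = SAMPLE_LOG[0]
    print("loose regex captured: ", extract_host(LOOSE_FAILREGEX, first))   # www.example.org
    print("strict regex captured:", extract_host(STRICT_FAILREGEX, first))  # 203.0.113.7
    print("delaying line matched:", extract_host(STRICT_FAILREGEX, SAMPLE_LOG[1]))  # None
    print("banned:", simulate_jail(SAMPLE_LOG, STRICT_FAILREGEX))
    # banned: {'203.0.113.7': datetime.datetime(2025, 1, 5, 21, 36, 14)}
```

The loose pattern returns the server name from the `server:` field because the greedy `.*` runs to the last token that looks like a host; with the tightened pattern the client address is captured, the `delaying request` line is ignored as intended, and 203.0.113.7 is banned on its second rejection at 21:36:14 while 198.51.100.9 stays under maxretry. To check the real filter against your own log, run `sudo fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-limit.conf` and confirm the matched hosts are client addresses.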
3. Testing and Monitoring
3.1 Check the Nginx error log for rejected requests (the file name depends on your error_log directive):
$ sudo cat /var/log/nginx/www.itnote.org.error.log
2025/01/05 21:36:13 [error] 2580252#2580252: *1 limiting requests, excess: 1.497 by zone "req_perip", client: 129.45.s?delta=1&language=en&theme=solo&include=eJxljsEKhDAMRH_IbGFvfs3S2KBhm0aaVunfWz257uXBDG9gTKM6aVO1ovKJjNnnNtjZnoCpI3c.org", referrer: "https://www.itnote.org/"
2025/01/05 21:36:14 [error] 2580253#2580253: *3 limiting requests, excess: 1.296 by zone "req_perip", client: 129.45.rer: "https://www.itnote.org/"
3.2 Check the status of Fail2ban nginx-limit jail:
$ sudo fail2ban-client status nginx-limit
Status for the jail: nginx-limit
|- Filter
| |- Currently failed: 0
| |- Total failed: 11
| `- File list: /var/log/nginx/www.itnote.org.error.log /var/log/nginx/error.log
`- Actions
|- Currently banned: 0
|- Total banned: 1
`- Banned IP list:
3.3 Check the firewall for the ban. This output assumes banaction = ufw in the jail.local [DEFAULT] section; with the default banaction the rule lives in iptables/nftables instead, and the "Banned IP list" shown by fail2ban-client status above is the firewall-independent check.
$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   REJECT      43.156.229.70              # by Fail2Ban after 2 attempts against nginx-limit
Conclusion
Nginx and Fail2ban work together to mitigate DDoS attacks and other request floods. Nginx rate limiting caps the number of requests accepted from each client address in real time and logs the rejections; Fail2ban reads those log lines and blocks addresses that keep hitting the limit at the firewall, so the server stops spending resources on them at all.