I asked a question on the IT security StackExchange about protecting against DoS attacks. One of the answers was to install Fail2Ban.
I talked to the people that administer the server and they told me Fail2ban is installed by default to watch for failed SSH login attempts. They asked if I wanted it to watch other services on the server.
What services should I have watched by Fail2ban to protect against the DoS attacks?
Would this just be the HTTP services - watch for multiple requests from the same IP within x amount of time?
One of the attacks appeared to create a lot of connections to the MySQL database with the command sleep.
Fail2Ban is most effective in banning IPs for 'failed attempts'. As such, it's really not the most appropriate tool for watching for actual DoS attacks. I set Fail2Ban to watch Apache's httpd-error log file. IPs that have 20 "bad" requests within 5 minutes get banned for 5 minutes. This cuts down on script kiddies and the like, but really wouldn't protect at all against a targeted attack.
Mod_evasive and mod_security can help cut down on potential DoS vectors, but without knowing how your site works I couldn't provide any silver bullet solutions.
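The jail described in this answer (20 "bad" requests in 5 minutes, 5-minute ban) is easy to reason about once the sliding-window logic is spelled out. The following Python is an added illustration, not the answerer's configuration or fail2ban's own code: it mirrors fail2ban's maxretry / findtime / bantime behaviour over Apache 2.4 error_log lines. The log lines are constructed for the example, and the regex assumes the default Apache 2.4 error_log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Same thresholds as the jail described above: fail2ban's maxretry / findtime / bantime
MAXRETRY = 20
FINDTIME = timedelta(minutes=5)
BANTIME = timedelta(minutes=5)

# Apache 2.4 error_log line, e.g.
# "[Fri Mar 01 02:00:00.000000 2024] [core:error] [pid 4242] [client 203.0.113.5:40000] AH00126: ..."
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{6} \d{4})\] "
    r"\[[\w-]+:(?P<level>\w+)\] \[pid \d+(?::tid \d+)?\] \[client (?P<ip>[^\]:]+):\d+\]"
)

def scan(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Return {ip: ban_expiry} for clients with >= maxretry error lines inside one findtime window."""
    recent = defaultdict(deque)  # ip -> timestamps of error lines still inside the window
    bans = {}                    # ip -> datetime at which the ban expires
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["level"] not in ("error", "crit"):
            continue  # notices and lines without a client address are not "bad requests"
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
        ip = m["ip"]
        if ip in bans and ts < bans[ip]:
            continue  # already banned; fail2ban would be dropping this client at the firewall
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()  # forget hits older than findtime (sliding window, as fail2ban does)
        if len(window) >= maxretry:
            bans[ip] = ts + bantime
            window.clear()
    return bans

def _error_line(ts, ip, port):
    stamp = ts.strftime("%a %b %d %H:%M:%S.000000 %Y")
    return f"[{stamp}] [core:error] [pid 4242] [client {ip}:{port}] AH00126: Invalid URI in request GET /%zz HTTP/1.1"

def sample_log():
    """Constructed error_log lines (not real traffic): one noisy client, one quiet one, one notice."""
    base = datetime(2024, 3, 1, 2, 0, 0)
    lines = ["[Fri Mar 01 02:00:00.000000 2024] [mpm_event:notice] [pid 4240] AH00489: Apache/2.4.58 configured"]
    lines += [_error_line(base + timedelta(seconds=5 * i), "203.0.113.5", 40000 + i) for i in range(25)]
    lines += [_error_line(base + timedelta(seconds=60 * i), "198.51.100.7", 50000 + i) for i in range(3)]
    return lines

if __name__ == "__main__":
    for ip, until in scan(sample_log()).items():
        print(f"ban {ip} until {until:%H:%M:%S}")  # 203.0.113.5 until 02:06:35
```

The noisy client trips the threshold on its 20th error (95 seconds in) and is banned until 02:06:35; its remaining lines are ignored while the ban is active, and the client with three errors is never banned.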
There's a rather common misconception that performing blocks of some kind can prevent, or at least significantly ease, a DoS attack. While that may be true of simple and crude attacks, the reality is that truly effective DoS attacks don't require a response from the attacked system. The desired effect is achieved by simply flooding the system with inbound packets and it doesn't even matter what those packets are. This works for two reasons.
From that it should be evident that fail2ban, or anything else of that kind, can at best have only a minimal effect on those attacks that do listen for a response from the target.
I have fail2ban on my servers configured to ban for 15 min after 5 failed attempts with exempted IP ranges for internal users. I had been getting a lot of login attempts out of China, nothing targeted but still about 5-10k per day between 1AM and 6AM. As useful as it is, it will have no effect on a DoS.
A DoS needs to be handled at layer 3 or 4 on the perimeter of your network. If the attack makes it to a server you're already going to be shut down.
See this article on how to protect Apache with fail2ban including a custom rule for DoS attacks https://komunity.komand.com/learn/article/server-administration/how-to-protect-ssh-and-apache-using-fail2ban-on-ubuntu-linux/