Shabat Closer

Sunday, May 29, 2016

TECH: Block a DDoS attack with Cloudflare, haproxy and fail2ban.

Survive a DDoS attack with Cloudflare, haproxy and fail2ban.


This configuration was tested during a live attack from 72 servers sending 10,000 requests per minute.


  1. Configure Cloudflare for maximum security
     https://support.cloudflare.com/hc/en-us/articles/200170196-I-am-under-DDoS-attack-what-do-I-do-
  2. Enable the haproxy log
     http://moshez.blogspot.co.il/2016/05/tech-enable-haproxy-log.html
  3. Enable a custom log format for haproxy by changing /etc/haproxy/haproxy.cfg:

     frontend  main
        bind *:80

        log   global
        capture request header X-Forwarded-For len 25
        log-format %hr[%r]

     With this format every request is logged as the captured X-Forwarded-For header in braces followed by the HTTP request line in square brackets, for example (constructed line): {203.0.113.7}[GET / HTTP/1.1]
  4. Remove "log global" from the defaults section, because we have moved it to frontend main, which gives better performance.
  5. Configure fail2ban
     Jail config, /etc/fail2ban/jail.conf:

       [haproxy]
       enabled = true
       port    = http,https
       filter  = haproxy
       banaction = cloudflare
       maxretry = 2
       findtime  = 5
       logpath  = /var/log/haproxy.log
       bantime = 7200

     Filter config, /etc/fail2ban/filter.d/haproxy.conf. This filter catches every request for / (the site root):

       # Fail2Ban filter for haproxy
       # by MosheZ http://moshez.blogspot.com


       [INCLUDES]

       # Read common prefixes. If any customizations available -- read them from
       # common.local
       before = common.conf

       [Definition]

       _daemon = haproxy

       failregex = ^\s.*: {<HOST>}(.*GET / HTTP/1.1.*)\s*$

       ignoreregex = 

       [Init]

       # "maxlines" is number of log lines to buffer for multi-line regex searches
       maxlines = 10

     Action config, /etc/fail2ban/action.d/cloudflare.conf:

       [Definition]


       actionban = curl -s -o /dev/null https://www.cloudflare.com/api_json.html -d 'a=ban' -d 'tkn=<cftoken>' -d 'email=<cfuser>' -d 'key=<ip>'


       #actionunban = curl -s -o /dev/null https://www.cloudflare.com/api_json.html -d 'a=nul' -d 'tkn=<cftoken>' -d 'email=<cfuser>' -d 'key=<ip>'

       [Init]

       # If you like to use this action with mailing whois lines, you could use the composite action
       # action_cf_mwl predefined in jail.conf, just define in your jail:
       #
       # action = %(action_cf_mwl)s
       # # Your CF account e-mail
       # cfemail  = 
       # # Your CF API Key
       # cfapikey = 

       # REPLACE the two values below with your own Cloudflare API key and account e-mail
       cftoken = dfgb0390bfe31ed1e931c1b6ae

       cfuser = example@example.com
  6. Restart the services
       service haproxy restart
       service fail2ban restart

  7. Enjoy!
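To see what the filter and jail settings above actually do before pointing banaction at Cloudflare, here is an added Python script (my own, not code from the post) that replays a few constructed haproxy.log lines in the %hr[%r] format through the post's failregex and its maxretry/findtime rule. HOST_RE is a simplified copy of what fail2ban substitutes for <HOST>, and the timestamps and addresses in SAMPLE_LOG are constructed; the Cloudflare API call itself is not exercised.

```python
import re
from datetime import datetime

# Simplified form of the pattern fail2ban substitutes for <HOST> (assumption:
# real fail2ban handles IPv6 and hostnames in more detail).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# failregex copied from the post's /etc/fail2ban/filter.d/haproxy.conf
FAILREGEX = r"^\s.*: {<HOST>}(.*GET / HTTP/1.1.*)\s*$"

# jail settings copied from the post's [haproxy] section
MAXRETRY = 2
FINDTIME = 5  # seconds

# syslog-style timestamp that starts every /var/log/haproxy.log line
DATE_RE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}")

FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))

# Constructed sample log lines in the post's %hr[%r] format: the captured
# X-Forwarded-For value in braces, then the HTTP request line in brackets.
SAMPLE_LOG = [
    "May 29 10:00:01 web1 haproxy[1234]: {203.0.113.7}[GET / HTTP/1.1]",
    "May 29 10:00:02 web1 haproxy[1234]: {203.0.113.7}[GET / HTTP/1.1]",
    "May 29 10:00:03 web1 haproxy[1234]: {198.51.100.9}[GET /about HTTP/1.1]",
    "May 29 10:00:04 web1 haproxy[1234]: {198.51.100.9}[GET / HTTP/1.1]",
    "May 29 10:00:05 web1 haproxy[1234]: {}[GET / HTTP/1.1]",
    "May 29 10:00:20 web1 haproxy[1234]: {198.51.100.9}[GET / HTTP/1.1]",
]


def match_line(line):
    """Return (timestamp, host) when a log line matches failregex, else None.

    Like fail2ban, the date is located and cut out first and the filter
    regex is applied to the remainder, which then starts with a space
    (that is what the leading ^\\s in the post's failregex relies on).
    """
    m = DATE_RE.match(line)
    if not m:
        return None
    stamp = datetime.strptime(m.group(0), "%b %d %H:%M:%S")
    hit = FAIL_RE.match(line[m.end():])
    if not hit:
        return None
    return stamp, hit.group("host")


def hosts_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay log lines through the jail rule: a host is banned (once) as
    soon as it has maxretry matching lines within any findtime-second window.
    Returns the banned hosts in the order the bans would be triggered."""
    recent = {}   # host -> timestamps of matches still inside the window
    banned = []
    for line in lines:
        result = match_line(line)
        if result is None:
            continue
        stamp, host = result
        window = [t for t in recent.get(host, [])
                  if (stamp - t).total_seconds() <= findtime]
        window.append(stamp)
        recent[host] = window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print("match" if match_line(line) else "skip ", line)
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
```

Running it shows 203.0.113.7 banned after two requests for / one second apart, while 198.51.100.9 (whose second matching request comes 16 seconds after the first) and the line with an empty X-Forwarded-For are left alone. The same replay is why an ordinary visitor reloading the home page twice, or a crawler, trips the ban at findtime = 5 / maxretry = 2: the filter matches every GET / request, not only attack traffic, so tune those two numbers against real logs first. Two more things worth checking: with actionunban commented out, addresses sent to Cloudflare are never removed when bantime expires, and the filter trusts the X-Forwarded-For header, which is only safe while haproxy is reachable exclusively through Cloudflare.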

3 comments:

  1. Hello,

    Thanks for your post, but when curl runs I get this error:

    ERROR curl https://www.cloudflare.com/api_json.html -d 'a=ban' -d 'tkn=myapikey' -d 'email=myuseremail' -d 'key=ip' -- stderr: '\ncurl: (7) Failed to connect to 198.41.214.162: Permission denied\n'

    But when I paste this command into the screen it blocks successfully.. :S

    1. Thanks for your help..

      I see false negatives.. How can I set it up? I can not see.. It blocked some search engine bots too..
