Hello … I received some kind of L7 attack (HTTP flood) … I use fail2ban for other services (e.g. SSH, FTP).
Does anyone have a suggestion to mitigate an httpd flood?
This means that f2b will ban all IPs that make 100 requests (maxretry) in 5 seconds (findtime) for 24 hours (bantime). You can play with maxretry and findtime to find what is best for you, but watch out not to ban legitimate visitors. You could lower the ban time to something smaller, like 1 hour, but I will leave this to you.
Don't forget to restart f2b, and feel free to rename "nomoreflood" to whatever you want.
After you restart fail2ban, check the log files (f2b, Apache) and see if everything is working. Just so you know, people who share the same IP, like on public Wi-Fi, could trigger f2b.
WHITELIST YOUR IP ADDRESS in "/etc/fail2ban/jail.local" (pay attention to the empty space between each IP): ignoreip = 127.0.0.1/8 xxx.xxx.xxx.xxx
Just to be sure you will not ban yourself during testing or whatever else, especially if you keep the 24h ban time.
During testing it would be good to set bantime to something smaller, like 3 to 5 min (180 - 300), so if you start banning legitimate visitors by mistake it will expire in a short time.
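To make the settings discussed above concrete, here is a filter and jail pair in fail2ban's own configuration syntax. This is an added example for this thread, not the poster's actual configuration (which is not shown here): the log path is the Debian/Ubuntu default (CentOS/RHEL uses /var/log/httpd/access_log), and 203.0.113.10 is a placeholder for your own address.

```ini
# /etc/fail2ban/filter.d/nomoreflood.conf
[Definition]
# Count every GET or POST from a host, legitimate or not
failregex = ^<HOST> -.*"(GET|POST).*
ignoreregex =

# /etc/fail2ban/jail.local
[DEFAULT]
# space separated; 203.0.113.10 stands in for your own address
ignoreip = 127.0.0.1/8 ::1 203.0.113.10

[nomoreflood]
enabled  = true
port     = http,https
filter   = nomoreflood
logpath  = /var/log/apache2/access.log
maxretry = 100
findtime = 5
bantime  = 86400
# while testing use a short ban, e.g. bantime = 300
```

Before enabling the jail, run `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/nomoreflood.conf` to confirm the regex matches your log format and how many lines it would count; after `fail2ban-client reload`, `fail2ban-client status nomoreflood` shows the current ban list so you can see whether anyone was banned by mistake.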
findtime is too big: 120 = 2 minutes, and in case of a flood you would get hundreds of requests per second. I would lower that to 30 (or lower) and then play with maxretry. Just so you know, with that rule all POST and GET requests will be counted regardless of whether the source is legitimate or not. Keep this in mind when setting findtime and maxretry.
This is another rule similar to yours and maybe worth testing: failregex = ^<HOST> -.*"(GET|POST).*?.*=http://.* HTTP/.*$
ignoreip and the rest I explained in my first post; you should add your IP to that line, at least until you are sure everything works (or you know what you are doing).
Check the f2b and Apache logs and see if everything works.
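Because the rule counts every GET and POST, the only safe way to choose maxretry and findtime is to replay traffic against candidate values before turning on a long ban. The following is an added Python example written for this thread (it is not from the poster or from fail2ban itself): it reimplements the jail's counting rule, including ignoreip handling, over constructed Apache access-log lines, so you can see which settings catch the flooder and which settings would also ban a normal visitor. The addresses (RFC 5737 documentation ranges), timestamps and log lines are constructed for the example.

```python
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Counting rule equivalent to the thread's filter: every GET or POST counts,
# legitimate or not.  Fail2ban's <HOST> placeholder is the 'host' group here.
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?:GET|POST) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # Apache combined-log timestamp
BASE = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed sample date


def is_ignored(ip, ignoreip):
    """True if ip falls inside any ignoreip entry (single address or CIDR)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def simulate_bans(lines, maxretry, findtime, bantime, ignoreip=()):
    """Replay access-log lines through a fail2ban-style counter.

    An IP is banned when it reaches maxretry counted requests inside any
    findtime-second window; the ban lasts bantime seconds and requests made
    while banned are not counted (the firewall would have dropped them).
    Returns {ip: ban expiry datetime}.
    """
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    bans = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                  # e.g. HEAD/OPTIONS: the filter does not match
        ip = m.group("host")
        if is_ignored(ip, ignoreip):
            continue                  # whitelisted, never counted
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        if ip in bans and ts < bans[ip]:
            continue                  # still banned
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()          # drop hits older than findtime
        if len(window) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)
            window.clear()
    return bans


def _line(ip, ts, method="GET", path="/"):
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
            f'200 512 "-" "Mozilla/5.0"')


def sample_log():
    """Constructed Apache access log: a flooder, a normal visitor and an
    admin host, all on RFC 5737 documentation addresses."""
    events = []
    # flooder: 120 requests in 3 seconds
    events += [(BASE + timedelta(milliseconds=25 * i), "198.51.100.7", "GET", "/index.php")
               for i in range(120)]
    # normal visitor: 20 page loads, one every 3 seconds, plus a HEAD that is not counted
    events += [(BASE + timedelta(seconds=3 * i), "192.0.2.50", "GET", f"/page{i}")
               for i in range(20)]
    events.append((BASE + timedelta(seconds=30), "192.0.2.50", "HEAD", "/"))
    # admin host hammering a status page: 200 requests in 2 seconds
    events += [(BASE + timedelta(milliseconds=10 * i), "203.0.113.10", "POST", "/status")
               for i in range(200)]
    events.sort(key=lambda e: e[0])
    return [_line(ip, ts, method, path) for ts, ip, method, path in events]


if __name__ == "__main__":
    log = sample_log()
    for settings in ((100, 5, 86400), (100, 30, 300), (10, 30, 300)):
        maxretry, findtime, bantime = settings
        banned = simulate_bans(log, maxretry, findtime, bantime,
                               ignoreip=("127.0.0.1/8", "203.0.113.10"))
        print(f"maxretry={maxretry} findtime={findtime}: banned {sorted(banned)}")
```

With the thread's values (100 requests in 5 seconds) only the flooder is banned and the whitelisted admin host is never counted; drop maxretry to 10 with findtime 30 and the normal visitor, who only loads a page every three seconds, is banned too, which is exactly the shared-IP / legitimate-visitor problem the replies warn about. Feed real lines from your own access log into simulate_bans to test candidate values against actual traffic; fail2ban-regex tells you whether the filter matches, this tells you whether the thresholds are sane.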