
Protecting your web server from Flood attacks

[VPS/VDS servers]
Date of publication: 28.01.2023

Description of settings

This guide covers configuring web server services to protect against small attacks, flooding, and password-guessing attacks. Such attacks are designed to increase the load on a web service, consume server resources, and cause denial of service through resource exhaustion. It allows you to configure your server for basic, server-level protection against several types of attacks. In our configuration examples we used the CentOS 7 operating system.

What is the difference from the DDoS attack protection service?

The DDoS attack protection service is provided in the form of a protected IP address whose traffic passes through dedicated filtering equipment; it protects against medium and large attacks, which are aimed more at disabling network equipment. It will not, however, protect services from minor flooding, which can also cause harm: because only a small number of bots access the web server, the equipment simply does not recognize it as an attack. With a correct approach to server protection, both measures are applied: flood protection and protection from DDoS attacks. Here we describe how to configure your web server to protect it from flooding.

Web services

Depending on the web server you use, there are different methods and types of settings. We have listed the most popular web services and described the settings for each.

Protection against BruteForce attacks

This type of attack greatly increases the load on the web service. The attacker takes the link to the login form of the site's admin area and runs it on several bots, which begin guessing passwords using GET and POST requests. In the logs you will see hundreds or thousands of requests from the same IP addresses. They can create a significant load and cause the web service to fail. For protection we use the Fail2Ban service, which blocks an IP address for a set time once the number of requests to the same link within 10 minutes exceeds the limit. From our experience and observations, with this type of attack the service is able to block about 5000 IP addresses in a short period without creating a load on the server.
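As an added illustration (not part of the original guide and not Fail2Ban's own code), the following Python re-implements the counting rule such a jail applies: requests to the login URL from one IP are counted inside a sliding 10-minute window, and the IP is flagged for banning once the threshold is reached. The login path `/admin/login`, the sample log lines and the IP addresses are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Parses the common/combined access-log format written by Apache and Nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def find_bruteforce_ips(lines, login_path, findtime=600, maxretry=5):
    """Return {ip: time_threshold_reached} for every IP that hit `login_path`
    at least `maxretry` times inside a sliding window of `findtime` seconds.
    This mirrors Fail2Ban's findtime/maxretry semantics (10 minutes = 600 s,
    as in the guide); it is a stand-alone illustration, not Fail2Ban itself."""
    recent = defaultdict(deque)  # ip -> timestamps of hits still inside the window
    banned = {}
    for line in lines:
        m = LOG_RE.match(line)
        # Query strings are ignored so /admin/login?redirect=... still counts.
        if not m or m.group("path").split("?", 1)[0] != login_path:
            continue
        ip, ts = m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > timedelta(seconds=findtime):  # expire old hits
            hits.popleft()
        if len(hits) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned


# Constructed sample log: a bot (203.0.113.5) posting to the login form every
# 5 seconds, and a legitimate user (198.51.100.7) logging in normally.
LOGIN = "/admin/login"  # assumed path of the admin login form
SAMPLE_LOG = [
    f'203.0.113.5 - - [28/Jan/2023:10:00:{s:02d} +0000] "POST {LOGIN} HTTP/1.1" 200 512'
    for s in range(0, 30, 5)
] + [
    f'198.51.100.7 - - [28/Jan/2023:10:00:03 +0000] "GET {LOGIN} HTTP/1.1" 200 1420',
    f'198.51.100.7 - - [28/Jan/2023:10:00:09 +0000] "POST {LOGIN} HTTP/1.1" 302 0',
    '198.51.100.7 - - [28/Jan/2023:10:00:10 +0000] "GET /admin/ HTTP/1.1" 200 9031',
]

if __name__ == "__main__":
    for ip, when in find_bruteforce_ips(SAMPLE_LOG, LOGIN).items():
        print(f"ban {ip} (threshold reached at {when.isoformat()})")
```

Only the bot address is reported; the legitimate user's two login requests stay below the threshold.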

Protection against SYN Flood attacks

This type of attack emulates a request from an ordinary website visitor, but unlike a real client the bot does not wait for the server's response and immediately sends a new request to the web service; once there are several thousand such requests, the service freezes and stops responding. This type of attack is very popular because it does not require large resources to disable an unprotected server. The DDoS Deflate service repels this type of attack well.

Setting connection limits

Here we are talking about firewall rules: you need to set a limit on the number of connections from one IP address for all services. This rule helps avoid overflowing the network stack, whose limit is set in the kernel settings. We will perform the setup in iptables on CentOS.

Protection against overload and increase in Load Average

One way or another, attacks vary, and if the protection services did not have time to act or not all filters were set up, the load on the server will rise during the attack and ultimately you will lose access to the server: it will stop responding. So as not to lose access when the server is attacked, we recommend setting up a script that, in case of high load, restarts the necessary services and performs other actions.

Conclusion

This configuration will allow you to repel most small DDoS attacks without loss of performance and will also protect the site from password guessing. It needs to be done only once. After some time, check the log files to make sure that logrotate is working and that the files occupy no more than 5-10 megabytes. If they are larger, the Fail2Ban service may not work correctly because of the amount of data it has to process. With this configuration, even a server with a small amount of processor and memory resources will work stably. You will also receive notifications by email and will always know which IP addresses were blocked and when.