Ultimate DDoS Solution! Nice on the budget too!

The centminmod fail2ban - Cloudflare API integration is priceless. It's a game changer. I went from dealing with massive attacks every day and night for years, to not having to worry about it at all. It's amazing that I can just chill out in the evening, go to sleep, wake up, work and just go about my day without dealing with attacks continuously. I was even able to scale back the rules in the CF firewall to let more traffic in because F2B will catch most of the attacks and nip them in the bud before they can grow.
Also extremely useful are the many posts by @eva2000 around the net about Cloudflare (here, TAZ, centminmod, CF forums, etc.).
Glad to see that you and @AzzidReign are liking Centmin Mod's fail2ban solution :D
 
@AzzidReign @Alfa1 @MattW you have me curious now. With my fail2ban solution there's a fail2ban.sh status feature which lists all fail2ban jail rules and their current status, the calculated allowed hit rate/day, and top banned/re-banned IP stats. I wonder how the fail2ban.sh status output looks for both of you. You can provide me an example output in a private conversation here on the Centmin Mod forums. No pressure if you don't want to, but I'm curious how much fail2ban is tackling :)

Example excerpt from fail2ban.sh status for the WordPress pingback attack jail rules

Code:
./fail2ban.sh status

wordpress-pingback parameters:
maxretry: 1 findtime: 1 bantime: 86400
allow rate: 1 hits/day
Status for the jail: wordpress-pingback
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     1
|  `- File list:        /home/nginx/domains/demodomain.com/log/access.log /home/nginx/domains/domain.com/log/access.log
`- Actions
  |- Currently banned: 1
  |- Total banned:     1
  `- Banned IP list:   104.237.xxx.xxx
---------------------------------------
All Time: Top 10 Banned IP Addresses:
      4 149.xxx.xxx.xxx [nginx-req-limit]
      3 104.237.xxx.xxx [wordpress-pingback]
      2 149.xxx.xxx.xxx [wordpress-auth]
      2 149.xxx.xxx.xxx [http-xensec]
---------------------------------------
All Time: Top 10 Restored Banned IP Addresses:
     25 104.237.xxx.xxx [wordpress-pingback]
      2 149.xxx.xxx.xxx [nginx-req-limit]
---------------------------------------
Yesterday: Top 10 Banned IP Addresses:
      4 149.xxx.xxx.xxx [nginx-req-limit]
      2 149.xxx.xxx.xxx [wordpress-auth]
      2 149.xxx.xxx.xxx [http-xensec]
      2 104.237.xxx.xxx [wordpress-pingback]
---------------------------------------
Yesterday: Top 10 Restored Banned IP Addresses:
     12 104.237.xxx.xxx [wordpress-pingback]
      2 149.xxx.xxx.xxx [nginx-req-limit]
---------------------------------------
Today: Top 10 Banned IP Addresses:
---------------------------------------
Today: Top 10 Restored Banned IP Addresses:
      8 104.237.xxx.xxx [wordpress-pingback]
---------------------------------------
1 hr ago: Top 10 Banned IP Addresses:
---------------------------------------
1 hr ago: Top 10 Restored Banned IP Addresses:
---------------------------------------
 
Affiliate links everywhere in your first post... You could've at least mentioned it. To me, it's just business; there's no way I can trust what you're saying if you're not clear about your true intentions in this community.
 
Affiliate links everywhere in your first post... You could've at least mentioned it. To me, it's just business; there's no way I can trust what you're saying if you're not clear about your true intentions in this community.

Ummm:
To disclose further, I've put my affiliate links below. If this helps you, please use my links to help me out. I'm in no way affiliated with either company, other than them providing affiliate links to their customers.
 
I've also updated things later in the thread but xf staff wouldn't replace the first post with the updated information.

Despite you not seeing the RED text with regards to affiliate links (which I think was just 2, one company no longer around and the other not paying me), it would be especially retarded of you (oh no I said the r word during the height of pc culture) to ignore what I've posted. My attackers have gone from 3x/day attacks to now I haven't seen an attack in about a month bc the last 8 months haven't yielded them any results (my downtime). Every time I say that tho, some attacker comes out of the woodwork, so let's see if that still holds true lol. I'm always happy to add more rules to make me more secure.
 
Affiliate links everywhere in your first post... You could've at least mentioned it. To me, it's just business; there's no way I can trust what you're saying if you're not clear about your true intentions in this community.

Affiliate links? This thread is 6 years old. How is anyone supposed to know how to even get the protection if the links to where he got it weren't there? Your comment is a bit ridiculous and unrealistic.
 
I've also updated things later in the thread but xf staff wouldn't replace the first post with the updated information.

Despite you not seeing the RED text with regards to affiliate links (which I think was just 2, one company no longer around and the other not paying me), it would be especially retarded of you (oh no I said the r word during the height of pc culture) to ignore what I've posted. My attackers have gone from 3x/day attacks to now I haven't seen an attack in about a month bc the last 8 months haven't yielded them any results (my downtime). Every time I say that tho, some attacker comes out of the woodwork, so let's see if that still holds true lol. I'm always happy to add more rules to make me more secure.
Didn't read up to page 3, my bad then. I regret my previous post and sorry if I offended you; it's just that nowadays nearly everything contains affiliate links and most of the time people don't even mention it. Just like phone reviews or anything else you seek information for.

Hope the staff will consider replacing your first post then.
 
none of these help, as DDoS can easily bypass even Cloudflare's most expensive plans, OVH & whatever
the only solution is to have protection at the hardware level & the only one that exists is StormWall with SLA 99%
nothing else works, server uptime matters, even 95% can remove your web from Google search
the number 1 DDoSer who writes scripts & attacks in 30 methods said: only StormWall!
don't advertise anything, just recommend a tested solution!
 
none of these help, as DDoS can easily bypass even Cloudflare's most expensive plans, OVH & whatever
the only solution is to have protection at the hardware level & the only one that exists is StormWall with SLA 99%
nothing else works, server uptime matters, even 95% can remove your web from Google search
the number 1 DDoSer who writes scripts & attacks in 30 methods said: only StormWall!
don't advertise anything, just recommend a tested solution!

Oh Lord GIF by memecandy
 
none of these help, as DDoS can easily bypass even Cloudflare's most expensive plans, OVH & whatever
the only solution is to have protection at the hardware level & the only one that exists is StormWall with SLA 99%
nothing else works, server uptime matters, even 95% can remove your web from Google search
the number 1 DDoSer who writes scripts & attacks in 30 methods said: only StormWall!
don't advertise anything, just recommend a tested solution!
That may be true for certain types of attacks, but so far Cloudflare + fail2ban has done so well for us that the attackers (who would attack 3x/day) haven't attempted anything in the last month or so, maybe longer.
 
Since I got an alert for a like on the update I made just over 1 year ago to date, I figured I'd give a little update. We've had a huge reduction in the number of attacks we receive. I think in the last 30 days we've seen 2 attacks, and neither caused a slowdown in our service. Over the last year we've had threats, and even the DDoSer himself came and asked me what we were doing and tried prying me for more information so he could try to subvert it. I have noticed a small handful of attacks in the last year trying different things to subvert our security and not a single one was successful. That's not to say there isn't an attack mode they can try that will do damage, but so far we've not been down due to DDoS in over a year. I never thought I would see the day tbh.
 
Also still the same here. We get hit with a multimillion connection DDoS about 3 times a month but we do not notice it at all. I just get a notice from CF that they stopped a massive DDoS. It doesn't touch the server.
 
Glad to see that you and @AzzidReign are liking Centmin Mod's fail2ban solution :D
I'm still extremely happy with this. The only problem I run into is, of course, members with a crappy WiFi connection getting automatically added to the IP access rules because their WiFi makes thousands of connections per minute. From then on they will have to complete a captcha many times an hour.

Unfortunately CF doesn't allow you to see which users/IPs complete the captcha. And we can also not whitelist logged in members or xf usergroups. @eva2000 if you speak to the CF team could you poke them about this?

Does Fail2Ban remove the IP rules after some time, or are these forever?
Does anyone have an idea how to find legitimate members getting blocked through fail2ban?
 
Does Fail2Ban remove the IP rules after some time, or are these forever?
That is determined by your fail2ban jail rule's bantime, which can be between 5-10 mins or whatever you set, after which the IP bans are removed. You don't want bantimes too long, as CF IP access rules have a limit on the number of IPs.
Does anyone have an idea how to find legitimate members getting blocked through fail2ban?
Get their IPs and match them against CF Firewall analytics via the dashboard or via the CF Firewall Analytics GraphQL API.

There's also my fail2ban.sh status output to see top banned IPs, to match them against your CF Firewall Analytics event logs: https://xenforo.com/community/threa...ion-nice-on-the-budget-too.75809/post-1426649

Example: I manually banned an IP via my own CF Firewall API wrapper script, so the IP ends up in the CF Firewall IP Access Rule list.

Bash:
./cf-firewall-api.sh ban xxx.xxx.xxx.xxx
{
  "id": "331e9070ffef47789ced9a2c7ca6cdf5",
  "paused": false,
  "modified_on": "2021-04-18T17:36:21.262325429Z",
  "mode": "block",
  "notes": "cfban",
  "configuration": {
    "target": "ip",
    "value": "xxx.xxx.xxx.xxx"
  },
  "created_on": "2021-04-18T17:36:21.262325429Z"
}

./cf-firewall-api.sh list-json xxx.xxx.xxx.xxx
{
  "id": "331e9070ffef47789ced9a2c7ca6cdf5",
  "paused": false,
  "modified_on": "2021-04-18T17:36:21.203766Z",
  "mode": "block",
  "notes": "cfban",
  "configuration": {
    "target": "ip",
    "value": "xxx.xxx.xxx.xxx"
  },
  "created_on": "2021-04-18T17:36:21.262325429Z"
}

Then when that IP tries to access the site, the CF Firewall IP Access Rule block is logged in the CF Firewall Analytics event log.

[screenshot: CF Firewall Analytics event log entry for the blocked IP]

You can query the Cloudflare Firewall GraphQL API to check too. For example, I have a script to query the CF Firewall GraphQL API by IP, Ray ID or even Firewall rule ID for the past 1 hr of event logs. So for the example above, CF rayid = 641fb2987fb2e9b3:

Bash:
./cf-analytics-graphql.sh rayid-hrs 1 641fb2987fb2e9b3

------------------------------------------------------------------
Cloudflare Firewall
------------------------------------------------------------------
since: 2021-04-18T17:03:24Z
until: 2021-04-18T18:03:24Z
------------------------------------------------------------------
1 Firewall Events for CF RayID: 641fb2987fb2e9b3
------------------------------------------------------------------
      1 xxx.xxx.xxx.xxx 403 97xMachine Learning block ASN# ISP-NAME ISP AU BNE GET HTTP/2 ip
------------------------------------------------------------------
      1 xxx.xxx.xxx.xxx 403 97xMachine Learning block ASN# ISP-NAME ISP AU BNE GET HTTP/2
------------------------------------------------------------------
      1 xxx.xxx.xxx.xxx 403 97xMachine Learning block ASN# ISP-NAME ISP AU BNE blog.centminmod.com GET HTTP/2
------------------------------------------------------------------
      1 xxx.xxx.xxx.xxx 403 97xMachine Learning block ASN# ISP-NAME ISP AU BNE blog.centminmod.com GET HTTP/2 /
------------------------------------------------------------------
xxx.xxx.xxx.xxx 641fb2987fb2e9b3 403 97xMachine Learning block ASN# ISP-NAME ISP AU BNE 2021-04-18T17:43:49Z blog.centminmod.com GET HTTP/2 /
------------------------------------------------------------------
{
  "results": [
    {
      "action": "block",
      "botScore": 97,
      "botScoreSrcName": "Machine Learning",
      "clientASNDescription": "ISP-NAME ISP",
      "clientAsn": "ASN#",
      "clientCountryName": "AU",
      "clientIP": "xxx.xxx.xxx.xxx",
      "clientRefererHost": "blog.centminmod.com",
      "clientRefererPath": "/2020/09/06/203/wordpress-cache-enabler-advanced-full-page-caching-guide/",
      "clientRefererQuery": "",
      "clientRefererScheme": "https",
      "clientRequestHTTPHost": "blog.centminmod.com",
      "clientRequestHTTPMethodName": "GET",
      "clientRequestHTTPProtocol": "HTTP/2",
      "clientRequestPath": "/",
      "clientRequestQuery": "",
      "clientRequestScheme": "https",
      "datetime": "2021-04-18T17:43:49Z",
      "edgeColoName": "BNE",
      "edgeResponseStatus": 403,
      "kind": "firewall",
      "originResponseStatus": 0,
      "rayName": "641fb2987fb2e9b3",
      "ruleId": "ip",
      "source": "ip",
      "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 OPR/75.0.3969.171"
    }
  ]
}

From then on they will have to complete a captcha many times an hour
fail2ban sends banned IPs to the CF IP Access Rule based firewall, and that is usually a ban, not a challenge, so visitors won't see a captcha as far as I know. The banned IP will usually be greeted with a Cloudflare Error 1006 Access Denied page, so no captcha. Generally, slow visitors won't all come from the same IP, so it wouldn't really trigger fail2ban, which looks at each individual IP. Did you configure fail2ban/Cloudflare differently?
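As an added example (not the thread's own cf-firewall-api.sh or cf-analytics-graphql.sh scripts, and not part of Centmin Mod), here is a minimal Python client for the two Cloudflare APIs the replies above rely on: the zone IP Access Rules endpoint that a fail2ban action would call to ban and, when bantime expires, unban an IP, and the firewallEventsAdaptive GraphQL dataset used to confirm the ban in Cloudflare's own event log by Ray ID or client IP. It assumes a zone ID and an API token (placeholders here) and uses the endpoint paths, query shape and field names from Cloudflare's public API documentation; the HTTP transport is injectable, so the demo at the bottom runs offline against constructed responses modelled on the ban and GraphQL outputs shown above.

```python
# Added example, not Centmin Mod's cf-firewall-api.sh / cf-analytics-graphql.sh: a small
# Python client for zone IP Access Rules (ban/unban) and the firewallEventsAdaptive
# GraphQL dataset. Endpoint paths and field names follow Cloudflare's public API docs.
import json
from datetime import datetime, timedelta, timezone
from urllib import request

API = "https://api.cloudflare.com/client/v4"
# Field list is a subset of the keys in the sample GraphQL result shown in the thread.
EVENT_FIELDS = ("action botScore botScoreSrcName clientIP clientRequestHTTPHost "
                "clientRequestPath datetime edgeResponseStatus rayName ruleId source")
EVENTS_QUERY = """query ($zoneTag: string, $filter: FirewallEventsAdaptiveFilter_InputObject) {
  viewer { zones(filter: {zoneTag: $zoneTag}) {
    firewallEventsAdaptive(filter: $filter, limit: 100, orderBy: [datetime_DESC]) { %s }
  } }
}""" % EVENT_FIELDS


class CFFirewall:
    def __init__(self, zone_id, token, send=None):
        self.zone_id, self.token = zone_id, token
        self.send = send or self._http  # transport is injectable for offline runs

    def _http(self, method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = request.Request(url, data=data, method=method, headers={
            "Authorization": "Bearer " + self.token, "Content-Type": "application/json"})
        with request.urlopen(req, timeout=15) as resp:
            return json.load(resp)

    def _rules_url(self, suffix=""):
        return f"{API}/zones/{self.zone_id}/firewall/access_rules/rules{suffix}"

    def ban(self, ip, note="cfban"):
        # Same rule the "ban" output above shows: mode block, target ip, notes cfban.
        body = {"mode": "block", "notes": note, "configuration": {"target": "ip", "value": ip}}
        return self.send("POST", self._rules_url(), body)["result"]

    def find_rule(self, ip):
        query = f"?configuration.target=ip&configuration.value={ip}"
        rules = self.send("GET", self._rules_url(query))["result"]
        return rules[0] if rules else None

    def unban(self, ip):
        # The bantime-expiry action must delete the rule by id, otherwise rules pile
        # up against the access-rule limit mentioned above.
        rule = self.find_rule(ip)
        if rule is None:
            return False
        self.send("DELETE", self._rules_url("/" + rule["id"]))
        return True

    def events(self, hours, **where):
        # Firewall events in the last `hours`; pass rayName=... or clientIP=... to
        # match a fail2ban ban against Cloudflare's own event log.
        until = datetime.now(timezone.utc)
        fmt = "%Y-%m-%dT%H:%M:%SZ"
        flt = {"datetime_geq": (until - timedelta(hours=hours)).strftime(fmt),
               "datetime_leq": until.strftime(fmt), **where}
        body = {"query": EVENTS_QUERY, "variables": {"zoneTag": self.zone_id, "filter": flt}}
        data = self.send("POST", f"{API}/graphql", body)
        return data["data"]["viewer"]["zones"][0]["firewallEventsAdaptive"]


def access_rule_blocks(events):
    # Blocks from IP Access Rules report source "ip" (as in the sample JSON above),
    # which separates fail2ban bans from WAF/firewall-rule or rate-limit actions.
    return [e for e in events if e["action"] == "block" and e["source"] == "ip"]


def summarise(e):
    # One line per event, in the style of the cf-analytics-graphql.sh output.
    return (f"{e['clientIP']} {e['rayName']} {e['edgeResponseStatus']} "
            f"{e['botScore']}x{e['botScoreSrcName']} {e['action']} {e['source']} "
            f"{e['datetime']} {e['clientRequestHTTPHost']} {e['clientRequestPath']}")


# Constructed offline transport modelled on the sample outputs above (documentation
# IPs; the rule id and Ray ID are the ones shown in the thread).
RULE = {"id": "331e9070ffef47789ced9a2c7ca6cdf5", "paused": False, "mode": "block",
        "notes": "cfban", "configuration": {"target": "ip", "value": "203.0.113.9"}}
EVENT = {"action": "block", "botScore": 97, "botScoreSrcName": "Machine Learning",
         "clientIP": "203.0.113.9", "rayName": "641fb2987fb2e9b3", "ruleId": "ip",
         "source": "ip", "edgeResponseStatus": 403, "datetime": "2021-04-18T17:43:49Z",
         "clientRequestHTTPHost": "blog.centminmod.com", "clientRequestPath": "/"}


def make_fake_send(calls):
    def send(method, url, body=None):
        calls.append((method, url, body))
        if url.endswith("/graphql"):
            return {"data": {"viewer": {"zones": [{"firewallEventsAdaptive": [EVENT]}]}}}
        if method == "GET":
            return {"result": [RULE] if "value=203.0.113.9" in url else []}
        return {"result": RULE}
    return send


def demo():
    calls = []
    cf = CFFirewall("ZONE_ID_PLACEHOLDER", "API_TOKEN_PLACEHOLDER", send=make_fake_send(calls))
    rule = cf.ban("203.0.113.9")
    hits = access_rule_blocks(cf.events(1, rayName="641fb2987fb2e9b3"))
    removed = cf.unban("203.0.113.9")
    missing = cf.unban("198.51.100.1")  # never banned, so nothing to delete
    return {"rule_id": rule["id"], "summary": [summarise(e) for e in hits],
            "removed": removed, "missing": missing, "calls": calls}


if __name__ == "__main__":
    print("\n".join(demo()["summary"]))
```

Against the real API, drop the `send=` argument and supply a real zone ID and token; the `unban` path looks the rule up by IP first because the delete endpoint needs the rule id, which is exactly what the `list-json` step above retrieves.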
 