Introduction

Distributed Denial-of-Service (DDoS) attacks remain a persistent threat to online services, often overwhelming servers with traffic from multiple sources. While sophisticated mitigation often requires enterprise-grade solutions, basic DDoS attacks—such as SYN floods, HTTP floods, and brute-force login attempts—can be effectively mitigated using built-in Linux tools. This guide explores how to configure UFW (Uncomplicated Firewall) and Fail2Ban to protect your server against common attack vectors. By the end, you’ll have a robust, low-overhead defense layer that significantly reduces your attack surface.

Understanding the Threat: Basic DDoS Attacks

Basic DDoS attacks often target specific services (e.g., SSH, HTTP) with high volumes of requests or connection attempts. Common types include:

  • SYN Floods: Exploit the TCP handshake by sending numerous SYN packets, exhausting server resources.
  • HTTP Floods: Send a large number of seemingly legitimate HTTP requests, overloading the web server.
  • Brute-Force Attacks: Repeated login attempts on SSH or other services, aiming to gain unauthorized access.

UFW provides a stateful firewall that can rate-limit connections, while Fail2Ban monitors logs and dynamically blocks offending IPs. Together, they form a powerful first line of defense.

Prerequisites

  • A Linux server (Ubuntu/Debian recommended) with root or sudo access.
  • UFW installed (usually pre-installed on Ubuntu).
  • Fail2Ban installed (sudo apt install fail2ban).
  • Basic familiarity with the command line.

Step 1: Configuring UFW for Rate Limiting

UFW can limit incoming connections to prevent abuse. For example, to limit SSH connections to 6 per 30 seconds from a single IP:

sudo ufw limit ssh/tcp

This applies a default limit rule. For more granular control, you can edit the /etc/ufw/before.rules file. Add the following lines before the *filter section to limit SYN packets:

# Rate limit SYN packets
-A ufw-before-input -p tcp --syn -m limit --limit 60/s --limit-burst 20 -j ACCEPT
-A ufw-before-input -p tcp --syn -j DROP

After editing, reload UFW:

sudo ufw reload

This rule allows up to 60 SYN packets per second (burst of 20) and drops excess, mitigating SYN flood attacks.

Step 2: Installing and Configuring Fail2Ban

Fail2Ban works by scanning log files (e.g., /var/log/auth.log) for repeated failures. It then updates UFW rules to block the offending IP for a specified duration.

Basic Configuration

Copy the default jail configuration:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

Set the default ban action to use UFW. Under [DEFAULT], ensure:

banaction = ufw

Enable the SSH jail (for example):

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 3600

This bans an IP after 5 failed SSH attempts for 1 hour.

Custom Jails for HTTP Floods

For Nginx or Apache, create a custom filter. Example for Nginx (create /etc/fail2ban/filter.d/nginx-http-flood.conf):

[Definition]
failregex = ^ -.*"(GET|POST).*HTTP.*" 404 .*$
ignoreregex =

Then add a jail in jail.local:

[nginx-http-flood]
enabled = true
port = http,https
filter = nginx-http-flood
logpath = /var/log/nginx/access.log
maxretry = 100
bantime = 600
findtime = 60

This bans IPs that generate 100+ 404 errors in 60 seconds.

Step 3: Testing and Monitoring

After configuration, restart Fail2Ban:

sudo systemctl restart fail2ban

Check status:

sudo fail2ban-client status

View specific jail status:

sudo fail2ban-client status sshd

Monitor logs:

sudo tail -f /var/log/fail2ban.log

Simulate an attack (from a test machine) to verify blocking. For example, use hydra for SSH brute force or ab (Apache Bench) for HTTP floods. Ensure you have permission.

Best Practices and Advanced Tips

  • Whitelist trusted IPs: Add ignoreip = 192.168.1.0/24 in jail.local to avoid blocking yourself.
  • Adjust limits based on traffic: Monitor normal traffic patterns and set thresholds accordingly.
  • Combine with other tools: Use iptables directly for more complex rules, or integrate with cloudflare for larger attacks.
  • Regularly update Fail2Ban: New filters are added to address emerging threats.

Conclusion

Configuring UFW and Fail2Ban is a cost-effective way to mitigate basic DDoS attacks. While not a silver bullet for large-scale assaults, this combination significantly reduces the risk of service disruption from common attack patterns. By implementing rate limiting and dynamic banning, you enhance your server’s resilience with minimal overhead. Start with the steps above, monitor your logs, and iterate based on your specific threat landscape.