Introduction
Distributed Denial-of-Service (DDoS) attacks remain a persistent threat to online services, often overwhelming servers with traffic from multiple sources. While sophisticated mitigation often requires enterprise-grade solutions, basic DDoS attacks—such as SYN floods, HTTP floods, and brute-force login attempts—can be effectively mitigated using built-in Linux tools. This guide explores how to configure UFW (Uncomplicated Firewall) and Fail2Ban to protect your server against common attack vectors. By the end, you’ll have a robust, low-overhead defense layer that significantly reduces your attack surface.
Understanding the Threat: Basic DDoS Attacks
Basic DDoS attacks often target specific services (e.g., SSH, HTTP) with high volumes of requests or connection attempts. Common types include:
- SYN Floods: Exploit the TCP handshake by sending numerous SYN packets, exhausting server resources.
- HTTP Floods: Send a large number of seemingly legitimate HTTP requests, overloading the web server.
- Brute-Force Attacks: Repeated login attempts on SSH or other services, aiming to gain unauthorized access.
UFW provides a stateful firewall that can rate-limit connections, while Fail2Ban monitors logs and dynamically blocks offending IPs. Together, they form a powerful first line of defense.
Prerequisites
- A Linux server (Ubuntu/Debian recommended) with root or sudo access.
- UFW installed (usually pre-installed on Ubuntu).
- Fail2Ban installed (
sudo apt install fail2ban). - Basic familiarity with the command line.
Step 1: Configuring UFW for Rate Limiting
UFW can limit incoming connections to prevent abuse. For example, to limit SSH connections to 6 per 30 seconds from a single IP:
sudo ufw limit ssh/tcp
This applies a default limit rule. For more granular control, you can edit the /etc/ufw/before.rules file. Add the following lines before the *filter section to limit SYN packets:
# Rate limit SYN packets
-A ufw-before-input -p tcp --syn -m limit --limit 60/s --limit-burst 20 -j ACCEPT
-A ufw-before-input -p tcp --syn -j DROP
After editing, reload UFW:
sudo ufw reload
This rule allows up to 60 SYN packets per second (burst of 20) and drops excess, mitigating SYN flood attacks.
Step 2: Installing and Configuring Fail2Ban
Fail2Ban works by scanning log files (e.g., /var/log/auth.log) for repeated failures. It then updates UFW rules to block the offending IP for a specified duration.
Basic Configuration
Copy the default jail configuration:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
Set the default ban action to use UFW. Under [DEFAULT], ensure:
banaction = ufw
Enable the SSH jail (for example):
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 3600
This bans an IP after 5 failed SSH attempts for 1 hour.
Custom Jails for HTTP Floods
For Nginx or Apache, create a custom filter. Example for Nginx (create /etc/fail2ban/filter.d/nginx-http-flood.conf):
[Definition]
failregex = ^ -.*"(GET|POST).*HTTP.*" 404 .*$
ignoreregex =
Then add a jail in jail.local:
[nginx-http-flood]
enabled = true
port = http,https
filter = nginx-http-flood
logpath = /var/log/nginx/access.log
maxretry = 100
bantime = 600
findtime = 60
This bans IPs that generate 100+ 404 errors in 60 seconds.
Step 3: Testing and Monitoring
After configuration, restart Fail2Ban:
sudo systemctl restart fail2ban
Check status:
sudo fail2ban-client status
View specific jail status:
sudo fail2ban-client status sshd
Monitor logs:
sudo tail -f /var/log/fail2ban.log
Simulate an attack (from a test machine) to verify blocking. For example, use hydra for SSH brute force or ab (Apache Bench) for HTTP floods. Ensure you have permission.
Best Practices and Advanced Tips
- Whitelist trusted IPs: Add
ignoreip = 192.168.1.0/24injail.localto avoid blocking yourself. - Adjust limits based on traffic: Monitor normal traffic patterns and set thresholds accordingly.
- Combine with other tools: Use
iptablesdirectly for more complex rules, or integrate withcloudflarefor larger attacks. - Regularly update Fail2Ban: New filters are added to address emerging threats.
Conclusion
Configuring UFW and Fail2Ban is a cost-effective way to mitigate basic DDoS attacks. While not a silver bullet for large-scale assaults, this combination significantly reduces the risk of service disruption from common attack patterns. By implementing rate limiting and dynamic banning, you enhance your server’s resilience with minimal overhead. Start with the steps above, monitor your logs, and iterate based on your specific threat landscape.