Enhance DDoS Protection with HAProxy, NGINX, and Fail2Ban

Distributed Denial of Service (DDoS) and brute force attacks are common security threats that can disrupt your online services. To mitigate these attacks, you can combine HAProxy, NGINX, and Fail2Ban for a multi-layered defense strategy. This guide will explain how to use these tools together to effectively block DDoS and brute force attacks at multiple layers.

1. DDoS Protection with HAProxy

HAProxy is a powerful reverse proxy and load balancer that can handle DDoS attacks effectively with a combination of rate limiting, connection limiting, and access control lists (ACLs).

a. Rate Limiting with HAProxy

Rate limiting helps prevent Layer 7 DDoS attacks by limiting the number of requests a client can make in a specific time frame. This ensures that attackers cannot flood your server with requests.

Example Configuration:

frontend http_front
    bind *:80
    stick-table type ip size 100k expire 30s store conn_rate(10s)
    tcp-request connection track-sc0 src
    acl too_many_conn src_conn_rate gt 100
    tcp-request connection reject if too_many_conn

In this example, each source IP is tracked in a stick table, and new connections are rejected once that IP has opened more than 100 connections in the last 10 seconds (src_conn_rate needs a stick table to read from, so the stick-table and track-sc0 lines are required). Note that conn_rate counts TCP connections, not HTTP requests: a client sending many requests over a single keep-alive connection is not caught by this rule.

b. Connection Limiting with HAProxy

Limiting the number of simultaneous connections from a single IP address helps prevent Layer 4 attacks.

Example Configuration:

frontend http_front
    bind *:80
    stick-table type ip size 100k expire 30s store conn_cur
    tcp-request connection track-sc0 src
    acl too_many_conn src_conn_cur gt 100
    tcp-request connection reject if too_many_conn

This rule limits each IP to a maximum of 100 concurrent connections, preventing resource exhaustion. A bare maxconn directive would not achieve this: it caps the total number of connections the frontend accepts, not the number per client, so a per-IP limit needs the stick table shown here.

c. Blocking Malicious IPs with HAProxy

You can manually block known malicious IPs using ACLs in HAProxy.

Example Configuration:

frontend http_front
    bind *:80
    acl blocked_ip src 192.168.1.1
    http-request deny if blocked_ip

This configuration blocks access from IP address 192.168.1.1.


2. DDoS Protection with NGINX

NGINX, like HAProxy, is a robust reverse proxy and web server. It provides several DDoS defense mechanisms such as rate limiting, connection limiting, and IP blocking.

a. Rate Limiting with NGINX

Rate limiting helps reduce the impact of Layer 7 DDoS attacks by limiting the number of requests from a single IP within a given time frame.

Example Configuration:

http {
    limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;

    server {
        location / {
            limit_req zone=mylimit burst=20;
        }
    }
}

In this configuration, requests from the same IP address are limited to 10 requests per second, with a burst capacity of 20: up to 20 excess requests are queued and served at the configured rate, and anything beyond that is rejected (with a 503 status by default).
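As an added illustration (not code from the original guide or from NGINX itself), the following Python model replays a burst of requests from one client address through the leaky-bucket logic that limit_req applies to the zone above. The accounting in thousandths of a request follows ngx_http_limit_req_module; the model is simplified and ignores multiple zones, the dry-run mode, and the `delay=` parameter.

```python
# Simplified model of NGINX limit_req (leaky bucket) for the zone above:
# rate=10r/s, burst=20.  Added illustration, not the nginx source itself.
from typing import List, Tuple

def limit_req(arrivals_ms: List[int], rate: int = 10, burst: int = 20,
              nodelay: bool = False) -> List[Tuple[str, int]]:
    """Replay request arrival times (ms) from ONE client address.

    Returns one (decision, delay_ms) per request: "pass" (served at once),
    "delayed" (queued until the bucket has drained enough) or
    "rejected" (503 by default).  Like nginx, `excess` counts thousandths
    of a request above the allowed rate.
    """
    burst_m = burst * 1000
    excess, last = 0, None
    out: List[Tuple[str, int]] = []
    for now in arrivals_ms:
        if last is None:
            last = now                    # first request: empty bucket
            out.append(("pass", 0))
            continue
        # drain at `rate` requests per second since the last accounted
        # request, then add this request (1000 = one request)
        cand = excess - rate * max(now - last, 0) + 1000
        if cand < 0:
            cand = 0
        if cand > burst_m:
            # beyond the burst: rejected and NOT accounted against the client
            out.append(("rejected", 0))
            continue
        excess, last = cand, now
        if cand == 0 or nodelay:
            out.append(("pass", 0))
        else:
            out.append(("delayed", cand // rate))   # ms until its turn
    return out

def summarize(decisions: List[Tuple[str, int]]) -> dict:
    """Count decisions, e.g. {'pass': 1, 'delayed': 20, 'rejected': 9}."""
    counts = {"pass": 0, "delayed": 0, "rejected": 0}
    for decision, _ in decisions:
        counts[decision] += 1
    return counts

if __name__ == "__main__":
    flood = limit_req([0] * 30)               # 30 requests in the same ms
    print(summarize(flood), flood[20])        # 1 pass, 20 delayed, 9 rejected
    steady = limit_req([i * 100 for i in range(30)])   # exactly 10 r/s
    print(summarize(steady))                  # all pass
```

The constructed flood shows what "burst=20" buys: the 21st simultaneous request is still admitted but waits two seconds, and the rest get a 503.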

b. Connection Limiting with NGINX

Limiting the number of concurrent connections from a single IP helps mitigate Layer 4 DDoS attacks.

Example Configuration:

http {
    limit_conn_zone $binary_remote_addr zone=addr:10m;

    server {
        location / {
            limit_conn addr 1;
        }
    }
}

This configuration limits each IP address to a single active connection. That is very restrictive for real traffic, since browsers open several parallel connections and many users can share one address behind NAT, so raise the limit to suit your traffic before using it in production.

c. Blocking Malicious IPs with NGINX

You can block malicious IPs using the geo module or simple conditional checks in NGINX.

Example Configuration:

http {
    geo $blocked_ip {
        default 0;
        192.168.1.1 1;
    }

    server {
        if ($blocked_ip) {
            return 403;
        }
    }
}

This configuration blocks IP 192.168.1.1 from accessing your server.


3. Using Fail2Ban for DDoS and Brute Force Protection

Fail2Ban is a log-parsing tool that scans system logs for suspicious activity and blocks IP addresses involved in malicious actions such as brute force and DDoS attacks. Fail2Ban works well in conjunction with HAProxy and NGINX to enhance security.

a. Install and Configure Fail2Ban

To install Fail2Ban on a Debian- or Ubuntu-based Linux server:

sudo apt update
sudo apt install fail2ban

Once installed, you need to configure Fail2Ban to monitor logs for suspicious activity, such as failed login attempts or excessive requests.

b. Protecting SSH and Web Servers from Brute Force Attacks

Fail2Ban can monitor SSH and web server logs for failed login attempts and automatically block IP addresses involved in brute force attacks.

Example Configuration for SSH Protection:
Edit the file /etc/fail2ban/jail.local and add:

[sshd]
enabled = true
port = ssh
logpath = /var/log/auth.log
maxretry = 5
bantime = 600
findtime = 600

This configuration blocks an IP for 10 minutes (bantime = 600) after 5 failed login attempts (maxretry = 5) within 10 minutes (findtime = 600).

Example Configuration for NGINX/HAProxy Logs:
To protect against excessive failed HTTP requests, Fail2Ban can monitor NGINX or HAProxy logs.

Add the following to /etc/fail2ban/jail.local:

[nginx-http-auth]
enabled = true
port = http,https
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 3
bantime = 600
findtime = 600

This configuration blocks an IP for 10 minutes if it fails to authenticate 3 times within 10 minutes.

c. Customizing Fail2Ban Filters

Fail2Ban uses filters to define patterns for failed login attempts or suspicious requests. You can customize filters to specifically target brute force or DDoS activity.

For example, to block IPs involved in excessive request flooding (DDoS), you can create a custom filter that identifies multiple 404 errors within a short period.

Example Custom Filter for NGINX DDoS:
Create a new filter in /etc/fail2ban/filter.d/nginx-dos.conf:

[Definition]
failregex = ^<HOST> -.* "(GET|POST).*HTTP.*" 404
ignoreregex =

This filter matches access-log lines in which a client received a 404 for a GET or POST request, i.e. repeated requests for non-existing resources. Because 404 responses are recorded in the NGINX access log rather than the error log, the jail that uses this filter must set filter = nginx-dos and point logpath at the access log (/var/log/nginx/access.log by default).
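To show how the filter and the jail's maxretry/findtime settings combine, here is an added Python replay (not fail2ban's own code) of the nginx-dos failregex over constructed access-log lines; the IPv4 pattern standing in for `<HOST>`, the sample log lines and the function names are all assumptions for this illustration.

```python
# Added illustration (not fail2ban's own code): replay the nginx-dos filter
# above over constructed access-log lines with the jail's maxretry/findtime.
import re
from collections import defaultdict, deque
from datetime import datetime

# fail2ban expands <HOST> to its own host pattern; a plain IPv4 group stands
# in for it here (simplification: IPv6 addresses and hostnames not handled).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(r"^" + HOST_RE + r' -.* "(GET|POST).*HTTP.*" 404')
TIME_RE = re.compile(r"\[(?P<ts>[^\]]+)\]")  # e.g. [10/Oct/2023:13:55:36 +0000]

def parse_failure(line: str):
    """Return (host, timestamp) if the line matches failregex, else None."""
    m = FAILREGEX.match(line)
    if not m:
        return None
    ts = datetime.strptime(TIME_RE.search(line).group("ts"),
                           "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), ts

def hosts_to_ban(lines, maxretry: int = 3, findtime: int = 600):
    """Hosts with >= maxretry matches inside a sliding findtime window."""
    recent = defaultdict(deque)   # host -> timestamps of its recent matches
    banned = []
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        host, ts = hit
        q = recent[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # expire old matches
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned.append(host)
    return banned

# Constructed sample lines in the default "combined" access-log format.
SAMPLE_LOG = [
    '198.51.100.9 - - [10/Oct/2023:13:00:00 +0000] "GET /old HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:13:10:01 +0000] "GET /old HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:13:20:02 +0000] "GET /old HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /.env HTTP/1.1" 404 162 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "POST /xmlrpc.php HTTP/1.1" 404 162 "-" "curl/8.0"',
    '203.0.113.50 - - [10/Oct/2023:13:56:10 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
]
if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))  # ['203.0.113.7']
```

In the sample, 198.51.100.9 spreads three 404s over twenty minutes and stays under maxretry within any findtime window, while 203.0.113.7 reaches three within 26 seconds and is banned; the 200 response never matches the filter at all.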


4. Integrating HAProxy, NGINX, and Fail2Ban for Layered Security

To achieve maximum protection, combine the strengths of HAProxy, NGINX, and Fail2Ban:

  • HAProxy can handle Layer 4 DDoS protection, such as connection limits and rate limiting.
  • NGINX provides additional Layer 7 protections with request rate limiting and IP blocking.
  • Fail2Ban monitors logs for signs of brute force and suspicious activity, blocking malicious IPs based on defined criteria.

By using these tools together, you can effectively defend against both transport-layer (Layer 4) and application-layer (Layer 7) DDoS attacks, as well as brute force attempts.


Conclusion

Protecting your systems from DDoS and brute force attacks requires a comprehensive strategy that involves multiple layers of defense. By combining HAProxy, NGINX, and Fail2Ban, you can ensure robust protection against a variety of attack vectors. Start by implementing the configurations in this guide to strengthen your defenses and ensure the availability and security of your web services.