I'm an experienced Web Developer but new to servers. I've been learning on Digital Ocean and one of my sites is being constantly hit with DDoS attacks. I've identified two attacks: one is HTTP GET request flooding, which keeps filling up my log files. The other is a WordPress pingback attack.
It was making my site unusable until I installed and configured nginx to weed out the fake requests and 444 them, and used fail2ban to block the IPs. I even started using Cloudflare, but it turns out it's not as useful when they have your IP.
So my question is, is this a good strategy? Will what I'm doing now work for these types of attacks? Even now my log files are being filled up. I see even IPv6 addresses in the log files. Fail2ban shows hundreds of blocked IPs but I'm still getting the requests, and I'm not sure why fail2ban isn't blocking those. Does fail2ban work with IPv6? Can you suggest better strategies to me for dealing with such attacks?
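An added example, not the poster's configuration, of the kind of detection logic a fail2ban-style filter performs over nginx access log lines: it parses the "combined" log format, flags responses the server already 444'd and requests carrying a WordPress pingback-verification User-Agent, and counts hits per source. IPv6 sources are parsed alongside IPv4 ones and, as a design choice of this example, aggregated to their /64 so that a sender rotating through addresses inside one allocated prefix still crosses the ban threshold. The log lines, addresses and User-Agent strings below are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in nginx "combined" log format (documentation addresses only).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (compatible; flooder)"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (compatible; flooder)"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (compatible; flooder)"
2001:db8:1:2::9 - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 444 0 "-" "WordPress/6.1; https://example.net; verifying pingback from 198.51.100.4"
2001:db8:1:2::a - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 444 0 "-" "WordPress/5.8; https://example.org; verifying pingback from 198.51.100.4"
2001:db8:1:2::b - - [10/Oct/2023:13:55:39 +0000] "POST /xmlrpc.php HTTP/1.1" 444 0 "-" "WordPress/6.0; https://example.com; verifying pingback from 198.51.100.4"
198.51.100.23 - - [10/Oct/2023:13:55:40 +0000] "GET /about HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
"""

# $remote_addr - $remote_user [$time_local] "$request" $status $bytes "$referer" "$user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# User-Agent pattern WordPress sends while verifying a pingback (constructed sample).
PINGBACK_UA_RE = re.compile(r"^WordPress/.*verifying pingback", re.IGNORECASE)


def parse_line(line):
    """Return the fields we need from one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "request": m["request"], "status": int(m["status"]), "ua": m["ua"]}


def is_suspicious(entry):
    """A hit counts if nginx already closed it with 444 or it looks like pingback verification."""
    return entry["status"] == 444 or PINGBACK_UA_RE.search(entry["ua"]) is not None


def ban_key(ip_text, v6_prefix=64):
    """Key to count on: the exact IPv4 address, or the enclosing /64 for IPv6."""
    ip = ipaddress.ip_address(ip_text)  # raises ValueError on a malformed address
    if ip.version == 6:
        return str(ipaddress.ip_network(f"{ip}/{v6_prefix}", strict=False))
    return str(ip)


def offenders(log_text, threshold, v6_prefix=64):
    """Map each ban key to its suspicious-hit count, keeping only those at or above threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_suspicious(entry):
            continue
        counts[ban_key(entry["ip"], v6_prefix)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for key, n in offenders(SAMPLE_LOG, threshold=3).items():
        print(f"{key}: {n} suspicious hits")
```

Running it with the default /64 aggregation reports both the IPv4 flooder and the IPv6 prefix; with `v6_prefix=128` the three IPv6 addresses are counted separately and none of them reaches the threshold, which is the situation where a per-address ban never fires.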
Answer
Get a new droplet to change IP addresses, and ensure your IP isn't published by using CloudFlare. You can't have any DNS record point at the server IP. This will help, and CloudFlare will filter out a lot of the rubbish and attacks.
Of course there can be brute force attacks to any IP address, but if it's a shared IP the traffic shouldn't make it to your virtual server. If it's a dedicated IP then, well, that's more challenging.
You probably shouldn't be dealing with attacks using Nginx; do it before it hits your web server to reduce resource usage. On AWS I use security groups, which are effectively a firewall. If DO offers a firewall service, you could get that. If not, then you probably need to configure a software firewall on your instance to only accept traffic from CloudFlare IPs on 80/443, or from your private IP address on a wider range of ports including 22. Be careful not to lock yourself out, as dynamic IP addresses can change.
I can't help with the other questions, but that should get you started and heading in the right direction.
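One way to make the answer's firewall advice checkable before it is applied, as an added example that is neither the answerer's nor DigitalOcean's code: a small policy model that accepts 80/443 only from the Cloudflare ranges and SSH plus the web ports only from an admin range, renders the equivalent nftables ruleset for `nft -f`, and tests the address you are administering from against the policy so the "don't lock yourself out" caveat surfaces before the rules go live. The Cloudflare prefixes here are placeholders drawn from the RFC 5737/RFC 3849 documentation ranges; substitute the current list Cloudflare publishes.

```python
import ipaddress

# Placeholder ranges standing in for the published Cloudflare list (constructed, not real).
CLOUDFLARE_CIDRS = ["192.0.2.0/24", "198.51.100.0/24", "2001:db8:cf::/48"]
WEB_PORTS = {80, 443}          # reachable only through Cloudflare
ADMIN_PORTS = {22, 80, 443}    # reachable from the admin range (SSH plus direct web checks)


class Policy:
    """Allowlist firewall policy: everything not explicitly accepted is dropped."""

    def __init__(self, cloudflare_cidrs, admin_cidrs):
        self.cloudflare = [ipaddress.ip_network(c) for c in cloudflare_cidrs]
        self.admin = [ipaddress.ip_network(c) for c in admin_cidrs]

    @staticmethod
    def _matches(ip, networks):
        # ipaddress never matches a v4 address against a v6 network (or vice versa).
        return any(ip in n for n in networks)

    def accepts(self, src, dport):
        """Simulate the ruleset: would a new TCP connection from src to dport be accepted?"""
        ip = ipaddress.ip_address(src)
        if dport in WEB_PORTS and self._matches(ip, self.cloudflare):
            return True
        if dport in ADMIN_PORTS and self._matches(ip, self.admin):
            return True
        return False

    def lockout_risk(self, current_admin_ip):
        """True if the address you are working from right now could not reach SSH."""
        return not self.accepts(current_admin_ip, 22)

    def to_nft(self):
        """Render the policy as an nftables ruleset (inet table, default-drop input chain)."""
        sets, rules = [], []
        web = "{ " + ", ".join(str(p) for p in sorted(WEB_PORTS)) + " }"
        admin = "{ " + ", ".join(str(p) for p in sorted(ADMIN_PORTS)) + " }"
        for proto, ver in (("ip", 4), ("ip6", 6)):
            cf = [str(n) for n in self.cloudflare if n.version == ver]
            ad = [str(n) for n in self.admin if n.version == ver]
            if cf:
                sets.append(f"    set cf_v{ver} {{ type ipv{ver}_addr; flags interval; "
                            f"elements = {{ {', '.join(cf)} }} }}")
                rules.append(f"        {proto} saddr @cf_v{ver} tcp dport {web} accept")
            if ad:
                rules.append(f"        {proto} saddr {{ {', '.join(ad)} }} tcp dport {admin} accept")
        return "\n".join(
            ["table inet filter {"] + sets + [
                "    chain input {",
                "        type filter hook input priority 0; policy drop;",
                '        iif "lo" accept',
                "        ct state established,related accept",
                "        ct state invalid drop",
            ] + rules + ["    }", "}"]
        )


if __name__ == "__main__":
    # Hypothetical admin address; a dynamic home IP that has since changed will fail the check.
    policy = Policy(CLOUDFLARE_CIDRS, ["203.0.113.10/32"])
    for probe in ("203.0.113.10", "203.0.113.11"):
        print(f"admin {probe}: {'LOCKED OUT' if policy.lockout_risk(probe) else 'ok'}")
    print(policy.to_nft())
```

Run the lockout check from the same address you will SSH from before loading the rendered file with `nft -f`, and rerun it whenever that address changes; the policy deliberately has no rule for 80/443 from arbitrary sources, which is what keeps direct-to-origin floods off the web server once the origin IP is no longer published in DNS.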