How to limit requests, and ban those hitting the limit

Requirements:
- LUA RESTY.
- Redis
- Fail2Ban
- ip_blacklist

What we will do:
- We will use ip_blacklist.lua to blacklist IP's that reaches the request limit.
- We will limit requests to Documents to 20 requests a second.
- When someone reaches that limit, they will be "banned" from accessing your server in 3600 seconds.
- We will use redis to ban, redis stores the IP's in memory which is perfect & fast.

0.) Make sure you have redis and fail2ban installed, you can run this command to install it:

Code (Text):

yum install redis fail2ban -y

1.) Open up your nginx.conf, and make sure those are added within the http block.

Code (Text):

#Limit Requests PHP Documents
limit_req_zone $binary_remote_addr zone=one:16m rate=20r/s;

#Lua Packages etc
lua_package_path "/usr/local/lib/lua/?.lua;;";
lua_shared_dict ip_blacklist_cache 20m;

2.) Make a new folder within: "/usr/local/nginx/conf" called "security_conf" - here we will place security optimizations. Place ip_blacklist.lua here: [Lua] -- a quick LUA access script for nginx to check IP addresses against an -- `ip_ - Pastebin.com (Remember to rename etc).

3.) Make a new file inside security_conf called "global.conf". Put this content inside it:

Code (Text):

#DDoS Security Limit Requests
access_by_lua_file /usr/local/nginx/conf/security_conf/ip_blacklist.lua;
limit_req   zone=one  burst=20 nodelay;
error_log /home/nginx/domains/nginx_error.log;

We will make a global error.log, since I feel fail2ban works better that way instead of motioning multiply files.

4.) Open up your domain.conf, then inside server block you add this:

Code (Text):

include /usr/local/nginx/conf/security_conf/global.conf;

++++++++++++++++++++++++++++++++++++++

Now, all the nginx part is setup. You should be able to run "ngxreload" and restart without any errors.​

++++++++++++++++++++++++++++++++++++++
​

5.) We will now start setting up fail2ban, this is also quiet easy - copy & paste unless you want to modify something.

Make a new file if it doesn't exist already called /etc/fail2ban/jail.local, inside there you add:

Code (Text):

[nginx-req-limit]

enabled = true
filter = nginx-req-limit
action = ip_blacklist
logpath = /home/nginx/domains/nginx_error.log
findtime = 120
bantime = 3600
maxretry = 3

6.) Inside /etc/fail2ban/action.d you make a new file called ip_blacklist.conf, you will put this content inside there:

Code (Text):

#
# Author: Oxide @ Centminmod
#
# Blacklist option for LUA / REDIS
#

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart =

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop =

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck =

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionban = redis-cli SADD ip_blacklist <ip>

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionunban = redis-cli SREM ip_blacklist <ip>

Now, run "service fail2ban restart" and you should be ready..

Optional: You can add this to global.conf to block bad user-agents such as WordPress:

Code (Text):

#Block Bad User-Agents
if ($http_user_agent ~* "PHP|curl|Wget|HTTrack|Verifying|PingBack|Joomla|Wordpress") { return 444; }
if ($http_user_agent = "-") { return 444; }
if ($http_user_agent = "") { return 444; }
if ($http_user_agent = " ") { return 444; }

This should be it, not too sure if i forget any steps. If you have any issues, feel free to ask away !

You can also move "limit_req zone=one burst=20 nodelay;" out of global.conf and place it inside the php block in php.conf, to limit only php files. I've had no issues limiting all files so far though.

This will also work for CloudFlare.