
Nginx Monitor NGINX access logs for possible DDoS attempts and auto temp-ban?

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by BobbyWibowo, Apr 4, 2020.

  1. BobbyWibowo

    BobbyWibowo Active Member

    196
    41
    28
    Jul 30, 2015
    Indonesia
    Ratings:
    +70
    Local Time:
    6:01 AM
    1.17.x
    10.3.x
    Hi, I'm not sure if my memory serves me right, but a couple years ago I recall Centmin used to have something that could be configured to auto temp-ban possible DDoS attempts by actively monitoring Nginx's access logs..?
    I recall it would simply temporarily push the detected IPs into CSF deny list or something.

    It was something that I used to have on a server I managed over 4-5 years ago, but not in the new one I set up 2-3 years ago, since I decided to rely entirely on Cloudflare for that matter.
    But I was recently banned from Cloudflare, so I'd like to look into that thing again.
    Unfortunately I can't remember what it was, but I'm pretty sure I also used Centmin back then, so I'm not sure..
    Any insights would be appreciated! Thanks!
     
  2. BobbyWibowo

    Oh, found it!
    It was fail2ban, and the integration was indeed something cooked up by eva, centminmod/centminmod-fail2ban.
    But I'm not sure if it's still recommended for use? I can't find any mention of it on centminmod.com.
    I was expecting some sort of "official" guides or something :confused:
     
  3. BobbyWibowo

  4. steph40

    steph40 Member

    74
    15
    8
    Jan 28, 2019
    Ratings:
    +31
    Local Time:
    7:01 PM
    1.1.5
    mariadb 10
    • Like x 1
  5. eva2000

    eva2000 Administrator Staff Member

    44,172
    10,067
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,560
    Local Time:
    9:01 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    • Like x 1
  6. eva2000

    Sorry to hear. How was the caching done? Was the main domain also serving HTML/CSS/JS files or just video and images by themselves, i.e. subdomain on Cloudflare with main domain not on Cloudflare?
     
  7. BobbyWibowo

    The whole fiery.me was on Cloudflare, but I had a page rule specifically for subdomain i.fiery.me to "cache everything". That's the subdomain that's used to serve any files uploaded into my public uploader site.
    So main site, including the uploader itself, was caching html/css/js normally, just like typical Cloudflare's use case, but over 90% of my bandwidth usage came from serving the uploaded files through i.fiery.me to begin with, lul
    My uploader's user CP would call Cloudflare API to purge cache of any files the users wanted to delete, to make things remain up-to-date even if Cloudflare cached everything

    Basically I was abusing it to the max, so it was somewhat within my expectations
    The reason they gave for my ban was indeed the things related to caching videos and all that stuff anyway
    I believe I had a lot of users uploading pretty big videos

    I even allowed max file of up to 512MB, which was Cloudflare's max size per file to be cached
    And my users certainly didn't shy away from uploading those big files, lmao
     
    Last edited: Apr 6, 2020
  8. BobbyWibowo

    Can confirm it also appears to be working well so far
    It seems I was indeed hit by some sort of bots or something, as within the first 12 or so hours I set it up, it managed to temp-ban 6 different IPs from reaching zone limit, using the same threshold as the gist file
    I had my zone limit follow centmin's default of 16 concurrent connections, which should've been a lot already imho
     
    • Informative x 1
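
The kind of check described in post 8 (temp-banning IPs that keep hitting the nginx connection zone limit), as an added example that is not from the thread, the gist, or centminmod-fail2ban: it counts `limit_conn` rejections per client in the nginx error log using fail2ban-style maxretry/findtime logic. The zone name `addr`, the thresholds and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx error_log entry written when limit_conn rejects a connection.
LIMIT_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[\w+\] \d+#\d+: \*\d+ '
    r'limiting connections by zone "(?P<zone>[^"]+)", '
    r'client: (?P<ip>[0-9a-fA-F.:]+),'
)

def ban_candidates(lines, maxretry=5, findtime=60):
    """Return {ip: timestamp of the rejection that crossed the threshold}.

    An IP qualifies once it has `maxretry` rejections inside a sliding
    window of `findtime` seconds. Both defaults are assumptions.
    """
    window = timedelta(seconds=findtime)
    hits = defaultdict(deque)   # ip -> timestamps still inside the window
    banned = {}
    for line in lines:
        m = LIMIT_RE.match(line)
        if not m or m["ip"] in banned:
            continue            # unrelated log entry, or already flagged
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        q = hits[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()         # drop rejections older than findtime
        if len(q) >= maxretry:
            banned[m["ip"]] = ts
    return banned

def _line(ts, ip, msg='limiting connections by zone "addr"'):
    # Builds a constructed error_log line in nginx's usual layout.
    return (f'{ts} [error] 1201#1201: *88 {msg}, client: {ip}, '
            'server: example.com, request: "GET /f.mp4 HTTP/1.1", '
            'host: "example.com"')

# Constructed sample: one burst, one slow client, one unrelated error.
SAMPLE = (
    [_line(f"2020/04/05 10:00:{s:02d}", "203.0.113.7") for s in range(0, 10, 2)]
    + [_line(f"2020/04/05 10:{m:02d}:00", "198.51.100.9") for m in range(0, 10, 2)]
    + [_line("2020/04/05 10:00:01", "192.0.2.44",
             'open() "/x" failed (2: No such file or directory)')]
)

if __name__ == "__main__":
    for ip, when in ban_candidates(SAMPLE).items():
        print(f"{ip} crossed the threshold at {when}")
```

Only the burst from 203.0.113.7 is flagged; the client that hits the limit once every two minutes never accumulates enough rejections inside the window.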
  9. eva2000

    Glad to hear it's working well :)