block-web-flooders - Block IP addresses of web flooders using iptables
This document describes version 0.010 of block-web-flooders (from Perl distribution App-BlockWebFlooders), released on 2019-01-29.
This script should be run as root/sudo root, because it needs to call the iptables command to add block rules to the firewall.
First of all, create /etc/block-web-flooders.conf that contains something like this:
whitelist_ip = 1.2.3.4 whitelist_ip = ...
Where 1.2.3.4 is the IP address(es) that you are connecting from (you can see this from output of w command), to make sure you yourself don't get blocked. Add more lines/IP address as necessary.
1.2.3.4
When a flood is happening, try to tail your web access log file:
# tail -f /s/example.com/syslog/https_access.2017-06-07.log
and see the patterns that you can use to discriminate the requests coming from the flooder. Since the IP address is usually random/many, you can see from other patterns e.g. requested URI, user agent. For example, if the suspicious log lines are something like this:
93.186.253.79 - - [07/Jun/2017:00:54:23 +0000] "GET /heavy1.php HTTP/1.0" 200 20633 "-" "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00" 51.15.41.74 - - [07/Jun/2017:00:54:25 +0000] "POST /heavy2.php HTTP/1.1" 302 - "-" "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00" 89.38.149.5 - - [07/Jun/2017:00:54:24 +0000] "GET /heavy1.php HTTP/1.0" 200 20633 "-" "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00" 93.186.253.79 - - [07/Jun/2017:00:54:24 +0000] "GET /heavy3.php HTTP/1.0" 200 20524 "-" "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00" 51.15.41.74 - - [07/Jun/2017:00:54:25 +0000] "GET /heavy1.php HTTP/1.0" 200 20633 "-" "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00" 89.38.149.5 - - [07/Jun/2017:00:54:25 +0000] "GET /heavy3.php HTTP/1.0" 200 20524 "-" "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00" 89.38.149.5 - - [07/Jun/2017:00:54:25 +0000] "GET /heavy3.php HTTP/1.0" 200 20524 "-" "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00" 93.186.253.79 - - [07/Jun/2017:00:54:26 +0000] "POST /heavy2.php HTTP/1.1" 302 - "-" "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00" 51.15.41.74 - - [07/Jun/2017:00:54:25 +0000] "GET /heavy1.php HTTP/1.0" 200 20633 "-" "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00" 89.36.213.37 - - [07/Jun/2017:00:54:26 +0000] "GET /heavy3.php HTTP/1.0" 200 20524 "-" "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00" 89.36.213.37 - - [07/Jun/2017:00:54:27 +0000] "POST /heavy2.php HTTP/1.1" 302 - "-" "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00" 89.38.149.5 - - [07/Jun/2017:00:54:26 +0000] "GET /heavy1.php HTTP/1.0" 200 20633 "-" "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00" 89.36.213.37 - - [07/Jun/2017:00:54:26 +0000] "GET /heavy1.php HTTP/1.0" 200 20633 "-" "Opera/9.80 (Windows NT 6.0; U; en) Presto/2.2.0 Version/10.00"
you can add --has Presto/2.2.0 and --has /heavy since these quite accurately selects the flood requests. If you can add strings which pretty accurately single out the flood requests, you can use a lower threshold speed, e.g. --limit 5 to block IPs which has requested 5 or more in the last 5 minutes. Otherwise, if you do not have any specific --has to single out the flood, you might need to set a higher limit, e.g. --has html --limit 30 --period 60 to block IPs which have requested 30 or more requests in the last minute, or --limit 200 --period 120 to block IPs which have requested 200 or more requests in the last 2 minutes.
--has Presto/2.2.0
--has /heavy
--limit 5
--has
--has html --limit 30 --period 60
--limit 200 --period 120
Feed the output of the tail command to this script:
tail
# tail -f /s/example.com/syslog/https_access.2017-06-07.log | block-web-flooders \ --has Presto/2.2.0 --has-pattern '/heavy|/baz' --limit 5
or perhaps:
# tail -f /s/example.com/syslog/https_access.2017-06-07.log | block-web-flooders \ --limit 200 --period 120
The script will display the top IP addresses and whether an IP is being blocked, along with some statistics:
Blocked IPs this session: 12 | Log lines: 198 | Running for: 2m13s Top IPs: 89.36.213.37 ( 4) 89.38.149.5 ( 2) 93.186.253.79 ( 2) ... Last messages: 51.15.41.74 BLOCKED
While this script is running, you might also want to open something like this in another terminal (monitor incoming web requests):
# tail -f /s/example.com/syslog/https_access.2017-06-07.log | grep /heavy
and somethins like this in yet another terminal (monitor system load and number of web server processes, this depends on the web server you use):
# watch 'w | head -n1; echo -n "Blocked IPs total: "; iptables -nL INPUT | wc -l; echo -n "Apache processes: "; ps ax | grep apache | wc -l'
If your webserver is still maxed out by requests, you might want to tweak --limit and --period options and restart the web server.
--limit
--period
To see the blocked IP addresses:
# iptables -nL INPUT
As long as the script runs, IP addresses are blocked by default temporarily for 86400 seconds (or, according to the --block-period command-line option or block_period configuration). After that block period is exceeded, the IP is unblocked.
To immediately clear/unblock all the IPs:
# iptables -F INPUT
(this is assuming the default policy of input is ACCEPT; if you have a firewall package installed, please follow the procedure for that firewall.)
To immediately unblock some IPs:
#
This script helps a sysadmin when there is a flood from multiple IP addresses to your website. The script works by reading web access log file, considering lines which match the specified pattern(s), then block the IP address of the requester if the speed of request from that IP exceeds a limit. The blocking is done using firewall (iptables), by default:
# iptables -A INPUT -s <ip-address> -p tcp -m multiport --dports 80,443 -j DROP
To use this script, see the general guide in the Synopsis.
--has=S
--has-pattern=REGEX
--lacks=S
--lacks-pattern=REGEX
--limit=N
--period=N
--whitelist-ip=IP
--spanel-site=NAME
--dry-run
Option to customize ports.
Parse timestamps from web access logs so it can also parse past lines.
IPv6 support.
Some interactivity, e.g.: reset counters, unblock some IPs, increase/decrease limit.
Please visit the project's homepage at https://metacpan.org/release/App-BlockWebFlooders.
Source repository is at https://github.com/perlancar/perl-App-BlockWebFlooders.
Please report any bugs or feature requests on the bugtracker website https://rt.cpan.org/Public/Dist/Display.html?Name=App-BlockWebFlooders
When submitting a bug or request, please include a test-file or a patch to an existing test-file that illustrates the bug or desired feature.
CSF, https://configserver.com/cp/csf.html, the more generic solution.
perlancar <perlancar@cpan.org>
This software is copyright (c) 2019, 2018, 2017 by perlancar@cpan.org.
This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.
To install App::BlockWebFlooders, copy and paste the appropriate command in to your terminal.
cpanm
cpanm App::BlockWebFlooders
CPAN shell
perl -MCPAN -e shell install App::BlockWebFlooders
For more information on module installation, please visit the detailed CPAN module installation guide.