
Resolved DDoS Attacks and Fail2ban

kevin722

New Pleskian
Hello, I hope I am in the right place to ask this.
I am new to Plesk and I have followed the guides to resolve my problem but no luck yet.

My issue is that my website is under continuous DDoS attacks from one specific country. I have tried Fail2ban but it "failed" to do the job. I am also covered by Cloudflare but the attackers must have gotten through that.

I keep blocking the IPs manually through the Firewall. I don't even know how to set a range of IPs for that specific country.

Thanks in advance,
Kevin
 
Our Juggernaut Firewall product supports blocking specific countries. Let me know if you require any information.
 
I am still suffering from this problem. I know the attack's origin but I cannot add a range of IPs to Plesk Firewall. Any help in how I can enter a range of IPs?
 
Hi UFHH01,
For some reason, I can't enter the article. It says "You do not have permission to view this page or perform this action."
 
Hi kevin722,

pls. wait for the approval of the new article, which should be done by a forum administrator / moderator in a short time. ;)


Edit: since we have Friday ( WE ) and you might not like to wait :D, here is a copy:

There might be several situations where you want to add not only a single IP to your iptables, but IP ranges as well. Such a goal can easily be achieved by using "ipset" on your server:

  • Install "ipset" ( with "apt-get"/"aptitude" on Debian/Ubuntu - based systems / with "yum" on CentOS/RHEL - based systems )
  • Create a new ruleset and add single IPs or IP Ranges:
Code:
ipset -N blacklist-YOUR-DESIRED-NAME hash:net hashsize 4096 maxelem 131050

# For a single IP, use:
ipset -A blacklist-YOUR-DESIRED-NAME XXX.XXX.XXX.XXX

# For an IP Range, use:
ipset -A blacklist-YOUR-DESIRED-NAME XXX.XXX.XXX.XXX/24


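# Create a dedicated chain that drops every source address found in the set:
iptables -N blacklist-YOUR-DESIRED-NAME
iptables -A blacklist-YOUR-DESIRED-NAME -m set --match-set blacklist-YOUR-DESIRED-NAME src -j DROP
# Send incoming traffic through the chain (without this jump the chain is never evaluated):
iptables -I INPUT -j blacklist-YOUR-DESIRED-NAME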


  • Save your ruleset:
Code:
ipset save > /root/ipset_blacklist-YOUR-DESIRED-NAME
  • Restore your ruleset:
Code:
ipset restore < /root/ipset_blacklist-YOUR-DESIRED-NAME


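  • Test if an IP or an IP Range exists in one of your rulesets:
Code:
# "ipset test" needs the set name as its first argument
ipset test blacklist-YOUR-DESIRED-NAME XXX.XXX.XXX.XXX
ipset test blacklist-YOUR-DESIRED-NAME XXX.XXX.XXX.XXX/24
  • Delete a single IP or an IP Range from a ruleset:
Code:
# Use the set name given at creation, not the name of the save file
ipset del blacklist-YOUR-DESIRED-NAME XXX.XXX.XXX.XXX

ipset del blacklist-YOUR-DESIRED-NAME XXX.XXX.XXX.XXX/24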



For further information about the possible command options of "ipset" or "iptables", pls. use the "--help" option string!
Code:
ipset --help

iptables --help
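
For a whole list of ranges, such as the per-country blocks asked about in this thread, the save/restore format above can be generated rather than typed. The script below is an added example, not part of the original post: the function names, the set name `blacklist-example` and the sample list are assumptions made for illustration. It validates each entry and emits restore commands that fill a temporary set and swap it in, so the live set is never empty while it is updated.

```shell
#!/bin/sh

# Return 0 if $1 is an IPv4 address or CIDR that a hash:net set can store.
valid_cidr() {
    vc_addr=${1%/*}
    case $1 in */*) vc_bits=${1#*/} ;; *) vc_bits=32 ;; esac
    case $vc_bits in ''|*[!0-9]*|???*) return 1 ;; esac
    # hash:net cannot store a zero-length prefix, so /0 is rejected too.
    [ "$vc_bits" -ge 1 ] && [ "$vc_bits" -le 32 ] || return 1
    case $vc_addr in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    vc_ifs=$IFS; IFS=.; set -- $vc_addr; IFS=$vc_ifs
    [ $# -eq 4 ] || return 1
    for vc_octet in "$@"; do
        case $vc_octet in ????*) return 1 ;; esac
        [ "$vc_octet" -le 255 ] || return 1
    done
}

# Read ranges on stdin ("#" comments allowed); print commands that fill NAME-tmp, then swap it into NAME.
build_restore() {
    br_name=$1
    # ipset names are limited to 31 characters; leave room for "-tmp".
    [ "${#br_name}" -ge 1 ] && [ "${#br_name}" -le 27 ] || {
        echo "set name must be 1-27 characters" >&2; return 1; }
    br_opts="hash:net family inet hashsize 4096 maxelem 131050"
    echo "create $br_name $br_opts"
    echo "create $br_name-tmp $br_opts"
    echo "flush $br_name-tmp"
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' | sort -u |
    while IFS= read -r br_cidr; do
        if valid_cidr "$br_cidr"; then
            echo "add $br_name-tmp $br_cidr"
        else
            echo "skipped invalid entry: $br_cidr" >&2
        fi
    done
    echo "swap $br_name-tmp $br_name"
    echo "destroy $br_name-tmp"
}

# Constructed sample list (RFC 5737 documentation ranges plus two bad lines).
SAMPLE='192.0.2.0/24   # constructed entry
198.51.100.0/24
203.0.113.7
192.0.2.0/24
300.1.1.0/24
10.0.0.0/0'
# Print the restore file; as root, pipe it to: ipset -exist restore
printf '%s\n' "$SAMPLE" | build_restore blacklist-example
```

The `-exist` option makes the restore tolerate sets that already exist, so the same file can be applied again whenever the list changes.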
 
I am still suffering from this problem. I know the attack's origin but I cannot add a range of IPs to Plesk Firewall. Any help in how I can enter a range of IPs?
Any effort to block a DDoS attack on the target server is a waste of time. You must liaise with your network provider to block the traffic upstream. You can build the most elaborate firewall on that server, the DDoS packets will still hit the network interface and the server will still use CPU cycles to process them.
 
Very interesting topic, thank you. But how I hate DDoS attacks, sometimes you go to an online shop, and it's brutally hung up. I used to work in a small firm as a regular worker once upon a time. When COVID-19 hit us all, we quickly went online and took orders through our website. Due to DDoS attacks it became impossible to accept orders. We had to hire a good programmer and solving the problem became very expensive for the firm, we almost went bankrupt, and then our management learned about the benefits of pre pack administrations and resold the company to other hands. I resigned and decided to start from scratch. I am now a student of information security.
 