You all know that feeling (well, I hope you do!) that when a spike in traffic occurs on your WordPress site, that the miniature server you have it running on very quickly runs out of resources. Apache’s good like that. Taking up all the resources with its large number of processes consuming oodles of memory each. How on earth can you possibly fix it, especially when you’re running on a tight budget and upgrading the server for that once-in-a-blue-moon you get a spike in traffic? Well, Amazon Cloudfront to the rescue!
I was recently recommended some software to prevent (or at least act on) automated hack/DoS attacks on services. The usual suspects triggered this, dictionary attempts on common usernames on servers, “admin”, “administrator”, “root”, etc. Up until now, I’ve been monitoring for unusual network activity. When the traffic reached a certain peak for a specific length of time which was out of the ordinary, I knew something was going on. The hard job then was trying to find out which service was being targeted. I started on the usual suspects, proftpd, ssh, httpd. What I wasn’t expecting at this particular point was someone trying to hack open apache.
Anyway, I digress. The software is called fail2ban. Basically, it’s a python daemon which you configure to sit and monitor the log files from all your exposed services. It uses various timestamp algorithms along with checking using regex for failed auth attempts (configurable). In the regex, it also uses extraction parentheses to extract the host/IP address, then automatically turns to iptables and bans the host within a certain number of failed auth attempts. It defaults to 3 failed attempts getting you a 10 minute ban, but again this is configurable. I’ve set mine to 3 failed attempts with a 30 minute ban, and it seems to be quite happy with that. Since then I’ve actually noticed server load go down a touch, which tells me how many times my servers were being targetted without me even knowing it!
And since it’s configurable for practically every service that logs to a file, it’ll also work for custom applications that do the same thing, no matter what they are. I’ll have to bear this in mind when I write stuff in the future that could be prone to hack attempts.
Check it out: fail2ban