TL;DR
Slowloris attacks exhaust server resources by sending partial HTTP requests slowly. This guide shows you how to use Fail2ban to automatically block IPs attempting a Slowloris attack.
Blocking Slowloris with Fail2ban: A Step-by-Step Guide
- Understand the Attack
- Check for Fail2ban Installation
- Create a Slowloris Filter
- Create a Slowloris Jail
Slowloris aims to keep many connections open and send HTTP headers a few bytes at a time, so each request never completes. Standard web server logs often don’t clearly identify these attacks, since a request is usually only logged once it finishes, which makes detection tricky.
First, verify that Fail2ban is installed on your system. Use the following command:
sudo systemctl status fail2ban
If it isn’t installed, install it using your distribution’s package manager (e.g., apt-get install fail2ban for Debian/Ubuntu or yum install fail2ban for CentOS/RHEL) and start it.
Fail2ban uses filters to identify malicious activity in log files. Create a filter file (e.g., /etc/fail2ban/filter.d/slowloris.conf) with the following content:
[Definition]
failregex = ^<HOST> -.*"(?:GET|POST|HEAD).*HTTP/.*
ignoreregex =
This filter matches every logged GET, POST or HEAD request from any IP address. The <HOST> tag is required: Fail2ban expands it to a pattern for an IP address or hostname and uses the captured value as the address to ban. Because every request counts as a "failure", it is the jail’s maxretry and findtime settings that separate an attacker from a busy legitimate client. Adjust ignoreregex if you need to exclude specific legitimate traffic.
A jail defines how Fail2ban responds to the identified attack. Create or edit a jail configuration file (e.g., /etc/fail2ban/jail.local). Add the following section:
[slowloris]
enabled = true
port = http,https
filter = slowloris
logpath = /var/log/apache2/access.log
maxretry = 5
bantime = 600
findtime = 60
action = iptables-multiport[name=slowloris, port="http,https", protocol=tcp]
Let’s break down the parameters:
- enabled = true: Enables this jail.
- port = http,https: Specifies the ports to monitor (80 and 443).
- filter = slowloris: Uses the filter we created earlier.
- logpath = /var/log/apache2/access.log: The path to your web server’s access log file. Important: change this if your logs are in a different location!
- maxretry = 5: Bans an IP after 5 matching requests within the findtime window.
- bantime = 600: Bans IPs for 600 seconds (10 minutes).
- findtime = 60: Counts matching requests seen in the last 60 seconds.
- action = iptables-multiport[name=slowloris, port="http,https", protocol=tcp]: Uses the iptables-multiport action to block the IP on the specified TCP ports.
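To see what this filter and these thresholds actually do before enabling the jail, here is an added Python example (it is not part of this guide nor code from the Fail2ban project; Python is simply the language Fail2ban is written in). It replays a constructed access log through the failregex above and through the maxretry/findtime/bantime logic of the jail. It assumes a simplified expansion of the <HOST> tag, a hypothetical simulate_jail() function standing in for Fail2ban’s own ban bookkeeping, and made-up addresses from the documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail parameters taken from the [slowloris] section above.
MAXRETRY = 5
FINDTIME = 60   # seconds
BANTIME = 600   # seconds

# Fail2ban replaces the <HOST> tag in a failregex with a named group
# ("host") matching an IP address or hostname. The pattern below is a
# simplified stand-in for that expansion (an assumption of this example,
# not Fail2ban's exact regex).
HOST = r"(?P<host>[\w\-.:]+)"
FAILREGEX = re.compile(r"^" + HOST + r" -.*\"(?:GET|POST|HEAD).*HTTP/.*")

# Apache common/combined log timestamp, e.g. [10/Oct/2023:13:55:00 +0000]
TIMESTAMP = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (host, timestamp) if the line matches the filter, else None."""
    m = FAILREGEX.match(line)
    if not m:
        return None
    ts = TIMESTAMP.search(line)
    if not ts:
        return None
    return m.group("host"), datetime.strptime(ts.group(1), TIME_FORMAT)


def simulate_jail(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay log lines in order and return {host: time_of_ban}.

    Hypothetical stand-in for Fail2ban's logic: a host is banned as soon as
    it has `maxretry` matching lines whose timestamps all lie within
    `findtime` seconds of the newest one; further lines from a banned host
    are ignored until `bantime` has passed (iptables would drop them).
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    bans = {}                     # host -> datetime of the ban
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # line does not match failregex: ignored
        host, when = parsed
        if host in bans and when < bans[host] + timedelta(seconds=bantime):
            continue              # still banned, traffic never reaches the log
        q = recent[host]
        q.append(when)
        while q and when - q[0] > window:
            q.popleft()           # forget matches older than findtime
        if len(q) >= maxretry:
            bans[host] = when
            q.clear()
    return bans


def constructed_log():
    """Build a small, clearly synthetic access log (constructed, not real traffic)."""
    base = datetime.strptime("10/Oct/2023:13:55:00 +0000", TIME_FORMAT)
    fmt = '{host} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "example-agent"'
    events = []
    # 203.0.113.7: six requests in 25 seconds, the behaviour the jail targets.
    events += [(base + timedelta(seconds=5 * i), "203.0.113.7", "/") for i in range(6)]
    # 198.51.100.20: five requests, one every 90 seconds; never 5 inside findtime.
    events += [(base + timedelta(seconds=90 * i), "198.51.100.20", "/") for i in range(5)]
    # 192.0.2.9: one ordinary page load fetching six assets within 6 seconds.
    events += [(base + timedelta(seconds=200 + i), "192.0.2.9", f"/asset{i}.css")
               for i in range(6)]
    events.sort()
    return [fmt.format(host=h, ts=t.strftime(TIME_FORMAT), path=p) for t, h, p in events]


if __name__ == "__main__":
    for host, when in simulate_jail(constructed_log()).items():
        print(f"{host} banned at {when:%H:%M:%S}")
```

Against a real log, fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/slowloris.conf reports how many lines the filter matches; with this regex that is essentially every request, which is the point the replay makes: the slow client is left alone, but a normal page load that pulls six assets trips the same threshold as the attacker. Tune maxretry and findtime with that in mind.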
After creating or modifying the jail configuration, restart Fail2ban for the changes to take effect:
sudo systemctl restart fail2ban
Verify that the jail is running and monitoring your logs. Use the following command:
fail2ban-client status slowloris
This shows the jail’s status, including the number of matches in the log and the IPs currently banned by this jail.
You can simulate a Slowloris attack using tools like slowhttptest. Be extremely careful when testing, as you could accidentally lock yourself out of your server. Test from a different IP address than the one you use to access your server.
Monitor your logs and adjust the maxretry, bantime, and findtime parameters as needed to balance security and usability. If legitimate users are being blocked, increase maxretry or decrease bantime.