Throttle and then Fail2Ban #534

acegilz · 2017-01-03T23:40:33Z

acegilz
Jan 3, 2017

I want to first throttle abusers but then if they continue issue a ban, I am not being successful as everything is getting "forbidden"

class Rack::Attack

  ##LETS GIVE A FIRST THROTTLE
  throttle('req/ip', :limit => 50, :period => 1.minutes) do |req|
    req.ip
  end

  ##IF IT CONTINUES BAN FOR 24H
  Rack::Attack.blocklist('fail2ban pentesters') do |req|
    Rack::Attack::Fail2Ban.filter("pentesters-#{req.ip}", :maxretry => 100, :findtime => 5.minutes, :bantime => 1.days) do
      true ## I want to consider all requests, including legits
    end
  end
end

acegilz · 2017-01-10T15:23:20Z

acegilz
Jan 10, 2017
Author

up..

0 replies

courtenay · 2017-03-26T00:05:19Z

courtenay
Mar 26, 2017

in your fail2ban.filter code, check for the throttle key in Rails.cache.read("rack::attack:#{Time.now.to_i / 1.minute}:req/ip:127.0.0.1") - if the count is over a certain amount return true and it'll ban.

0 replies

feliperaul · 2018-01-16T13:53:30Z

feliperaul
Jan 16, 2018

@courtenay I like your suggestion, but in this case we should set maxretry to 0 in the Fail2Ban filter, right?

0 replies

kruglyjmax · 2020-04-19T20:26:38Z

kruglyjmax
Apr 19, 2020

Solved with using throttled?(req) in Rack::Attack::Fail2Ban.filter with maxretry: 0

Rack::Attack.throttle('xhr/ip', limit: 10, period: 1.minute) do |req|
  req.path.include?('/api/')
end

Rack::Attack.blocklist('fail2ban') do |req|
  Rack::Attack::Fail2Ban.filter("xhr/#{req.ip}", maxretry: 0, findtime: 1.minute, bantime: 1.day) do
    throttled?(req) # Counts repeatedly
  end
end

0 replies

dvandersluis · 2021-02-26T19:01:13Z

dvandersluis
Feb 26, 2021

@kruglyjmax using throttled? seems to doubly increment the throttle (ie. the counter in redis is updated both by the throttle and by the fail2ban). Have you gotten around this?

0 replies

dvandersluis · 2021-02-26T19:51:37Z

dvandersluis
Feb 26, 2021

I solved my issue by adding a method to Rack::Attack::Throttle:

def exceeded?(request)
  discriminator = discriminator_for(request)
  return false unless discriminator

  current_period = period_for(request)
  current_limit = limit_for(request)

  key = [Time.now.to_i / current_period, name, discriminator].join(':')
  count = cache.read(key).to_i

  count > current_limit
end

And then I can use:

Rack::Attack::Fail2Ban.filter("throttled/#{req.ip}", maxretry: 10, findtime: 1.minute, bantime: 1.hour) do
  configuration.throttles.any? { |_name, throttle| throttle.exceeded?(req) }
end

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Throttle and then Fail2Ban #534

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 6 comments

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

Select a reply

Throttle and then Fail2Ban #534

acegilz Jan 3, 2017

Replies: 6 comments

acegilz Jan 10, 2017 Author

courtenay Mar 26, 2017

feliperaul Jan 16, 2018

kruglyjmax Apr 19, 2020

dvandersluis Feb 26, 2021

dvandersluis Feb 26, 2021

acegilz
Jan 3, 2017

acegilz
Jan 10, 2017
Author

courtenay
Mar 26, 2017

feliperaul
Jan 16, 2018

kruglyjmax
Apr 19, 2020

dvandersluis
Feb 26, 2021

dvandersluis
Feb 26, 2021