How to protect an apache server from hping3's syn attack?

gabrielcard

II'm doing a scenario where I have a VM with apache2 and a VM client that will attack the apache server with hping3 syn attack (hping3 -S --flood -V -p 80 server_ip).

I was trying to use fail2ban but it didn't work, I tried these steps (via chatgpt):

Certainly! Here is the information translated into English:

1. Create a Custom Filter File for SYN:

   Open a text editor to create the custom filter:

   ```bash

   sudo nano /etc/fail2ban/filter.d/syn.conf

   ```

   Add the following content to the file:

   [Definition]

   failregex = ^<HOST>.* "GET .*" 400

   ignoreregex =

   This filter looks for patterns in logs where access attempts with HTTP status code 400 occur.

2. Update the Fail2Ban Configuration File:

   Open the Fail2Ban configuration file:

   sudo nano /etc/fail2ban/jail.local

   Add a section for the new SYN rule at the end of the file:

   [syn]

   enabled = true

   port = all

   filter = syn

   logpath = /var/log/apache2/access.log

   maxretry = 5

   Ensure that the reference to the filter matches the name of the filter file you created (`syn.conf`).

3. Restart Fail2Ban:

   Restart Fail2Ban to apply the new configurations:

   sudo service fail2ban restart

So which tool should I use that is simplest to implement? I could use pfsense, but I would like another solution (teacher request)

If there is another type of attack that can be prevented in a simpler way, the objective of the project is to build a scenario to use one tool to carry out a DoS attack and another to defend it.

JDMurray

What does ChatGPT recommend to use for attack and defense tools? You can ask it to use different tool suggestions if you don't like its first response.

shochan

Yeah, I was wondering about this as well...does this have anything to do with HTTPMethods?