Malicious attackers can bring down your website by sending too many requests from a single IP or a group of IPs in a very short time. This is called a Denial-of-Service (DoS) attack and can hurt your website. Apache provides the mod_evasive module, which allows you to mitigate such DoS attacks. Here’s how to limit requests per IP in Apache so that the server is not overwhelmed by request floods.
How to Limit Requests Per IP in Apache
Here are the steps to limit requests per IP in Apache using the mod_evasive module. You basically set a limit on the number of requests an IP can make in a given interval of time.
1. Install mod_evasive
Open a terminal or SSH into your system as root and run the following commands:
wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
tar xzf mod_evasive_1.10.1.tar.gz
cd mod_evasive
apxs -cia mod_evasive20.c
2. Configure mod_evasive
Here’s the default config of mod_evasive:
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 60
Let’s look at each parameter in detail:
DOSHashTableSize – size of the hash table used by mod_evasive to track who’s accessing what. The larger the number, the faster the look-up for each visitor’s browsing past. However, it comes at the cost of more memory.
DOSPageCount – specifies the number of identical requests to a specific URI (e.g. example.com/about.html) a visitor can make over the specified DOSPageInterval interval (in seconds).
DOSSiteCount – similar to DOSPageCount, but how many total requests a visitor can make to your site over the DOSSiteInterval interval (in seconds).
If a site visitor exceeds any of these limits, they will be blacklisted for a specified amount of time (DOSBlockingPeriod). During that time interval, any request they make will return a 403 Forbidden error.
You can even set up email notifications with DOSEmailNotify (sends via
403 Forbidden responses, then you might be blocking legitimate visitors.
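To make the interaction between these parameters concrete, here is a small Python model of the counting logic (an added example, not mod_evasive’s own code): a per-(IP, URI) counter governed by DOSPageCount/DOSPageInterval, a per-IP counter governed by DOSSiteCount/DOSSiteInterval, and a block lasting DOSBlockingPeriod seconds that any further request refreshes. The IPs and URIs are constructed sample values and the clock is passed in, so runs are repeatable; it also shows why a page that pulls many assets can trip DOSSiteCount for a legitimate visitor.

```python
from dataclasses import dataclass, field


@dataclass
class EvasiveConfig:
    page_count: int = 2        # DOSPageCount: same-URI requests allowed per interval
    page_interval: int = 1     # DOSPageInterval, seconds
    site_count: int = 50       # DOSSiteCount: requests to any URI allowed per interval
    site_interval: int = 1     # DOSSiteInterval, seconds
    blocking_period: int = 60  # DOSBlockingPeriod, seconds


@dataclass
class Evasive:
    """Simplified model of mod_evasive's counters; not the module's own code."""
    cfg: EvasiveConfig = field(default_factory=EvasiveConfig)
    pages: dict = field(default_factory=dict)    # (ip, uri) -> (count, last_seen)
    sites: dict = field(default_factory=dict)    # ip -> (count, last_seen)
    blocked: dict = field(default_factory=dict)  # ip -> time of last denied request

    def _over_limit(self, table, key, limit, interval, now):
        # The counter resets once `interval` seconds pass without a hit on `key`.
        count, last = table.get(key, (0, now))
        count = count + 1 if now - last < interval else 1
        table[key] = (count, now)
        return count > limit

    def handle(self, ip, uri, now):
        """Return the status the module would send for this request: 200 or 403."""
        c = self.cfg
        if ip in self.blocked and now - self.blocked[ip] < c.blocking_period:
            self.blocked[ip] = now  # a request during the block extends it
            return 403
        page_hit = self._over_limit(self.pages, (ip, uri), c.page_count, c.page_interval, now)
        site_hit = self._over_limit(self.sites, ip, c.site_count, c.site_interval, now)
        if page_hit or site_hit:
            self.blocked[ip] = now
            return 403
        return 200


def same_uri_burst(n, cfg=None):
    """Statuses for n requests to one URI from one (constructed) IP in the same second."""
    ev = Evasive(cfg or EvasiveConfig())
    return [ev.handle("192.0.2.10", "/about.html", now=100.0) for _ in range(n)]


def page_load_burst(assets, cfg=None):
    """One page view fetching `assets` distinct URIs in a second, then one request 61 s later."""
    ev = Evasive(cfg or EvasiveConfig())
    statuses = [ev.handle("192.0.2.20", f"/static/asset{i}.js", now=200.0) for i in range(assets)]
    statuses.append(ev.handle("192.0.2.20", "/index.html", now=261.0))
    return statuses
```

With the defaults, a third request to the same URI within a second is denied, and a page that loads 60 assets gets its visitor blocked at the 51st until the blocking period has passed; raising DOSSiteCount (or DOSSiteInterval) is the usual fix for that false positive.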
3. Sample Configuration
Here’s a sample configuration that you can use for your website/web application. Add it to the bottom of your Apache config file.
Open the Apache config file in a text editor:
Ubuntu / Linux Mint
$ sudo vim /etc/apache2/apache2.conf
$ sudo vim /etc/apache2/httpd.conf
Feel free to customize it as per your requirement.
# Rate limiting
# Learn more at http://library.linode.com/web-servers/apache/mod-evasive
<IfModule mod_evasive20.c>
    # The hash table size defines the number of top-level nodes for each child's
    # hash table. Increasing this number will provide faster performance by
    # decreasing the number of iterations required to get to the record, but
    # consume more memory for table space. You should increase this if you have
    # a busy web server. The value you specify will automatically be tiered up
    # to the next prime number in the primes list (see mod_evasive.c for a list
    # of primes used).
    DOSHashTableSize 3097

    # If set, this email address will receive a notification whenever an IP
    # address becomes blacklisted. A locking mechanism prevents continuous
    # emails from being sent.
    DOSEmailNotify firstname.lastname@example.org

    # NOTE: The following settings apply on a per-IP address basis.

    # Allow up to 2 requests for the same URI per second:
    DOSPageInterval 1
    DOSPageCount 2

    # Allow up to 50 requests across the site per second:
    DOSSiteInterval 1
    DOSSiteCount 50

    # Once the client is blacklisted, prevent them from accessing the site
    # for 60 seconds:
    DOSBlockingPeriod 60
</IfModule>
4. Restart Apache Web Server
Restart the Apache web server to apply the changes:
sudo /etc/init.d/apache2 restart