
Let’s say I have a login form:

<form action="index.php" method="post"><input type="password" name="pwd"><input type="submit" /></form>

I know that proper rate limiting should be done with iptables or fail2ban, but without going so far, can we do something simple, just in the .htaccess:

  • Limit the IP for 24 hours if there has been >= 10 requests to this page during the last minute

Can something like this be done with .htaccess (or apache2.conf) only and no other third-party tool (an Apache module is ok)?

2 Answers

  1. I’d strongly advise against solving this problem on the level that you propose. I’d rather go for the application layer, because in the end it’s most likely failed login attempts that you want to limit.

    And as we still suffer from IPv4, and with it NAT, you won’t know how many distinct legitimate browsers hide behind a single IP address.

    On failure, your application can then trigger fail2ban or iptables activities. However, in times of distributed attacks and botnets I doubt that this will make much of a difference. Before you invest a lot of time, I’d recommend inspecting the logs and finding out if this is a common (or rather the most common) attack path.

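The log inspection suggested above, as an added example that is not part of the answer: a POSIX sh/awk script that scans an Apache "combined" access log for client IPs that POSTed to /index.php at least N times inside any 60-second span (the rule from the question). The log lines are constructed for the example; the threshold and window are parameters, and timestamps are turned into seconds with a 31-day-month simplification, which only matters for windows that straddle a month boundary. Note that, as the answer says, this counts submissions per IP, not failed logins, so every client behind one NAT address is counted together.

```shell
#!/bin/sh
# Added example: which client IPs sent >= THRESHOLD POSTs to /index.php
# within any WINDOW-second span of an Apache combined access log.
set -eu

# Constructed sample log (not from the original post). 10.0.0.5 hammers the
# login form ten times in ten seconds; 192.0.2.7 submits every 90 seconds.
make_sample_log() {
  cat > "$1" <<'EOF'
192.0.2.7 - - [12/Mar/2024:09:00:00 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:09:00:01 +0000] "GET /index.php HTTP/1.1" 200 1843 "-" "curl/8.0"
10.0.0.5 - - [12/Mar/2024:09:00:02 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.5 - - [12/Mar/2024:09:00:03 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.5 - - [12/Mar/2024:09:00:04 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.5 - - [12/Mar/2024:09:00:05 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.5 - - [12/Mar/2024:09:00:06 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.5 - - [12/Mar/2024:09:00:07 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.5 - - [12/Mar/2024:09:00:08 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.5 - - [12/Mar/2024:09:00:09 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.5 - - [12/Mar/2024:09:00:10 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.5 - - [12/Mar/2024:09:00:11 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.5 - - [12/Mar/2024:09:00:12 +0000] "POST /other.php HTTP/1.1" 404 210 "-" "curl/8.0"
192.0.2.7 - - [12/Mar/2024:09:01:30 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.7 - - [12/Mar/2024:09:03:00 +0000] "POST /index.php?lang=en HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.7 - - [12/Mar/2024:09:04:30 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
}

# offenders LOGFILE [THRESHOLD] [WINDOW]: print each IP (sorted) that made
# >= THRESHOLD POSTs to /index.php within WINDOW seconds. The log is assumed
# to be in time order, as access logs written by Apache are.
offenders() {
  awk -v threshold="${2:-10}" -v window="${3:-60}" '
    # $6 is the quoted method, $7 the request path: only form submissions count.
    $6 == "\"POST" && $7 ~ /^\/index\.php(\?|$)/ {
      # $4 looks like [12/Mar/2024:09:00:02 -> day, Mon, year, h, m, s.
      split(substr($4, 2), t, "[/:]")
      mon  = (index("JanFebMarAprMayJunJulAugSepOctNovDec", t[2]) + 2) / 3
      secs = (((t[3] * 12 + mon) * 31 + t[1]) * 24 + t[4]) * 3600 + t[5] * 60 + t[6]
      n[$1]++; ts[$1, n[$1]] = secs
    }
    END {
      for (ip in n) {
        # Sliding window over this IP: keep lo..hi inside WINDOW seconds.
        lo = 1
        for (hi = 1; hi <= n[ip]; hi++) {
          while (ts[ip, hi] - ts[ip, lo] >= window) lo++
          if (hi - lo + 1 >= threshold) { print ip; break }
        }
      }
    }' "$1" | sort
}

# Stand-alone run: build the sample log, apply the rule from the question.
log=$(mktemp)
make_sample_log "$log"
echo "IPs with >= 10 POSTs to /index.php inside 60 s:"
offenders "$log" 10 60
rm -f "$log"
```

The same function run on a real log (`offenders /var/log/apache2/access.log 10 60`) gives the list the first answer suggests checking before investing in a blocking mechanism; the two constructed clients show why the threshold matters, since a lower threshold would flag the client that is merely slow.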
  2. If you really need a way to ‘rate limit’ one particular IP and you want an Apache module for it then this might be for you:
    https://wiki.debian.org/en/Apache/mod_evasive

    mod_evasive is a module that detects possible attack patterns on the network, similar to an IPS (intrusion prevention system).
    A basic explanation of what an IPS does is right here.

    To setup the module run

    sudo apt-get install libapache2-mod-evasive 
    

    Then activate the module with

    sudo a2enmod evasive 
    

    Verify the installation by running

    sudo apachectl -M | grep evasive
    

    Expected output: evasive20_module (shared)
    Now we create a new folder for our Apache module so it can write logs to it.

    sudo mkdir /var/log/mod_evasive
    sudo chown www-data:root /var/log/mod_evasive 
    

    Let’s edit the config of mod_evasive. I use nano for this example.

    sudo nano /etc/apache2/mods-available/evasive.conf
    

    Please note: never edit a module configuration in /apache2/mods-enabled/; use /apache2/mods-available/ instead. The example provided above is correct.
    This is an example configuration:

    <IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    DOSPageCount 2
    DOSSiteCount 50
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 10
    DOSEmailNotify [email protected]
    # Command that will be sent to the system for each blocked client; %s = attacker's IP.
    # Either add the IP to an xt_recent list ...
    DOSSystemCommand "echo +%s > /proc/net/xt_recent/badguys"
    # ... or block it directly with iptables:
    # DOSSystemCommand "su root -c '/sbin/iptables -A INPUT -s %s -j DROP'"
    DOSLogDir "/var/log/mod_evasive"
    DOSWhitelist 127.0.0.1
    </IfModule>
    

    If you want to get email notifications via sendmail, use

    sudo ln -s /usr/bin/mail /bin/mail 
    

    Finally, restart Apache using

    sudo systemctl restart apache2
    

    To limit the module to one location, use

    <Directory /var/www/test/>
      <IfModule moduleLimitedToTest>
       ... do something with module
      </IfModule>
    </Directory>
    

    More on how to use containers can be found here. You could place this into a site/virtualhost config. This is explained here.

    Though I’d strongly recommend the same thing as Olaf Kock.

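The install, enable, verify, log-directory, config and restart steps above, as one script. This is an added example, not the answer's own code: it renders the mod_evasive config with the thresholds from the question (DOSPageCount 10 with DOSPageInterval 60, DOSBlockingPeriod 86400 for the 24-hour block) and checks the module is loaded before going further. It assumes Debian/Ubuntu with Apache 2.4, www-data as uid/gid 33, and the iptables "recent" match (xt_recent); the list name badguys, the config path and the modprobe.d file name are choices made for the example. DOSSystemCommand runs as the Apache user, so the example has it append to an xt_recent list that www-data is allowed to write, and lets a single iptables rule drop listed addresses for 24 hours. Two caveats for production use: mod_evasive keeps its hit counts per Apache child process, so with prefork the effective threshold is higher than the configured one, and it counts every request to the URI, not failed logins, which is the NAT point made in the first answer.

```shell
#!/bin/sh
# Added example (not from the original answer): the full mod_evasive setup as
# one script, with the thresholds from the question (10 hits on one URI from
# one IP inside 60 s => 24 h block). Assumes Debian/Ubuntu, Apache 2.4,
# www-data = uid/gid 33 and the iptables "recent" match (xt_recent).
set -eu

CONF=/etc/apache2/mods-available/evasive.conf   # path used by the Debian package
LOGDIR=/var/log/mod_evasive

# Render the module configuration into the file given as $1.
write_evasive_conf() {
  cat > "$1" <<'EOF'
<IfModule mod_evasive20.c>
    DOSHashTableSize   3097
    # Per-URI rule from the question: 10 requests from one IP within 60 s.
    DOSPageCount       10
    DOSPageInterval    60
    # Site-wide rule (any URI); loose on purpose, tune to real traffic.
    DOSSiteCount       100
    DOSSiteInterval    1
    # 24 h of HTTP 403; mod_evasive restarts the timer on every blocked hit.
    DOSBlockingPeriod  86400
    DOSLogDir          "/var/log/mod_evasive"
    # Runs as the Apache user, so it must not need root or a tty: append the
    # IP to an xt_recent list that the iptables rule installed below drops.
    DOSSystemCommand   "echo +%s > /proc/net/xt_recent/badguys"
    DOSWhitelist       127.0.0.1
</IfModule>
EOF
}

# Sanity-check a rendered config: every directive we rely on is present and
# the system command does not try to switch user (no password, no tty there).
check_evasive_conf() {
  for d in DOSHashTableSize DOSPageCount DOSPageInterval DOSSiteCount \
           DOSSiteInterval DOSBlockingPeriod DOSLogDir DOSSystemCommand DOSWhitelist; do
    grep -Eq "^[[:space:]]*$d[[:space:]]" "$1" || { echo "missing $d" >&2; return 1; }
  done
  ! grep -Eq 'DOSSystemCommand.*"(sudo|su) ' "$1"
}

# The procedure from the answer, stopping at the first step that fails.
install_mod_evasive() {
  apt-get install -y libapache2-mod-evasive
  a2enmod evasive
  # Same check the answer does by hand; expected "evasive20_module (shared)".
  apachectl -M 2>/dev/null | grep -q evasive20_module \
    || { echo "mod_evasive not loaded" >&2; return 1; }
  install -d -o www-data -g root -m 0750 "$LOGDIR"
  write_evasive_conf "$CONF"
  check_evasive_conf "$CONF"
  # Kernel side. /proc/net/xt_recent/badguys only appears once a rule names
  # the list; --rcheck --seconds 86400 drops an entry's traffic for 24 h after
  # it was added. ip_list_uid/gid let www-data write the list; the option
  # takes effect when xt_recent is (re)loaded, e.g. after a reboot.
  printf 'options xt_recent ip_list_uid=33 ip_list_gid=33 ip_list_perms=0640\n' \
    > /etc/modprobe.d/xt_recent.conf
  iptables -C INPUT -m recent --name badguys --rcheck --seconds 86400 -j DROP 2>/dev/null ||
    iptables -I INPUT -m recent --name badguys --rcheck --seconds 86400 -j DROP
  apachectl configtest
  systemctl restart apache2
}

# The privileged part runs only on explicit request and as root; the render
# and check functions above are safe to call anywhere.
if [ "${1:-}" = "--install" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
  install_mod_evasive
fi
```

Run it as `sudo sh setup-evasive.sh --install`; without the flag it only defines the functions, so `write_evasive_conf /tmp/evasive.conf` lets you review the rendered config before touching a server. Whitelisting is by IP only, so the first answer's NAT caveat applies to DOSWhitelist as well.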