Topics

ip

Limit requests per IP on Nginx using HttpLimitZoneModule and HttpLimitReqModule except whitelist

– Make sure to check Nginx, PHP posts for information on Nginx and PHP setup and configuration.

Nginx offers two modules, HttpLimitReqModule and HttpLimitZoneModule, to limit simultaneous connections for the assigned session and the number of requests for a given session from one IP address. Basically these modules are built to protect the web server from possible DDos attacks; For example, this configuration limits remote clients to no more than 20 concurrently “open” connections per remote ip address:

http{
    limit_conn_zone  $binary_remote_addr zone=concurrent:10m;
    limit_conn_log_level warn;
    limit_conn  concurrent  20;

Configuring iptables on CentOS

– disable SELINUX

vi /etc/selinux/config
#change
SELINUX=disabled

– reboot or run

 setenforce 0

– add iptables rules

Ban IP from logging in for 5 minutes after 10 failed logins


if( login_limit() )
   die( 'Your IP has been banned from logging in for the next 5 minutes' );



/*
 * Counts login times by same IP 
 * returns true if limit reached or false if not 
 */
function login_limit(){
    //get real IP if user behind proxy noted by Sebastian Enger
    $ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
    
    //user still banned from login
    if( _cache( $ip . 'banned' ) )
        return true;

    //number of seconds 
    $sec = 30;
    //find ip info array in cache saved less than $sec ago
    if( ($ip_info=_cache( $ip ))  && $ip_info[0] > time()-$sec ){
        
        //user login 10 times during last $sec 
        if(  $ip_info[1] > 10 ){
            //ban user ip for the next 5 minutes
            _cache( $ip . 'banned', 1, 0, 60*5 );
            _cache( $ip, -1 );
            return true;
        }
        //increase login retries +1 
        _cache( $ip, array(  $ip_info[0],   ++$ip_info[1] ), 0, $sec );
        return false;
        
    }
        
    //add ip info to cache
    _cache( $ip, array( time(), 1 ), 0, $sec );
    return false;
}

function _cache( $name, $val=NULL, $ttl=false ){
        //memcached
	global $mcdb;
	if(empty($mcdb) ) 
		$mcdb = memcache_connect('unix:///etc/sockets/memcached.sock', 0);
	
	if($val === -1){
		return memcache_delete($mcdb,$name);
	}elseif( $val !== NULL ){
		return memcache_set($mcdb,$name,$val, false, $ttl);
	}else{
		$retval = memcache_get($mcdb,$name);
		return  $retval ? $retval : NULL;
	}

}

Using iptables to block ips that spam or attack your server

Check Configuring iptables on CentOS post.

Why should you do that while APF or CSF can do it automatically?
Because APF/CSF could block an important bot testing your server to add to search index. So reviewing every ip would be a daily task!
Ok, so how?
using RHEL4, centos4