Rocky 9.x Rate limiting connections to apache

From Notes_Wiki

Home > Rocky Linux or CentOS > Rocky Linux 9.x > Web Servers > Apache

This has not been tested practically. There could be mistakes / errors in below steps.

Rate limit incoming connections using iptables recent module

Rate limiting can be done with `firewalld` direct rules, which are written in iptables syntax; on Rocky 9 firewalld uses the nftables backend and hands direct rules to `iptables-nft`. The direct interface is deprecated in firewalld 1.x in favour of policies, but it is still present and works. Steps are:

  1. Start and enable firewalld service:
    sudo systemctl start firewalld
    sudo systemctl enable firewalld
  2. Whitelist IPs for which we don't want rate limiting to apply, e.g. office IPs. Direct rules are evaluated before, and independently of, the zone rules, so putting an IP into the `trusted` zone alone does not exempt it from the rules added in the next step; add an explicit direct ACCEPT for each such IP at priority 0 so that it is matched first:
    sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -s WHITELISTED_IP_1 -p tcp -m multiport --dports 80,443 -j ACCEPT
    sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -s WHITELISTED_IP_2 -p tcp -m multiport --dports 80,443 -j ACCEPT
  3. Add direct rules for rate limiting. Match only new TCP connections (`--syn`) to the web ports; without that restriction every packet of every established connection is counted and the limit is reached within seconds:
    sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -p tcp --syn -m multiport --dports 80,443 -m recent --name rate_limit --rcheck --seconds 3600 --hitcount 100 -j DROP
    sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 2 -p tcp --syn -m multiport --dports 80,443 -m recent --name rate_limit --set
    The first rule drops a new connection once 100 connection attempts from the same source IP are already recorded within the last 3600 seconds, so exactly 100 new connections per hour per source IP get through (`--hitcount 101` would let 101 through). `--rcheck` only reads the list and a dropped attempt is not recorded, so the block lifts as the old entries age out of the window. The second rule has no target: it only records the attempt and then falls through to the zone rules, which must still allow the http and https services. Note that the `xt_recent` module remembers only `ip_pkt_list_tot` timestamps per address (default 20) and refuses to load a rule whose `--hitcount` is larger than that. For a limit above 20 create `/etc/modprobe.d/xt_recent.conf` containing `options xt_recent ip_pkt_list_tot=100` before the module is first loaded (i.e. before adding the rules, or reboot afterwards).
  4. Reload the firewall to apply the changes:
    sudo firewall-cmd --reload
  5. List direct rules to verify:
    sudo firewall-cmd --permanent --direct --get-rules ipv4 filter INPUT
  6. Test from some IP. During testing set a small limit such as `--hitcount 5` and verify that connections from that IP are dropped after five attempts while other IPs are unaffected, and that the block lifts once the recorded attempts are older than `--seconds`. The recorded addresses and timestamps can be inspected with `sudo cat /proc/net/xt_recent/rate_limit`, and a single entry can be cleared during testing with `echo -TEST_IP | sudo tee /proc/net/xt_recent/rate_limit`.
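The interaction of the two `-m recent` rules is easier to reason about with a model. The following is an added example, not code from the original page, iptables or firewalld: it re-implements `--set` and `--rcheck --seconds --hitcount` in Python and runs constructed traffic through the rule order described above (whitelist first, then the DROP check, then the record-only rule), so that the sliding hour window, the whitelist ordering and the `ip_pkt_list_tot` cap can be stepped through without a firewall. The addresses, timings and the `IP_PKT_LIST_TOT` default are assumptions of the example.

```python
"""Model of the iptables `recent` match used by the direct rules above.

Added example: this is not code from the original page, iptables or
firewalld. It re-implements the semantics of `-m recent --set` and
`-m recent --rcheck --seconds S --hitcount N` in plain Python so the
per-source "N new connections per hour" behaviour and its edge cases can
be stepped through without touching a firewall. All traffic is constructed.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 3600   # --seconds on the DROP rule
HITCOUNT = 100          # --hitcount on the DROP rule
IP_PKT_LIST_TOT = 20    # xt_recent module default: timestamps kept per address


class RecentList:
    """One `--name` table: a bounded ring of packet timestamps per address."""

    def __init__(self, max_entries=IP_PKT_LIST_TOT):
        self.stamps = defaultdict(lambda: deque(maxlen=max_entries))

    def set(self, src, now):
        """--set: record a timestamp; the oldest is forgotten past the cap."""
        self.stamps[src].append(now)

    def rcheck(self, src, now, seconds, hitcount):
        """--rcheck --seconds --hitcount: true when at least `hitcount`
        stored timestamps lie within the last `seconds`. Does not record."""
        inside = sum(1 for t in self.stamps[src] if now - t <= seconds)
        return inside >= hitcount


def input_chain(table, src, now, whitelist=frozenset()):
    """Evaluate one inbound SYN against the direct rules, in priority order.

    Priority 0: explicit ACCEPT for whitelisted sources (direct rules run
    before zone rules, so the `trusted` zone alone would not skip the limiter).
    Priority 1: DROP once HITCOUNT SYNs are already recorded in the window.
    Priority 2: record this SYN; the real rule then falls through to the
    zone rules, which still have to permit http/https.
    """
    if src in whitelist:
        return "ACCEPT"
    if table.rcheck(src, now, WINDOW_SECONDS, HITCOUNT):
        return "DROP"
    table.set(src, now)
    return "ACCEPT"


def simulate(arrivals, max_entries=HITCOUNT, whitelist=frozenset()):
    """Run (time_s, src) SYN arrivals through the chain; return verdicts per src."""
    table = RecentList(max_entries)
    verdicts = defaultdict(list)
    for now, src in sorted(arrivals):
        verdicts[src].append(input_chain(table, src, now, whitelist))
    return dict(verdicts)


def summarize(verdicts):
    """{src: (accepted, dropped)} for a quick comparison between sources."""
    return {s: (v.count("ACCEPT"), v.count("DROP")) for s, v in verdicts.items()}


# Constructed scenario: 10.0.0.5 opens 102 connections 10 s apart, then two
# more after its first timestamp has aged out of the hour window;
# 192.0.2.9 opens three; 10.0.0.1 is whitelisted and opens 150.
SCENARIO = (
    [(10 * i, "10.0.0.5") for i in range(102)]
    + [(3601, "10.0.0.5"), (3605, "10.0.0.5")]
    + [(15 * i, "192.0.2.9") for i in range(3)]
    + [(5 * i, "10.0.0.1") for i in range(150)]
)

if __name__ == "__main__":
    # With the module cap raised to HITCOUNT: 100 accepted, 101st/102nd dropped,
    # the SYN at 3601 s is accepted again as the t=0 stamp expires, the one at
    # 3605 s is dropped. Whitelisted and quiet sources are never affected.
    for src, counts in summarize(simulate(SCENARIO, whitelist={"10.0.0.1"})).items():
        print(src, "accepted/dropped:", counts)
    # With the default ip_pkt_list_tot=20 only 20 stamps are kept per address,
    # so the hitcount can never be reached (iptables refuses such a rule).
    print("cap 20 drops:", summarize(simulate(SCENARIO, IP_PKT_LIST_TOT)))
```

The model shows why the cap matters: with only 20 remembered timestamps a `--hitcount 100` rule could never match, which is exactly why the kernel rejects it at load time rather than silently accepting everything.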

Rate limiting connections via fail2ban

fail2ban can also be used to ban IPs that make excessive requests to Apache within a given period. Steps are:

  1. Install fail2ban. On Rocky 9 it comes from EPEL; the `fail2ban` package pulls in `fail2ban-firewalld`, which sets the default banaction to `firewallcmd-rich-rules` so that bans go through firewalld rather than raw iptables chains:
       sudo dnf install epel-release
       sudo dnf install fail2ban
    In case of Debian / Ubuntu use 'sudo apt-get install fail2ban'
  2. Whitelist office IPs via `ignoreip` in the `[DEFAULT]` section of '/etc/fail2ban/jail.local', as described in CentOS_7.x_fail2ban#Whitelist_IPs
  3. Create a new filter for Apache by creating file '/etc/fail2ban/filter.d/apache-req-limit.conf' with following contents:
       [Definition]
       failregex = ^<HOST> -.* "GET .* HTTP.*"
       ignoreregex =
    This regex counts GET requests in the Apache access log (fail2ban replaces `<HOST>` with a pattern that captures the client address). To count other methods as well, widen the alternation, e.g. `failregex = ^<HOST> -.* "(GET|POST|HEAD) .* HTTP.*"`.
  4. Configure a jail for the new filter by adding the following to '/etc/fail2ban/jail.local'. Keep comments on their own lines: fail2ban only recognises `;` as an inline-comment marker, so a trailing `# ...` after a value would become part of the value:
       [apache-req-limit]
       enabled = true
       filter = apache-req-limit
       # /var/log/apache2/access.log on Debian/Ubuntu
       logpath = /var/log/httpd/access_log
       # ban an IP once maxretry matching requests fall within findtime seconds
       maxretry = 100
       findtime = 3600
       # ban for 1 hour, adjust as needed
       bantime = 3600
       action = iptables-multiport[name=apache-req-limit, port="http,https", protocol=tcp]
    Change `logpath` if your Apache logs are in a different location. On a Rocky 9 host where firewalld is running, leave the `action` line out so that the default banaction from `fail2ban-firewalld` is used; `iptables-multiport` inserts its own iptables chains, which firewalld does not manage. Also note that every request matching the filter counts, including CSS, JavaScript and image requests, so a single page view can use up many of the 100 hits, and users behind a shared NAT address share one budget; derive `maxretry` from real access logs rather than guessing.
  5. Restart fail2ban
    sudo systemctl restart fail2ban
  6. Before relying on the jail, check the filter against the real log with fail2ban's own tester, which reports how many lines matched and which hosts were extracted:
    sudo fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-req-limit.conf
    Then monitor '/var/log/fail2ban.log' and test the configuration. For testing set a smaller limit such as `maxretry = 5` and validate that while connections are blocked from the test IP they still work from another IP. The jail state, including currently banned IPs, is shown by:
    sudo fail2ban-client status apache-req-limit
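The following is an added example, neither fail2ban's code nor code from the original page, that dry-runs the filter and jail settings above on a constructed access_log excerpt. It substitutes a simplified IPv4-only pattern for fail2ban's `<HOST>` expansion (an assumption of the example), applies the failregex the way fail2ban does (date located and removed first, regex applied to the remainder), and then replays the jail's `maxretry`/`findtime` rule to show which sources would be banned and when. It also compares the page's GET-only regex with the widened variant from step 3, and illustrates the static-asset caveat: one page view from a single client is enough to trip a test limit of 5. The log lines and addresses are constructed.

```python
"""Dry run of the apache-req-limit filter and jail on constructed log lines.

Added example; it is neither fail2ban's code nor code from the original
page. It substitutes a simplified, IPv4-only pattern for fail2ban's <HOST>
tag, applies the failregex the way fail2ban does (date located and removed
first, regex applied to the remainder), then replays the jail's
maxretry/findtime rule to see which sources would be banned. Use
`fail2ban-regex` against the real access_log before relying on a filter.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Filter from step 3 as written on the page (GET only) and a widened variant.
GET_ONLY_FAILREGEX = r'^<HOST> -.* "GET .* HTTP.*"'
FAILREGEX = r'^<HOST> -.* "(?:GET|POST|HEAD) .* HTTP.*"'

# Jail settings from step 4, scaled down for a test run as step 6 suggests.
MAXRETRY = 5
FINDTIME = timedelta(seconds=3600)

# Assumption: IPv4-only stand-in for fail2ban's <HOST> expansion.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Apache common-log timestamp, e.g. [10/Oct/2024:13:55:01 +0000];
# the UTC offset is ignored in this replay.
APACHE_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")


def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python regex by expanding <HOST>."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def match_line(pattern, line):
    """Return (timestamp, host) when the line counts as a failure, else None."""
    ts = APACHE_TS.search(line)
    if ts is None:
        return None                       # no date: fail2ban ignores the line
    when = datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S")
    rest = line[:ts.start()] + line[ts.end():]
    hit = pattern.search(rest)
    return (when, hit.group("host")) if hit else None


def ban_times(lines, failregex=FAILREGEX, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay the jail: ban a host at the moment `maxretry` failures fall
    within `findtime`. Returns {host: ISO time of the ban}. Failures are
    consumed in log order, as fail2ban does while tailing the file."""
    pattern = compile_failregex(failregex)
    recent = defaultdict(list)
    banned = {}
    for line in lines:
        hit = match_line(pattern, line)
        if hit is None:
            continue
        when, host = hit
        if host in banned:
            continue                      # already banned, nothing more to count
        window = [t for t in recent[host] if when - t <= findtime] + [when]
        recent[host] = window
        if len(window) >= maxretry:
            banned[host] = when.isoformat()
    return banned


# Constructed access_log excerpt. 203.0.113.7 loads one page (HTML, CSS, JS,
# a POST, an image, a favicon); 198.51.100.4 visits every 30 minutes;
# 192.0.2.33 sends a method the filter ignores; the last line has no date.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:13:55:01 +0000] "GET / HTTP/1.1" 200 612
203.0.113.7 - - [10/Oct/2024:13:55:02 +0000] "GET /style.css HTTP/1.1" 200 1024
198.51.100.4 - - [10/Oct/2024:13:55:03 +0000] "GET / HTTP/1.1" 200 612
203.0.113.7 - - [10/Oct/2024:13:55:03 +0000] "GET /app.js HTTP/1.1" 200 4096
203.0.113.7 - - [10/Oct/2024:13:55:04 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.7 - - [10/Oct/2024:13:55:05 +0000] "GET /logo.png HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2024:13:55:06 +0000] "GET /favicon.ico HTTP/1.1" 404 196
198.51.100.4 - - [10/Oct/2024:14:25:03 +0000] "GET / HTTP/1.1" 200 612
198.51.100.4 - - [10/Oct/2024:14:55:03 +0000] "GET / HTTP/1.1" 200 612
198.51.100.4 - - [10/Oct/2024:15:25:03 +0000] "GET / HTTP/1.1" 200 612
198.51.100.4 - - [10/Oct/2024:15:55:03 +0000] "GET / HTTP/1.1" 200 612
192.0.2.33 - - [10/Oct/2024:13:56:00 +0000] "OPTIONS * HTTP/1.0" 200 0
garbage line without a timestamp
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("widened filter:", ban_times(lines))
    print("page's GET-only filter:", ban_times(lines, GET_ONLY_FAILREGEX))
```

With the widened regex 203.0.113.7 is banned on its fifth request, the image at 13:55:05; with the GET-only regex the POST does not count and the ban lands one line later, on the favicon. 198.51.100.4 never has more than three hits inside any one-hour window and is left alone, as are the OPTIONS request and the undated line.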
