When managing a web server, controlling traffic per IP is crucial to prevent abuse. A common scenario is limiting an IP to 1GB of daily traffic or a specific number of requests. If exceeded, the IP should be blocked until the next day. This can be achieved using Apache modules like mod_evasive or system-level tools like iptables. The two measure different things: mod_evasive counts requests per client IP, while iptables works at the packet level and either throttles a source to a sustained rate (hashlimit) or counts bytes per rule (quota, which needs one rule per client to be per-client). Neither gives an exact per-client daily byte total by itself, so the configurations below approximate the daily budget as a rate or combine the tools.
mod_evasive is an Apache module designed to mitigate DoS and brute-force attacks by limiting the rate of requests per client IP. Here's how to configure it:
LoadModule evasive20_module modules/mod_evasive24.so
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
# Block for 24 hours (Apache rejects a trailing comment on a directive line, so the comment goes on its own line)
DOSBlockingPeriod 86400
Key parameters:
- DOSPageCount: max requests for the same URI per client within DOSPageInterval seconds. 2 is the module's aggressive default; a user double-clicking a link can trip it.
- DOSSiteCount: max total requests per client within DOSSiteInterval seconds. Every image, script and stylesheet on a page counts, so set it above what one page load generates.
- DOSBlockingPeriod: block duration in seconds. The timer restarts on every request the blocked client makes during the block, so a client that keeps hammering stays blocked and one that goes quiet is released after the period.
For bandwidth control, iptables can throttle traffic per source with the hashlimit match. hashlimit is a token bucket: in byte mode (amounts with a b/s suffix such as 12kb/s) it matches once a client exceeds a sustained rate, so a daily budget has to be expressed as a rate (1GB over 86400 seconds is about 12KB/s). Without a unit the amount means packets per second, so a bare 1000000000 does not limit anything useful. Example:
# Dedicated chain so the limit can be inspected or flushed on its own
iptables -N BANDWIDTH_LIMIT
# Send every inbound HTTP packet through the chain. Matching only --state NEW would count
# connection attempts rather than data, so no state match is used here.
iptables -A INPUT -p tcp --dport 80 -j BANDWIDTH_LIMIT
# Drop packets from a source sending faster than about 1GB/day: 12kb/s sustained, 1mb burst.
# --hashlimit-htable-expire is in milliseconds (how long an idle source stays in the table).
iptables -A BANDWIDTH_LIMIT -m hashlimit --hashlimit-name bw --hashlimit-mode srcip --hashlimit-above 12kb/s --hashlimit-burst 1mb --hashlimit-htable-expire 60000 -j DROP
# Traffic under the rate continues down INPUT. RETURN must come after the DROP rule;
# placed first it would end the chain before the limit is ever evaluated.
iptables -A BANDWIDTH_LIMIT -j RETURN
On INPUT this meters what the client sends (requests). For a download-heavy site the bytes that matter are the responses, so hook the chain into OUTPUT with --sport 80 and use --hashlimit-mode dstip instead.
For robust control, combine mod_evasive (request limiting) and iptables (bandwidth limiting). Loosen the mod_evasive thresholds to values real browsers stay under and leave bulk transfers to the kernel rule:
# Apache config (mod_evasive)
DOSPageCount 100
DOSSiteCount 500
# iptables rule, inserted at the top of the BANDWIDTH_LIMIT chain created above so it sits ahead of
# the chain's RETURN rule. hashlimit needs a rate: a bare 1gb is rejected, use the per-second equivalent.
iptables -I BANDWIDTH_LIMIT 1 -m hashlimit --hashlimit-name bw --hashlimit-mode srcip --hashlimit-above 12kb/s --hashlimit-burst 1mb -j DROP
Verify the setup using tools like ab (Apache Benchmark) or iftop for traffic monitoring:
ab -n 1000 -c 10 http://yourserver.com/
iftop -i eth0 -n
Once mod_evasive trips it answers 403, so ab's "Non-2xx responses" counter shows how many requests were blocked; run the test from a client address you are willing to have blocked for DOSBlockingPeriod. Blocked IPs are recorded in three places: mod_evasive logs "Blacklisting address <ip>: possible DoS attack." to syslog, it writes a marker file named dos-<ip> into DOSLogDir (default /tmp), and the blocked requests show up as 403s in the normal Apache access log. The module does not set a request note of its own, so a CustomLog format cannot single them out beyond their status code.
When running public-facing web services, it's common to encounter scenarios where you need to:
- Prevent single IPs from consuming excessive bandwidth
- Protect against brute force attacks
- Ensure fair resource allocation among users
- Mitigate potential DDoS attempts
The Apache module mod_evasive provides request throttling per client IP. Here's how to implement it:
First install the module:
# Debian/Ubuntu
sudo apt-get install libapache2-mod-evasive
# CentOS/RHEL (the package comes from the EPEL repository)
sudo yum install mod_evasive
Configuration (on Debian/Ubuntu the package installs /etc/apache2/mods-available/evasive.conf for this; otherwise put it in httpd.conf):
<IfModule evasive20_module>
    DOSHashTableSize 3097
    # DOSSiteCount must be the larger of the two: it counts all requests from a
    # client, DOSPageCount only repeats of the same URI
    DOSPageCount 10
    DOSSiteCount 100
    DOSPageInterval 1
    DOSSiteInterval 1
    # 24 hour block (Apache rejects a trailing comment on a directive line)
    DOSBlockingPeriod 86400
    DOSEmailNotify admin@yourdomain.com
    # Runs once per blocked client as the Apache user, which cannot change the
    # firewall on its own: allow exactly this command through a NOPASSWD sudoers
    # entry. Use a dedicated chain (WEB_BANS here is an example name; create it
    # with iptables -N and hook it into INPUT) so a daily job can flush the bans,
    # because an iptables DROP rule never expires on its own the way mod_evasive's
    # block does. %s is the client address.
    DOSSystemCommand "sudo /sbin/iptables -A WEB_BANS -s %s -j DROP"
</IfModule>
For precise bandwidth control at the network level, the quota match counts bytes exactly, but per rule rather than per source: it needs one rule per client, and once the quota is spent the packet simply stops matching, so a DROP rule for the same client must follow or nothing is blocked:
# Limit one client to 1GB of responses per day (1073741824 bytes, about 12KB/s if spread evenly)
iptables -A OUTPUT -p tcp --sport 80 -d $CLIENT_IP -m quota \
    --quota 1073741824 -j ACCEPT
# Everything after the quota is spent is dropped; without this rule the ACCEPT above does nothing useful
iptables -A OUTPUT -p tcp --sport 80 -d $CLIENT_IP -j DROP
# Alternative burst-friendly approach for any number of clients: hashlimit in byte mode
# meters each source against a sustained rate instead of a hard daily count. On INPUT it
# meters what the client sends; for downloads use OUTPUT --sport 80 with --hashlimit-mode dstip.
iptables -A INPUT -p tcp --dport 80 -m hashlimit \
    --hashlimit-above 12kb/s --hashlimit-burst 1mb \
    --hashlimit-mode srcip --hashlimit-name web_quota -j DROP
Create a daily cron job to reset the limits. Two things the obvious commands do not do: iptables -Z only zeroes the packet and byte counters shown by iptables -L -v, it neither refills a quota match nor removes DROP rules; and mod_evasive keeps its block list in memory, so truncating a log file changes nothing. Reset by re-creating the rules and clearing the per-IP marker files instead:
#!/bin/bash
# Run at midnight from cron, e.g. 0 0 * * * /usr/local/sbin/reset_web_limits
# Re-create the quota rule: deleting and re-adding it is what refills the counter
iptables -D OUTPUT -p tcp --sport 80 -d $CLIENT_IP -m quota --quota 1073741824 -j ACCEPT
iptables -I OUTPUT 1 -p tcp --sport 80 -d $CLIENT_IP -m quota --quota 1073741824 -j ACCEPT
# Remove the dos-<ip> marker files mod_evasive writes to DOSLogDir (default /tmp) so that
# DOSEmailNotify and DOSSystemCommand fire again for a returning offender. The in-memory
# block itself ends on its own DOSBlockingPeriod seconds after the client goes quiet.
rm -f /tmp/dos-*
For comprehensive protection, combine an Apache-level limit with an iptables fallback. The Apache half below is mod_bw (mod_bandwidth), not mod_evasive: its BandWidth directive is a rate in bytes per second per client, not a daily volume, so it smooths transfers rather than enforcing a 1GB cap:
# Apache config (mod_bw): 1024000 bytes/second (1000KB/s) per client for everything under /
<Location "/">
    BandWidthModule On
    BandWidth all 1024000
    BandWidthError 403
</Location>
# iptables fallback: a dedicated chain for inbound HTTP
iptables -N APACHE_PROTECT
iptables -A INPUT -p tcp --dport 80 -j APACHE_PROTECT
# 1. Sources banned in the last 24h are dropped. --rcheck (not --update) leaves the entry's
#    timestamp alone, so the ban ends 86400s after it was set, i.e. "until the next day";
#    --update would extend it on every packet the client keeps sending.
iptables -A APACHE_PROTECT -m recent --name APACHE_ABUSE --rcheck --seconds 86400 -j DROP
# 2. Accept while the quota has bytes left. This counter is shared by every client passing
#    through the rule, not kept per source; a true per-client budget needs one quota rule
#    per client or accounting from the access log.
iptables -A APACHE_PROTECT -m quota --quota 1073741824 -j ACCEPT
# 3. Quota spent: remember the source for 24h and drop
iptables -A APACHE_PROTECT -m recent --set --name APACHE_ABUSE -j DROP
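The cron reset and the fallback chain above still leave the actual per-client daily volume unmeasured. As an added example that is not part of the original page, the script below gets that number from Apache's own access log: it sums the %b response-size field per client, bans every client at or above the budget in a dedicated chain, and flushes that chain once a day in place of the iptables -Z that does nothing for bans. The log lines are constructed for the demonstration; the chain name WEB_QUOTA and the default of echoing commands instead of applying them are assumptions, and %b counts response bodies only, not headers or the bytes the client sent.

```shell
#!/bin/sh
# Added example, not code from the original page: enforce "1GB per client per
# day" by accounting from the access log (combined format), since neither
# mod_evasive nor hashlimit keeps a per-client byte total. WEB_QUOTA and the
# echo-based dry run are assumptions; the sample log lines are constructed.
QUOTA_BYTES=${QUOTA_BYTES:-1073741824}   # 1 GiB of response bodies per client
CHAIN=${CHAIN:-WEB_QUOTA}                # hypothetical chain, flushed daily
IPT=${IPT:-"echo iptables"}              # dry run; IPT=iptables as root applies

# Sum %b (10th whitespace-separated field of the combined format; "-" means 0)
# per client and print "ip bytes" for every client at or above the quota.
over_quota() {  # usage: over_quota LOGFILE QUOTA_BYTES
    awk -v q="$2" '
        $10 ~ /^[0-9]+$/ { bytes[$1] += $10 }
        END { for (ip in bytes) if (bytes[ip] >= q) print ip, bytes[ip] }
    ' "$1" | sort
}

# Put each offender into the quota chain. The chain is hooked into INPUT once
# (-C checks whether the jump already exists); bans live only in this chain,
# so the daily reset never touches the rest of the firewall.
ban_over_quota() {  # usage: ban_over_quota LOGFILE
    $IPT -N "$CHAIN" 2>/dev/null || true
    $IPT -C INPUT -p tcp --dport 80 -j "$CHAIN" 2>/dev/null ||
        $IPT -A INPUT -p tcp --dport 80 -j "$CHAIN"
    over_quota "$1" "$QUOTA_BYTES" | while read -r ip _; do
        $IPT -A "$CHAIN" -s "$ip" -j DROP
    done
}

# Midnight job: flush the bans. iptables -Z would only zero rule counters.
reset_daily() {
    $IPT -F "$CHAIN"
}

# Constructed sample log: 203.0.113.5 has fetched 1.2GB across two requests,
# 203.0.113.9 a few KB, and one HEAD response is logged with "-" for %b.
make_sample_log() {
    f=$(mktemp "${TMPDIR:-/tmp}/weblog.XXXXXX")
    cat >"$f" <<'EOF'
203.0.113.5 - - [01/Jan/2024:00:10:00 +0000] "GET /big.iso HTTP/1.1" 200 700000000 "-" "curl/8.0"
203.0.113.9 - - [01/Jan/2024:00:11:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2024:00:12:00 +0000] "GET /big.iso HTTP/1.1" 206 500000000 "-" "curl/8.0"
203.0.113.9 - - [01/Jan/2024:00:13:00 +0000] "HEAD /index.html HTTP/1.1" 200 - "-" "Mozilla/5.0"
EOF
    echo "$f"
}

LOG=$(make_sample_log)
ban_over_quota "$LOG"     # dry run prints: iptables -A WEB_QUOTA -s 203.0.113.5 -j DROP
rm -f "$LOG"
```

Run ban_over_quota against today's access log from cron every few minutes and reset_daily at midnight, right after logrotate has started a new file, so the day's total starts from zero. A client behind a reverse proxy or load balancer appears under the proxy's address in %h; in that case account on the forwarded client address (mod_remoteip) or the proxy itself ends up banned.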
- Test thresholds in staging before production
- Consider IPv6 if your service supports it: iptables rules cover IPv4 only, so repeat them with ip6tables
- Whitelist search engine crawlers and your own monitoring (DOSWhitelist in mod_evasive; an ACCEPT rule ahead of the limit in iptables)
- Monitor false positives in logs: 403s from mod_evasive in the access log, "Blacklisting address" entries in syslog
- Adjust values based on actual traffic patterns