How can I block an IP, if I'm getting many http requests in a second?

fail2ban is an easy-to-implement solution in these cases.

Add a block-all-dem-noobs.conf file to your filter.d directory, something like this

[Definition]
failregex = ^<HOST> -.*"GET.*

Translation: a RegExp to find GET requests

Then create a new entry in your jail.conf, something like this

[block-all-dem-noobs]
enabled = true
port = http,https
filter = block-all-dem-noobs
logpath = /var/log/httpd/access.log
maxretry = 100
findtime = 5
bantime = 600
action = iptables[name=HTTP, port=http, protocol=tcp]

Translation: Look through my access.log file, then block for 600 seconds (10 minutes) the IP addresses that made 100 requests in 5 seconds

One major drawback, though, is that this might produce false positives for NATed users, as they'll all appear as one IP address to you.


fail2ban can be configured to do this. You can configure it to trigger on a regex match in a logfile, and if the match happens too many times per minute (not sure if it goes to second resolution, but just multiply whatever you were thinking per second by 60) it can drop the client IP into the iptables packet filter, or take whatever other action you want. Or you can use the iptables recent module and adapt what I've done here for SIP brute force attacks to use with your web server:

# Deal with SIP brute forcing
# Whitelist chain: trusted sources are removed from the "SIP" recent list and accepted
iptables -N SIP_WHITELIST
# home
iptables -A SIP_WHITELIST -s 1.2.3.0/24 -m recent --remove --name SIP -j ACCEPT
# voip provider
iptables -A SIP_WHITELIST -s 4.5.6.0/24 -m recent --remove --name SIP -j ACCEPT
# remote location
iptables -A SIP_WHITELIST -s 7.8.9.0/24 -m recent --remove --name SIP -j ACCEPT

# Rate-limit chain: record every new connection's source in the "SIP" list,
# let whitelisted sources through, then log and drop any source seen
# 3 or more times within 30 seconds
iptables -N SIP_BRUTEFORCE
iptables -A SIP_BRUTEFORCE -m recent --set --name SIP
iptables -A SIP_BRUTEFORCE -p udp --dport 5060 -m state --state NEW -j SIP_WHITELIST
iptables -A SIP_BRUTEFORCE -m recent --update --seconds 30 --hitcount 3 --name SIP -j LOG
iptables -A SIP_BRUTEFORCE -m recent --update --seconds 30 --hitcount 3 --name SIP -j DROP

# Send all new inbound SIP connections through the rate-limit chain
iptables -A INPUT -p udp --dport 5060 -m state --state NEW -j SIP_BRUTEFORCE

Source: https://web.archive.org/web/20180901235739/http://tracyreed.org/blog/2010/12/26/sip-brute-force-attacks
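To make the ban logic of both answers above concrete (the fail2ban jail with its maxretry/findtime/bantime triple, and the recent-module rules with their hitcount window plus whitelist chain), here is an added Python example that is not part of either answer and not fail2ban's own code. It feeds constructed Apache access-log lines through the GET failregex from the first answer, keeps a per-IP sliding window of match timestamps, bans an IP once it reaches maxretry matches inside findtime seconds, lifts the ban after bantime, and skips addresses in an ignore list (the equivalent of fail2ban's ignoreip or the SIP_WHITELIST chain). The timestamps are passed in rather than parsed from the log line, and the `<HOST>` placeholder is replaced by a plain IPv4 group; both are simplifications of what fail2ban does.

```python
import re
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# The answer's failregex with fail2ban's <HOST> placeholder replaced by a literal
# IPv4 capture group (assumption: IPv4 clients only, for brevity).
FAILREGEX = re.compile(r'^(?P<host>\d{1,3}(?:\.\d{1,3}){3}) -.*"GET.*')


class LogRateBanner:
    """Sliding-window ban logic in the spirit of a fail2ban jail: maxretry matches
    within findtime seconds bans the host for bantime seconds. Hosts inside
    ignore_networks are never counted (like ignoreip / the SIP_WHITELIST chain)."""

    def __init__(self, maxretry, findtime, bantime, ignore_networks=()):
        self.maxretry = maxretry
        self.findtime = findtime
        self.bantime = bantime
        self.ignore = [ip_network(n) for n in ignore_networks]
        self.hits = defaultdict(deque)  # host -> timestamps of matching requests
        self.banned_until = {}          # host -> epoch seconds when the ban expires

    def is_ignored(self, host):
        addr = ip_address(host)
        return any(addr in net for net in self.ignore)

    def is_banned(self, host, now):
        until = self.banned_until.get(host)
        if until is None:
            return False
        if now >= until:
            del self.banned_until[host]  # ban expired (fail2ban would remove the iptables rule here)
            return False
        return True

    def observe(self, line, now):
        """Feed one log line with its timestamp; return the host if this line triggers a ban."""
        m = FAILREGEX.match(line)
        if not m:
            return None
        host = m.group("host")
        if self.is_ignored(host) or self.is_banned(host, now):
            return None
        window = self.hits[host]
        window.append(now)
        while window and now - window[0] > self.findtime:
            window.popleft()  # forget hits older than findtime
        if len(window) >= self.maxretry:
            self.banned_until[host] = now + self.bantime
            window.clear()
            return host
        return None


def demo():
    """Constructed traffic using the jail values from the answer (100 hits in 5 s, 600 s ban)."""
    banner = LogRateBanner(maxretry=100, findtime=5, bantime=600, ignore_networks=["10.0.0.0/8"])
    line = '{ip} - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326'
    events = []
    # Noisy client: 100 GETs inside one second -> banned on the 100th line.
    for i in range(100):
        events.append(banner.observe(line.format(ip="203.0.113.5"), now=1000 + i * 0.01))
    # Ignored (whitelisted) network doing the same: never banned.
    for i in range(100):
        events.append(banner.observe(line.format(ip="10.1.2.3"), now=1000 + i * 0.01))
    # Slow client: 100 GETs spread over 100 seconds, never 100 within 5 s.
    for i in range(100):
        events.append(banner.observe(line.format(ip="198.51.100.7"), now=2000 + i))
    bans = [e for e in events if e]
    return bans, banner.is_banned("203.0.113.5", 1500), banner.is_banned("203.0.113.5", 1700)


if __name__ == "__main__":
    print(demo())
```

Note the NAT caveat from the first answer shows up directly in this model: everything behind one address shares one window, so a busy office would trip the ban exactly like the noisy client does.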


You can configure the Apache mod_evasive module. This module provides a very basic function by keeping a hash table of IPs and pages requested, and when a threshold level is exceeded on a target page or site it will “block” the IP with a 403 “Forbidden” error. For configuration details you can read "How to Stop an Apache DDoS Attack with mod_evasive".
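To show what the "hash table of IPs and pages requested" in this answer amounts to, here is an added Python example that is not from the answer and not mod_evasive's own code. It models, in simplified form, the two thresholds mod_evasive applies (a per-page count within a page interval and a per-site count within a site interval, matching the DOSPageCount/DOSPageInterval/DOSSiteCount/DOSSiteInterval directives) and answers 403 for a blocking period once either is exceeded. The exact reset semantics, the default values used, and the assumption that further hits extend the block are my reading of the module, labelled as assumptions in the code.

```python
from dataclasses import dataclass, field


@dataclass
class EvasiveLimiter:
    """Simplified, assumed model of mod_evasive bookkeeping (not the module's code).
    A per-(client, uri) counter and a per-client counter are each reset when the gap
    since that key's previous request exceeds its interval; going over either count
    blocks the client with 403 for blocking_period seconds."""
    page_count: int = 2             # assumed default, like DOSPageCount
    page_interval: float = 1.0      # assumed default, like DOSPageInterval
    site_count: int = 50            # assumed default, like DOSSiteCount
    site_interval: float = 1.0      # assumed default, like DOSSiteInterval
    blocking_period: float = 10.0   # assumed default, like DOSBlockingPeriod
    _page: dict = field(default_factory=dict)     # (ip, uri) -> [last_seen, count]
    _site: dict = field(default_factory=dict)     # ip -> [last_seen, count]
    _blocked: dict = field(default_factory=dict)  # ip -> blocked-until timestamp

    def _bump(self, table, key, now, interval):
        entry = table.get(key)
        if entry is None or now - entry[0] > interval:
            table[key] = [now, 1]     # first hit, or the previous burst has gone quiet
            return 1
        entry[0] = now
        entry[1] += 1
        return entry[1]

    def check(self, ip, uri, now):
        """Return the status this request gets: 403 while blocked or over a threshold, else 200."""
        until = self._blocked.get(ip)
        if until is not None:
            if now < until:
                # Assumption: each request during the block restarts the blocking period.
                self._blocked[ip] = now + self.blocking_period
                return 403
            del self._blocked[ip]
        page_hits = self._bump(self._page, (ip, uri), now, self.page_interval)
        site_hits = self._bump(self._site, ip, now, self.site_interval)
        if page_hits > self.page_count or site_hits > self.site_count:
            self._blocked[ip] = now + self.blocking_period
            return 403
        return 200


def demo():
    """Constructed request streams against the limiter with its defaults."""
    lim = EvasiveLimiter()
    # Same page four times within a second: the third request exceeds page_count=2.
    same_page = [lim.check("203.0.113.9", "/login", 100.0 + i * 0.1) for i in range(4)]
    # 60 different pages within a second: site_count=50 is exceeded on the 51st.
    many_pages = [lim.check("198.51.100.4", "/p%d" % i, 200.0 + i * 0.01) for i in range(60)]
    # Polite client: one request every two seconds, never blocked.
    polite = [lim.check("192.0.2.8", "/home", 300.0 + i * 2.0) for i in range(5)]
    still_blocked = lim.check("203.0.113.9", "/other", 105.0)  # inside the blocking period
    released = lim.check("203.0.113.9", "/other", 130.0)       # period long expired
    return same_page, many_pages.count(403), polite, still_blocked, released


if __name__ == "__main__":
    print(demo())
```

Because the block is applied per source IP, the same NAT false-positive risk mentioned for fail2ban applies here too, and a 403 still costs the server a request-handling cycle, which is why this is described as a very basic protection rather than a substitute for a packet-level drop.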