How to Automatically and Temporarily block an IP address making too many hits on the Server in a short timespan?

Solution 1:

Fail2Ban. The gold standard/default solution to this problem on the Linux platform.

Solution 2:

You should avoid trying to do this with PHP. By the time PHP gets involved, it's already too late - the memory has already been allocated.

You can ban IP addresses at any layer, but the lowest level that uses the least amount of resources is the route you want to take. This is usually the firewall. At the very least, iptables (linux firewall) is what you want to use. There are tools that others have mentioned, such as Fail2Ban, that can automate this for you. External firewall would be better.

Besides trying to ban offending IP addresses, you should try to make better use of your resources. If a request takes less resources it will take longer for an attack to be effective.

Apache also uses a lot of memory. If you're using mod_php, it's even worse because PHP is loaded inside of every Apache child process. This means even requests to static content (css/js/images) are loading PHP even when PHP isn't being used. You can solve this problem by using FastCGI instead. mod_fcgid is a good option.

There are also other web servers that are more resource efficient. Nginx is my favorite. There's also Lighttpd. A lot of people like Litespeed (drop in replacement for Apache).

If you want to stick with Apache, consider tuning it as best you can. Consider disabling .htaccess. Here's a good explanation why.


Solution 3:

iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

ossec can do this type of thing automatically and transparently based on the syslogs.


Solution 4:

To control or block http traffic, you can use :

  • apache module.
  • iptable
  • fail2ban as stated here by HopelessN0ob.

However, be aware that these tool might also block/slow webspiders and therefore impact SEO.