Bobcares

WeSupport

Call Us! 1-800-383-5193
Call Us! 1-800-383-5193
Call Us! 1-800-383-5193

Need Help?

Emergency Response Time custom

Our experts have had an average response time of 11.06 minutes in March 2021 to fix urgent issues.

We will keep your servers stable, secure and fast at all times for one fixed price.

Setup Rate Limit for IP Addresses in DigitalOcean Account

by | May 24, 2021

Wondering how to setup rate limit for IP addresses in Digitalocean account? We can help you.

Here at Bobcares, we often receive requests from our customers to setup rate limit on digital ocean account. This is to block IP addresses on too many requests.

Today let’s see how our support engineers set this up for our customers as a part of our Server Management Services.

Steps to set up rate limit for IP addresses in Digitalocean

Generally, there is no direct option to rate limit IPs in the DigitalOcean control panel. However, we can perform it using the built-in functionality of NGINX or using mod_ratelimit on Apache.

Nginx

The ngx_http_limit_req_module allows us to limit the request processing rate per a defined key. it allows us to limit the processing rate of requests coming from a single IP address particularly.

The limitation is done using the “leaky bucket” method. We can do this with the following steps:

Go to the nginx.conf using the following command:

vi /etc/nginx/nginx.conf

And define an area where the session states are stored – this must go inside the http {} container:

http {
    [...]
    limit_req_zone  $binary_remote_addr  zone=one:10m   rate=1r/s;
    [...]
}

Then we must put this in a location ~ \.php$ {} container:

[...]
        location ~ \.php$ {
                try_files $uri =404;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
                limit_req zone=one burst=5;
        }
[...]

Here, limit_req zone=one burst=5; specifies that this rate limit belongs to the session storage area we defined before. Thus the rate limit is 1r/s.

It means that if we exceed the rate limit, the following requests are delayed. And if we have more requests waiting in the queue than specified in the burst parameter, we may end up with a 503 error like the one given below:

digitalocean rate limit

For fixing this we can use the nodelay option as given below:

[...]
        location ~ \.php$ {
                try_files $uri =404;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
                limit_req zone=one burst=5 nodelay;
        }
[...]

Finally, we have to reload Nginx using the following command:

/etc/init.d/nginx reload

Apache

The mod_evasive module is an Apache web services module that helps our server to run even when there is an attack.

Installing mod_evasive
Debian / Ubuntu

To install the mod_evasive module on Debian / Ubuntu, we can use the following:

sudo apt install libapache2-mod-evasive
CentOS / RedHat

To install the mod_evasive module on RedHat / CentOS:
First, add the EPEL repository:

sudo yum install epel-release

Then, enter the following command to install mod_evasive:

sudo yum install mod_evasive

 

Configuring mod_evasive

We need to make the following changes in the configuration file as the first step for preventing DDoS attacks:

1. We need to enter the following command using any text editor:

Debian / Ubuntu:
sudo nano /etc/apache2/mods-enabled/evasive.conf
RedHat / CentOS:
sudo nano /etc/httpd/conf.d/mod_evasive.conf

2. The need we need to find the following entry:

#DOSEmailNotify        you@yourdomain.com

And remove the # sign. Use an email that we check regularly so that we can keep an eye on the alerts.

3. We have to remove the comment tag from the following entries as well. As a result, the log file will look like the following one:

DOSHashTableSize 3097

DOSPageCount 2

DOSSiteCount 50

DOSPageInterval 1

DOSSiteInterval 1

DOSBlockingPeriod 10

DOSEmailNotify mail@yourdomain.com

DOSLogDir "/var/log/apache2/"

4. After that we have to save the file and exit.

Finally, we need to reload the Apache service using the following:

Debian / Ubuntu:
sudo systemctl reload apache2
RedHat / CentOS:
sudo systemctl restart httpd.service
[Need assistance for the setup? We are happy to help you]

Parameters and Settings of mod_evasive

There are many mod_evasive parameters some of them are as follows:

  • DOSSystemCommand: This command allows us to specify a system command to be run when an IP address is added to the blacklist. We can also use this to launch a command to add an IP address to a firewall or IP filter.
  • DOSHashTableSize: This configuration allocates space for running the lookup operations. Increasing the size improves the speed at the cost of memory.
  • DOSPageCount: The number of requests for an individual page that triggers blacklisting can be found with this.
  • DOSSiteCount: The total number of requests for the same site by the same IP address. By default, this is set to 50. We can increase it up to 100 to reduce false positives.
  • DOSPageInterval: With this we can find the number of seconds for DOSPageCount. By default, this is set to 1 second. That means that if you don’t change it, requesting 2 pages in 1 second will temporarily blacklist an IP address.
  • DOSSiteInterval: Similar to DOSPageInterval, this option specifies the number of seconds that DOSSiteCount monitors. By default, this is set to 1 second.
  • DOSBlockingPeriod: The amount of time an IP address stays on the blacklist.
  • DOSLogDir: By default, this is set to write logs to /var/log/mod_evasive.

Create Directory for Logs

We can create a new directory to save these apache access logs. While doing this we must ensure to change the owner to Apache, then update the location.

We can do this using the following commands:

sudo mkdir /var/log/apache/mod_evasive
sudo chown –R apache:apache /var/log/apache/mod_evasive
sudo nano /etc/apache2/mods-enabled/evasive.conf
DOSLogDir "/var/log/apache/mod_evasive"

Whitelisting IP addresses: This option isn’t included in the evasive.conf file by default.

However, we can open the file again and add the following line:

DOSWhitelist XXX.XXX.XXX.XXX

DOSWhitelist XXX.XXX.XXX.*

This is typically used with a trusted client that exchanges a lot of data with the website. Also, this tool is good at detecting bots and scripts.

After making the changes we must save the file and exit.

Finally, we need to reload the Apache service.

Conclusion

In short, we saw how our Support Engineers set up rate limit for IP Addresses in DigitalOcean for our customers.

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

GET STARTED

var google_conversion_label = "owonCMyG5nEQ0aD71QM";

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Bobcares

Use your time to build great apps. Leave your servers to us.

Managing a server is time consuming. Whether you are an expert or a newbie, that is time you could use to focus on your product or service. Leave your server management to us, and use that time to focus on the growth and success of your business.

TALK TO US Or click here to learn more.
Bobcares

Use your time to build great apps. Leave your servers to us.

Managing a server is time consuming. Whether you are an expert or a newbie, that is time you could use to focus on your product or service. Leave your server management to us, and use that time to focus on the growth and success of your business.

TALK TO US Or click here to learn more.

Categories:

Tags:

Privacy Preference Center

Necessary

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

PHPSESSID - Preserves user session state across page requests.

gdpr[consent_types] - Used to store user consents.

gdpr[allowed_cookies] - Used to store user allowed cookies.

PHPSESSID, gdpr[consent_types], gdpr[allowed_cookies]
PHPSESSID
WHMCSpKDlPzh2chML

Statistics

Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

_ga - Preserves user session state across page requests.

_gat - Used by Google Analytics to throttle request rate

_gid - Registers a unique ID that is used to generate statistical data on how you use the website.

smartlookCookie - Used to collect user device and location information of the site visitors to improve the websites User Experience.

_ga, _gat, _gid
_ga, _gat, _gid
smartlookCookie

Marketing

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

IDE - Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.

test_cookie - Used to check if the user's browser supports cookies.

1P_JAR - Google cookie. These cookies are used to collect website statistics and track conversion rates.

NID - Registers a unique ID that identifies a returning user's device. The ID is used for serving ads that are most relevant to the user.

DV - Google ad personalisation

IDE, test_cookie, 1P_JAR, NID, DV, NID
IDE, test_cookie
1P_JAR, NID, DV
NID
hblid

Security

These are essential site cookies, used by the google reCAPTCHA. These cookies use an unique identifier to verify if a visitor is human or a bot.

SID, APISID, HSID, NID, PREF
SID, APISID, HSID, NID, PREF