My website has been getting vulnerability scans lately that I am not responsible for. I’m trying to block any IP that requests more than a reasonable number of pages. I’m actually unsure of an amount, maybe 4-5 requests, and then block them.
I’ve seen this done with LiteSpeed web servers, but I have Apache. How can I limit PHP requests to my pages so if a user goes over the limit they are blocked from my site for 30 minutes? (I’m really not sure what a good amount is. Something a real user wouldn’t get blocked for.)
The important thing in such a solution is that the actual “blocking” is very inexpensive in resources. It is also important to correctly recognise attackers and not ban someone by accident, but also not to be so open that you have already wasted lots of resources before blocking somebody.
However, you are not the first one experiencing this problem.
There is a great Apache module available called mod_evasive which is configured to do exactly that.
I once used a very simple technique on a server (because it worked better with that particular application) that had a flow like so:
My application counts up a variable in the local APC cache, with a key made of the current hour of the day and the user's IP address, and checks whether a limit has been reached.
If so, the IP address is written into a job log, where a cron job picked it up and added a filter using iptables so packets from that IP are just dropped.
So they don't even reach the web server, and the resources spent are minimal.
Once a day the added rules got cleared.
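The cron side of the flow described in this answer, as an added example that is not the answerer's own code. The log path, the `WEBBAN` chain name and the allowlist are assumptions; because the web application writes the log and root reads it, every line is validated before it reaches iptables.

```shell
#!/bin/sh
# Added example: root cron job that turns the web app's job log into DROP rules.
# One-time setup (assumed):  iptables -N WEBBAN && iptables -I INPUT -j WEBBAN
# Daily clear, as in the answer:  iptables -F WEBBAN
BAN_LOG=${BAN_LOG:-/var/spool/webban/ban.log}   # hypothetical path, one IP per line
CHAIN=${CHAIN:-WEBBAN}                          # hypothetical chain name
ALLOW=${ALLOW:-127.0.0.1}                       # space-separated, never banned
IPTABLES=${IPTABLES:-iptables}

# The log is written by the less-privileged web app, so accept a line only if
# it is exactly a dotted-quad IPv4 address.
is_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# Prints the number of rules added.
ban_from_log() {
  [ -f "$1" ] || { echo 0; return 0; }
  mv "$1" "$1.work"          # entries logged from now on wait for the next run
  banned=0
  while IFS= read -r ip || [ -n "$ip" ]; do
    is_ipv4 "$ip" || continue
    case " $ALLOW " in *" $ip "*) continue ;; esac
    # -C succeeds if the identical rule exists, so repeated log lines add nothing
    $IPTABLES -C "$CHAIN" -s "$ip" -j DROP 2>/dev/null && continue
    $IPTABLES -A "$CHAIN" -s "$ip" -j DROP && banned=$((banned + 1))
  done < "$1.work"
  rm -f "$1.work"
  echo "$banned"
}

# Cron entry point: run the script with --run
if [ "${1:-}" = "--run" ]; then
  ban_from_log "$BAN_LOG"
fi
```

Keeping the bans in their own chain means the daily clear removes only these rules and leaves the rest of the firewall untouched.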