

Setup Rate Limit for IP Addresses in DigitalOcean Account

Setting up a rate limit on a DigitalOcean droplet helps block IP addresses that send too many requests.

Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform related Digitalocean queries.

In this context, you will learn how to perform this task on your Digitalocean account.


How to set up rate limit for IP addresses in Digitalocean ?

Generally, there is no direct option to rate limit IPs in the DigitalOcean control panel. However, we can do this on the droplet itself using the built-in functionality of NGINX or using mod_ratelimit on Apache.


On Nginx

The ngx_http_limit_req_module allows us to limit the request processing rate per a defined key. In particular, it allows us to limit the processing rate of requests coming from a single IP address.

The limitation is done using the "leaky bucket" method.

We can do this with the following steps:

i. Go to the nginx.conf using the following command:

$ vi /etc/nginx/nginx.conf

ii. And define an area where the session states are stored – this must go inside the http {} container:

http {
    [...]
    limit_req_zone  $binary_remote_addr  zone=one:10m   rate=1r/s;
    [...]
}

iii. Then we must put this in a location ~ \.php$ {} container:

[...]
        location ~ \.php$ {
                try_files $uri =404;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
                limit_req zone=one burst=5;
        }
[...]

Here, limit_req zone=one burst=5; specifies that this location uses the session storage area "one" we defined before, so the rate limit is 1r/s, and up to 5 requests above that rate can wait in the queue.

This means that once we exceed the rate limit, the following requests are delayed. And if more requests are waiting in the queue than the burst parameter allows, the client gets a 503 error like the one given below:

The page you are looking for is temporarily unavailable.

Please try again later.

iv. To fix this we can use the nodelay option as given below:

[...]
        location ~ \.php$ {
                try_files $uri =404;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
                limit_req zone=one burst=5 nodelay;
        }
[...]

v. Finally, we have to reload Nginx using the following command:

/etc/init.d/nginx reload
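To see what the rate, burst and nodelay settings above actually do to a client's requests, here is an added example (not code from the original article or from nginx) that models the leaky-bucket arithmetic of ngx_http_limit_req_module in requests-per-second units and runs it over constructed traffic. The class and function names (LimitReqZone, simulate, demo) and the sample IP addresses are assumptions made for the example.

```python
"""Model of nginx's limit_req leaky bucket (rate, burst, nodelay).

Added example, not code from the original article or from nginx itself.
It reproduces the bucket arithmetic of ngx_http_limit_req_module in
requests-per-second units so the effect of the directives shown above can
be checked on constructed traffic. Assumed names: LimitReqZone, simulate,
demo; the client IPs below are constructed documentation addresses.
"""
from dataclasses import dataclass, field


@dataclass
class LimitReqZone:
    """One `limit_req_zone` plus the `limit_req` settings that reference it."""
    rate: float            # rate=1r/s  -> 1.0
    burst: int = 0         # burst=5    -> 5
    nodelay: bool = False  # `nodelay` present -> True
    # key ($binary_remote_addr) -> [excess requests, time of last accounted request]
    state: dict = field(default_factory=dict)

    def handle(self, key: str, now: float):
        """Return ("ok", delay_seconds) or ("rejected", 0.0) for one request.

        `excess` is the bucket level: it drains at `rate` requests per
        second and every accepted request adds one. A request that would
        push the level above `burst` is rejected (503 by default).
        """
        if key not in self.state:
            # First request from this key: bucket is empty, passes at once.
            self.state[key] = [0.0, now]
            return ("ok", 0.0)
        excess, last = self.state[key]
        excess = max(excess - (now - last) * self.rate + 1.0, 0.0)
        if excess > self.burst:
            return ("rejected", 0.0)
        self.state[key] = [excess, now]
        # Without nodelay, queued requests are held until the bucket has
        # drained enough to forward them at exactly `rate`.
        delay = 0.0 if self.nodelay else excess / self.rate
        return ("ok", delay)


def simulate(zone: LimitReqZone, requests):
    """requests: iterable of (timestamp_seconds, client_ip). Returns outcomes in order."""
    return [zone.handle(ip, t) for t, ip in requests]


# Constructed traffic: 7 requests in the same instant from one client,
# one request from a second client, then the first client again 6 s later.
BURST_TRAFFIC = [(0.0, "203.0.113.5")] * 7 + [(0.0, "198.51.100.9"), (6.0, "203.0.113.5")]


def demo():
    """Run the same traffic through the three configurations discussed above."""
    delayed = simulate(LimitReqZone(rate=1.0, burst=5), BURST_TRAFFIC)
    immediate = simulate(LimitReqZone(rate=1.0, burst=5, nodelay=True), BURST_TRAFFIC)
    strict = simulate(LimitReqZone(rate=1.0, burst=0), BURST_TRAFFIC)
    return delayed, immediate, strict


if __name__ == "__main__":
    for label, outcome in zip(("burst=5", "burst=5 nodelay", "burst=0"), demo()):
        print(label)
        for (t, ip), (status, delay) in zip(BURST_TRAFFIC, outcome):
            print(f"  t={t:4.1f}s {ip:14} {status:9} delay={delay:.1f}s")
```

Running it shows the three behaviours side by side: with burst=5 the first request passes, the next five are queued with growing delays (1 s, 2 s, ... 5 s) and the seventh is rejected; with nodelay the same six pass but none are delayed; with burst=0 every request after the first in the same second is rejected. The second client is unaffected because the zone is keyed per address, and after six idle seconds the first client's bucket has fully drained.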

On Apache

The mod_evasive module is an Apache module that helps our server keep running even when it is under attack.

To install mod_evasive:

Debian / Ubuntu

To install the mod_evasive module on Debian / Ubuntu, we can use the following:

$ sudo apt install libapache2-mod-evasive

CentOS / RedHat

To install the mod_evasive module on RedHat / CentOS:

i. First, add the EPEL repository:

$ sudo yum install epel-release

ii. Then, enter the following command to install mod_evasive:

$ sudo yum install mod_evasive


How to configure mod_evasive ?

We need to make the following changes in the configuration file as the first step for preventing DDoS attacks:

1. We need to enter the following command using any text editor:

Debian / Ubuntu:

$ sudo nano /etc/apache2/mods-enabled/evasive.conf

RedHat / CentOS:

$ sudo nano /etc/httpd/conf.d/mod_evasive.conf

2. Then we need to find the following entry:

#DOSEmailNotify        you@yourdomain.com

And remove the # sign. Use an email that we check regularly so that we can keep an eye on the alerts.


3. We have to remove the comment tag from the following entries as well. As a result, the configuration file will look like the following one:

DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSEmailNotify mail@yourdomain.com
DOSLogDir "/var/log/apache2/"


4. After that we have to save the file and exit.

Finally, we need to reload the Apache service using the following:

Debian / Ubuntu:

$ sudo systemctl reload apache2

RedHat / CentOS:

$ sudo systemctl restart httpd.service


[Need assistance fixing DigitalOcean droplet errors? We are happy to help you. ]


Parameters and Settings of mod_evasive

mod_evasive has many parameters; some of them are as follows:

  • DOSSystemCommand: This allows us to specify a system command to be run when an IP address is added to the blacklist. We can use this, for example, to add the IP address to a firewall or IP filter.
  • DOSHashTableSize: This allocates space for the lookup tables. Increasing the size improves speed at the cost of memory.
  • DOSPageCount: The number of requests for the same page, from the same IP address, that triggers blacklisting.
  • DOSSiteCount: The total number of requests for the same site by the same IP address. By default, this is set to 50. We can increase it up to 100 to reduce false positives.
  • DOSPageInterval: The interval, in seconds, over which DOSPageCount is measured. By default, this is set to 1 second. That means that if you don't change it, requesting 2 pages in 1 second will temporarily blacklist an IP address.
  • DOSSiteInterval: Similar to DOSPageInterval, this option specifies the interval, in seconds, over which DOSSiteCount is measured. By default, this is set to 1 second.
  • DOSBlockingPeriod: The amount of time, in seconds, an IP address stays on the blacklist.
  • DOSLogDir: By default, this is set to write logs to /var/log/mod_evasive.
How to Create Directory for Logs ?

We can create a new directory to store these logs. While doing this we must make sure to change the owner to the Apache user, and then update the location in the configuration file.

We can do this using the following commands:

$ sudo mkdir /var/log/apache/mod_evasive
$ sudo chown -R apache:apache /var/log/apache/mod_evasive
$ sudo nano /etc/apache2/mods-enabled/evasive.conf

Then set the log directory in that file to the new location:

DOSLogDir "/var/log/apache/mod_evasive"


Whitelisting IP addresses: This option isn't included in the evasive.conf file by default.

i. However, we can open the file again and add the following line:

DOSWhitelist XXX.XXX.XXX.XXX
DOSWhitelist XXX.XXX.XXX.*

This is typically used with a trusted client that exchanges a lot of data with the website.

ii. Also, this tool is good at detecting bots and scripts.

iii. After making the changes we must save the file and exit.

iv. Finally, we need to reload the Apache service.
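To reason about how the parameters listed above and the DOSWhitelist entries interact, here is an added example (not code from the original article or from mod_evasive) that applies the documented meaning of DOSPageCount/DOSPageInterval, DOSSiteCount/DOSSiteInterval, DOSBlockingPeriod and DOSWhitelist to constructed traffic. It is a simplified model: the real module's counter bookkeeping differs in details, and its whitelist only supports wildcards in trailing octets, whereas this model uses shell-style patterns. The class and function names (Evasive, demo) and the sample IP addresses are assumptions made for the example.

```python
"""Simplified model of the mod_evasive thresholds.

Added example; not code from the article or from mod_evasive itself. A client
that exceeds DOSPageCount hits on one URI within DOSPageInterval seconds, or
DOSSiteCount hits on the whole site within DOSSiteInterval seconds, is blocked
(403) for DOSBlockingPeriod seconds, and every further request while blocked
refreshes the block. Whitelisted addresses bypass the checks. The real module's
bookkeeping differs in details; this is for reasoning about thresholds only.
Assumed names: Evasive, demo; client IPs are constructed documentation addresses.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class Evasive:
    page_count: int = 2          # DOSPageCount
    page_interval: float = 1.0   # DOSPageInterval (seconds)
    site_count: int = 50         # DOSSiteCount
    site_interval: float = 1.0   # DOSSiteInterval (seconds)
    blocking_period: float = 10  # DOSBlockingPeriod (seconds)
    whitelist: tuple = ()        # DOSWhitelist entries; "10.0.0.*" style patterns (assumption: fnmatch)
    blocked_until: dict = field(default_factory=dict)  # ip -> time the block expires
    page_hits: dict = field(default_factory=dict)      # (ip, uri) -> [count, window_start]
    site_hits: dict = field(default_factory=dict)      # ip -> [count, window_start]
    events: list = field(default_factory=list)         # (time, ip, reason): where DOSEmailNotify /
                                                       # DOSSystemCommand would fire

    def whitelisted(self, ip: str) -> bool:
        return any(fnmatch(ip, pattern) for pattern in self.whitelist)

    @staticmethod
    def _count(table: dict, key, now: float, interval: float) -> int:
        """Increment a fixed-window counter, restarting the window once it has expired."""
        count, start = table.get(key, (0, now))
        if now - start >= interval:
            count, start = 0, now
        count += 1
        table[key] = [count, start]
        return count

    def handle(self, ip: str, uri: str, now: float) -> int:
        """Return the HTTP status the module would impose: 200 (pass) or 403 (blocked)."""
        if self.whitelisted(ip):
            return 200
        if now < self.blocked_until.get(ip, float("-inf")):
            # Still on the blacklist: refuse and extend the blocking period.
            self.blocked_until[ip] = now + self.blocking_period
            return 403
        page = self._count(self.page_hits, (ip, uri), now, self.page_interval)
        site = self._count(self.site_hits, ip, now, self.site_interval)
        reason = None
        if page > self.page_count:
            reason = "DOSPageCount"
        elif site > self.site_count:
            reason = "DOSSiteCount"
        if reason:
            self.blocked_until[ip] = now + self.blocking_period
            self.events.append((now, ip, reason))
            return 403
        return 200


def demo():
    """Constructed traffic against the default thresholds plus one whitelisted range."""
    ev = Evasive(whitelist=("10.0.0.*",))
    # Three hits on one page within a second: the third exceeds DOSPageCount 2.
    repeated = [ev.handle("203.0.113.5", "/index.php", t) for t in (0.0, 0.2, 0.4)]
    held = ev.handle("203.0.113.5", "/other.php", 5.0)       # still inside DOSBlockingPeriod
    released = ev.handle("203.0.113.5", "/other.php", 20.0)  # block has expired
    # A trusted client hammering the same page is never counted.
    trusted = [ev.handle("10.0.0.7", "/index.php", i * 0.1) for i in range(5)]
    # 51 distinct pages in one second trips DOSSiteCount 50 even though no page repeats.
    scan = [ev.handle("198.51.100.9", f"/page{i}.php", 0.0) for i in range(51)]
    return repeated, held, released, trusted, scan, list(ev.events)


if __name__ == "__main__":
    repeated, held, released, trusted, scan, events = demo()
    print("same page x3:", repeated, "| while blocked:", held, "| after expiry:", released)
    print("whitelisted:", trusted, "| 51 pages:", scan.count(403), "blocked of", len(scan))
    for when, ip, reason in events:
        print(f"t={when:.1f}s block {ip} ({reason})")
```

The scan case is the one worth noting when tuning: with the defaults, a client that touches 51 different pages inside one second is blocked by DOSSiteCount even though DOSPageCount never triggers, which is why the article suggests raising DOSSiteCount towards 100 on sites whose pages legitimately load many assets. The events list marks exactly where the real module would send the DOSEmailNotify mail and run DOSSystemCommand.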




Conclusion

This article covers how to set up rate limit for IP Addresses in DigitalOcean for our customers. 

Basically, limit standard ssh like this:

$ sudo ufw limit ssh/tcp

or

$ sudo ufw limit 22/tcp

Both will limit port 22.

The /tcp suffix applies the rule to TCP connections only. To limit only UDP, add /udp instead; to apply the rule to both protocols, leave the suffix off entirely, for example: ufw limit ssh.