Make Nginx server respond slowly

The Nginx directive limit_rate lets you specify the speed at which you'd like to rate-limit responses, e.g.

location / {
  if ($slow) {
    limit_rate 4k;
  }
}

Nginx documentation is here. (From the documentation you'll see that your backend may make the decision and request Nginx to rate-limit the client.)

How you get this $slow variable set depends on your configuration. The easiest would be to set it via geo mapping:

geo $slow {
  default    0;

  1.2.3.0/24 1;
}

"Geo" mapping makes $slow depend on the client IP address. It's 0 by default and 1 if the client IP address is in the 1.2.3.0/24 subnet. See the Nginx documentation on "geo" here.

Using "fail2ban" is a reasonable evolution of this whole solution. You may use "fail2ban" to automatically detect unusual activity and collect IPs for Nginx and then reload Nginx so that it re-reads lists of IP addresses that need to be slowed down and/or blocked.


If you want to trick the offending user into thinking that he is still going unnoticed by you, you can use nginx's request limit module (http://wiki.nginx.org/HttpLimitReqModule).

First define a request limit zone:

http {
    limit_req_zone  $binary_remote_addr  zone=spammers:1m   rate=30r/m;
}

This zone will use the offender's IP address in order to identify and limit requests to 30 per minute (1 per 2 sec). Please note that the zone's memory size is set to 1 MiB, which means it can handle 1 MiB / 64 bytes per request bucket = 16384 spammer addresses (which is maybe overkill for our case). Adjust accordingly, if you must.

Next, we define the directive that will actually route the offender through the limiter using an (evil, unfortunately) if case:

location / {
    if ($remote_addr = 1.2.3.4) {
        # zone name must match the limit_req_zone defined above ("spammers")
        # note: limit_req is only accepted in http, server and location
        # context; nginx rejects it inside an "if" block
        limit_req   zone=spammers  burst=5;
    }
}

You can watch the fruits of your labor in the server's access log.

Note that this hack does not scale well, since you'll have to update the configuration file each time the offender changes IP (let alone including more IPs in there, which means more if cases), but it works.
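Putting the pieces from the two answers above into one configuration, as an added example that is not from either answer: nginx does not accept limit_req inside an "if" block, so slow-listed clients are selected with geo and map instead, while limit_rate (which is allowed inside "if" within a location) keeps the form used above. The subnet, zone size, rates and log paths are assumed illustrative values.

```nginx
http {
    # 1 = client address is on the slow list, 0 = everyone else.
    # 1.2.3.0/24 is an illustrative subnet; replace with the real offenders.
    geo $slow {
        default     0;
        1.2.3.0/24  1;
    }

    # limit_req_zone skips requests whose key is an empty string, so mapping
    # normal clients to "" means only slow-listed clients occupy a bucket.
    map $slow $spammer_key {
        default  "";
        1        $binary_remote_addr;
    }

    # 1 MiB holds roughly 16k IPv4 keys; 30r/m is one request per 2 seconds.
    limit_req_zone $spammer_key zone=spammers:1m rate=30r/m;

    # Answer over-limit requests with 429 instead of the default 503.
    limit_req_status 429;

    server {
        listen 80;

        # Keep throttled clients' requests in their own log for review
        # (or for fail2ban to read); "if=" is an access_log parameter.
        access_log /var/log/nginx/access.log combined;
        access_log /var/log/nginx/throttled.log combined if=$slow;

        location / {
            # Allowed in "if in location"; caps the response to 4 KiB/s.
            if ($slow) {
                limit_rate 4k;
            }

            # Not allowed inside "if"; a no-op for clients whose key is "".
            limit_req zone=spammers burst=5;
        }
    }
}
```

Clients outside the listed subnet get an empty key and are neither counted nor delayed, so only the slow-listed addresses see the 30r/m limit and the 4 KiB/s cap.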


The best way to deal with this spammer is to properly install and configure fail2ban. Fail2ban will search for patterns in log files and block all IPs that spam your site. Of course, you must configure it to search for the proper pattern.