-1

I have deployed a WP project on a CentOS-based Linux server.

I am experiencing unusual traffic (crawling) from random IP addresses, causing very high server load (load average as high as 200).

Is there any possibility to automatically detect such requests at the server and temporarily block that IP?

I mean, if the server finds 100 requests from the same IP within a second, it should block that IP.

Please guide.

Irfan DANISH
  • 1
    http://serverfault.com/search?q=iptables+rate+limit – user9517 Mar 10 '16 at 13:15
  • 2
    There are `iptables` rate limiting modules. There's also `fail2ban`. It's worthwhile to use both. I'm downvoting this question because it's almost certainly been answered a million times already on this site alone. – Parthian Shot Mar 10 '16 at 13:54
  • A combination of iptables and fail2ban might solve the problem. But we are not really sure how comprehensive this crawling is or how powerful your solution is? Have you considered Cloudflare? – SteffenNielsen Mar 10 '16 at 14:09
  • 1
    Why was it downvoted? What's wrong with you guys? – Vasilii Suricov Feb 07 '20 at 17:14
  • Instead of downvoting you should flag as a duplicate question in this case. @ParthianShot – Chris Stryczynski Aug 07 '20 at 10:33
  • Well, it's worth both closing as dupe and downvoting. Because it's a bad question (didn't describe any research whatsoever), and part of *why* it's a bad question is that it's answered just... everywhere (including elsewhere on here). – Parthian Shot Sep 16 '20 at 17:28

3 Answers

0

Yes, it exists and it's called fail2ban:

www.fail2ban.org

edit: let me copy the URL with the detailed solution from the comments to here:

https://security.stackexchange.com/questions/35773/how-can-i-block-an-ip-if-im-getting-many-http-requests-in-a-second

Thanks @Pit

BeerSerc
  • No, it's not, it will only ban the IP with failed login attempts. – Gaurav Pundir Mar 10 '16 at 13:35
  • @GauravPundir You can use Fail2ban for other things than just failing wp logins! But fail2ban might be a tough process running for this task. I would consider using a service like Cloudflare in this case. – SteffenNielsen Mar 10 '16 at 13:38
  • 1
    How to use fail2ban for this: http://security.stackexchange.com/questions/35773/how-can-i-block-an-ip-if-im-getting-many-http-requests-in-a-second – Pit Mar 10 '16 at 13:41
  • @GauravPundir: fail2ban does the job the OP asked for very well, see for example the comment above. It also takes care of releasing the IPs after some time, and it doesn't only work for brute force attacks against WordPress but also many other services which probably run on a standard CentOS server. – BeerSerc Mar 10 '16 at 13:49
  • Fail2ban is more of an anti-DOS solution to me. Not what OP requests: `I am experiencing unusual traffic (crawling) from random IP addresses`. – SteffenNielsen Mar 10 '16 at 13:55
  • Whether you want to prevent hundreds of accesses from a single IP because of "unusual traffic (crawling) [...] causing very high server load" or for DOS-protection does not really make a big difference, does it? How would you discriminate between the two? – BeerSerc Mar 10 '16 at 13:59
0

In our company we use a Web Application Firewall plugin called All-In-One WP Security for this task.

https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/

I'd say this is an absolute must-have for every WordPress site (either this plugin or any other security plugin with high security standards). We had brute force attacks on our WP sites but were able to secure our sites with this plugin to the maximum. There are many other security options besides IP blocking that you can set with this plugin, e.g. .htaccess restrictions, blacklist functions, file system security options, firewall functionalities, malware scan and many more.

SimonS
0

You can block the IP address manually by checking the Apache logs. You can find your log location in the Apache configuration file.

root@ping#  vi /etc/httpd/conf/httpd.conf

Search for error_log in this file.

I have WHM installed on my server, so in my case the logs were at the path below:

root@ping#  tail -f /usr/local/apache/logs/error_log

Search for the IP which is requesting continuously and block that IP address via iptables.

iptables command to block an IP address permanently:

root@ping#  iptables -I INPUT -s 1.2.3.4 -j DROP

Add your own IP in place of 1.2.3.4

imvikasmunjal
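
The manual log check and `iptables` block described in the answer above, applied to the per-second threshold the question asks about, as an added example that is not part of any answer on this page. It assumes an Apache access log in common/combined format (not the error_log the answer tails); the function names and the sample log lines are constructed.

```shell
#!/bin/sh
# flag_bursts THRESHOLD < access_log
# Prints "ip peak" for every client whose busiest second reached THRESHOLD.
flag_bursts() {
    awk -v limit="$1" '
        # Skip lines whose first field is not a dotted IPv4 address.
        $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }
        {
            # $1 = client IP, $4 = "[10/Mar/2016:13:15:01" (one-second resolution)
            n = ++hits[$1 SUBSEP $4]
            if (n > peak[$1]) peak[$1] = n
        }
        END {
            for (ip in peak)
                if (peak[ip] >= limit + 0) print ip, peak[ip]
        }
    ' | sort
}

# block_rules THRESHOLD < access_log
# Prints (does not run) the iptables rule from the answer for each flagged IP.
block_rules() {
    flag_bursts "$1" | while read -r ip count; do
        printf 'iptables -I INPUT -s %s -j DROP   # %s req/s\n' "$ip" "$count"
    done
}

# Constructed sample log: 203.0.113.7 sends 5 requests in one second,
# 198.51.100.20 sends 2 requests spread over two different seconds.
sample_log() {
    i=0
    while [ "$i" -lt 5 ]; do
        echo '203.0.113.7 - - [10/Mar/2016:13:15:01 +0000] "GET /?p=1 HTTP/1.1" 200 512'
        i=$((i + 1))
    done
    echo '198.51.100.20 - - [10/Mar/2016:13:15:01 +0000] "GET / HTTP/1.1" 200 512'
    echo '198.51.100.20 - - [10/Mar/2016:13:15:02 +0000] "GET /feed HTTP/1.1" 200 512'
}

# Threshold of 5 for the small sample; the question asks for 100.
sample_log | block_rules 5
```

Against a real log, pipe the file in instead of `sample_log` (for example `block_rules 100 < access_log`) and review the printed rules before running any of them.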