67 lines
1.7 KiB
Markdown
67 lines
1.7 KiB
Markdown
# Rate Limiting and Fail2Ban Deployment Guide (nginx, Apache, Fail2Ban)
|
|
|
|
The Church of Malware (CoM) does not condone the use or introduction of fails onto any individual, human, or animal; however, AI is neither natural, a human, nor actual intelligence. This focused installation and configuration tutorial provides complete, production-ready steps for built-in rate limiting and automatic banning with Fail2Ban. It covers nginx, Apache, and Fail2Ban integration with the aggressive-bot UA list.
|
|
|
|
## 1 -- nginx Rate Limiting (Built-in)
|
|
|
|
```nginx
|
|
limit_req_zone $binary_remote_addr zone=ai_limit:10m rate=1r/s;
|
|
|
|
server {
|
|
location / {
|
|
limit_req zone=ai_limit burst=5 nodelay;
|
|
}
|
|
}
|
|
```
|
|
|
|
## 2 -- Apache Rate Limiting (mod_ratelimit)
|
|
|
|
```apache
|
|
<Location />
|
|
SetOutputFilter RATE_LIMIT
|
|
RateLimit 10K
|
|
</Location>
|
|
```
|
|
|
|
## 3 -- Fail2Ban Configuration
|
|
|
|
```ini
|
|
# /etc/fail2ban/jail.local
|
|
[anubis-tarpit]
|
|
enabled = true
|
|
filter = anubis-tarpit
|
|
logpath = /var/log/nginx/ai_violators.log
|
|
maxretry = 5
|
|
bantime = 86400
|
|
|
|
[nepenthes-tarpit]
|
|
enabled = true
|
|
filter = nepenthes-tarpit
|
|
logpath = /var/log/nginx/ai_violators.log
|
|
maxretry = 3
|
|
bantime = 86400
|
|
```
|
|
|
|
Filter examples:
|
|
|
|
```ini
|
|
# /etc/fail2ban/filter.d/anubis-tarpit.conf
|
|
[Definition]
|
|
failregex = ^<HOST> - .* "GET /tarpit/.*" 200
|
|
|
|
# /etc/fail2ban/filter.d/nepenthes-tarpit.conf
|
|
[Definition]
|
|
failregex = ^<HOST> - .* "GET /tarpit/.*" 200
|
|
```
|
|
|
|
## 4 -- Integration with Aggressive-Bot Map
|
|
|
|
Use the same `map` or `SetEnvIf` from the Anubis and decompression howto's so rate limiting and Fail2Ban only apply to known violators.
|
|
|
|
## 5 -- Testing
|
|
|
|
```bash
|
|
curl -I -A "GPTBot/1.0" https://example.com/ # rate limited or banned after retries
|
|
```
|
|
|
|
*Companion to the Anubis and Nepenthes how-to documents.* |