September 4, 2025 | 16:30
Reading-Time: ca. 2 Min

HTTP Limiter on codeberg.org

A Bash script I’ve used for many years got some love recently and I’ve uploaded it to Codeberg.1 The HTTP Limiter is my answer to the bots, scrapers, and pentest tools that constantly hammer on my public-facing hosts.

Though “hammer” might actually be an understatement. What once seemed like constant background noise has now become the norm, with noticeable consequences: log files grow faster and make you blind to the relevant entries. Processing meaningless requests consumes more CPU, RAM, and bandwidth. REST APIs in particular, often implemented in slow frameworks and programming languages with sluggish database connections, are highly vulnerable to DDoS2 attacks.

Screenshot of the project on Codeberg

Of course my HTTP Limiter is just a “poor man’s defense” for individual and small systems. Any load-balancing cluster or a proof-of-work implementation like Anubis3 is far better. But hey, it works, and sometimes things just need to be simple and fast. For that, the HTTP Limiter is perfectly sufficient. It injects its iptables chains into ufw’s before.rules, so connections are counted and dropped in the kernel’s packet filter before the high-level services (web server, API, database) even have to deal with them. The following rules apply:

  • Allow a maximum of 100 new connections within 10 seconds from a single IP.
  • Allow a maximum of 250 connections from an IPv4 /24 subnet.
  • Allow a maximum of 250 connections from an IPv6 /64 subnet.
  • Optionally block entire ASNs (especially effective against BigTech).

These are thresholds developed over years, proven to work well for typical websites and self-hosted services in the SME sector. Your mileage may vary, and the rules can be freely adjusted.
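The following script is an added example, not the HTTP Limiter’s own code, that shows how those four rules look as iptables rules in the syntax ufw loads from /etc/ufw/before.rules (IPv4) and /etc/ufw/before6.rules (IPv6). The chain name HTTP_LIMITER, the hashlimit counter names, the ipset name in ASN_SET and the 203.0.113.0/24 prefix used in the usage note are assumptions for illustration. One caveat is built in: hashlimit is a token bucket and cannot express “100 within 10 seconds” literally, so the per-address rule uses a burst of 100 that refills at 10 per second, which yields the same average.

```shell
#!/bin/sh
# Added example (not the HTTP Limiter's own code): prints iptables rules that
# implement the four limits above. Paste the output inside the *filter ... COMMIT
# block of /etc/ufw/before.rules (inet) or /etc/ufw/before6.rules (inet6),
# the ":HTTP_LIMITER" line next to ufw's other chain declarations, then run
# "ufw reload". Chain, counter and set names are assumptions.
set -eu

PER_IP_BURST=100         # new connections one address may open at once
PER_IP_RATE="10/second"  # refill rate: 100 per 10 s on average (token-bucket approximation)
PER_NET_CONNS=250        # parallel connections allowed per IPv4 /24 or IPv6 /64
HTTP_PORTS="80,443"
ASN_SET="${ASN_SET:-}"   # name of a hash:net ipset holding the ASN prefixes; empty = disabled

# http_limiter_rules FAMILY -> prints the rules for "inet" (IPv4) or "inet6" (IPv6)
http_limiter_rules() {
    family="$1"
    case "$family" in
        inet)  netmask=24; hostmask=32  ;;
        inet6) netmask=64; hostmask=128 ;;
        *) echo "unknown family: $family" >&2; return 1 ;;
    esac
    echo ":HTTP_LIMITER - [0:0]"
    # every NEW HTTP(S) connection is handed to the limiter before ufw's own input rules
    echo "-A ufw-before-input -p tcp -m multiport --dports $HTTP_PORTS -m conntrack --ctstate NEW -j HTTP_LIMITER"
    # optional ASN block list; the ipset must exist before the rules load, or "ufw reload" fails
    if [ -n "$ASN_SET" ]; then
        echo "-A HTTP_LIMITER -m set --match-set $ASN_SET src -j DROP"
    fi
    # rule 1 (per address): burst of PER_IP_BURST new connections, then PER_IP_RATE sustained
    echo "-A HTTP_LIMITER -m hashlimit --hashlimit-name http_new_$family --hashlimit-mode srcip --hashlimit-srcmask $hostmask --hashlimit-above $PER_IP_RATE --hashlimit-burst $PER_IP_BURST -j DROP"
    # rules 2 and 3 (per prefix): connlimit counts parallel TCP connections per /24 or /64
    echo "-A HTTP_LIMITER -p tcp -m connlimit --connlimit-above $PER_NET_CONNS --connlimit-mask $netmask -j DROP"
}

# asn_set_commands FAMILY PREFIX... -> prints the ipset commands that build the block
# list; the prefixes have to come from your own ASN-to-prefix lookup (not included here)
asn_set_commands() {
    [ -n "$ASN_SET" ] || { echo "set ASN_SET first" >&2; return 1; }
    family="$1"; shift
    echo "ipset create $ASN_SET hash:net family $family -exist"
    for prefix in "$@"; do
        echo "ipset add $ASN_SET $prefix -exist"
    done
}

# usage: ./limiter.sh print inet|inet6      -> rules for before.rules / before6.rules
#        ASN_SET=blocked_asn ./limiter.sh ipset inet 203.0.113.0/24 -> ipset commands
case "${1:-}" in
    print)  http_limiter_rules "${2:-inet}" ;;
    ipset)  shift; asn_set_commands "$@" ;;
esac
```

Two details matter when adapting the thresholds: connlimit counts connections that are currently open, so the /24 and /64 limits cap concurrency rather than rate, and the hashlimit burst/refill pair, not a single number, is what has to change if you want a different "N within M seconds" window.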

If you like, you can port everything to the more modern nftables and adapt it for other distributions, which may deviate from the “Debian way.”

With that in mind,
Tomas Jakobs

© 2025 Tomas Jakobs - Imprint and Legal Notice