Jump to content

Implement Rate Limiting

Jessica Brown
Jessica Brown
in Server Administration

Featured Replies

Posted

You are reading Part 23 of the 57-part series: Harden and Secure Linux Servers. [Level 3]

This series covers progressive security measures, from fundamental hardening techniques to enterprise-grade defense strategies. Each article delves into a specific security practice, explaining its importance and providing step-by-step guidance for implementation.

To explore more security best practices, visit the main guide for a full breakdown of all levels and recommendations.

Rate limiting protects your Linux server from denial-of-service (DoS) attacks and brute-force login attempts by restricting the number of requests or connections an IP address can make within a certain period.

By enforcing rate limits, you can:
Prevent automated brute-force attacks on SSH and other services.
Reduce the impact of DoS attacks by limiting excessive traffic.
Ensure fair resource usage by preventing abuse from a single client.

How to Implement Rate Limiting for SSH Using iptables

You can use iptables to limit the number of new SSH connections from a single IP to 3 attempts per minute.

  1. Add a rule to track new SSH connection attempts:

    sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set

    (Tracks new SSH connection attempts for rate limiting.)

  2. Block excessive attempts within a 60-second window:

    sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

    • --seconds 60 → Measures connection attempts within a 1-minute window.

    • --hitcount 4 → If an IP attempts more than 3 connections in 60 seconds, it is blocked.

  3. Save iptables rules to persist after reboot:

    sudo iptables-save | sudo tee /etc/iptables.rules

Alternative: Implement SSH Rate Limiting with Fail2Ban

Fail2Ban automatically blocks IPs that exceed login attempt limits over a defined period.

  1. Install Fail2Ban (if not already installed):

    sudo apt install fail2ban -y    # For Debian/Ubuntu
sudo yum install fail2ban -y    # For CentOS/RHEL

  2. Edit the Fail2Ban SSH configuration:

    sudo nano /etc/fail2ban/jail.conf

    Modify the [sshd] section:

    [sshd]
enabled = true
maxretry = 3
findtime = 60
bantime = 600

    • maxretry = 3 → Blocks an IP after 3 failed attempts.

    • findtime = 60 → Tracks failed login attempts within a 1-minute window.

    • bantime = 600 → Blocks the IP for 10 minutes.

  3. Restart Fail2Ban to apply changes:

    sudo systemctl restart fail2ban

  4. Check Fail2Ban status and blocked IPs:

    sudo fail2ban-client status sshd

Best Practices for Rate Limiting

Apply rate limits to all critical services (not just SSH) like HTTP, FTP, and APIs.
Combine iptables rate limiting with Fail2Ban for layered security.
Monitor logs (/var/log/auth.log) to detect brute-force attempts and fine-tune limits.
Whitelist trusted IP addresses to prevent accidental blocking.

By implementing rate limiting, you reduce brute-force login risks, prevent abuse, and protect your server from DoS attacks.

  • Quote
    • Views 53
    • Created
    • Last Reply

    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.

    Guest
    Reply to this topic...
    Go to topic listing

    Important Information

    Terms of Use Privacy Policy Guidelines We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.