capcom Posted May 13, 2021
I am getting an unusually high number of requests from a few IPs and wanted to see if there is a way I can rate limit IP addresses by making a change in the .htaccess file. I am able to block the IPs in a day, but it is making unnecessary calls to the website, and they keep coming from new IP addresses. Any suggestions are welcome. Thanks
wolstech Posted May 13, 2021
This is not possible in stock Apache. It's just allow or block. There are rate limiting modules available, but we don't support any of them. You can manage block lists in cPanel for specific IPs as well. What is the concern about the traffic? Is it causing performance issues or load you're worried about?
capcom (Author) Posted May 13, 2021
Thanks for the response. I am using the IP blocks to deny access and keep adding new ones there. My only concern is around load, but when I look at account load in cPanel, it is not significant at all (almost near 0 every day). I just want to make sure that an increase in traffic does not cause my account to be flagged.
Krydos Posted May 13, 2021
Depending on the scripting language you're using, you could have your website display a low load static error message explaining to the visitor that they're browsing too fast. If it's bots browsing your site, you could use .htaccess to block them based on their user agent. A lot of reputable bots will use the user agent string to let you know exactly who they are. If it's a hacker or some sort of illegal bot -- like trying to hack WordPress accounts -- it will likely have a user agent string that is blank or mimics a real browser though. When you're designing your bot, it's easy to put whatever you want in the user agent string. If load starts to become an issue, or if it's a mild DDoS you're experiencing, you could always use a free Cloudflare account. It won't work on a free heliohost.us subdomain, but any purchased or free domain can be configured to use Cloudflare. Be aware that Cloudflare breaks some of the functionality of cPanel though, but it's something to consider to block access to your site.
capcom (Author) Posted May 13, 2021
I am using Python Flask and have added rate limiting already, and once the limit is reached, it will not load data and will just give a "Rate limit applied" message. That part has been working fine. Most of the unwanted traffic is coming in as a Mozilla browser, and the operating system is unknown in Awstats, but I have a feeling it is a web scraper. Even after the rate limit message, the user keeps requesting the same URL.
Krydos Posted May 13, 2021
You could use Cloudflare scrape prevention: https://www.cloudflare.com/learning/bots/what-is-data-scraping/ It is of course possible to get around it anyways. I've done it myself, but perhaps your scraper won't be bothered to figure out how to do it.
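
Added example, not code from any post in this thread: a per-IP sliding-window limiter written as WSGI middleware, so an over-limit client gets the static "Rate limit applied" reply (the low-load response Krydos describes) before any Flask view runs. The class name, the limits, and the use of `REMOTE_ADDR` as the client key are assumptions made for illustration.

```python
import math
import time
from collections import defaultdict, deque

class RateLimitMiddleware:
    """Sliding-window limiter (hypothetical name); counters are per process."""
    BODY = b"Rate limit applied\n"

    def __init__(self, app, limit=30, window=60.0, max_clients=10000,
                 clock=time.monotonic):
        self.app = app
        self.limit = limit              # allowed requests per window, per IP
        self.window = window            # window length in seconds
        self.max_clients = max_clients  # evict idle IPs once the table is this big
        self.clock = clock              # injectable so the logic can be tested
        self.hits = defaultdict(deque)  # client IP -> times of allowed requests

    def retry_after(self, ip):
        """Return 0 and record the hit if allowed, else whole seconds to wait."""
        now = self.clock()
        if len(self.hits) > self.max_clients:
            # The traffic keeps arriving from new addresses, so drop idle ones.
            stale = [k for k, v in self.hits.items()
                     if not v or now - v[-1] >= self.window]
            for k in stale:
                del self.hits[k]
        q = self.hits[ip]
        while q and now - q[0] >= self.window:
            q.popleft()                 # forget hits that left the window
        if len(q) < self.limit:
            q.append(now)
            return 0
        return max(1, math.ceil(q[0] + self.window - now))

    def __call__(self, environ, start_response):
        # Assumption: REMOTE_ADDR is the real client. Behind a proxy or CDN it
        # is the proxy's address, and the key must come from a trusted header.
        ip = environ.get("REMOTE_ADDR", "unknown")
        wait = self.retry_after(ip)
        if wait == 0:
            return self.app(environ, start_response)
        start_response("429 Too Many Requests", [
            ("Content-Type", "text/plain"),
            ("Content-Length", str(len(self.BODY))),
            ("Retry-After", str(wait)),
        ])
        return [self.BODY]              # rejected requests never reach the app

# With Flask: app.wsgi_app = RateLimitMiddleware(app.wsgi_app)
```

Rejected requests are not recorded, so a client that keeps hammering the same URL costs one dictionary lookup per request and regains access as soon as its oldest allowed hit leaves the window.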