DDOS protection options for apache server - specifically setting a non-static sites

So im looking to add DDoS protection on my linux box for a wordpress site.

currently looking @ mod_evasive.

however, I am unable to set different settings for non-static sites(.css, .js, .png). In their documentation I only found page count, however, I want more control.

is there any other package that is available for this mitigation and specific parameters im looking for, for apache server

rate limiting via firewall?

Don’t do any of that crap, just put it behind a free cloudflare account. It’s not only the best protection you can get, but also has the distinct advantages of caching static content in their CDN and hiding your real IP address from attackers. Cloudflare free is an amazing deal.

1 Like

this is not true and cant use a free account

Yes it is and why not? Are you in Iran?

there are ways around that

You are a man of few words.

sorry man just busy. ill be back on later :slight_smile:

I for one would like to know how this can be achieved. If having the bandwidth, i’d chose to self host any day.

I know my question is off topic I was wondering how Cloudflare can ofter some of their services for free? Like @hem I to would like to know how to setup DDOS protection using their free services.

My immediate guess would be that it attracts customers. It’s only for free to get started really, as soon as it grows to a certain size, it’ll cost. Chance for someone moving their entire site/app/whatever when it starts costing, is limited.

Also, by looking at what other customers do. Lets say what a lowend paying customer use within one year represents 100%, then offering future customers 80% for free, there’s a reasonable probability they’d become paying customers within the first year.

At the same time, free customers most likely run on overhead hardware that’s already online, but not doing anything, if you use the resources to run the hardware, it might as well do something.

Can come up with several more reasons for them doing it, but I think you get the gist. It’s quite simple, want someone to do something, present them with two options, where there’s one they’d probably be fine with “A”, and one that’s better “B”. You just sold them “B”.

Out of curiosity I’m interested in knowing how they do it, but at the end of the day, I’d like to know how to set something like that up on my own hardware, so I can host my own stuff, on my own server, in my own house. Without anyone mooching off of meta data and whatever else they can derive from what I’m doing.

When something is free, you’re the product.

1 Like

Cloudflare free is a loss-leader, plain and simple. It’s feature-limited, BUT the features they give away are the ones everybody wants-- DDOS protection, a CDN to reduce your bandwidth usage, hiding your IP address, and transparent SSL.

If you want their much cooler features, and CF has some badass features, you need to pay. Stuff like load-balancing, more than a handful of page rules, their web application firewall, threat-blocking and suspicious visitor challenges, PCI compliance, detailed reporting, phone support, or any of their extensions, some of which are really cool, you gotta open up your wallet.

And their plans start at only $20/month, which is no big deal.

Setting it up is really easy. Sign up on their website and transfer your authoritative nameservers over. Their web UI is very easy to follow and fully documented.

1 Like