
Automatic IP Blocking

Started by honapyCrinaip, Sep 08, 2024, 03:10 AM

honapyCrinaip (Topic starter)

There is a Vesta panel; it would be great to add rules and, for example, after a bunch of such requests, the IP would automatically get banned.

Please tell me how to block attacks using standard means; periodically there are tons of requests from one IP. I block it in the nginx config (deny 1.1.1.1;) and the attack ends, but I would like the block to be automatic. There are many sites, and a mandatory condition is that the Google bot is not blocked.

There are dozens of requests every second to the site.

Mentho

One approach is to utilize the fail2ban software, which is a popular, open-source intrusion prevention system. It monitors your server's logs for signs of malicious activity and automatically bans IP addresses that exceed a certain threshold of failed login attempts or other suspicious behavior.

To set up fail2ban, you'll need to install it on your server. The process varies depending on your operating system, but for Ubuntu-based systems, you can simply run sudo apt-get install fail2ban. Once installed, you'll need to configure it to monitor your Nginx logs.

Create a new file in the /etc/fail2ban/filter.d/ directory, e.g., nginx-req-limit.conf, with the following content:

[Definition]
failregex = ^<HOST>.*"(GET|POST|HEAD).*HTTP.*
ignoreregex =

This filter will match any GET, POST, or HEAD requests in your Nginx logs.

Next, create a new file in the /etc/fail2ban/jail.d/ directory, e.g., nginx-req-limit.local, with the following content:

[nginx-req-limit]
enabled = true
port = http,https
filter = nginx-req-limit
logpath = /var/log/nginx/access.log
maxretry = 50
findtime = 60
bantime = 3600

This jail configuration sets the maximum number of retries to 50 within a 60-second time frame, and bans the IP for 1 hour if exceeded.

Restart the fail2ban service to apply the changes: sudo service fail2ban restart.

Another approach is to utilize Nginx's built-in limit_req module, which allows you to rate-limit requests from a single IP. You can add the following configuration to your Nginx server block:

http {
    ...
    limit_req_zone $binary_remote_addr zone=one:10m rate=50r/s;
    server {
        ...
        location / {
            limit_req zone=one;
            ...
        }
    }
}

This configuration sets a rate limit of 50 requests per second from a single IP. If exceeded, Nginx will return a 503 error.

To ensure Googlebot is not blocked, you can add a set directive to your Nginx configuration to exclude Googlebot's IP ranges:

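http {
    ...
    # "set" and "if" are not valid at the http level, and limit_req cannot be
    # placed inside "if", so the same logic is expressed with map.
    map $http_user_agent $is_googlebot {
        default      0;
        ~*Googlebot  1;
    }
    # An empty key means the request is not counted against the zone.
    map $is_googlebot $limit_key {
        0  $binary_remote_addr;
        1  "";
    }
    # Replaces the limit_req_zone line from the previous block.
    limit_req_zone $limit_key zone=one:10m rate=50r/s;
    ...
    server {
        ...
        location / {
            limit_req zone=one;
            ...
        }
    }
}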

This configuration sets a variable is_googlebot to 1 if the user agent matches Googlebot, and only applies the rate limit if it's not Googlebot.

Remember to reload your Nginx configuration after making changes: sudo service nginx reload
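
How the posted filter and jail count requests, as an added example that is not part of the original post or fail2ban's own code: it runs the posted failregex (with `<HOST>` replaced by a plain IPv4 group) over constructed access-log lines and applies maxretry/findtime as a sliding window. The IP addresses, the log lines and the `Googlebot` ignoreregex are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The posted failregex, with fail2ban's <HOST> tag swapped for an IPv4 group.
FAILREGEX = re.compile(r'^(?P<host>\d{1,3}(?:\.\d{1,3}){3}).*"(GET|POST|HEAD).*HTTP.*')
TIMESTAMP = re.compile(r'\[([^\]]+)\]')
# Hypothetical ignoreregex value; the posted filter leaves ignoreregex empty.
IGNORE_GOOGLEBOT = re.compile(r'Googlebot')

def banned_ips(lines, maxretry=50, findtime=60, ignoreregex=None):
    """IPs with at least maxretry matching lines inside a findtime-second window."""
    hits = defaultdict(deque)   # ip -> timestamps still inside the window
    banned = set()
    for line in lines:
        m = FAILREGEX.match(line)
        if not m or (ignoreregex and ignoreregex.search(line)):
            continue
        ts = datetime.strptime(TIMESTAMP.search(line).group(1),
                               "%d/%b/%Y:%H:%M:%S %z").timestamp()
        window = hits[m["host"]]
        window.append(ts)
        while ts - window[0] > findtime:   # drop hits older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned.add(m["host"])
    return banned

def sample_log():
    """Constructed access.log lines (documentation-range IPs, made-up traffic)."""
    fmt = '{ip} - - [08/Sep/2024:03:10:{s:02d} +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'
    googlebot = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    lines = []
    for i in range(60):   # flood: one request per second for a minute
        lines.append(fmt.format(ip="203.0.113.7", s=i, path="/", ua="curl/8.0"))
    for i in range(55):   # crawler sending a Googlebot User-Agent
        lines.append(fmt.format(ip="198.51.100.20", s=i, path=f"/p/{i}", ua=googlebot))
    for i in range(50):   # one visitor: a page and its assets within 5 seconds
        lines.append(fmt.format(ip="192.0.2.55", s=i // 10, path=f"/a/{i}.css", ua="Firefox"))
    for i in range(30):   # ordinary visitor, 30 requests in a minute
        lines.append(fmt.format(ip="192.0.2.10", s=i * 2, path="/", ua="Firefox"))
    return lines

if __name__ == "__main__":
    print(sorted(banned_ips(sample_log())))
    print(sorted(banned_ips(sample_log(), ignoreregex=IGNORE_GOOGLEBOT)))
```

Because the filter matches every request, a single page load with many assets reaches maxretry = 50 as quickly as the flood does, and the Googlebot-tagged crawler is banned unless something exempts it. The User-Agent is client-supplied, so an ignoreip entry for verified crawler ranges is the sturdier exemption.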

Absellexime

1. Simple approach.

Using ngx_http_limit_req_module (a module for Nginx) combined with Fail2ban.

With this module, you configure how many requests from a single IP address are deemed excessive per minute and designate where to log these requests. Then, in Fail2ban, you set up a config file that points to this log, defining the filtering rules and the banning mechanism.

There's a plethora of guides available online for setting this up...

2. More complex approach.

ModSecurity is a robust solution that handles all of this and more by enforcing the rules you define (for instance, blocking an IP after exceeding 5 requests per second). It can be integrated with both Apache and Nginx. However, it is a Web Application Firewall (WAF), which can be quite intricate and risky if misconfigured :)

For most scenarios, the first option should be your go-to choice.

tuckHencesict

You gotta add this to your /etc/sysconfig/iptables file and then restart, but don't forget to leave it as is in Vesta panel, or it will override your iptables config.

-A INPUT -p tcp -m tcp --dport PORT -m connlimit --connlimit-above 3 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with icmp-port-unreachable

This command helps to block those pesky bots that try to flood your site with requests. You can also add a check for bots in your php.ini file; it's a good idea.

By the way, I've noticed that CloudFlare (CF) often changes to blacklisted IPs that are blocked by RKN (like 188.114.97.2 and 188.114.96.2). It's a real pain, especially with over 5000 sites and pages blocked on the Free tariff.

