How to Protect from Bad Bots in Nginx on cPa…
Learn how to protect your cPanel Nginx server from bad bots using Cpnginx firewall settings. Improve website security, …
Distributed Denial of Service (DDoS) attacks are among the most common cyber threats that web servers face today. A DDoS attack floods your server with illegitimate traffic, making it unavailable to legitimate users. Since Nginx is one of the most popular web servers and reverse proxies in the world, it provides powerful configuration options to mitigate DDoS attempts. For cPanel users, the Cpnginx plugin simplifies this process by offering built-in firewall settings and rate-limiting modules directly from WHM.
In this guide, we’ll explore how to prevent DDoS attacks with Nginx and Cpnginx, covering everything from basic configurations to advanced attack mitigations.
A Layer 7 DDoS attack targets the application layer of the OSI model, where HTTP requests are processed. Unlike lower-layer attacks that flood bandwidth or network connections, Layer 7 attacks simulate real user behavior, making them harder to detect. Examples include HTTP floods, Slowloris attacks, and malicious bot traffic.
Because these attacks exploit legitimate HTTP/S requests, a specialized server like Nginx, with fine-grained request controls, is essential for protection.
Nginx is widely used by high-traffic websites, CDNs, and hosting providers because of its scalability and advanced traffic-handling features.
Key reasons to use Nginx for DDoS protection:
Before diving into Nginx configurations, it’s important to know the types of DDoS attacks:
Nginx is particularly effective against application-layer DDoS attacks, which traditional firewalls may not be able to detect.
Nginx acts as both a web server and a reverse proxy, allowing it to filter incoming requests before they reach your application. Using Nginx’s limit modules, timeout settings, and security rules, you can:
With Cpnginx on cPanel, all of these can be configured from WHM → Cpnginx → Preferences → Firewall, making DDoS prevention easier for hosting providers and shared hosting users.
Learn how to prevent DDoS attacks with Nginx and cPanel Nginx (Cpnginx). Step-by-step guide covering connection limits, request rate limiting, bot protection, Slowloris defense, and ModSecurity WAF setup.
-- By Cpnginx Team
Example: If you set the limit to 10 connections per IP, a malicious user who tries to open 200 concurrent connections will get blocked after the first 10.
Go to WHM → Cpnginx → Preferences → Firewall → DDoS Protection and enable Limit Connection Module. Set the number of connections per IP.
Add to nginx.conf:
http {
    # Other nginx.conf settings
    limit_conn_zone $binary_remote_addr zone=perip:10m;
}
server {
    # other virtual host configuration
    limit_conn perip 10;     # at most 10 concurrent connections per visitor IP
    limit_conn_status 444;   # 444 closes the excess connection without sending a response
}
Reload Nginx:
nginx -s reload
When visitors access your website, their browsers or apps open multiple network connections to load pages, images, scripts, and other resources. While this is normal, too many simultaneous connections — either accidental or intentional (like in a bot attack) — can overload your web server.
To prevent abuse, web servers like Nginx allow you to set a maximum number of simultaneous connections per visitor IP address. This technique is known as connection limiting.
Sometimes, the attack comes not from one IP but from multiple IPs targeting the same website. In such cases, you should limit the number of concurrent connections per server (per virtual host).
Add to nginx.conf:
http {
    limit_conn_zone $server_name zone=perserver:10m;
}
server {
    limit_conn perserver 100;   # at most 100 concurrent connections to this website
    limit_conn_status 444;      # close excess connections without a response
}
Reload Nginx:
nginx -s reload
When someone (or something) visits your website, their browser or application sends HTTP requests to your server — for pages, APIs, images, scripts, etc. Normally, a human visitor might make a few requests per second while browsing.
But malicious bots, scrapers, or DDoS attacks can fire hundreds or thousands of requests per second from a single IP address. This overwhelms the server, slows down performance, and can even cause downtime.
Rate limiting solves this by controlling how many requests per second (RPS) a visitor IP is allowed to make.
This prevents a single IP from overwhelming your server by sending too many requests per second.
http {
    limit_req_zone $binary_remote_addr zone=reqperip:32m rate=1r/s;
}
server {
    limit_req zone=reqperip burst=5 nodelay;   # up to 5 requests above the rate are served at once; more are rejected
    limit_req_status 444;                       # status for requests rejected by limit_req (limit_conn_status applies only to limit_conn)
}
Every time someone loads your website, their browser or app sends multiple HTTP requests — for pages, images, CSS, JavaScript, or API calls.
While this is normal behavior, problems arise when:
To stop this, web servers like Nginx support rate limiting, which controls how many requests per second a visitor (by IP address) is allowed to make.
Instead of per-IP, you can enforce request limits for the entire website, protecting against distributed request floods.
http {
    limit_req_zone $server_name zone=reqperserver:10m rate=10r/s;
}
server {
    limit_req zone=reqperserver burst=10;   # without nodelay, requests above the rate are queued and paced at 10r/s
    limit_req_status 444;                   # status for requests rejected by limit_req
}
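To see what rate, burst and nodelay actually do before choosing values, here is an added Python model of nginx's limit_req leaky bucket, written for this guide; it is neither nginx code nor part of Cpnginx. It reproduces the module's documented accounting (excess counted in thousandths of a request, drained at the zone rate, rejected once it exceeds the burst) for the per-IP zone and the per-site zone described above. The client address and host name in the demos are constructed sample values.

```python
"""Model of nginx's limit_req leaky bucket, in the integer thousandths of a request
that the module itself counts in. Added example for this guide, not nginx code."""
from dataclasses import dataclass, field


@dataclass
class LimitReqZone:
    rate_rps: int           # rate=Nr/s from limit_req_zone
    burst: int = 0          # burst=N from limit_req
    nodelay: bool = False   # serve excess requests immediately instead of pacing them
    state: dict = field(default_factory=dict)  # key -> (excess, last_ms)

    def evaluate(self, key, now_ms):
        """Excess (thousandths of a request) this request would leave for `key`,
        or None when it exceeds rate + burst and must be rejected."""
        if key not in self.state:
            return 0                      # first request for a key always passes
        excess, last_ms = self.state[key]
        elapsed_ms = max(now_ms - last_ms, 0)
        # leak rate*elapsed requests since the last accounted request, then add this one
        excess = max(excess - self.rate_rps * elapsed_ms + 1000, 0)
        return None if excess > self.burst * 1000 else excess

    def commit(self, key, now_ms, excess):
        """Account an accepted request; rejected requests leave the state untouched."""
        self.state[key] = (excess, now_ms)

    def delay_ms(self, excess):
        """Without nodelay the excess is drained at `rate`, so the request is paced."""
        return 0 if self.nodelay else excess // self.rate_rps


def handle_request(limits, now_ms):
    """Apply several limit_req directives (zone, key) to one request, as nginx does:
    any zone over its burst rejects it (limit_req_status) and nothing is accounted;
    otherwise every zone is updated and the largest delay applies."""
    results = []
    for zone, key in limits:
        excess = zone.evaluate(key, now_ms)
        if excess is None:
            return "reject", 0
        results.append((zone, key, excess))
    delay = 0
    for zone, key, excess in results:
        zone.commit(key, now_ms, excess)
        delay = max(delay, zone.delay_ms(excess))
    return ("delay" if delay else "pass"), delay


def demo_per_ip_burst():
    """rate=1r/s burst=5 nodelay: 8 requests from one IP in the same millisecond,
    then 2 more one second later. 6 pass, 2 are rejected, then 1 passes, 1 is rejected."""
    per_ip = LimitReqZone(rate_rps=1, burst=5, nodelay=True)
    ip = "203.0.113.7"   # constructed sample client address
    decisions = [handle_request([(per_ip, ip)], 0)[0] for _ in range(8)]
    decisions += [handle_request([(per_ip, ip)], 1000)[0] for _ in range(2)]
    return decisions


def demo_per_server_delay():
    """rate=10r/s burst=10 without nodelay: 12 requests to one vhost at once.
    Requests 2..11 are paced 100 ms apart instead of rejected; the 12th is refused."""
    per_server = LimitReqZone(rate_rps=10, burst=10)
    return [handle_request([(per_server, "example.com")], 0) for _ in range(12)]


if __name__ == "__main__":
    print(demo_per_ip_burst())
    print(demo_per_server_delay())
```

Requests the model reports as "reject" receive the code set by limit_req_status; limit_conn_status governs only limit_conn. The per-IP demo also shows why nodelay matters: without it, the 6th request in a burst at 1r/s would be held for five seconds rather than served immediately.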
A Slowloris attack is a type of Layer 7 (application-level) DDoS attack that targets web servers by opening hundreds or thousands of HTTP connections and keeping them open as long as possible.
Unlike typical DDoS attacks that flood the server with traffic, Slowloris is stealthy:
Impact: Web pages load slowly or fail to load, while the attacker uses minimal bandwidth.
Nginx is event-driven and highly efficient at handling concurrent connections. Unlike traditional web servers, it can:
server {
    client_header_timeout 5s;    # the complete request header must arrive within 5s, otherwise nginx answers 408
    client_body_timeout 180s;    # longest allowed pause between two successive body reads (not the total upload time)
}
Slowloris attacks are stealthy, low-bandwidth attacks designed to exhaust server connections. Nginx protects your server by:
With Cpnginx, you can enable these protections easily via WHM without manually editing Nginx configs, making your website resilient against Slowloris attacks.
A Range-Based Attack (or HTTP Range Attack) is a type of application-layer (Layer 7) attack where attackers exploit the HTTP Range header to request partial content repeatedly.
Impact: Normal users experience slow responses or errors while downloading content, streaming, or accessing your website.
Nginx can block or sanitize malicious Range headers before they reach the backend. By clearing or validating the header, Nginx prevents attackers from overloading server resources.
location / {
    proxy_set_header Range "";   # strip the client's Range header before the request is proxied upstream
}
Allow only safe methods (GET, POST, HEAD) to prevent abuse of unsupported HTTP methods.
HTTP methods (or verbs) define the action a client wants to perform on a web server. Common methods include:
Problem: Some HTTP methods, like PUT or DELETE, are rarely needed for standard websites. Attackers can abuse them to:
http {
    map $request_method $badmethod {
        default 1;                  # any other method (PUT, DELETE, OPTIONS, ...) is flagged
        ~(?i)(GET|HEAD|POST) 0;     # the only methods allowed through
    }
}
server {
    if ($badmethod = 1) {
        return 444;   # close the connection without a response
    }
}
Limiting HTTP methods in Nginx helps reduce your server’s attack surface by:
With Cpnginx, enabling HTTP method restrictions is easy via WHM, making your websites safer without manual config edits.
Not all bots are malicious. Examples of good bots include Googlebot, Bingbot, or monitoring tools like UptimeRobot.
Bad bots, however, can:
Impact: Bad bots can overwhelm your server, slow down legitimate users, and increase hosting costs.
Bad bots scrape, spam, or flood your server with fake requests. We already published an article about this.
Advantages:
http {
    # Bad bot mapping rules. Add all your bad bots here.
    map $http_user_agent $badbot {
        # 1 = block (bad bot), 0 = allow. Add your custom bots here.
        # Entries are checked in order, so the good bots listed first take precedence.
        default 0;
        # START GOOD BOTS
        "~*(?:\b)Lynx(?:\b)" 0;
        "~*(?:\b)UptimeRobot(?:\b)" 0;
        "~*(?:\b)bingbot(?:\b)" 0;
        "~*(?:\b)msnbot(?:\b)" 0;
        "~*(?:\b)checkgzipcompression\.com(?:\b)" 0;
        "~*(?:\b)ocsp\.comodoca\.com(?:\b)" 0;
        "~*(?:\b)Microsoft\-Crypto(?:\b)" 0;
        "~*(?:\b)WordPress(?:\b)" 0;
        # END GOOD BOTS
        # START BAD BOTS
        "~*(?:\b)01h4x\.com(?:\b)" 1;
        "~*(?:\b)160Spider(?:\b)" 1;
        "~*(?:\b)404checker(?:\b)" 1;
        "~*(?:\b)404enemy(?:\b)" 1;
        "~*(?:\b)80legs(?:\b)" 1;
        "~*(?:\b)ADmantX(?:\b)" 1;
        "~*(?:\b)AIBOT(?:\b)" 1;
        "~*(?:\b)ALittle\ Client(?:\b)" 1;
        "~*(?:\b)ASPSeek(?:\b)" 1;
        "~*(?:\b)Abonti(?:\b)" 1;
        "~*(?:\b)Aboundex(?:\b)" 1;
        "~*(?:\b)Aboundexbot(?:\b)" 1;
        # END BAD BOTS
    }
    # Remaining nginx configuration
}
server {
    if ($badbot) {
        return 444;   # close the connection without a response
    }
}
Referrer spam occurs when bots send fake HTTP referrer headers to your website. These appear in your analytics reports and can:
Impact: Analytics data becomes unreliable, and server performance may degrade if spam requests are excessive.
Advantages:
http {
    # Protect from referer spam attacks
    map $http_referer $badreferer {
        # 0 = allow, 1 = block
        default 0;
        ~(?i)(babes|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|sex|teen|webcam|zippo|casino|replica) 1;
        "~*asie-art-deco.fr" 1;
        "~*torrent" 1;
        "~*webxtrakt" 1;
        "~vps-quick.xyz" 1;
        "~*floating-share-buttons.com" 1;
        "~*event-tracking.com" 1;
        "~*free-social-buttons.com" 1;
        "~*dollars-seo.com" 1;
    }
}
server {
    if ($badreferer) {
        return 444;   # close the connection without a response
    }
}
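The bad-bot, referrer-spam and HTTP-method rules above all rely on the same two nginx behaviours: a map picks the first matching entry in configuration order (exact strings before regexes, `~*` meaning case-insensitive), and `if ($var)` is true unless the value is empty or "0". The following added Python evaluator, written for this guide and not part of nginx or Cpnginx, models those documented semantics so the page's rules can be tested against sample header values offline. It uses a subset of the rules shown above; the user-agent strings and referer URLs are constructed samples.

```python
"""Evaluation of nginx `map` blocks and `if ($var)` truthiness over the bad-bot,
referrer-spam and HTTP-method rules from this guide. Added example, not nginx code."""
import re


class NginxMap:
    """Exact strings are compared case-insensitively and win over regexes;
    regexes are tried in configuration order and the first match wins."""

    def __init__(self, entries, default):
        self.default = default
        self.strings = {}   # exact value -> result
        self.regexes = []   # (compiled regex, result) in configuration order
        for pattern, value in entries:
            if pattern.startswith("~*"):
                self.regexes.append((re.compile(pattern[2:], re.IGNORECASE), value))
            elif pattern.startswith("~"):
                self.regexes.append((re.compile(pattern[1:]), value))
            else:
                self.strings.setdefault(pattern.lower(), value)

    def lookup(self, source):
        if source.lower() in self.strings:
            return self.strings[source.lower()]
        for regex, value in self.regexes:
            if regex.search(source):
                return value
        return self.default


def nginx_if_true(value):
    """`if ($var)` is true unless the value is empty or the string "0"."""
    return value not in ("", "0")


def blocked(nginx_map, source):
    """True when `if ($var) { return 444; }` would fire for this header value."""
    return nginx_if_true(nginx_map.lookup(source))


# A subset of the page's $badbot rules: good bots first, then bad bots.
BADBOT_MAP = NginxMap([
    (r"~*(?:\b)UptimeRobot(?:\b)", "0"),
    (r"~*(?:\b)bingbot(?:\b)", "0"),
    (r"~*(?:\b)WordPress(?:\b)", "0"),
    (r"~*(?:\b)80legs(?:\b)", "1"),
    (r"~*(?:\b)ALittle\ Client(?:\b)", "1"),
    (r"~*(?:\b)Aboundex(?:\b)", "1"),
    (r"~*(?:\b)Aboundexbot(?:\b)", "1"),
], default="0")

# A subset of the page's $badreferer rules.
BADREFERER_MAP = NginxMap([
    (r"~(?i)(babes|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn"
     r"|poweroversoftware|sex|teen|webcam|zippo|casino|replica)", "1"),
    (r"~*torrent", "1"),
    (r"~vps-quick.xyz", "1"),
    (r"~*free-social-buttons.com", "1"),
], default="0")

# The page's $badmethod rule: anything but GET/HEAD/POST is flagged.
BADMETHOD_MAP = NginxMap([(r"~(?i)(GET|HEAD|POST)", "0")], default="1")


def demo():
    """Constructed sample header values and the decision each rule set makes."""
    return {
        "bingbot": blocked(BADBOT_MAP, "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"),
        "80legs": blocked(BADBOT_MAP, "Mozilla/5.0 (compatible; 80legs/1.0)"),
        # \bAboundex\b does not match "Aboundexbot", which is why a separate rule exists
        "aboundexbot": blocked(BADBOT_MAP, "Aboundexbot/1.0"),
        # first match wins: a good-bot token listed earlier overrides a later bad-bot token
        "wordpress+80legs": blocked(BADBOT_MAP, "WordPress/6.5; 80legs"),
        "spam referer": blocked(BADREFERER_MAP, "https://free-social-buttons.com/"),
        # substring patterns such as "click" also catch legitimate referers
        "false positive": blocked(BADREFERER_MAP, "https://example.com/clickstream-analysis"),
        "empty referer": blocked(BADREFERER_MAP, ""),
        "OPTIONS": blocked(BADMETHOD_MAP, "OPTIONS"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18} -> {'444' if decision else 'serve'}")
```

Two results are worth checking before deploying the same rules: short substrings such as "click" or "love" in the referrer list match legitimate URLs too, and the method map flags OPTIONS, so sites that answer CORS preflight requests need OPTIONS added to the allowed group.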
Referrer spam protection ensures:
With Cpnginx, enabling referrer spam protection is simple and effective across all hosted sites.
Blocking IPs is a common technique to prevent unwanted visitors from accessing your website. This can include:
Impact: By blocking these IPs, you reduce server load, improve security, and ensure legitimate users can access your site without interruptions.
Advantages:
a) Deny a single IP or a range of IPs
location / {
    # Deny a single IP
    deny 10.0.0.10;
    # Deny a range
    deny 192.168.1.0/24;
}
b) Only allow some IPs and deny the remaining IPs
location / {
    # Allow a single IP
    allow 10.0.0.10;
    # Allow a range
    allow 192.168.1.0/24;
    # Deny all other IPs
    deny all;
}
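Because nginx checks allow and deny rules in order and stops at the first match, the order of the lines decides who gets in. The following added Python model, written for this guide and not nginx or Cpnginx code, applies both rule sets above to constructed sample client addresses; its only assumption is the documented first-match behaviour of ngx_http_access_module, including that a client matching no rule is allowed.

```python
"""Model of nginx allow/deny evaluation (ngx_http_access_module) over the two rule
sets from this guide. Added example, not nginx code."""
import ipaddress


def ip_access(rules, client_ip):
    """Return "allow" or "deny" for one client. Rules are (action, target) pairs in
    configuration order; the first rule whose target contains the client decides,
    and a client matching no rule is allowed."""
    ip = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all":
            return action
        # ip_network handles both a single address and a CIDR range; a client of the
        # other IP family is simply not contained in the network
        if ip in ipaddress.ip_network(target, strict=False):
            return action
    return "allow"


# Rule set a) from the page: block two sources, everyone else is served.
DENY_LIST = [("deny", "10.0.0.10"), ("deny", "192.168.1.0/24")]

# Rule set b) from the page: allow two sources, block everyone else.
ALLOW_LIST = [("allow", "10.0.0.10"), ("allow", "192.168.1.0/24"), ("deny", "all")]

# Same directives as b) but with "deny all" first: the allow lines are never reached.
MISORDERED = [("deny", "all"), ("allow", "10.0.0.10"), ("allow", "192.168.1.0/24")]


def demo():
    """Decisions for constructed sample clients under each rule set."""
    clients = ["10.0.0.10", "192.168.1.77", "203.0.113.5", "2001:db8::1"]
    return {
        name: {c: ip_access(rules, c) for c in clients}
        for name, rules in (("deny_list", DENY_LIST), ("allow_list", ALLOW_LIST),
                            ("misordered", MISORDERED))
    }


if __name__ == "__main__":
    for name, decisions in demo().items():
        print(name, decisions)
```

The IPv6 sample shows a detail that matters on dual-stack hosts: "deny all" covers both address families, but an allow-list written only with IPv4 ranges locks out the same users when they arrive over IPv6.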
Keep-Alive is a feature in HTTP that allows a single TCP connection between the client and server to be reused for multiple requests instead of opening a new connection for every request.
Benefits:
Advantages:
server {
    keepalive_requests 100;   # close a keep-alive connection after it has served 100 requests
    keepalive_timeout 60s;    # close a keep-alive connection that has been idle for 60 seconds
}
Properly configured Keep-Alive settings in Nginx:
With Cpnginx, these settings are easy to enable via WHM, giving you optimized and secure web performance without manual Nginx edits.
ModSecurity is a Web Application Firewall (WAF) that helps protect web applications from attacks by analyzing HTTP requests and responses.
It can block:
Impact: ModSecurity prevents attackers from exploiting vulnerabilities, protecting both the server and application.
ModSecurity acts as a Web Application Firewall (WAF), blocking SQL injection, XSS, and malicious payloads.
Advantages:
sudo apt install libnginx-mod-security
Enable in nginx.conf:
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;   # entry file that includes your rule set
Using ModSecurity with Nginx provides:
With Cpnginx, enabling ModSecurity is easy, providing robust WAF protection without manual Nginx configuration.
DDoS protection is not a single configuration—it’s a layered approach. With Nginx, you can combine connection limits, request rate limits, HTTP method restrictions, and WAF rules to effectively mitigate attacks.
For cPanel users, Cpnginx makes it much easier by providing a user-friendly interface in WHM to configure firewall and DDoS modules without editing raw configuration files. Whether you’re running a single website or a hosting business, combining Nginx + Cpnginx ensures better security, stability, and uptime.
Q1: What is a Layer 7 DDoS attack?
A1: Layer 7 attacks target the application layer of your website, overwhelming it with HTTP requests to slow down or crash the server.
Q2: How does Nginx prevent DDoS attacks?
A2: Nginx can limit connections, rate-limit requests, block bad bots, restrict HTTP methods, and defend against Slowloris or range-based attacks.
Q3: Can I use Cpnginx to protect my websites?
A3: Yes. Cpnginx allows you to configure all DDoS protection settings via WHM, including connection limits, rate limits, bad bot protection, and ModSecurity rules.
Q4: What is the difference between limiting connections from a visitor IP and to a website?
A4: Limiting connections from a visitor IP restricts the number of simultaneous connections per user, while limiting connections to a website restricts total concurrent connections to a virtual host.
Q5: How can I protect against Slowloris attacks using Nginx?
A5: Configure client_header_timeout and client_body_timeout to close slow connections, or enable Slowloris protection in Cpnginx via WHM.
Q6: What are Range-based attacks and how can I prevent them?
A6: Range-based attacks exploit the HTTP Range header to overload servers. Nginx can clear or block Range headers, and Cpnginx has a dedicated Range Protection module.
Q7: How do I block bad bots using Nginx?
A7: Use an Nginx map to define bad user agents and block them with return 444. Cpnginx provides a GUI option to enable Bad Bot Protection.
Q8: How do I limit HTTP methods for security?
A8: Allow only GET, POST, and HEAD using a map in Nginx and block others with return 444. Cpnginx enables this via the firewall preferences.
Q9: What is ModSecurity and why should I use it?
A9: ModSecurity is a Web Application Firewall (WAF) that blocks SQLi, XSS, and other attacks at the HTTP layer. It integrates with Nginx or Cpnginx for automated protection.
Q10: How do I configure Keep-Alive settings in Nginx?
A10: Use keepalive_requests and keepalive_timeout in the server block. Cpnginx allows you to configure it globally via WHM.