Configure UFW Rate Limiting on Ubuntu VPS: Advanced DDoS Protection

By Raman Kumar


Updated on May 16, 2026


Understanding UFW Rate Limiting for VPS Protection

Rate limiting controls how many connection attempts can reach your server within a specific timeframe. Ubuntu's UFW makes this protection accessible through simple commands that work immediately after configuration.

When you configure UFW rate limiting on your Ubuntu VPS, you create a buffer against automated attacks. Most brute force attempts and basic DDoS attacks rely on rapid, repeated connections. Rate limiting disrupts this pattern by temporarily blocking IP addresses that exceed your defined thresholds.

UFW's default rate limiting blocks an IP address after 6 or more connections within 30 seconds. You can modify these values based on your specific needs and traffic patterns.

Prerequisites and System Requirements

You'll need root access or sudo privileges on your Ubuntu VPS. This tutorial works on Ubuntu 20.04, 22.04, and 24.04. UFW comes pre-installed on most Ubuntu systems.

Check if UFW is installed and view its current status:

sudo ufw status verbose

If UFW isn't installed, install it now:

sudo apt update
sudo apt install ufw

Before enabling any firewall rules, ensure you have alternative access to your server. Rate limiting rules can potentially lock you out if configured incorrectly.

Basic Rate Limiting Configuration

Start with SSH protection since it's the most common target for brute force attacks. The limit option tells UFW to apply rate limiting to the specified service:

sudo ufw limit ssh

This rule allows normal SSH usage while blocking IPs that attempt more than 6 connections in 30 seconds. You can also specify the port number directly:

sudo ufw limit 22

For web services, apply rate limiting to HTTP and HTTPS ports:

sudo ufw limit 80
sudo ufw limit 443

Enable UFW if it's not already active:

sudo ufw enable

Verify your rate limiting rules are active:

sudo ufw status numbered

Advanced Rate Limiting Rules

UFW's built-in rate limiting works well for basic protection, but you may need more granular control. Create custom iptables rules through UFW for specific scenarios.

Limit connections from specific IP ranges while allowing others full access:

sudo ufw allow from 10.0.0.0/8 to any port 22
sudo ufw limit from 0.0.0.0/0 to any port 22

This configuration allows unlimited SSH access from your private network while rate limiting external connections. Order matters here: UFW evaluates rules in the order they were added and the first match wins, so the allow rule must come before the limit rule. Note that a rule written with an IPv4 address such as 0.0.0.0/0 applies to IPv4 only; a plain sudo ufw limit 22 covers both IPv4 and IPv6.

For mail servers, apply rate limiting to the submission (587) and IMAPS (993) ports to slow down password guessing and connection floods against them:

sudo ufw limit 587
sudo ufw limit 993

When hosting applications on non-standard ports, include rate limiting in your initial rule creation:

sudo ufw limit 8080 comment 'Rate limited application port'

Protocol-Specific Rate Limiting

Different protocols require different approaches to rate limiting. TCP connections work well with UFW's default behavior, but UDP services need special consideration.

For DNS servers, limit UDP queries while keeping the service reachable. Bear in mind that every UDP datagram from a new source address and port pair counts as a new connection, so a busy recursive resolver can exceed 6 queries in 30 seconds with entirely legitimate traffic; check real query rates before relying on this rule:

sudo ufw limit 53/udp

Game servers and real-time applications often use UDP. Apply rate limiting carefully to avoid disrupting legitimate traffic:

sudo ufw limit 27015/udp comment 'Game server rate limit'

The limit command also accepts a direction and an interface. The following two rules limit outgoing DNS connections on eth0 and all incoming connections on eth0:

sudo ufw limit out on eth0 to any port 53
sudo ufw limit in on eth0

This approach limits both incoming and outgoing connections on your primary network interface. Neither rule matches ICMP: UFW's limit command does not apply to ICMP, and ping handling is controlled by the icmp lines in /etc/ufw/before.rules, so a ping flood has to be addressed there rather than with ufw limit.

Monitoring and Logging Rate Limited Connections

Enable UFW logging to track which IPs are being rate limited:

sudo ufw logging on

View recent UFW blocks and rate limit actions:

sudo tail -f /var/log/ufw.log

Look for entries containing "[UFW LIMIT BLOCK]" to identify rate limited connections. These logs show the source IP, destination port, and timestamp of blocked attempts.

Create a simple monitoring script to count rate limited IPs:

#!/bin/bash
# Count [UFW LIMIT BLOCK] entries per source IP for the current clock hour.
# %e pads single-digit days with a space, matching the traditional syslog timestamp.
echo "Rate limited IPs in the current hour:"
grep "^$(date '+%b %e %H')" /var/log/ufw.log | grep "LIMIT BLOCK" | grep -o 'SRC=[0-9a-f.:]*' | sort | uniq -c | sort -rn

Save this as rate_limit_check.sh and run it periodically to identify persistent attackers. Extracting the SRC= token by name rather than by column number keeps the count correct regardless of hostname or MAC address length in the log line.

For better monitoring, consider integrating with your existing server backup and monitoring setup to track patterns over time.
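As an added example (not part of the original tutorial), the following script extends the idea above: it reads UFW log lines, keeps only [UFW LIMIT BLOCK] entries, and counts them per source address and destination port, locating the SRC= and DPT= tokens by name instead of by column. The log lines embedded in it are constructed samples using documentation addresses, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of /var/log/ufw.log lines (not captured from a real server).
SAMPLE_LOG='May 16 10:12:01 vps kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:01 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51000 DPT=22 WINDOW=64240
May 16 10:12:03 vps kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:01 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51001 DPT=22 WINDOW=64240
May 16 10:12:05 vps kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:01 SRC=192.0.2.9 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=40000 DPT=3389 WINDOW=64240
May 16 10:13:10 vps kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:01 SRC=192.0.2.55 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=40001 DPT=80 WINDOW=64240
May 16 10:13:11 vps kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:01 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51002 DPT=22 WINDOW=64240'

# Summarise [UFW LIMIT BLOCK] entries read from stdin as "count source_ip dst_port",
# most frequent first. Plain [UFW BLOCK] entries (ordinary denies) are ignored.
# SRC= and DPT= are found by name rather than by field position, so the result does
# not depend on hostname length, MAC address length or timestamp format.
summarize_limit_blocks() {
    grep 'UFW LIMIT BLOCK' | awk '
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "") count[src " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Print only the source addresses whose blocked attempts reach THRESHOLD ($1),
# e.g. as input for a review of persistent sources.
persistent_sources() {
    summarize_limit_blocks | awk -v t="$1" '$1 >= t { print $2 }'
}

echo "Rate limited sources in the sample:"
printf '%s\n' "$SAMPLE_LOG" | summarize_limit_blocks
echo "Sources with 3 or more blocked attempts:"
printf '%s\n' "$SAMPLE_LOG" | persistent_sources 3
```

On a live system replace the sample with `sudo cat /var/log/ufw.log | summarize_limit_blocks`.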

Customizing Rate Limit Thresholds

UFW's default 6 connections per 30 seconds works for most scenarios, but you might need different thresholds. UFW doesn't provide direct commands to modify these values, but you can create custom iptables rules.

Create a more restrictive SSH rule allowing only 3 attempts per minute:

sudo iptables -I ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --set
sudo iptables -I ufw-user-input -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

Make these rules persistent by adding them to UFW's configuration:

sudo nano /etc/ufw/before.rules

Add your custom rules in the *filter section, before the COMMIT line, in iptables-restore syntax (lines starting with -A, without sudo iptables), and target the ufw-before-input chain, which before.rules itself declares. Rules inserted by hand with iptables -I are discarded on the next sudo ufw reload or reboot; rules in before.rules load automatically when UFW starts, and sudo ufw reload applies them immediately.

For HTTP services experiencing high legitimate traffic, increase the threshold (hitcount cannot exceed the recent module's ip_pkt_list_tot parameter, which defaults to 20):

sudo iptables -I ufw-user-input -p tcp --dport 80 -m state --state NEW -m recent --set
sudo iptables -I ufw-user-input -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j DROP
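As an added example (not from the tutorial itself), this script generates the before.rules lines for a custom threshold and shows where they go in the file. The function names, the ssh_limit list name and the miniature rules file are assumptions for the demonstration; it uses -m conntrack --ctstate NEW, the current equivalent of the -m state --state NEW match shown above.

```shell
#!/bin/sh
# Emit the two iptables-restore lines that allow at most ALLOWED new TCP connections
# to PORT per SECONDS from one source address, for the *filter section of
# /etc/ufw/before.rules. They target ufw-before-input, a chain before.rules declares.
# Because the file is loaded with -A (append), the lines take effect in the order
# written: the DROP check must come before --set, the opposite of what two -I commands
# at the shell produce. --name gives this service its own recent list instead of the
# shared DEFAULT list used by ufw's own limit rules, so counts do not mix across ports.
limit_rules_fragment() {
    port="$1"; seconds="$2"; allowed="$3"; name="$4"
    hitcount=$((allowed + 1))   # the (allowed+1)th attempt is the first one dropped
    chain="-A ufw-before-input"
    printf '%s -p tcp --dport %s -m conntrack --ctstate NEW -m recent --name %s --update --seconds %s --hitcount %s -j DROP\n' \
        "$chain" "$port" "$name" "$seconds" "$hitcount"
    printf '%s -p tcp --dport %s -m conntrack --ctstate NEW -m recent --name %s --set\n' \
        "$chain" "$port" "$name"
}

# Copy RULES_FILE to OUT_FILE, inserting FRAGMENT just before the COMMIT that closes
# the *filter table. Other tables (e.g. *nat) are left untouched.
insert_before_filter_commit() {
    rules_file="$1"; out_file="$2"; fragment="$3"
    awk -v frag="$fragment" '
        /^\*filter/ { in_filter = 1 }
        in_filter && /^COMMIT/ { print frag; in_filter = 0 }
        { print }
    ' "$rules_file" > "$out_file"
}

# Demonstration on a constructed miniature before.rules, never on the live file.
demo() {
    tmp=$(mktemp); out=$(mktemp)
    printf '%s\n' '*filter' ':ufw-before-input - [0:0]' \
        '-A ufw-before-input -i lo -j ACCEPT' 'COMMIT' '*nat' 'COMMIT' > "$tmp"
    insert_before_filter_commit "$tmp" "$out" "$(limit_rules_fragment 22 60 3 ssh_limit)"
    cat "$out"
    rm -f "$tmp" "$out"
}
demo
```

To apply it for real, run insert_before_filter_commit against a copy of /etc/ufw/before.rules, review the diff, move the copy into place as root and run sudo ufw reload.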

Testing Rate Limit Configuration

Test your rate limiting configuration safely to ensure it works as expected. Use a separate machine or IP address for testing to avoid locking yourself out.

Test SSH rate limiting with rapid connection attempts:

for i in {1..10}; do ssh -o BatchMode=yes -o ConnectTimeout=5 user@your-server-ip exit; sleep 1; done

After the 6th attempt within 30 seconds, you should see connection timeouts or rejections.

For HTTP testing, use curl with a loop:

for i in {1..15}; do curl -I http://your-server-ip; done

Monitor the UFW logs during testing to confirm blocks are working:

sudo tail -f /var/log/ufw.log | grep LIMIT

Rate limiting rules affect per-IP connections, not total server load. Each source IP gets its own connection counter.

Rate limiting is just one layer of VPS security. Our managed VPS hosting includes pre-configured security measures and 24/7 monitoring. Get started with hardened Ubuntu VPS instances that include UFW, fail2ban, and automated security updates.

Troubleshooting Rate Limiting Issues

If legitimate users report connection problems, check whether rate limiting is too aggressive. Show the hit counters of UFW's limit chain, which tell you how many attempts have been logged and rejected (this chain lists rules, not addresses; the per-source timestamps live in the kernel's recent list at /proc/net/xt_recent/DEFAULT, readable as root):

sudo iptables -L ufw-user-limit -v -n

Zero those counters to start a fresh measurement. This resets the statistics only; a source is unblocked automatically once it has stopped connecting for 30 seconds, or immediately if you write a single / into /proc/net/xt_recent/DEFAULT as root:

sudo iptables -Z ufw-user-limit

Remove a specific rate limiting rule if it's causing issues:

sudo ufw status numbered
sudo ufw delete [rule-number]

For applications that legitimately require many rapid connections, whitelist specific IP addresses:

sudo ufw allow from trusted-ip-address to any port 22

Place whitelist rules before rate limiting rules to ensure they take precedence.

Integration with Other Security Tools

UFW rate limiting works alongside other security tools. Combine it with fail2ban for enhanced protection:

sudo apt install fail2ban

Fail2ban monitors log files and can create temporary bans based on patterns, while UFW rate limiting provides immediate connection throttling. Configure fail2ban to work with UFW by editing /etc/fail2ban/jail.local:

[DEFAULT]
banaction = ufw
action = %(action_mw)s

Consider integrating with your existing security monitoring. Our tutorial on comprehensive UFW firewall setup covers additional security layers that complement rate limiting.

Maintenance and Updates

Review your rate limiting rules monthly to ensure they're still appropriate for your traffic patterns. Check UFW logs to identify whether legitimate users are being affected:

sudo grep "LIMIT BLOCK" /var/log/ufw.log | tail -100

Update your rules as your applications and user base grow. What works for a small site might not suit a busy production server.

Keep UFW updated with regular system updates:

sudo apt update && sudo apt upgrade

Document your rate limiting configuration in your server documentation. Include the reasoning behind specific thresholds so future administrators understand your decisions.

Frequently Asked Questions

How long do UFW rate limit blocks last?

UFW rate limit blocks expire on their own once the source has been quiet for the configured time window (default 30 seconds). Because each new attempt refreshes the timestamps in the recent list, a source that keeps retrying stays blocked; once it stops for 30 seconds it can connect again.

Can I whitelist IP addresses from rate limiting?

Yes, create allow rules for trusted IPs before your rate limiting rules. UFW processes rules in order, so whitelisted IPs won't be subject to rate limiting.

Does rate limiting affect server performance?

UFW rate limiting has minimal performance impact. It uses efficient iptables rules that process connections at the kernel level without significant CPU overhead.

How do I remove all rate limiting rules?

Use sudo ufw status numbered to list rules, then delete each rate limiting rule with sudo ufw delete [number]. You can also reset UFW completely with sudo ufw --force reset.

Can I set different rate limits for different ports?

UFW's built-in rate limiting applies the same threshold to all ports. For different limits, create custom iptables rules with specific thresholds for each service.