Best way to block large IP ranges? (software-level)
Hi!
We want to use this list - http://paste.ee/p/VSAtJ , and block all the IP ranges on it from accessing our site. What is an effective software-level system to block these?
I'm aware it wouldn't fully tackle proxies and VPNs, but it would help.
Thanks.
Comments
iptables or .htaccess (if you use apache)
With that list you'd be better off denying all IPs and allowing some IPs lol.
Is there any way to automate it? There's a few hundred ranges on the list.
It's a list of provider IP ranges, which we want to block from accessing (in turn blocking a percentage of VPNs and proxies).
Write yourself a simple bash script, or hire someone to do it.
Thanks. Will iptables be able to handle blocking so many IP ranges?
This should do the trick, I converted all your lines to a script.
https://www.dropbox.com/s/4myboo2h1ld7r40/iptables.sh
Let me know if this works.
If it isn't I'd be very worried
Useful.
iptables doesn't like mega large lists but that should be OK.
IPTables doesn't work with CloudFlare.
I've done it through quite large lists before and IPtables - should be okay.. still have the scripts kicking around on dropbox I think.
Thanks buddy!
The said site doesn't deploy CF.
Was concerned to see all my IPs covered in your list. Then I read the rest of the thread and realised why you want to do it lol.
For zoom zoom go smush smush on them small ranges.
It should work fine as long as you have something like mod_cloudflare installed to make sure the original visitor IP is being returned. We have plenty using .htaccess or iptables without issue.
If you have a large list, you can greatly speed up matching with it with ipset - if available.
Hello,
If you're going to blindly block ranges, why not do what other blind-blocklist users do, and just ping the known proxy ports, and block the host if you get a response (such as a SOCKS response from a SOCKS port, or a forwarding response from an 8080 / 8443 / 8888 / 80 / 443 or other related port).
Frankly, both means are just as stupid, as you're going to block legitimate traffic too.
Ok, I worded that wrong.
IPTables does not work in the way he expects with CloudFlare.
Wow wow wow, OP don't use that list.
Omni generated that 2 years ago, meaning it's so outdated it has started to crumble to dust. If you want an updated list, I have blocked like 100-270m host IPs.
Here is a trick that was discussed long ago http://www.lowendguide.com/3/networking/easy-add-ip-to-be-blocked-by-iptables/
Excuse the bad formatting, it uses shortcodes from an old template. I will update it shortly.
A very useful dynamic IP blacklist update script using IPSet:
(Note: IPSet may not work under OpenVZ)
Efficiently use a live blacklist feed in iptables (w/ ipset)
Scroll down and you will find more scripts by the same author. I currently use this to load several dynamic blacklist feeds into IPTables. A few of the popular feeds are listed below. Just edit the "target" and "ipset_params" lines in the script to use them.
https://www.dshield.org/block.txt
https://www.dshield.org/ipsascii.html?limit=100
(can get up to 10000. Has false positives & private IPs - NOT recommended)
https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt
http://doc.emergingthreats.net/bin/view/Main/EmergingFirewallRules
(Page also contains update scripts)
http://www.stopforumspam.com/downloads/
I plan to write a tutorial about this on my tech blog (see my sig) when I have more time. Stay tuned.
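As an added example of the ipset approach raised twice above (the "speed up matching with ipset" reply and the live-blacklist script post), and not code from the thread, the Dropbox script or the linked author: a POSIX shell script that validates a file of CIDR ranges, loads them through `ipset restore` in one pass, and references the whole set from a single iptables rule. The set name, hash parameters and the sample list are assumptions.

```shell
# Added example (not from the thread): turn a file of CIDR ranges into an
# `ipset restore` stream plus the one iptables rule that references the set.
# Assumptions: set name "blocked_ranges", hash:net type, IPv4 only.
SET_NAME="blocked_ranges"

# Keep only valid IPv4 CIDRs; drop comments, blanks and junk. Bare addresses get /32.
normalize_ranges() {   # $1 = path to list file
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | awk '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
            n = split($0, p, "[./]"); ok = 1
            for (i = 1; i <= 4; i++) if (p[i] + 0 > 255) ok = 0
            if (n == 5 && p[5] + 0 > 32) ok = 0
            if (!ok) next
            out = $0; if (n == 4) out = out "/32"
            print out
        }'
}

# One create line, then one add line per range: `ipset restore` loads thousands of
# entries in a single pass, far faster than calling `ipset add` once per line.
ipset_restore_stream() {
    printf 'create %s hash:net family inet hashsize 4096 maxelem 262144\n' "$SET_NAME"
    normalize_ranges "$1" | while IFS= read -r cidr; do
        printf 'add %s %s\n' "$SET_NAME" "$cidr"
    done
}

count_ranges() { normalize_ranges "$1" | wc -l | tr -d ' '; }   # sanity check before applying

# Apply (as root): load the set idempotently, then add the single DROP rule if missing.
apply_blocklist() {
    ipset_restore_stream "$1" | ipset restore -exist
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null ||
        iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
}

# Constructed sample list (documentation prefixes, not a real blocklist).
SAMPLE_LIST="$(mktemp)"
cat > "$SAMPLE_LIST" <<'EOF'
203.0.113.0/24
198.51.100.0/25   # trailing comment is stripped
192.0.2.7
300.1.1.0/24      # invalid octet, dropped
10.0.0.0/33       # invalid prefix, dropped
not-an-ip
EOF
# Preview what would be loaded (no root needed); apply_blocklist "$SAMPLE_LIST" enforces it.
ipset_restore_stream "$SAMPLE_LIST"
```

Because iptables evaluates one `--match-set` rule instead of hundreds of individual rules, the per-packet cost stays flat as the list grows; re-running the script with an updated file is safe thanks to `-exist` and the `-C` check.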