New on LowEndTalk? Please Register and read our Community Rules.
DENY_IP_LIMIT, number of blocked IPs in config server firewall, is it in RAM?
Hello, I'm running CSF (ConfigServer Firewall) on a VPS. I want to ask if it is safe to raise DENY_IP_LIMIT to, let's say, 2000 entries?
If "it" is stored in RAM, I assume any lag would be quite negligible?
Someone said that CSF used around 13GB of RAM when 8000 IPs were blocked:
http://forum.configserver.com/viewtopic.php?t=5653
My "lfd" process is using 74116 VIRT memory
CSF settings:
DENY_IP_LIMIT = 400
DENY_TEMP_IP_LIMIT = 200
but this is the value visible from CSF control panel:
csf.deny, the IP address deny file (Currently: 509 permanent IP bans)
Thank you
Comments
If CSF creates an additional iptables entry for each address, that's asking for trouble once you add more than a few hundred entries. Have a look at ipset, which does the same with a much smaller footprint and super fast lookups thanks to hash maps and a single iptables entry. Check out this tool: https://github.com/trick77/ipset-blacklist
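To make the difference concrete, here is an added example (not code from the thread, from CSF, or from the ipset-blacklist tool linked above) that turns a csf.deny-style list into an `ipset restore` batch and the one iptables rule that consults the set, next to the per-address rules a one-rule-per-IP approach would emit. The sample deny list, the set name `blacklist`, the `maxelem` value and the use of the INPUT chain are assumptions chosen for the example; the commands are only generated, not applied, so it runs without root. (Recent CSF releases can also hand their deny lists to ipset themselves via the LF_IPSET option in csf.conf.)

```shell
#!/bin/sh
# Added example: generate ipset/iptables commands from a csf.deny-style blocklist.
# Nothing here touches the running firewall; each function only prints commands.

# Constructed sample in csf.deny format ("addr # comment"), not a real deny file.
sample_deny() {
  cat <<'EOF'
# csf.deny sample (constructed for this example)
192.0.2.10 # lfd: (sshd) Failed SSH login
198.51.100.0/24 # manual: abuse netblock
203.0.113.7 # lfd: (pop3d) Failed login
EOF
}

# Keep only the address/CIDR field: strip "# comment" trailers and blank lines.
deny_addrs() {
  sed -e 's/#.*//' -e 's/[[:space:]]*$//' | grep -v '^$'
}

# Emit an `ipset restore` batch: one hash:net set (accepts single IPs and CIDRs,
# hashed lookup) followed by one "add" line per address. Set name and maxelem
# are placeholders; raise maxelem before the list outgrows it.
ipset_batch() {
  setname=${1:-blacklist}
  maxelem=${2:-65536}
  echo "create $setname hash:net family inet hashsize 4096 maxelem $maxelem"
  deny_addrs | while read -r a; do
    echo "add $setname $a"
  done
}

# The single iptables rule that matches any source in the set,
# regardless of how many entries the set holds.
ipset_rule() {
  setname=${1:-blacklist}
  echo "iptables -I INPUT -m set --match-set $setname src -j DROP"
}

# For comparison: one iptables rule per address, which the kernel walks
# linearly for every packet that reaches the chain.
per_ip_rules() {
  deny_addrs | while read -r a; do
    echo "iptables -I INPUT -s $a -j DROP"
  done
}
```

To apply it on a box where ipset is available (not OpenVZ without ipset support, as noted in the next comment), pipe the batch into `ipset restore -exist` (the `-exist` flag makes re-runs idempotent when the set already exists) and then run the one line from `ipset_rule` once; reloading the list later only requires re-running the restore, not touching iptables again.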
I'm using like 45k entries in ipset. Unfortunately, I don't think ipset works in OpenVZ.