Is iptables or mod_security faster when working with a large blocklist?
postcd Member
edited August 2016 in Help

If I regularly update a file containing approx. 100 000 IPs (and subnets?), and I won't use ipset, is it faster to block website visitors by:

1) somehow making iptables adopt this file, while this file will be updated hourly or so

2) adding the file to tmpfs (ramdrive) and setting up some mod_security rule to 403 all those whose IP matches a line/IP in the tmpfs-based 100 000-line file

?

If there is someone who can spend the time, it would help (maybe not just me) to share how to include a regularly updated file into iptables, or how to make a mod_security rule compare the visitor IP to the localhost/URL-based file. Thx

Comments

  • best is ipset

    Thanked by deadbeef
  • Use iptables with ipset.

  • Sounds like he is using OVZ...

    Thanked by postcd
  • Yes, I will not use ipset in this case. Would mod_security with a RAM-based big blocklist (if it is possible to use a file-based blocklist in its rule) not be better than iptables?

  • Clouvider Member, Patron Provider

    No, as you're already on the application level. It's better, and safer, to drop the attackers at the edge of your server.

  • Fusl Member
    edited August 2016

    Some of my recommended ways to block a large number of IPs/networks:

    1. Use ipset with iptables raw table, or
      • iptables -t raw -I PREROUTING -i venet0 -p tcp --dport 80 -m set --match-set blocklist src -j DROP
    2. Use iptables raw table, or
      • iptables -t raw -N blocklist
      • iptables -t raw -I PREROUTING -i venet0 -p tcp --dport 80 -j blocklist
      • for ip in x x x; do iptables -t raw -I blocklist -s $ip -j DROP; done
    3. Null-route + route path filtering, or
      • Create a dummy0 network interface
      • Create a static /32 route for all blacklisted IP addresses to this dummy0 interface
      • Set the kernel parameter for route path filtering to 1
    4. Use iptables filter table
      • iptables -N blocklist
      • iptables -I INPUT -i venet0 -p tcp --dport 80 -j blocklist
      • for ip in x x x; do iptables -I blocklist -s $ip -j DROP; done

    All of the above ways to block an IP list still happen at the kernel level and are as such the most efficient ways of blocking IPs (sorted by efficiency).

    Thanked by howardsl2
  • @Fusl

    Thanks, it would be nice to know what this means:

    iptables -t raw -N blocklist

    iptables -t raw -I PREROUTING -i venet0 -p tcp --dport 80 -j blocklist

    The third command, I assume, is filling some blocklist with bad IPs, but where does this blocklist reside, and how does one work with it (export, save)?
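
    As an added example (not code from the thread or from any poster), here is one way to feed Fusl's option 2 (the raw-table chain) from an hourly-refreshed file, which also answers the question above about where the list lives: the chain is kept in the kernel, `iptables-save -t raw` exports it, and `iptables-restore` reloads it. Instead of one iptables call per address, the script turns the file into an iptables-restore fragment and loads it in a single commit. It assumes the chain is called blocklist, the interface is venet0, the port is 80, and the file has one IPv4 address or CIDR per line; the sample feed is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: chain "blocklist",
# interface venet0, port 80. Input: one IPv4 address or CIDR per line,
# "#" comments and blank lines allowed.

# Constructed sample feed (stands in for the hourly-updated file).
sample_blocklist() {
    cat <<'EOF'
# constructed sample feed
198.51.100.7
203.0.113.0/24
203.0.113.0/24
192.0.2.10
not-an-ip
EOF
}

# Read the feed on stdin and emit an iptables-restore fragment for the raw
# table. With --noflush, naming the user chain ":blocklist - [0:0]" flushes
# only that chain, so the whole list is replaced in one commit and the
# PREROUTING jump rule is left untouched.
gen_raw_blocklist() {
    printf '*raw\n:blocklist - [0:0]\n'
    grep -Ev '^[[:space:]]*(#|$)' \
      | grep -Ex '([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?' \
      | sort -u \
      | sed 's/.*/-A blocklist -s & -j DROP/'
    printf 'COMMIT\n'
}

# Number of DROP rules the feed on stdin would produce (sanity check a feed
# before loading it; a sudden drop to 0 usually means a broken download).
count_blocklist_rules() {
    gen_raw_blocklist | grep -c '^-A blocklist'
}

# One-time setup: create the chain and hook it in before conntrack.
install_hook() {
    iptables -t raw -N blocklist 2>/dev/null || true
    iptables -t raw -C PREROUTING -i venet0 -p tcp --dport 80 -j blocklist 2>/dev/null \
      || iptables -t raw -I PREROUTING -i venet0 -p tcp --dport 80 -j blocklist
}

# Hourly refresh (cron): the old rules stay active until the new commit
# succeeds, so a malformed feed never leaves the chain empty.
refresh_blocklist() {   # $1 = path of the blocklist file
    gen_raw_blocklist < "$1" | iptables-restore --noflush
}
```

    Note that each packet still walks the chain linearly, so at 100 000 rules this is slower per packet than an ipset hash; it is the workable shape when ipset is unavailable (e.g. OpenVZ).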

  • Francisco Top Host, Host Rep, Veteran
    edited August 2016

    Neither is a good solution.

    Apache will have to read that file and process it for every single visit. You could try putting something like nginx in front since that's just the initial startup.

    // shill

    Why not get a slice?

    http://buyvm.net/kvm-dedicated-server-slices

    Francisco
