Which is faster, iptables or mod_security, when working with a large blocklist?
If I regularly update a file containing approx. 100,000 IPs (and subnets?), and I won't use ipset, is it faster to block website visitors by:
1) somehow making iptables adopt this file while the file is updated, say, hourly
2) adding the file to tmpfs (ramdrive) and setting up a mod_security rule to 403 everyone whose IP matches a line/IP in the tmpfs-based 100,000-line file
?
If there is someone who can spend the time, it would help (maybe not just me) to share how to include a regularly updated file in iptables, or how to make a mod_security rule compare the visitor IP against a localhost/URL-based file. Thx
Comments
best is ipset
Use iptables with ipset.
Refer to my IPSet tutorial at:
https://blog.ls20.com/securing-your-server-using-ipset-and-dynamic-blocklists/
Sounds like he is using OVZ...
Yes, I will not use ipset in this case. Will mod_security with a RAM-based big blocklist (if it is possible to use a file-based blocklist in its rule) not be better than iptables?
No, as you're already on the application level. It's better, and safer, to drop the attackers at the edge of your server.
Some of my recommended ways to block a large number of IPs/networks
All of the above ways to block an IP list still happen at the kernel level and are as such the most efficient ways of blocking IPs (sorted by efficiency).
@Fusl
Thx, it would be nice to know what this means:
iptables -t raw -N blocklist
iptables -t raw -I PREROUTING -i venet0 -p tcp --dport 80 -j blocklist
The third command, I assume, fills some blocklist with bad IPs, but where does this blocklist reside and how do I work with it (export, save)?
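As an added example, not posted by anyone in the thread, here is one way to keep the `blocklist` chain referenced by the two commands above filled from a plain file that is refreshed hourly. It assumes the chain name `blocklist`, the raw table and the `venet0` jump rule exactly as quoted above, and a blocklist file with one IPv4 address or CIDR per line.

```shell
#!/bin/sh
# Added example (not from any poster in the thread): build an iptables-restore
# fragment for the raw table from a blocklist file with one IPv4 address or
# CIDR per line. Chain name "blocklist" follows the commands quoted above;
# nothing touches the kernel until the output is piped into iptables-restore.

# Print the raw-table fragment. Lines that are not an IPv4 address or prefix
# (comments, blanks, junk) are skipped, so one bad line cannot make
# iptables-restore reject the whole hourly load. The octet-range check is
# deliberately loose; iptables itself rejects values like 999.1.1.1.
gen_blocklist_rules() {
    printf '%s\n' '*raw'
    # The chain line creates the chain on first load; with --noflush a later
    # load empties only this chain, so each run swaps the list in one commit.
    printf '%s\n' ':blocklist - [0:0]'
    tr -d '\r' < "$1" |
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' |
    while IFS= read -r net; do
        printf -- '-A blocklist -s %s -j DROP\n' "$net"
    done
    printf '%s\n' 'COMMIT'
}

# Number of DROP rules a file yields; useful as a sanity check before loading
# (an empty feed should raise an alarm, not silently unblock everything).
count_blocklist_rules() {
    gen_blocklist_rules "$1" | grep -c -- '-j DROP'
}

# Constructed sample blocklist, not a real feed.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
# constructed sample
203.0.113.7
198.51.100.0/24
not-an-ip
192.0.2.0/28
EOF

gen_blocklist_rules "$SAMPLE"
# To apply as root, after installing the jump once with the thread's
# "iptables -t raw -I PREROUTING -i venet0 -p tcp --dport 80 -j blocklist":
#   gen_blocklist_rules /path/to/blocklist.txt | iptables-restore --noflush
```

Because the jump rule lives in PREROUTING and is not part of the fragment, re-running the load every hour replaces only the chain contents and never duplicates the jump.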
Neither is a good solution.
Apache will have to read that file and process it for every single visit. You could try putting something like nginx in front since that's just the initial startup.
// shill
Why not get a slice?
http://buyvm.net/kvm-dedicated-server-slices
Francisco