I am running a CentOS server with WHM and cPanel, using CSF as the firewall. I want to block whole ranges of IP addresses.
I want to start with China; I got an IP list from http://www.countryipblocks.net/ -- that comes to about 3500 IP addresses/ranges.
Using CSF, I noticed the default setting for DENY_IP_LIMIT is 100. I could obviously increase this, but CSF says:
# Limit the number of IP's kept in the /etc/csf/csf.deny file. This can be
# important as a large number of IP addresses create a large number of iptables
# rules (4 times the number of IP's) which can cause problems on some systems
# where either the the number of iptables entries has been limited (esp VPS's)
# or where resources are limited. This can result in slow network performance,
# or, in the case of iptables entry limits, can prevent your server from
# booting as not all the required iptables chain settings will be correctly
# configured.
So 3500 is a big increase over 100. Should I be concerned, and if so, are there any alternatives?
Posted on 2011-09-02 08:48:01
CSF can create country blocks itself from the configuration file:
##############################################################################
# SECTION:Country Code Lists and Settings
###############################################################################
# Country Code to CIDR allow/deny. In the following two options you can allow
# or deny whole country CIDR ranges. The CIDR blocks are generated from the
# Maxmind GeoLite Country database http://www.maxmind.com/app/geolitecountry
# and entirely relies on that service being available
#
# Specify the the two-letter ISO Country Code(s). The iptables rules are for
# incoming connections only
#
# Warning: These lists are never 100% accurate and some ISP's (e.g. AOL) use
# non-geographic IP address designations for their clients
#
# Warning: Some of the CIDR lists are huge and each one requires a rule within
# the incoming iptables chain. This can result in significant performance
# overheads and could render the server inaccessible in some circumstances. For
# this reason (amongst others) we do not recommend using these options
#
# Warning: Due to the resource constraints on VPS servers this feature should
# not be used on such systems unless you choose very small CC zones
#
# Warning: CC_ALLOW allows access through all ports in the firewall. For this
# reason CC_ALLOW probably has very limited use
#
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_DENY =
CC_ALLOW =
# An alternative to CC_ALLOW is to only allow access from the following
# countries but still filter based on the port and packets rules. All other
# connections are dropped
CC_ALLOW_FILTER =
# This Country Code list will prevent lfd from blocking IP address hits for the
# listed CC's
CC_IGNORE =
# Display Country Code and Country for reported IP addresses. This option can
# be configured to use the MaxMind Country Database or the more detailed (and
# much larger and therefore slower) MaxMind City Database
#
# "0" - disable
# "1" - Reports: Country Code and Country
# "2" - Reports: Country Code and Country and Region and City
CC_LOOKUPS = Default: 1 [0-2]
# This option tells lfd how often to retrieve the Maxmind GeoLite Country
# database for CC_ALLOW, CC_ALLOW_FILTER, CC_DENY, CC_IGNORE and CC_LOOKUPS (in
# days)
CC_INTERVAL = Default: 7 [1-31]
However, the problem remains that having such a large iptables setup slows things down, so if possible this is better done on dedicated hardware. It depends on the server's capabilities and the amount of traffic you get; that will decide whether this is feasible for you, and low power and/or high traffic could make this option a bad idea.
The question I would ask is: why do you want to block such a large range of IPs? If it is only to stop attacks from them, it may be better to let CSF and LFD automatically block the attacking IPs as they come and go, since your block list probably would not cover everything anyway, especially with botnets.
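One way to shrink the list before it goes into csf.deny, added here as an example (it is not from the question, the answer, or CSF itself): aggregate the downloaded CIDR ranges so that fewer entries, and therefore fewer iptables rules, are needed. The sample ranges are constructed, the 4-rules-per-entry figure comes from the CSF comment quoted in the question, and the `address # comment` csf.deny line format is assumed.

```python
import ipaddress

# Constructed sample, one network per line like a country list download (not real data)
SAMPLE_RANGES = """
1.0.1.0/24
1.0.2.0/23
1.0.8.0/21
1.0.8.128/25
1.0.32.0/19
1.1.0.0/24
1.1.1.0/24
1.1.2.0/23
1.1.4.0/22
1.1.8.0/21
1.1.16.0/20
1.1.32.0/19
1.1.64.0/18
1.1.128.0/17
"""
RULES_PER_ENTRY = 4  # from the CSF comment quoted above: ~4 iptables rules per entry

def parse_ranges(text):
    """One network per line; blank lines and '#' comments are skipped."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def aggregate(nets):
    """Merge sibling networks into their supernet and drop entries covered by a larger one."""
    return list(ipaddress.collapse_addresses(nets))

def rule_estimate(entry_count):
    """Approximate iptables rule count for this many csf.deny entries."""
    return entry_count * RULES_PER_ENTRY

def csf_deny_lines(nets, comment="constructed country block"):
    """Render entries in csf.deny's 'address # comment' line format (assumed)."""
    return [f"{net.with_prefixlen} # {comment}" for net in nets]

if __name__ == "__main__":
    raw = parse_ranges(SAMPLE_RANGES)
    merged = aggregate(raw)
    print(f"{len(raw)} entries (~{rule_estimate(len(raw))} rules) -> "
          f"{len(merged)} entries (~{rule_estimate(len(merged))} rules)")
    print("\n".join(csf_deny_lines(merged)))
```

Note that IPv4 and IPv6 entries must be collapsed separately, since `collapse_addresses` refuses a mixed list.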
https://serverfault.com/questions/307504