Blocking a large number of IP addresses

I'm running a CentOS server with WHM and cPanel, using CSF as the firewall. I would like to block a whole range of IP addresses.

I wanted to start with China, and got a list of IPs from http://www.countryipblocks.net/ – this amounts to around 3500 IP addresses / ranges.

Using CSF, I noticed that the default value for DENY_IP_LIMIT is set to 100. Obviously I can increase this, but CSF states:

    # Limit the number of IP's kept in the /etc/csf/csf.deny file. This can be
    # important as a large number of IP addresses create a large number of iptables
    # rules (4 times the number of IP's) which can cause problems on some systems
    # where either the the number of iptables entries has been limited (esp VPS's)
    # or where resources are limited. This can result in slow network performance,
    # or, in the case of iptables entry limits, can prevent your server from
    # booting as not all the required iptables chain settings will be correctly
    # configured.

So 3500 is a big jump from 100. Should I be worried, and if so, are there other alternatives?

CSF can do the country blocks itself, from the configuration file:

    ###############################################################################
    # SECTION:Country Code Lists and Settings
    ###############################################################################
    # Country Code to CIDR allow/deny. In the following two options you can allow
    # or deny whole country CIDR ranges. The CIDR blocks are generated from the
    # Maxmind GeoLite Country database http://www.maxmind.com/app/geolitecountry
    # and entirely relies on that service being available
    #
    # Specify the the two-letter ISO Country Code(s). The iptables rules are for
    # incoming connections only
    #
    # Warning: These lists are never 100% accurate and some ISP's (eg AOL) use
    # non-geographic IP address designations for their clients
    #
    # Warning: Some of the CIDR lists are huge and each one requires a rule within
    # the incoming iptables chain. This can result in significant performance
    # overheads and could render the server inaccessible in some circumstances. For
    # this reason (amongst others) we do not recommend using these options
    #
    # Warning: Due to the resource constraints on VPS servers this feature should
    # not be used on such systems unless you choose very small CC zones
    #
    # Warning: CC_ALLOW allows access through all ports in the firewall. For this
    # reason CC_ALLOW probably has very limited use
    #
    # Each option is a comma separated list of CC's, eg "US,GB,DE"
    CC_DENY =
    CC_ALLOW =
    # An alternative to CC_ALLOW is to only allow access from the following
    # countries but still filter based on the port and packets rules. All other
    # connections are dropped
    CC_ALLOW_FILTER =
    # This Country Code list will prevent lfd from blocking IP address hits for the
    # listed CC's
    CC_IGNORE =
    # Display Country Code and Country for reported IP addresses. This option can
    # be configured to use the MaxMind Country Database or the more detailed (and
    # much larger and therefore slower) MaxMind City Database
    #
    # "0" - disable
    # "1" - Reports: Country Code and Country
    # "2" - Reports: Country Code and Country and Region and City
    CC_LOOKUPS = Default: 1 [0-2]
    # This option tells lfd how often to retrieve the Maxmind GeoLite Country
    # database for CC_ALLOW, CC_ALLOW_FILTER, CC_DENY, CC_IGNORE and CC_LOOKUPS (in
    # days)
    CC_INTERVAL = Default: 7 [1-31]

However, the problem remains: having a large iptables configuration will slow things down, so it is better done on dedicated hardware if possible. How powerful your server is and how much traffic it gets will decide how viable this is for you; low power and/or high traffic may make this option not such a great idea.

The question I would ask, though, is why you need to block such a wide range of IPs? If it's just to stop attacks from them, it's probably better to let CSF & LFD do their job blocking attacks from IPs as they come, since they come and go quite frequently, so your block list may not stay all-encompassing for very long, especially with botnets.
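As an added example that is not part of the original answer: since CSF turns each csf.deny entry into roughly four iptables rules, collapsing a country list into the minimal set of covering CIDRs before loading it cuts the rule count without changing which addresses are blocked. The ranges below are constructed sample data standing in for a countryipblocks.net list, and the function names are my own.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the shape of a per-country CIDR list: adjacent prefixes
# that fold into one supernet, a duplicate/overlapping entry, and two ranges
# that must NOT be merged because the gap between them is not listed.
SAMPLE_RANGES = [
    "1.1.0.0/24", "1.1.1.0/24", "1.1.2.0/23", "1.1.4.0/22",
    "1.1.8.0/21", "1.1.16.0/20", "1.1.32.0/19",   # together exactly 1.1.0.0/18
    "14.0.12.0/22", "14.0.12.0/24",                 # the /24 is already inside the /22
    "27.8.0.0/13",
    "1.0.1.0/24", "1.0.2.0/23",                     # 1.0.0.0/24 is absent, so no merge
]

# From CSF's own comment: about four iptables rules per csf.deny entry.
RULES_PER_ENTRY = 4


def collapse_deny_list(cidrs):
    """Smallest sorted set of networks covering exactly the listed addresses.
    IPv4 and IPv6 entries are collapsed separately."""
    by_version = defaultdict(list)
    for entry in cidrs:
        net = ipaddress.ip_network(entry.strip(), strict=False)
        by_version[net.version].append(net)
    collapsed = []
    for version in sorted(by_version):
        collapsed.extend(ipaddress.collapse_addresses(by_version[version]))
    return [str(net) for net in collapsed]


def nothing_dropped(original, collapsed):
    """True when every original range is still inside some collapsed range."""
    targets = [ipaddress.ip_network(c) for c in collapsed]
    for entry in original:
        net = ipaddress.ip_network(entry.strip(), strict=False)
        if not any(net.version == t.version and net.subnet_of(t) for t in targets):
            return False
    return True


def iptables_rule_estimate(entries):
    """Rules CSF would create for this many csf.deny entries, per its comment."""
    return len(entries) * RULES_PER_ENTRY


if __name__ == "__main__":
    merged = collapse_deny_list(SAMPLE_RANGES)
    print(f"{len(SAMPLE_RANGES)} entries -> {len(merged)} entries")
    print(f"~{iptables_rule_estimate(SAMPLE_RANGES)} rules -> ~{iptables_rule_estimate(merged)} rules")
    print("coverage preserved:", nothing_dropped(SAMPLE_RANGES, merged))
    print("\n".join(merged))
```

On a real list the win depends on how fragmented the allocations are; the coverage check is there so you can confirm the merged list blocks exactly the ranges you started with before writing it to csf.deny.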