Blocking a large number of IP addresses

Have you tried a full backup and restore to a different DB?

0
asked 2 September 2011 at 11:36
1 answer

CSF can do country blocks itself, from the config file:

##############################################################################
# SECTION:Country Code Lists and Settings
###############################################################################
# Country Code to CIDR allow/deny. In the following two options you can allow
# or deny whole country CIDR ranges. The CIDR blocks are generated from the
# Maxmind GeoLite Country database http://www.maxmind.com/app/geolitecountry
# and entirely relies on that service being available
#
# Specify the the two-letter ISO Country Code(s). The iptables rules are for
# incoming connections only
#
# Warning: These lists are never 100% accurate and some ISP's (e.g. AOL) use
# non-geographic IP address designations for their clients
#
# Warning: Some of the CIDR lists are huge and each one requires a rule within
# the incoming iptables chain. This can result in significant performance
# overheads and could render the server inaccessible in some circumstances. For
# this reason (amongst others) we do not recommend using these options
#
# Warning: Due to the resource constraints on VPS servers this feature should
# not be used on such systems unless you choose very small CC zones
#
# Warning: CC_ALLOW allows access through all ports in the firewall. For this
# reason CC_ALLOW probably has very limited use
#
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_DENY =
CC_ALLOW =

# An alternative to CC_ALLOW is to only allow access from the following
# countries but still filter based on the port and packets rules. All other
# connections are dropped
CC_ALLOW_FILTER =

# This Country Code list will prevent lfd from blocking IP address hits for the
# listed CC's
CC_IGNORE =

# Display Country Code and Country for reported IP addresses. This option can
# be configured to use the MaxMind Country Database or the more detailed (and
# much larger and therefore slower) MaxMind City Database
#
# "0" - disable
# "1" - Reports: Country Code and Country
# "2" - Reports: Country Code and Country and Region and City
CC_LOOKUPS = Default: 1 [0-2]

# This option tells lfd how often to retrieve the Maxmind GeoLite Country
# database for CC_ALLOW, CC_ALLOW_FILTER, CC_DENY, CC_IGNORE and CC_LOOKUPS (in
# days)
CC_INTERVAL = Default: 7 [1-31]

However, the problem still remains: having that large an iptables setup will slow you down, so it's better done on dedicated hardware if possible. How powerful your server is and the amount of traffic you get will decide how feasible this is for you; low power and/or high traffic may make this option not a great idea.

The question I would ask, though, is why do you need to block such a large range of IPs? If it's just to stop attacks from them, it's probably better to just let CSF & LFD do its job to auto-block those attacking IPs, as they come and go fairly frequently, so your block list might not be all-encompassing very quickly, especially with botnets.

1
answered 4 December 2019 at 22:09
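
The config comments quoted in the answer warn that every CIDR in a country list becomes its own rule in the incoming iptables chain. The following is an added example, not part of the original answer and not CSF's own code, that estimates that rule count before a CC_* option is enabled and shows how much merging adjacent or overlapping ranges could shave off. The function names, the sample config fragment, the placeholder country codes XA/XB and the per-country CIDR lists are all constructed for illustration; whether CSF merges ranges itself is not assumed.

```python
import ipaddress
import re

# Constructed sample input: a csf.conf fragment and per-country CIDR lists.
# XA/XB are user-assigned ISO codes; the ranges are documentation networks.
SAMPLE_CONF = '''
CC_DENY = "XA,XB"
CC_ALLOW = ""
CC_ALLOW_FILTER = ""
'''
SAMPLE_ZONES = {
    "XA": ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24", "198.51.100.64/26"],
    "XB": ["203.0.113.0/26", "203.0.113.64/26", "# comment", "203.0.113.192/26"],
}

def parse_cc_option(conf_text, name):
    """Return the country codes set for one CC_* option (quotes optional)."""
    pattern = rf'^[ \t]*{re.escape(name)}[ \t]*=[ \t]*"?([^"#\n]*)"?'
    m = re.search(pattern, conf_text, re.M)
    if not m:
        return []
    return [cc.strip().upper() for cc in m.group(1).split(",") if cc.strip()]

def count_rules(cidrs):
    """Return (one rule per listed CIDR, count after merging adjacent/overlapping nets)."""
    nets = []
    for line in cidrs:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments in a zone list
        nets.append(ipaddress.ip_network(line, strict=False))
    merged = 0
    for version in (4, 6):  # collapse_addresses rejects mixed IP versions
        same = [n for n in nets if n.version == version]
        merged += len(list(ipaddress.collapse_addresses(same)))
    return len(nets), merged

def estimate(conf_text, zones, options=("CC_DENY", "CC_ALLOW", "CC_ALLOW_FILTER")):
    """Map each configured option to {country: (raw, merged)} rule counts."""
    report = {}
    for opt in options:
        codes = parse_cc_option(conf_text, opt)
        if codes:
            report[opt] = {cc: count_rules(zones.get(cc, [])) for cc in codes}
    return report

if __name__ == "__main__":
    for opt, per_cc in estimate(SAMPLE_CONF, SAMPLE_ZONES).items():
        for cc, (raw, merged) in per_cc.items():
            print(f"{opt} {cc}: {raw} rules as listed, {merged} after merging")
```

Run against real country CIDR lists, the first number is the one the config's performance warning is about.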
