Blocking a large number of IP addresses

I run a CentOS server with WHM and cPanel and use CSF as the firewall. I want to block a set of IP address ranges.

I want to start with China, and I got the IP list from http://www.countryipblocks.net/ – that comes to roughly 3500 IP addresses/ranges.

In CSF I noticed that the default value of DENY_IP_LIMIT is set to 100. I can obviously raise this, but CSF says:

    # Limit the number of IP's kept in the /etc/csf/csf.deny file. This can be
    # important as a large number of IP addresses create a large number of iptables
    # rules (4 times the number of IP's) which can cause problems on some systems
    # where either the number of iptables entries has been limited (esp VPS's)
    # or where resources are limited. This can result in slow network performance,
    # or, in the case of iptables entry limits, can prevent your server from
    # booting as not all the required iptables chain settings will be correctly
    # configured.

So 3500 is a big jump from 100. Should I be worried, and if so, are there other options?

CSF can do country blocks itself from its configuration file:

    ###############################################################################
    # SECTION:Country Code Lists and Settings
    ###############################################################################
    # Country Code to CIDR allow/deny. In the following two options you can allow
    # or deny whole country CIDR ranges. The CIDR blocks are generated from the
    # Maxmind GeoLite Country database http://www.maxmind.com/app/geolitecountry
    # and entirely relies on that service being available
    #
    # Specify the two-letter ISO Country Code(s). The iptables rules are for
    # incoming connections only
    #
    # Warning: These lists are never 100% accurate and some ISP's (eg AOL) use
    # non-geographic IP address designations for their clients
    #
    # Warning: Some of the CIDR lists are huge and each one requires a rule within
    # the incoming iptables chain. This can result in significant performance
    # overheads and could render the server inaccessible in some circumstances. For
    # this reason (amongst others) we do not recommend using these options
    #
    # Warning: Due to the resource constraints on VPS servers this feature should
    # not be used on such systems unless you choose very small CC zones
    #
    # Warning: CC_ALLOW allows access through all ports in the firewall. For this
    # reason CC_ALLOW probably has very limited use
    #
    # Each option is a comma separated list of CC's, eg "US,GB,DE"
    CC_DENY =
    CC_ALLOW =

    # An alternative to CC_ALLOW is to only allow access from the following
    # countries but still filter based on the port and packets rules. All other
    # connections are dropped
    CC_ALLOW_FILTER =

    # This Country Code list will prevent lfd from blocking IP address hits for the
    # listed CC's
    CC_IGNORE =

    # Display Country Code and Country for reported IP addresses. This option can
    # be configured to use the MaxMind Country Database or the more detailed (and
    # much larger and therefore slower) MaxMind City Database
    #
    # "0" - disable
    # "1" - Reports: Country Code and Country
    # "2" - Reports: Country Code and Country and Region and City
    CC_LOOKUPS = Default: 1 [0-2]

    # This option tells lfd how often to retrieve the Maxmind GeoLite Country
    # database for CC_ALLOW, CC_ALLOW_FILTER, CC_DENY, CC_IGNORE and CC_LOOKUPS (in
    # days)
    CC_INTERVAL = Default: 7 [1-31]

The problem remains, though, that a large iptables ruleset will slow you down, so if at all possible this is better done on dedicated hardware. How feasible it is depends on how powerful your server is and how much traffic you get: a low-powered box and/or high traffic may make this option a bad idea.

But the question I would ask is why you need to block such a large range of IPs at all. If it is only to stop them attacking you, it is better to let CSF & LFD block the attacking IPs automatically, because they come and go quite frequently, so your block list may not stay current for long, especially with botnets
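Whichever route is taken, the csf.conf comment quoted in the question gives the cost of a long csf.deny: about 4 iptables rules per entry. A cheap check before raising DENY_IP_LIMIT is to collapse the downloaded list first, since country exports often contain blocks that are already covered by a larger block, duplicates, and adjacent siblings that form a single supernet. The script below is an added example for this thread; it is not CSF code and not the poster's script. It assumes the list is one IP or CIDR per line with `#` starting a comment (an assumption about the export format), and the sample list is constructed for the demonstration. The `RULES_PER_ENTRY` figure is the "4 times the number of IP's" from the csf.conf comment above.

```python
"""Collapse a downloaded country CIDR list before putting it in csf.deny.

Added example for this thread, not CSF code and not the poster's script.
Assumes one IP or CIDR per line with '#' starting a comment (assumption
about the export format). RULES_PER_ENTRY is taken from the csf.conf
comment on DENY_IP_LIMIT quoted in the question.
"""
import ipaddress

RULES_PER_ENTRY = 4  # "4 times the number of IP's", per csf.conf

# Constructed sample list (not a real country export): overlapping blocks,
# a sibling pair, a duplicate, and a bare host address.
SAMPLE_LIST = """\
# constructed sample, not a real export
1.0.1.0/24
1.0.1.128/25     # already covered by 1.0.1.0/24
1.0.2.0/24
1.0.3.0/24       # sibling of 1.0.2.0/24, together they are 1.0.2.0/23
1.0.8.0/21
1.0.8.0/24       # already covered by 1.0.8.0/21
1.0.16.0/20
203.0.113.7      # bare host
203.0.113.7/32   # same host again
"""


def parse_cidr_list(text):
    """Parse one-entry-per-line text into ip_network objects.

    Blank lines and '#' comments are skipped. strict=False accepts entries
    with host bits set (e.g. 1.2.3.4/24), which some exports contain; a
    malformed line raises ValueError rather than silently vanishing from
    the deny list.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def collapse(nets):
    """Return the minimal equivalent CIDR set, sorted.

    ipaddress.collapse_addresses drops subnets already covered by a larger
    block, de-duplicates, and merges sibling pairs into their supernet. It
    refuses mixed address families, so v4 and v6 are handled separately.
    """
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return (list(ipaddress.collapse_addresses(v4))
            + list(ipaddress.collapse_addresses(v6)))


def iptables_rule_estimate(nets):
    """Rules CSF would generate for these csf.deny entries, per its comment."""
    return len(nets) * RULES_PER_ENTRY


def to_csf_deny_lines(nets, comment):
    """Format networks as csf.deny lines ('<entry> # <comment>').

    A /32 (or /128) is written as a bare address, the usual csf.deny form;
    everything else keeps CIDR notation.
    """
    lines = []
    for n in nets:
        if n.prefixlen == n.max_prefixlen:
            entry = str(n.network_address)
        else:
            entry = str(n)
        lines.append(f"{entry} # {comment}")
    return lines


def summarize(text):
    """Return (entries before, entries after, rules before, rules after)."""
    before = parse_cidr_list(text)
    after = collapse(before)
    return (len(before), len(after),
            iptables_rule_estimate(before), iptables_rule_estimate(after))


if __name__ == "__main__":
    b, a, rb, ra = summarize(SAMPLE_LIST)
    print(f"{b} entries -> {a} entries; ~{rb} -> ~{ra} iptables rules")
    collapsed = collapse(parse_cidr_list(SAMPLE_LIST))
    for line in to_csf_deny_lines(collapsed, "CN block, collapsed"):
        print(line)
```

On the constructed sample the nine entries collapse to five, so the estimated rule count drops from 36 to 20. Run the same function over the real 3500-line export to get the number that actually matters before changing DENY_IP_LIMIT, and compare it with what the box already carries (`iptables -S | wc -l`) and with any rule cap the VPS provider imposes. Note that collapsing never changes which addresses are blocked; it only removes redundancy, so the warnings in the csf.conf excerpt about large lists still apply to whatever is left.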