Good ${greeting_time}, Nelgin!
11 Dec 2017 22:42:26, you wrote to Joaquim Homrighausen:
>> Does anyone know of an alternative to ipset for blocking IP ranges
>> of entire countries, that works with OpenVZ containers?
Ne> I wish... I use fail2ban.
A very dangerous thing... However, it is some fun to use it against the
admin^Widiot who installed it :-)
Ne> OpenVZ containers have limited memory
Netfilter rules are counted as separate resources. Look at the source or in BC.
Ne> and you can soon fill it up with all the subnets. With fail2ban
Ne> you can block the offenders easily. I have a "permaban" chain for
Ne> those repeat offenders.
Being a security expert, I know (and use; and, obviously, recommend) a better
method: limit the number of connections per minute to 2 or 3, thus making any
and all brute-force attacks time-ineffective.
--
Alexey V. Vissarionov aka Gremlin from Kremlin
gremlin.ru!gremlin; +vii-cmiii-cmlxxvii-mmxlviii
... that's why I really dislike fools.
--- /bin/vi
* Origin: http://openwall.com/Owl (2:5020/545)
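
The per-minute connection limit recommended in the message above, modelled as an added example that is not part of the original message: a per-source sliding-window limiter run over constructed connection events. The function names, the sample addresses and the one-guess-per-connection figure are assumptions made for illustration.

```python
from collections import defaultdict, deque

WINDOW = 60  # seconds
LIMIT = 3    # new connections per source per window ("2 or 3" in the message)

def filter_connections(events, limit=LIMIT, window=WINDOW):
    """events: (timestamp_seconds, source_ip) tuples sorted by time.
    Returns (timestamp, source_ip, accepted) for every event."""
    recent = defaultdict(deque)  # source -> timestamps of accepted connections
    verdicts = []
    for ts, src in events:
        q = recent[src]
        while q and ts - q[0] >= window:  # forget connections older than the window
            q.popleft()
        accepted = len(q) < limit
        if accepted:
            q.append(ts)
        verdicts.append((ts, src, accepted))
    return verdicts

def accepted_per_source(verdicts):
    """Count how many connections each source actually got through."""
    counts = defaultdict(int)
    for _, src, ok in verdicts:
        if ok:
            counts[src] += 1
    return dict(counts)

def days_to_exhaust(candidates, limit=LIMIT, window=WINDOW):
    """Wall-clock days one source needs for `candidates` connections at the cap
    (assumption: one guess per connection)."""
    return candidates * window / limit / 86400

def constructed_events():
    # Constructed sample: one source connects every second for an hour,
    # another source (an ordinary user) connects three times in that hour.
    events = [(t, "203.0.113.7") for t in range(3600)]
    events += [(600, "198.51.100.20"), (1900, "198.51.100.20"), (1930, "198.51.100.20")]
    return sorted(events)

if __name__ == "__main__":
    counts = accepted_per_source(filter_connections(constructed_events()))
    for src, n in sorted(counts.items()):
        print(f"{src}: {n} connections accepted in one hour")
    print(f"1,000,000 guesses from one source: {days_to_exhaust(1_000_000):.1f} days")
```

The hammering source gets through 180 of its 3600 attempts, while the ordinary user is never refused.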