>>Does anyone know of an alternative to ipset for blocking IP ranges
>>of entire countries, that works with OpenVZ containers?
n> I wish...
n> I use fail2ban. OpenVZ containers have limited memory and you can
n> soon fill it up with all the subnets. With fail2ban you can block
n> the offenders easily. I have a "permaban" chain for those repeat
n> offenders.
Well, you can have some nicely sized containers if you want, but putting
500 000 drops (or rejects if you like them better) in an iptables chain is
perhaps not a wise thing for anyone, thus the need for ipset.
Permaban is a good idea, until an IP range is re-assigned to someone else of
course :), but then again, I think it's better to err on the inclusive side in
this case.
It annoys me that ISPs don't have this as a service, and I'm quite surprised
they don't actually. I can understand the fact that they don't want to
subscribe to something like Cyren or similar, but they could quite easily do it
on their own.
-joho
---
* Origin: code.code.code (2:20/4609)
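A worked version of the two points above (an ipset for a country-sized prefix list instead of hundreds of thousands of iptables rules, and a "permaban" that does not block a re-assigned range forever), added here as an example and not code from anyone in the thread. It only generates the `ipset restore` script and the iptables rules, so it runs anywhere; applying them assumes root and a kernel with ipset support, which is exactly what the OpenVZ question says is missing. The set names `blockcc` and `permaban`, the 30-day timeout and the sample prefixes are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Set names, sizes and the
# sample prefixes are assumptions; adjust them for your box.

# Constructed sample list: RFC 5737 / RFC 2544 documentation and
# benchmark prefixes, NOT a real country allocation. A GeoIP-derived
# list for one country can run to tens of thousands of lines and is
# handled the same way.
SAMPLE_CIDRS='# country XX, constructed sample
192.0.2.0/24
198.51.100.0/24
203.0.113.0/24

198.18.0.0/15
'

# Read CIDRs on stdin and emit an `ipset restore` script that loads them
# into a temporary set, then atomically swaps it in. hash:net holds
# prefixes of mixed length, so the packet path does one hash lookup
# instead of walking a 500 000-rule chain. Feed the output to
# `ipset -exist restore < file` so re-running on an existing set is fine.
gen_ipset_restore() {
    name="$1"
    cr=$(printf '\r')
    printf 'create %s hash:net family inet hashsize 65536 maxelem 1000000\n' "$name"
    printf 'create %s.tmp hash:net family inet hashsize 65536 maxelem 1000000\n' "$name"
    printf 'flush %s.tmp\n' "$name"
    while IFS= read -r line; do
        line=${line%"$cr"}                      # tolerate CRLF lists
        case "$line" in
            ''|'#'*) continue ;;                # blank or comment
            *[!0-9./]*) continue ;;             # not an IPv4 CIDR, skip it
        esac
        printf 'add %s.tmp %s\n' "$name" "$line"
    done
    # swap is atomic from the packet path's point of view: no window
    # where the country list is half-loaded.
    printf 'swap %s.tmp %s\n' "$name" "$name"
    printf 'destroy %s.tmp\n' "$name"
}

# Emit the rules that consult the sets. The permaban is itself a set
# with a default timeout (seconds) rather than a chain of per-IP rules:
# entries age out, so a range re-assigned to someone else is not blocked
# forever. fail2ban's action can then do
#   ipset add permaban <ip> timeout 2592000
# instead of appending a rule per offender.
gen_iptables_rules() {
    cc="$1"
    ban="$2"
    cat <<EOF
ipset -exist create ${ban} hash:ip family inet timeout 2592000
ipset -exist create ${cc} hash:net family inet hashsize 65536 maxelem 1000000
iptables -I INPUT 1 -m set --match-set ${ban} src -j DROP
iptables -I INPUT 2 -m set --match-set ${cc} src -j DROP
EOF
}

# Stand-alone run: print both scripts for the constructed sample.
printf '%s' "$SAMPLE_CIDRS" | gen_ipset_restore blockcc
gen_iptables_rules blockcc permaban
```

Usage on a host with ipset: `gen_ipset_restore blockcc < country.txt > blockcc.restore` then `ipset -exist restore < blockcc.restore`; rerun the same two steps whenever the list is refreshed and the swap replaces the old contents in one step.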