Re: sucessor for denyhosts?
- Date: Sat, 9 Mar 2019 13:08:34 +0100 (CET)
- From: Roger Price <debian@xxxxxxxxxxxxxx>
- Subject: Re: sucessor for denyhosts?
On Sat, 9 Mar 2019, mj wrote:
We are using fail2ban to do this. It offers many more options, and works by
creating iptables rules. This gives you much more control over what ports
exactly are blocked.
Plus I think (correct me if Im wrong) that using /etc/hosts.deny to block
access only works with programs that are compiled to do so, and iptables will
/etc/hosts.deny is part of TCP Wrappers for which Wietse Venema stopped
maintenance in 1995. See https://en.wikipedia.org/wiki/TCP_Wrappers . See also
October 2014 Linux Weekly News article https://lwn.net/Articles/615173/
I find that it is much easier to use an ipset with set type hash:net to define
the IP nets and addresses that are to be rejected. It avoids messing with the
iptable commands. The ipset can be initialized with the IP addresses of
originating countries to be rejected using block lists such as those at
http://ipverse.net/ipblocks/data/countries/ I recommend enabling the counter
associated with each net.
I have had no problems with ipsets of over 140000 sub-net entries. I wouldn't
like to do that with just iptables.