Web lists-archives.com

Re: sucessor for denyhosts?




On Sat, 9 Mar 2019, mj wrote:

We are using fail2ban to do this. It offers many more options, and works by creating iptables rules. This gives you much more control over what ports exactly are blocked.

Plus I think (correct me if Im wrong) that using /etc/hosts.deny to block access only works with programs that are compiled to do so, and iptables will always work.

/etc/hosts.deny is part of TCP Wrappers for which Wietse Venema stopped maintenance in 1995. See https://en.wikipedia.org/wiki/TCP_Wrappers . See also October 2014 Linux Weekly News article https://lwn.net/Articles/615173/

I find that it is much easier to use an ipset with set type hash:net to define the IP nets and addresses that are to be rejected. It avoids messing with the iptable commands. The ipset can be initialized with the IP addresses of originating countries to be rejected using block lists such as those at http://ipverse.net/ipblocks/data/countries/ I recommend enabling the counter associated with each net.

I have had no problems with ipsets of over 140000 sub-net entries. I wouldn't like to do that with just iptables.

Roger