Re: successor for denyhosts?

Hi,

On 3/9/19 1:08 PM, Roger Price wrote:
I find that it is much easier to use an ipset with set type hash:net to define the IP nets and addresses that are to be rejected.  It avoids messing with the iptable commands.  The ipset can be initialized with the IP addresses of originating countries to be rejected using block lists such as those at http://ipverse.net/ipblocks/data/countries/ I recommend enabling the counter associated with each net.

Yes, we do the same. Additionally we also block many IPs (using ipsets) with https://github.com/trick77/ipset-blacklist

And perhaps there is no real need for a counter, as iptables -L -v provides counters already:

root@server:~# iptables -L filter_countries -v
Chain filter_countries (4 references)
 pkts bytes target prot opt in  out source   destination
  760 44108 DROP   all  --  any any anywhere anywhere    -m geoip --source-country CN
    5   300 DROP   all  --  any any anywhere anywhere    -m geoip --source-country AG
   43  2548 DROP   all  --  any any anywhere anywhere    -m geoip --source-country MX
    0     0 DROP   all  --  any any anywhere anywhere    -m geoip --source-country NI
    0     0 DROP   all  --  any any anywhere anywhere    -m geoip --source-country MF
    2   120 DROP   all  --  any any anywhere anywhere    -m geoip --source-country VE
 6260  326K DROP   all  --  any any anywhere anywhere    -m geoip --source-country CO
  118  6840 DROP   all  --  any any anywhere anywhere    -m geoip --source-country AR
  353 20104 DROP   all  --  any any anywhere anywhere    -m geoip --source-country RU
   69  4092 DROP   all  --  any any anywhere anywhere    -m geoip --source-country UA
   38  2040 DROP   all  --  any any anywhere anywhere    -m geoip --source-country MD
    0     0 DROP   all  --  any any anywhere anywhere    -m geoip --source-country SD
    0     0 DROP   all  --  any any anywhere anywhere    -m geoip --source-country SS

MJ
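An added example, not part of this thread nor of the ipset-blacklist project: it turns a country block list of the kind linked above into an `ipset restore` script for a hash:net set with the per-net counters Roger recommends. It assumes the list is one IPv4 CIDR per line with `#` comments (the ipverse.net format is assumed, not verified here), and the set name `countries_blocked` is arbitrary.

```shell
#!/bin/sh
# Build an `ipset restore` script from a block list file (one CIDR per line,
# '#' comments allowed; ipverse.net files are assumed to look like this).
# Nothing here touches the live firewall: the caller pipes the output into
# `ipset restore`, so the result can be inspected first.

SET_NAME="${SET_NAME:-countries_blocked}"

# Print the restore script for a list file on stdout.
build_ipset_restore() {
    listfile="$1"
    # 'counters' records packets/bytes per net (shown by `ipset list`);
    # '-exist' keeps the script idempotent when re-run on a live set.
    echo "create $SET_NAME hash:net family inet counters -exist"
    # Strip comments and whitespace, keep only plausible IPv4 CIDRs, dedupe.
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$listfile" \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
      | sort -u \
      | while read -r net; do
            echo "add $SET_NAME $net -exist"
        done
}

# Number of nets that would be loaded: a sanity check before applying.
count_nets() {
    build_ipset_restore "$1" | grep -c '^add '
}

# Constructed sample list for this example (not real country data).
SAMPLE_LIST="$(mktemp)"
cat > "$SAMPLE_LIST" <<'EOF'
# constructed sample block list
192.0.2.0/24
198.51.100.0/24
198.51.100.0/24   # duplicate entry is dropped by sort -u
not-an-address
203.0.113.0/24
EOF

build_ipset_restore "$SAMPLE_LIST"
echo "nets: $(count_nets "$SAMPLE_LIST")"
rm -f "$SAMPLE_LIST"

# Apply with:  build_ipset_restore countries.txt | ipset restore
# A single rule then covers the whole set:
#   iptables -I INPUT -m set --match-set countries_blocked src -j DROP
# and `ipset list countries_blocked` shows per-net packet/byte counters.
```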