Subj : Alternative(s) to ipset on OpenVZ
To   : Alexey Vissarionov
From : Joaquim Homrighausen
Date : Sun Dec 10 2017 19:11:10

 JH>> Does anyone know of an alternative to ipset for blocking IP
 JH>> ranges of entire countries, that works with OpenVZ containers?

 av> If you want to do exactly that, simply use CIDR notation with -s
 av> parameter.

Using IPTABLES ... or did you mean with ipset? I can't use ipset in this 
specific case, and listing thousands of nets using IPTABLES is usually a bad 
idea.

 av> However, if you need (just a guess) to protect SSH against
 av> bruteforcing the passwords, that's normally performed a bit
 av> differently.

I prefer using F2B, it works quite well if you up blocking time to something 
like 24-48 hours.



 -joho

---
 * Origin: code.code.code (2:20/4609)

.