Subj : Alternative(s) to ipset on OpenVZ
To   : Nelgin
From : Alexey Vissarionov
Date : Tue Dec 12 2017 09:55:50

Good ${greeting_time}, Nelgin!

11 Dec 2017 22:42:26, you wrote to Joaquim Homrighausen:

 >> Does anyone know of an alternative to ipset for blocking IP ranges
 >> of entire countries, that works with OpenVZ containers?
 Ne> I wish... I use fail2ban.

Very dangerous thing... However, it makes some fun to use it against
the admin^Widiot who installed it :-)

 Ne> OpenVZ containers have limited memory

Netfilter rules are counted as separate resources. Look at the source or in BC.

 Ne> and you can soon fill it up with all the subnets. With fail2ban
 Ne> you can block the offenders easily. I have a "permaban" chain for
 Ne> those repeat offenders.

Being a security expert, I know (and use; and, obviously, recommend) a better
method: limit the number of connections per minute to 2 or 3, thus making
any and all bruteforce attacks time-ineffective.

-- 
Alexey V. Vissarionov aka Gremlin from Kremlin
gremlin.ru!gremlin; +vii-cmiii-cmlxxvii-mmxlviii

.... that's why I really dislike fools.
--- /bin/vi
 * Origin: http://openwall.com/Owl (2:5020/545)
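
The per-minute connection limit recommended in the reply above, as an added example that is not part of the original message: a shell function that prints iptables rules built on the `recent` match. The port (tcp/22), the INPUT chain, the function name ratelimit_rules and the list name are assumptions, as is the availability of the recent and conntrack matches inside the container.

```shell
#!/bin/sh
# Added example (not from the original message): print iptables rules that cap
# NEW connections per source address per minute, as the reply suggests.
# Assumptions: the service is SSH on tcp/22, rules go in INPUT, and the
# container is allowed to use the xt_recent and conntrack matches.

ratelimit_rules() {
    port=$1 max=$2
    # Reject anything that is not a plain non-negative integer.
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    case "$max"  in ''|*[!0-9]*) echo "bad limit: $max" >&2; return 1 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    # xt_recent keeps 20 timestamps per address by default (ip_pkt_list_tot),
    # so --hitcount (max + 1) must stay at or below 20.
    if [ "$max" -lt 1 ] || [ "$max" -gt 19 ]; then
        echo "limit must be 1..19: $max" >&2; return 1
    fi
    list="rl_tcp_$port"   # hypothetical list name
    match="-p tcp --dport $port -m conntrack --ctstate NEW -m recent --name $list"
    # Rule 1 records every new connection attempt from the source address.
    echo "iptables -A INPUT $match --set"
    # Rule 2 drops the attempt once the source exceeds $max attempts in 60 s;
    # --update also refreshes the timestamp, so retrying keeps the block alive.
    echo "iptables -A INPUT $match --update --seconds 60 --hitcount $((max + 1)) -j DROP"
}

# Dry run: print the rules for 3 connections per minute on tcp/22.
# Review the output, then pipe it to sh as root to apply it.
ratelimit_rules "${1:-22}" "${2:-3}"
```

Only two rules are needed per service regardless of how many addresses connect, which matters where netfilter rules are a counted resource.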