Subj : Alternative(s) to ipset on OpenVZ
To   : Nelgin
From : Joaquim Homrighausen
Date : Mon Dec 18 2017 21:32:10

>>Does anyone know of an alternative to ipset for blocking IP ranges
>>of entire countries, that works with OpenVZ containers?

 n> I wish...

 n> I use fail2ban. OpenVZ containers have limited memory and you can
 n> soon fill it up with all the subnets. With fail2ban you can block
 n> the offenders easily. I have a "permaban" chain for those repeat
 n> offenders.

Well, you can have some nicely sized containers if you want, but putting 500 000 drops (or rejects if you like them better) in an IPTABLE chain is perhaps not a wise thing for anyone, thus the need for ipset.

Permaban is a good idea, until an IP range is re-assigned to someone else of course :), but then again, I think it's better to err on the inclusive side in this case.

It annoys me that ISPs don't have this as a service, and I'm quite surprised they don't actually. I can understand the fact that they don't want to subscribe to something like Cyren or similar, but they could quite easily do it on their own.

-joho

---
 * Origin: code.code.code (2:20/4609)