Re: Alternate Solution to Iptables???
From: Colin McKinnon (colin.thisisnotmysurname_at_ntlworld.deletemeunlessURaBot.com)
Date: 12/27/03
Date: Sat, 27 Dec 2003 01:36:18 +0000
Jim G. spilled the following:
> I do a lot of IP blocks in my business, my iptables has over 800 IPs that
> are being blocked because of users committing fraudulent activities. Is
> there an alternate solution that I can use rather than having so many IPs
> listed in my iptables. Do you know if I can achieve the same results of an
> iptables DROP with entering IPs in the hosts.deny file?
>
I guess you could recompile Apache against WV's tcpwrappers socket lib
(which would be cool if you set up an NIS map with the blocked addresses in
it). Or run a reverse proxy with squid and do something intelligent with
the ACLs / URL rewriting stuff. But isn't it just simpler to keep the
blocking in the iptables? Personally I would go with this and build a
wrapper so I wasn't editing my core firewall settings every time I wanted
to plonk an address.
> Also I will need to block certain countries as well, for example the
> Philippines, any idea on how to do this too?
Last time I looked:
1) the methods for doing this weren't 100% successful (one commercial
product did a reverse DNS lookup)
2) most methods were expensive in terms of time to resolution
3) there are plenty of free proxies out there before they even start looking
for a zombie.
> Running 3 Fedora core apache servers (Load balance) and a mysql server.
>
You could just wrap your pages up with an automatic prepend or a mod_rewrite
that includes a script which will check against a blacklist. I'd still go
with using iptables for keeping out the bad guys though.
HTH
C.
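
Added example (not part of the original message or thread): one way to build the wrapper described above, keeping blocked addresses in a plain file and rebuilding a single dedicated chain from it so the core firewall rules are never edited. The chain name BLOCKED, the file format and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: block list kept in a file, one dedicated chain rebuilt from it.
# Assumed chain name; hook it once with: iptables -I INPUT -j BLOCKED
CHAIN=BLOCKED

# Succeed only for a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4() {
    addr=${1%%/*}
    prefix=32
    case $1 in */*) prefix=${1#*/} ;; esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "${#prefix}" -le 2 ] && [ "$prefix" -le 32 ] || return 1
    case $addr in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Read the block list on stdin (one address or CIDR per line, '#' comments)
# and print iptables-restore input for the dedicated chain only.
# Entries that fail validation are reported on stderr and never reach a rule.
render_rules() {
    printf '%s\n' '*filter' ":$CHAIN - [0:0]"
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' | LC_ALL=C sort -u |
    while IFS= read -r entry; do
        if valid_ipv4 "$entry"; then
            printf '%s\n' "-A $CHAIN -s $entry -j DROP"
        else
            printf '%s\n' "skipping invalid entry: $entry" >&2
        fi
    done
    printf '%s\n' 'COMMIT'
}

# Load the rendered chain (needs root). With --noflush only the chain declared
# in the input is emptied and refilled; the rest of the ruleset is left alone.
apply_rules() {
    render_rules < "$1" | iptables-restore --noflush
}
```

Blocking or unblocking an address then means editing the list file and re-running apply_rules on it; the rules that reference the chain are set once and not touched again.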