I am running a CentOS server with WHM and cPanel, using CSF as the firewall. I want to block entire ranges of IP addresses.
I want to start with China, using the list from http://www.countryipblocks.net/ - this comes to roughly 3500 IP addresses/ranges.
With CSF, I noticed that the default setting for DENY_IP_LIMIT is 100. I can obviously increase this value, but CSF notes:
# Limit the number of IP's kept in the /etc/csf/csf.deny file. This can be
# important as a large number of IP addresses create a large number of iptables
# rules (4 times the number of IP's) which can cause problems on some systems
# where either the the number of iptables entries has been limited (esp VPS's)
# or where resources are limited. This can result in slow network performance,
# or, in the case of iptables entry limits, can prevent your server from
# booting as not all the required iptables chain settings will be correctly
# configured.
So 3500 is a big jump from 100. Should I be worried? If so, are there other options?
Answer 1
CSF can do country blocking by itself from the configuration file:
##############################################################################
# SECTION:Country Code Lists and Settings
###############################################################################
# Country Code to CIDR allow/deny. In the following two options you can allow
# or deny whole country CIDR ranges. The CIDR blocks are generated from the
# Maxmind GeoLite Country database http://www.maxmind.com/app/geolitecountry
# and entirely relies on that service being available
#
# Specify the the two-letter ISO Country Code(s). The iptables rules are for
# incoming connections only
#
# Warning: These lists are never 100% accurate and some ISP's (e.g. AOL) use
# non-geographic IP address designations for their clients
#
# Warning: Some of the CIDR lists are huge and each one requires a rule within
# the incoming iptables chain. This can result in significant performance
# overheads and could render the server inaccessible in some circumstances. For
# this reason (amongst others) we do not recommend using these options
#
# Warning: Due to the resource constraints on VPS servers this feature should
# not be used on such systems unless you choose very small CC zones
#
# Warning: CC_ALLOW allows access through all ports in the firewall. For this
# reason CC_ALLOW probably has very limited use
#
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_DENY =
CC_ALLOW =
# An alternative to CC_ALLOW is to only allow access from the following
# countries but still filter based on the port and packets rules. All other
# connections are dropped
CC_ALLOW_FILTER =
# This Country Code list will prevent lfd from blocking IP address hits for the
# listed CC's
CC_IGNORE =
# Display Country Code and Country for reported IP addresses. This option can
# be configured to use the MaxMind Country Database or the more detailed (and
# much larger and therefore slower) MaxMind City Database
#
# "0" - disable
# "1" - Reports: Country Code and Country
# "2" - Reports: Country Code and Country and Region and City
CC_LOOKUPS = Default: 1 [0-2]
# This option tells lfd how often to retrieve the Maxmind GeoLite Country
# database for CC_ALLOW, CC_ALLOW_FILTER, CC_DENY, CC_IGNORE and CC_LOOKUPS (in
# days)
CC_INTERVAL = Default: 7 [1-31]
However, the problem remains that such a large iptables setup will slow you down, so if possible this is best done on dedicated hardware. How feasible it is for you depends on how powerful your server is and how much traffic you get; a low-powered machine and/or high traffic may make this option a bad idea.
What I would ask, though, is why you need to block such a large range of IPs. If it is just to stop their attacks, then it is better to let CSF & LFD automatically block the attacking IPs, since they come and go frequently, so your block list probably won't cover everything for long, especially with botnets.
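Both the question (3500 entries, about four iptables rules per denied IP according to CSF's own comment) and the answer (huge CC lists, one rule per CIDR) come down to how many rules a block list turns into. The following added example, which is not from the original posts and not part of CSF, shows how a practitioner can measure that before loading a list: it parses a plain CIDR-per-line list in the style of the country lists mentioned above, collapses duplicate, overlapping and adjacent blocks with Python's standard `ipaddress` module, and estimates the rule count before and after. The sample list, the `RULES_PER_ENTRY` factor (taken from the CSF comment quoted in the question) and all function names are constructed for this example.

```python
"""Collapse an IP block list and estimate the iptables rule count it implies.

Added example, not from the original posts and not part of CSF. It assumes a
plain-text block list with one CIDR per line and '#' comments, similar to the
country lists mentioned in the question. The sample list below is constructed.
"""
import ipaddress

# Constructed sample block list. Adjacent, overlapping and duplicate entries
# are included on purpose so the effect of collapsing is visible.
SAMPLE_LIST = """\
# constructed sample, not a real country allocation
1.0.1.0/24
1.0.4.0/24
1.0.5.0/24
1.0.6.0/23
1.0.8.0/21
1.0.32.0/19
1.0.1.0/24      # duplicate entry, common in merged lists
1.2.4.0/24
1.2.5.0/24
2001:db8::/32
"""

# CSF's comment quoted in the question says each denied IP costs roughly four
# iptables rules. The factor is taken from the page, not measured here.
RULES_PER_ENTRY = 4


def parse_block_list(text):
    """Return the networks in a block list, skipping blank lines and comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=False accepts host bits set in the prefix (e.g. 1.0.1.5/24)
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def collapse(nets):
    """Merge duplicates, overlaps and adjacent blocks into the minimal set.

    collapse_addresses() refuses mixed IPv4/IPv6 input, so each family is
    collapsed separately and the results concatenated.
    """
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(
        ipaddress.collapse_addresses(v6)
    )


def estimate_rules(nets, per_entry=RULES_PER_ENTRY):
    """Rough iptables rule count for a list, using the page's 4x factor."""
    return len(nets) * per_entry


def collapsed_text(text):
    """Return the collapsed list as text, ready to be written to a deny file."""
    return "\n".join(str(n) for n in collapse(parse_block_list(text)))


def summarize(text):
    """Compare entry and rule counts before and after collapsing."""
    raw = parse_block_list(text)
    merged = collapse(raw)
    return {
        "raw_entries": len(raw),
        "collapsed_entries": len(merged),
        "raw_rules": estimate_rules(raw),
        "collapsed_rules": estimate_rules(merged),
        "ipv4_addresses_covered": sum(
            n.num_addresses for n in merged if n.version == 4
        ),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LIST).items():
        print(f"{key}: {value}")
    print(collapsed_text(SAMPLE_LIST))
```

On the constructed sample the ten raw entries collapse to six (1.0.4.0/24, 1.0.5.0/24 and 1.0.6.0/23 become 1.0.4.0/22; the duplicate 1.0.1.0/24 is dropped; 1.2.4.0/24 and 1.2.5.0/24 become 1.2.4.0/23), cutting the estimated rule count from 40 to 24 while covering exactly the same addresses. Running a real country list through `summarize()` gives a concrete number to weigh against the CSF warnings about VPS iptables limits before raising DENY_IP_LIMIT or enabling CC_DENY.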