Block all subnets of a certain country using iptables
Hi everybody,
We were experiencing extremely high loads on one of our web servers, generating enormous load on Apache and eventually resulting in the server running out of memory and just locking up.
Most IPs were coming from a certain country, so in the end I ended up simply blocking all subnets from that specific country (no interesting information for them on our websites anyway).
I did this by using the following script:
http://www.cyberciti.biz/faq/block-entier-country-using-iptables/
Very effective - a tail -f /var/log/messages is very amusing once the script is active.
And of course, iptables --list -v -n; gotta love those counters.
At the moment it is running on the web server itself in test; I will probably move it to our firewall at a later stage if it proves to be effective (so far it seems to be very effective).
Thought I might share this with you guys, I'm probably not the only one experiencing this kind of trouble.
(And yeah, I should probably move to something like NGINX etc... but that's not an option right now.)
(a thank you goes out to my colleague for finding the above script on the internet)
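The per-subnet blocking that such a script performs, as an added example (my own, not the script at the link above): it reads a zone list of CIDR prefixes, skips blank, comment and malformed lines, and prints the iptables commands for a dedicated chain instead of running them, so the result can be reviewed before being piped to sh as root. ZONE_SAMPLE is a constructed stand-in for a downloaded zone file, using documentation ranges.

```shell
#!/bin/sh
# Constructed sample standing in for a country zone file (one CIDR per line).
# Includes a comment, a blank line and a bogus entry to exercise the filtering.
ZONE_SAMPLE='192.0.2.0/24
# comment line
198.51.100.0/24

203.0.113.0/24
bogus-line'

# Return 0 if $1 is a well-formed IPv4 CIDR (dotted quad with prefix 0-32).
valid_cidr() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
  ip=${1%/*}
  oldifs=$IFS; IFS=.
  set -- $ip            # split the address into its four octets
  IFS=$oldifs
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
  return 0
}

# Read a zone list on stdin and emit the iptables commands for a chain
# named by $1 (default COUNTRY_DROP). Malformed entries are reported on
# stderr and skipped so a bad zone file cannot yield a broken rule set.
emit_block_rules() {
  chain=${1:-COUNTRY_DROP}
  echo "iptables -N $chain"
  echo "iptables -F $chain"
  while IFS= read -r line; do
    line=${line%%#*}                              # strip trailing comments
    line=$(printf '%s' "$line" | tr -d '[:space:]')
    [ -z "$line" ] && continue
    if valid_cidr "$line"; then
      echo "iptables -A $chain -s $line -j DROP"
    else
      echo "# skipped malformed entry: $line" >&2
    fi
  done
  echo "iptables -A $chain -j RETURN"
  echo "iptables -I INPUT -j $chain"               # hook the chain into INPUT
}

# Number of DROP rules the sample produces (3 valid prefixes).
count_sample_drops() {
  printf '%s\n' "$ZONE_SAMPLE" | emit_block_rules 2>/dev/null | grep -c -- '-j DROP'
}
```

Each prefix becomes its own rule and is matched linearly, which is fine for a test but slow for a full country list of tens of thousands of prefixes; an ipset of type hash:net referenced from a single rule is the usual replacement at that size.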
Comments
Instead of manually playing about with IPTables rules, you're probably better off using a firewall like CSF. Easier to get around, etc..
So rather than properly configuring your web server, you resort to nazism, how sad.
He is using apache, what do you expect.. :P
thanks now I can block India
@Chief should implement this imo
Exactly! You only need to add the two-letter ISO Country Code in the CC_DENY line of csf.conf and voila! :-)
Don't be a hater :P
Clinging to my apache!
@Jacob - correction - the people using (abusing ? ) that VM are using Apache
@George_Fusioned & @Jacob - that implies installing CSF - I needed something quick and dirty that does the same
Euhm? What? I'd prefer you take that back, instantly!
I agree with @jacob, CSF is easy to install, and more extensive than doing it manually, better for rapid-fire IP blocking.
Agreed. That would be the quick, copy/paste solution. Just about any other effective solution is going to be more work rather than less.
While you're in CSF --
unixsurgeon.com/kb/how-to-prevent-from-ddos.html
Add some additional protection...
@connercg
There we go again, filter tools against a 10 Gbps+ attack using a 1 Gbit NIC, seems legit.
@BronzeByte
It was presented as an additional option -- whether the OP decides to implement anything in the article is their choice, and I didn't create the article / URL name.
I've personally used the connection limit (CT_LIMIT) from the article to address some issues I've had with multiple connections from an IP scraping an image repository.
@bitprocessor just out of interest - how did you get to be the sort of person that spams forums with the ill-thought-out, poorly executed crap on cybercity.biz?
Eek.. you guys are way too harsh... give the guy a break.