We have a list of ABOUT 1000-2000 offending i.p.'s and was wondering if we blocked them from our main server through iptables if it will bring the load up.
Thanks,
Thanks,
Well I dont find any reasons for server to catch load due to number of IPs blocked..
We have long iptables rules set on all our server... yeah the only problem we face is we have 3 clients a week saying they cannot access their site but others can....
We have long iptables rules set on all our server... yeah the only problem we face is we have 3 clients a week saying they cannot access their site but others can....
Actually, a long iptables list with thousands of IP's in it can definitely cause load issues. It can also cause a slowdown of every service operating over the network (web, smtp, ftp, etc) as every packet has to be compared against every IP address. It can also render a server unbootable, which I've seen on many an occassion.
You should only really ever have a handful of blocked IP addresses in your firewall for current attacks, otherwise you should clean them out very regularly.
You should only really ever have a handful of blocked IP addresses in your firewall for current attacks, otherwise you should clean them out very regularly.
I agree with chirpy,
Here are my recommendations, take all those out, configure apf to ban people that abuse your server automatically, configure the server to send you that list or remove the blocks on its own.
Also configure traffic shaping so that people who DDos your server don't keep you from SSHing in.
If you really feel you need to have IPbans like that, simply offload them to an external firewall, most NOCs offer them as an addon to dedicateds.
Be aware though that simple router type firewalls, really dont have the ability to do IP bans, nor do they have the memory to store your list.
Here are my recommendations, take all those out, configure apf to ban people that abuse your server automatically, configure the server to send you that list or remove the blocks on its own.
Also configure traffic shaping so that people who DDos your server don't keep you from SSHing in.
If you really feel you need to have IPbans like that, simply offload them to an external firewall, most NOCs offer them as an addon to dedicateds.
Be aware though that simple router type firewalls, really dont have the ability to do IP bans, nor do they have the memory to store your list.
Great information guys, very much appreciated.
I think I will stick with a BFD and a couple permanent i.p.'s per server, then narrow down and keep the large list for our stand alone sonic wall system.
Thanks again,
Chaze
I think I will stick with a BFD and a couple permanent i.p.'s per server, then narrow down and keep the large list for our stand alone sonic wall system.
Thanks again,
Chaze
| Thread starter | Similar threads | Forum | Replies | Date |
|---|---|---|---|---|
| A | Suspicious file uploading issue | Security | 3 | |
| K | open_basedir issue with file uploads | Security | 4 | |
| O | Bizarre CPU Load issue - cpservd-ssl | Security | 0 | |
| S | Mysqladmin processlist load Issue. | Security | 1 | |
| C | Security & Firewall - csf v2.35 - Load Issue | Security | 1 |