apache 'deny from' vs iptables
We got a few honeypot scripts:
awstats.pl formmail.pl .. that append 'deny from $REMOTE_ADDRESS' to: /etc/apache/conf.d/naughty_ip.txt Right now there 419 individual ip# in the file. At what point is apache likely to slow down ? Would things be faster with iptables ? -- To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org |
apache 'deny from' vs iptables
On Sat, Feb 02, 2008 at 05:55:01PM -0500, Dan MacNeil wrote:
> Would things be faster with iptables ? Yes, I would think so. By denying them at the Apache level, a TCP connection must be setup whereas with iptables the connection would be denied prior to getting to the Apache server. By denying it at the kernel level (with iptables) you're saving Apache from having to deal with the request at all. You might also look for patterns in the IP addresses to find out if there are subnets that can be denied with iptables rather than individual addresses. Obviously doing so can have unintended side effects if the subnet is too wide and you deny legitimate requests, so it's a trade-off. Also, you might want to analyze the IPs that are being denied. Over time some of those entries are likely to become stale as the IP address owners change. You'll probably notice some patterns of IP addresses or networks that are always doing something bad while others are just one time hits. Steve -- To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org |
| All times are GMT. The time now is 04:51 PM. |
VBulletin, Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.