Shadbolt -
Joined: 09 Dec 2008 Posts: 12
|
Posted: Mon Jan 05, 2009 10:14 pm Post subject: How do I block ranges of IPs? |
I apologize if I am missing something obvious but I would appreciate some help with blocking ranges of IPs.
By way of example, let’s say I want to block all of the IPs allocated to Aruba.
There are several places that list all of the addresses allocated to each country. Here’s the one I am using at the moment: http://www.countryipblocks.net/index.php
CountryBlocks states that Aruba has two blocks of IPs: 200.12.248.0 - 200.12.255.255 and 201.229.0.0 - 201.229.63.255
CountryBlocks outputs information in seven different formats. Again by way of example, here is the output for Aruba in “.htaccess deny” format.
<Limit GET HEAD POST>
order allow,deny
# Country: ARUBA
# ISO Code: AW
# Total Networks: 2
# Total Subnets: 18,432
deny from 200.12.248.0/21
deny from 201.229.0.0/18
#
allow from all
</Limit>
Here are my questions…… How can I take this information and input it to my Abyss web server? I understand that it is possible to input one block at a time manually in the IP Address Control screen. I’m hoping there is a better way.
Again by way of example, suppose I want to deny all IPs coming from China. This is a formidable list to input manually.
Is there a way I can build a list of IPs to deny in a text file and either have the Abyss web server refer to the file directly or input the entire file (not manually) in one go? _________________ Thou art a very brute - but even brutes must marry, I suppose. |
Axis -
Joined: 29 Sep 2003 Posts: 336
Shadbolt -
Joined: 09 Dec 2008 Posts: 12
|
Posted: Tue Jan 06, 2009 7:09 pm Post subject: |
Hello Axis and thanks for the response.
The document you reference is a good summary of what makes up a valid IP address and how to express a range of addresses in CIDR (eg. 192.168.0.0/16) format.
However, it does NOT suggest how ranges may be entered into the Abyss web server IN BULK.
I hope there is a way better way to present, say, 200 IP ranges to be blocked than typing them one at a time into the IP Access Control screen.
The .htaccess deny format in my earlier post looks perfect but is there a way to use it with the Abyss server? _________________ Thou art a very brute - but even brutes must marry, I suppose. |
DonQuichote -
Joined: 24 Dec 2006 Posts: 68 Location: The Netherlands
|
Posted: Tue Jan 06, 2009 8:01 pm Post subject: abyss.conf |
I suggest that you just enter a few ranges by hand and then take a good look at your abyss.conf file. It is XML and quite human-readable. It should not be that hard to insert the ranges into it with a text editor and a little conversion/scripting/programming. Make a backup of the original config in case you accidentally mess things up, of course.
Shadbolt -
Joined: 09 Dec 2008 Posts: 12
|
Posted: Fri Jan 09, 2009 4:01 am Post subject: |
Thanks for the suggestion about editing the config file. I think it ought to work.
I'll give it a try and report back in a few days. Life just got busy. _________________ Thou art a very brute - but even brutes must marry, I suppose. |
Shadbolt -
Joined: 09 Dec 2008 Posts: 12
|
Posted: Tue Jan 13, 2009 8:01 pm Post subject: |
I have been thinking further about the problem of blocking ranges of IPs.
I am running a small web site that serves a very local population in the northwestern corner of the United States. The only legitimate traffic is going to come from the US and Canada. I am getting a significant number of malicious scans from Asia and Europe. Denying access to most parts of the world seems to be a practical way to reduce hacking attempts and other evils.
Using the site http://www.countryblocks.net/ I have extracted a list of all of the IP ranges allocated to the US and Canada. Then, following a suggestion from DonQuichote (see above) I formatted this list so it might be inserted into the abyss.conf file.
Below I have shown my proposed additions to the abyss.conf file, including the first and last IP range entries. The initial underscores on each line are to preserve formatting.
<ipcontrol>
__<rules>
____<rule>
______<allow> 47.0.0.0/8 </allow>
______<allow> 63.135.0.0/19 </allow>
.
. >>>>>>>>>>_almost 42,000 extra lines here!
.
______<allow> 216.255.192.0/19 </allow>
______<allow> 216.255.240.0/20 </allow>
______<vpath>/</vpath>
______<order>ad</order>
____</rule>
__</rules>
</ipcontrol>
This list of IP ranges for the US and Canada has almost 42,000 entries. To say that I think this might slow down the server a bit is somewhat of an understatement. I have yet to try running this!
Questions:
1. If I insert my 42,000 lines of Allowed IP Ranges into the Abyss.conf file will I exceed some limit? Currently the file is only 14kbytes. This size increases to 1400kbytes with the IP ranges added.
2. Are my fears about slowing the server justified?
3. Assuming the server works at all with the extra entries, is there a good way to compare its speed using the large and small versions of the abyss.conf file?
4. Is there a better way to do this? Can this be done easily inside a firewall, for example?
Thanks. _________________ Thou art a very brute - but even brutes must marry, I suppose. |
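Added example (not part of any post in this thread): a Python sketch of the conversion DonQuichote suggests, reading lines in the ".htaccess deny" format, merging adjacent and overlapping ranges to cut the entry count, and emitting a rule in the layout Shadbolt proposed. The element names (rule, allow, vpath, order) are copied from that proposed snippet and are not verified against Abyss documentation; the function names and the sample list are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the ".htaccess deny" style quoted in the thread.
SAMPLE = """\
# Country: EXAMPLE (constructed)
deny from 200.12.248.0/21
deny from 201.229.0.0/19
deny from 201.229.32.0/19
deny from 201.229.0.0/24
deny from 300.1.2.0/24
not-a-rule 10.0.0.0/8
"""

LINE_RE = re.compile(r"^\s*(?:allow|deny)\s+from\s+(\S+)\s*$", re.I)

def parse_networks(text):
    """Return IPv4 networks from allow/deny lines; skip comments and junk."""
    nets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            # Strict parsing rejects bad octets and CIDRs with host bits set.
            nets.append(ipaddress.IPv4Network(m.group(1)))
        except ValueError:
            continue  # never write an unparsable range into the config
    return nets

def collapse(nets):
    """Merge adjacent and overlapping ranges into the fewest CIDR blocks."""
    return list(ipaddress.collapse_addresses(nets))

def to_rule_xml(nets, tag="allow", vpath="/", order="ad"):
    """Build a <rule> element in the layout shown in the post (assumed)."""
    lines = ["<rule>"]
    lines += [f"  <{tag}>{n}</{tag}>" for n in nets]
    lines += [f"  <vpath>{vpath}</vpath>", f"  <order>{order}</order>", "</rule>"]
    return "\n".join(lines)

def is_covered(addr, nets):
    """Spot-check that an address falls inside the generated list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)

if __name__ == "__main__":
    merged = collapse(parse_networks(SAMPLE))
    print(to_rule_xml(merged))
```

Run it against a copy of the list first and paste the output into a backup copy of abyss.conf, then spot-check a few known addresses with is_covered before putting the file into service.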