How do I block ranges of IPs?

 
Shadbolt
-


Joined: 09 Dec 2008
Posts: 12

Posted: Mon Jan 05, 2009 10:14 pm    Post subject: How do I block ranges of IPs?

I apologize if I am missing something obvious but I would appreciate some help with blocking ranges of IPs.

By way of example, let’s say I want to block all of the IPs allocated to Aruba.

There are several places that list all of the addresses allocated to each country. Here’s the one I am using at the moment: http://www.countryipblocks.net/index.php

CountryBlocks states that Aruba has two blocks of IPs: 200.12.248.0 - 200.12.255.255 and 201.229.0.0 - 201.229.63.255

CountryBlocks outputs information in seven different formats. Again by way of example, here is the output for Aruba in “.htaccess deny” format.

<Limit GET HEAD POST>
order allow,deny
# Country: ARUBA
# ISO Code: AW
# Total Networks: 2
# Total Subnets: 18,432
deny from 200.12.248.0/21
deny from 201.229.0.0/18
#
allow from all
</Limit>

Here are my questions…… How can I take this information and input it to my Abyss web server? I understand that it is possible to input one block at a time manually in the IP Address Control screen. I’m hoping there is a better way.

Again by way of example, suppose I want to deny all IPs coming from China. This is a formidable list to input manually.

Is there a way I can build a list of IPs to deny in a text file and either have the Abyss web server refer to the file directly or input the entire file (not manually) in one go?
_________________
Thou art a very brute - but even brutes must marry, I suppose.
Axis
-


Joined: 29 Sep 2003
Posts: 336

Posted: Tue Jan 06, 2009 5:12 pm    Post subject:

Hello shadbolt--

There is this from the docs:
http://www.aprelium.com/data/doc/2/abyssws-win-doc-html/ipformat.html

Regards,
Axis
Shadbolt
-


Joined: 09 Dec 2008
Posts: 12

Posted: Tue Jan 06, 2009 7:09 pm    Post subject:

Hello Axis and thanks for the response.

The document you reference is a good summary of what makes up a valid IP address and how to express a range of addresses in CIDR (e.g. 192.168.0.0/16) format.

However, it does NOT suggest how ranges may be entered into the Abyss web server IN BULK.

I hope there is a way better way to present, say, 200 IP ranges to be blocked than typing them one at a time into the IP Access Control screen.

The .htaccess deny format in my earlier post looks perfect but is there a way to use it with the Abyss server?
_________________
Thou art a very brute - but even brutes must marry, I suppose.
DonQuichote
-


Joined: 24 Dec 2006
Posts: 68
Location: The Netherlands

Posted: Tue Jan 06, 2009 8:01 pm    Post subject: abyss.conf

I suggest that you just enter a few ranges by hand and then take a good look at your abyss.conf file. It is XML and quite human-readable. It should not be that hard to insert the ranges into it with a text editor and a little conversion/scripting/programming. Make a backup of the original config in case you accidentally mess things up, of course.
Shadbolt
-


Joined: 09 Dec 2008
Posts: 12

Posted: Fri Jan 09, 2009 4:01 am    Post subject:

Thanks for the suggestion about editing the config file. I think it ought to work.

I'll give it a try and report back in a few days. Life just got busy.
_________________
Thou art a very brute - but even brutes must marry, I suppose.
Shadbolt
-


Joined: 09 Dec 2008
Posts: 12

Posted: Tue Jan 13, 2009 8:01 pm    Post subject:

I have been thinking further about the problem of blocking ranges of IPs.

I am running a small web site that serves a very local population in the northwestern corner of the United States. The only legitimate traffic is going to come from the US and Canada. I am getting a significant number of malicious scans from Asia and Europe. Denying access to most parts of the world seems to be a practical way to reduce hacking attempts and other evils.

Using the site http://www.countryblocks.net/ I have extracted a list of all of the IP ranges allocated to the US and Canada. Then, following a suggestion from DonQuichote (see above) I formatted this list so it might be inserted into the abyss.conf file.

Below I have shown my proposed additions to the abyss.conf file, including the first and last IP range entries. The initial underscores on each line are to preserve formatting.

<ipcontrol>
__<rules>
____<rule>
______<allow> 47.0.0.0/8 </allow>
______<allow> 63.135.0.0/19 </allow>
.
. >>>>>>>>>>_almost 42,000 extra lines here!
.
______<allow> 216.255.192.0/19 </allow>
______<allow> 216.255.240.0/20 </allow>

______<vpath>/</vpath>
______<order>ad</order>
____</rule>
__</rules>
</ipcontrol>


This list of IP ranges for the US and Canada has almost 42,000 entries. To say that I think this might slow down the server a bit is somewhat of an understatement. I have yet to try running this!

Questions:
1. If I insert my 42,000 lines of Allowed IP Ranges into the Abyss.conf file will I exceed some limit? Currently the file is only 14kbytes. This size increases to 1400kbytes with the IP ranges added.
2. Are my fears about slowing the server justified?
3. Assuming the server works at all with the extra entries, is there a good way to compare its speed using the large and small versions of the abyss.conf file?
4. Is there a better way to do this? Can this be done easily inside a firewall, for example?

Thanks.
_________________
Thou art a very brute - but even brutes must marry, I suppose.
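
Added example, not part of the thread and not Aprelium's code: one way to script the conversion suggested above, turning a one-CIDR-per-line list into the rule block shown in the last post, while rejecting malformed entries and merging adjacent or overlapping ranges so fewer lines need to go into abyss.conf. The element layout (`<allow>`, `<vpath>`, `<order>ad</order>`) is copied from that post and not checked against the Abyss documentation; the function names and the sample list are constructed for illustration.

```python
import ipaddress

# Constructed sample list, one CIDR per line (not a real allocation list).
SAMPLE = """\
# constructed sample
47.0.0.0/8
63.135.0.0/20
63.135.16.0/20
216.255.192.0/19
216.255.200.0/21
216.255.240.1/20
300.1.2.0/24
"""

def parse_cidrs(text):
    """Return (networks, rejected) for a one-CIDR-per-line IPv4 list."""
    networks, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # strict=True refuses entries with host bits set, e.g. 10.0.0.1/8
            net = ipaddress.ip_network(line, strict=True)
        except ValueError:
            rejected.append(line)
            continue
        if net.version != 4:
            rejected.append(line)
        else:
            networks.append(net)
    return networks, rejected

def build_rule(networks, vpath="/", order="ad"):
    """Merge the networks and render them in the layout shown in the post."""
    merged = list(ipaddress.collapse_addresses(networks))
    lines = ["<ipcontrol>", "  <rules>", "    <rule>"]
    lines += [f"      <allow> {net} </allow>" for net in merged]
    lines += [f"      <vpath>{vpath}</vpath>", f"      <order>{order}</order>",
              "    </rule>", "  </rules>", "</ipcontrol>"]
    return "\n".join(lines), len(merged)

if __name__ == "__main__":
    nets, bad = parse_cidrs(SAMPLE)
    xml, count = build_rule(nets)
    print(xml)
    print(f"{len(nets)} valid entries merged into {count}; rejected: {bad}")
```

Review the rejected list before pasting the output into a backed-up copy of abyss.conf, since a silently dropped range in an allow list locks those visitors out.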
All times are GMT + 1 Hour