On Wednesday, 9 December 2020 07:03:17 GMT Remco Rijnders wrote:
> On Tue, Dec 08, 2020 at 11:18:49PM -0700, thelma wrote in
> <94662af9-b159-65ca-371d-1521ab4fa...@sys-concept.com>:
> >Steve suggested a good alternative database of IPs with a two-letter
> >country beside them. It can be sorted by country in a spreadsheet. This
> >16MB file would seem like an ideal solution; but checking it, it is
> >missing the 212.114.17 number I've checked earlier from the other source.
> >The number 212.114.16 is correctly identified as "FR" (France).
> >
> >deny from 212.114.16.0/24
> >deny from 212.114.17.0/24
> >
> >The dbip-country-lite-2020-12.csv lists:
> >212.114.10.0 212.114.15.255 RU
> >212.114.16.0 212.114.31.255 FR
> >212.114.32.0 212.114.49.39 DE
>
> Just wanted to point out that "212.114.17.0/24" is included in the
> "212.114.16.0 212.114.31.255 FR" entry you show, so it doesn't seem to be
> missing at all. For reasons of efficiency, it is preferable to have blocks
> listed that are bigger than /24's if they roll up to bigger blocks per
> country.
The above can be written as 212.114.16.0/20 in CIDR block notation.

Unwelcome website visitors are difficult to block without incurring some processing penalty and consequently causing undesirable latency for legitimate visitors. As has already been commented, a network/firewall level solution, which drops connections before they arrive at apache, is more efficient, because it avoids putting any load on the webserver application itself. Apache configuration files in /etc are loaded in RAM and, as long as there is enough memory, will be much faster than having to parse .htaccess files for each and every page/visitor.

The geoip solution works better when only a few countries are allowed to connect and everyone else is dropped. However, botnets can use VPNs or anonymising proxy servers to bypass such restrictions. Also, IP subnets change all the time, so geoip addresses have to be refreshed regularly.

Depending on the website design there are various php and other scripts which function similarly to fail2ban, when a visitor tries unsuccessfully to authenticate repeatedly. The sensitivity of the trigger can be adjusted for the number of failed attempts and the time the failed IP address is blocked for. I guess such a script could be deployed along with some firewall geoip block to minimise the load on the webserver.
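The range check and the /20 roll-up discussed in the thread, as an added example that is not part of any message in it: it parses a few constructed rows in the same start,end,country layout as the dbip-country-lite CSV, confirms that 212.114.17.0/24 falls inside the FR entry, summarises each start-end range into the minimal set of CIDR blocks with the standard library's `ipaddress` module, and emits `deny from` lines for chosen countries. Function names and the sample rows are my own.

```python
import csv
import io
import ipaddress

# Constructed sample in the three-column layout of the dbip-country-lite CSV
# quoted in the thread (start address, end address, ISO country code, no header).
SAMPLE_CSV = """\
212.114.10.0,212.114.15.255,RU
212.114.16.0,212.114.31.255,FR
212.114.32.0,212.114.49.39,DE
"""


def load_ranges(text):
    """Parse (start, end, country) rows into (first_addr, last_addr, cc) tuples."""
    rows = []
    for start, end, cc in csv.reader(io.StringIO(text)):
        rows.append((ipaddress.ip_address(start), ipaddress.ip_address(end), cc))
    return rows


def ranges_to_cidrs(rows):
    """Roll each start-end range up into the fewest CIDR blocks that cover it exactly."""
    result = []
    for first, last, cc in rows:
        for net in ipaddress.summarize_address_range(first, last):
            result.append((net, cc))
    return result


def country_of(rows, network):
    """Return the country code of the range that fully contains `network`, else None.

    A block that straddles two entries (or runs past the end of one) returns None
    rather than guessing, so callers notice a mismatch instead of mislabelling it.
    """
    net = ipaddress.ip_network(network, strict=False)
    for first, last, cc in rows:
        if first <= net.network_address and net.broadcast_address <= last:
            return cc
    return None


def apache_deny_lines(rows, countries):
    """Emit 'deny from <cidr>' directives for every block belonging to `countries`."""
    return [f"deny from {net}" for net, cc in ranges_to_cidrs(rows) if cc in countries]


if __name__ == "__main__":
    rows = load_ranges(SAMPLE_CSV)
    print("212.114.17.0/24 ->", country_of(rows, "212.114.17.0/24"))
    for net, cc in ranges_to_cidrs(rows):
        print(cc, net)
    print("\n".join(apache_deny_lines(rows, {"FR"})))
```

Because the RU and DE ranges do not end on power-of-two boundaries they each summarise into several blocks, while the FR range collapses to the single 212.114.16.0/20 the message mentions; loading the real 16MB file works the same way, just with more rows.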
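The fail2ban-style trigger described in the last paragraph, as an added illustration rather than any script mentioned in the thread: an in-memory counter that blocks an address once it accumulates `max_failures` failed logins inside a sliding `window`, keeps it blocked for `ban_seconds`, and forgets stale failures so an occasional typo never trips it. Class and parameter names are my own; timestamps can be injected so the behaviour is testable without waiting.

```python
import time
from collections import defaultdict, deque


class AuthLockout:
    """Per-IP failed-login tracker with a sliding window and a timed ban.

    max_failures: failures inside `window` seconds that trigger a ban
    ban_seconds:  how long the address stays blocked once triggered
    """

    def __init__(self, max_failures=5, window=600, ban_seconds=3600):
        self.max_failures = max_failures
        self.window = window
        self.ban_seconds = ban_seconds
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._banned_until = {}              # ip -> time at which the ban lifts

    def is_blocked(self, ip, now=None):
        """True while `ip` is banned; expired bans are cleared on the way out."""
        now = time.monotonic() if now is None else now
        until = self._banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._banned_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip, now=None):
        """Register one failed attempt; return True if `ip` is (now) blocked."""
        now = time.monotonic() if now is None else now
        if self.is_blocked(ip, now):
            return True
        recent = self._failures[ip]
        recent.append(now)
        # Drop failures older than the window so only a burst counts.
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._banned_until[ip] = now + self.ban_seconds
            recent.clear()
            return True
        return False

    def record_success(self, ip):
        """A successful login resets the failure history for `ip`."""
        self._failures.pop(ip, None)


if __name__ == "__main__":
    # Constructed walk-through: three failures inside a minute trip a 5-minute ban.
    lockout = AuthLockout(max_failures=3, window=60, ban_seconds=300)
    for t in (0, 10, 20):
        print(t, "blocked" if lockout.record_failure("203.0.113.5", now=t) else "ok")
    print(100, lockout.is_blocked("203.0.113.5", now=100))
    print(320, lockout.is_blocked("203.0.113.5", now=320))
```

In a real deployment the bans would be pushed to the firewall (the layer the thread recommends) rather than enforced inside the application, and the counters would live in shared storage so every worker process sees the same history.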