IPset Alternatives and Firewall Management

Posted by Jesmarin, 04-14-2016, 04:32 AM
I have CentOS 7, Plesk 12, 8GB RAM VPS. I have around 1000 rules in my iptables to block abusive users. But when reloading iptables it takes 15 seconds to reload all 1000 rules. First of all, is it an expected outcome to reload iptables in 15 seconds if there are 1000 rules? This seems a bit slow to me. Fairly, my server is idle and everything else runs pretty fast. Is it a misconfiguration on my server or is it normal? So I wanted to install ipset but it is not available for my VPS because it uses OpenVZ. ipset is simply not available for OpenVZ. What other alternative do I have other than ipset to decrease iptables rules?

Posted by itsyndicateorg, 04-14-2016, 07:07 AM
1000 rules in 15 seconds is OK.

Posted by Afterburst-Jack, 04-14-2016, 07:08 AM
I'd say 1000 rules is excessive. What exactly are you trying to achieve with all those rules?

Posted by Jesmarin, 04-14-2016, 07:32 AM
Thank you very much for your help. But strangely, when iptables is reloaded, during those 15 seconds the blocked IPs can connect to my server for a few requests; probably the rule is removed from iptables and then re-added. Isn't this ridiculous? That is also why I need to decrease that 15 second duration.

Posted by Jesmarin, 04-14-2016, 07:35 AM
Thank you very much for your help. Simply, they are DROP rules. They keep coming with different IPs. Because I can not use ipset, the iptables rules keep getting bigger and bigger. Could the GeoIP module for Apache help? Maybe I can prevent them in PHP? But I am not sure what burden it may add to the server load. Cheers

Posted by DeltaAnime, 04-14-2016, 07:41 AM
Is the issue that they're connecting, period, or that they're maxing your Apache out? One option would be to use blackhole routes, but the SYN packet would still hit your server; nothing else will occur. You really don't want to have 1000+ rules if you can help it; it hurts your network performance a fair bit. Francisco

Posted by Jesmarin, 04-14-2016, 07:50 AM
Thank you very much for your help. Well, actually they are click bombing for AdSense. I got an AdSense warning because of them. They are not actually bringing my server down, but they are connecting to my server sporadically from different countries and bot servers. Yes, during iptables reloading I can not use whois or nslookup commands till it completes reloading. Although the httpd service is not affected, I find this cumbersome. But just because of the ipset restriction, I am not keen on switching to KVM or Xen servers. So I am trying to figure out a way for better performance on iptables. Cheers

Posted by DeltaAnime, 04-14-2016, 07:52 AM
Blackholes won't affect your packet performance, so you could stop using iptables altogether and just use the routes. Francisco

Posted by Jesmarin, 04-14-2016, 08:06 AM
Oh thank you very much Francisco. This looks great. I will definitely give it a try now. But is there any limitation or performance loss when adding lots of IPs into routes? Currently I am also blocking Indonesia and Philippines IP ranges with an .htaccess file. There are about 1500 IP ranges. Do you think I can transfer all those country IPs to routes? Cheers

Posted by DeltaAnime, 04-14-2016, 08:23 AM
Nope. Routes are entirely kernel based, so there's no overhead like iptables. You use a tiny bit of RAM for each one, but for what it's worth 500,000 routes take < 512MB of kernel RAM, so you would have to have one serious bot issue. You should 100% move the .htaccess entries to blackholes. With it being an .htaccess you're putting an insane amount of overhead on Apache to process that for every single lookup. Francisco

Posted by Afterburst-Jack, 04-14-2016, 08:26 AM
Have you checked what user agent these bots are using? You might be able to deny them by user agent if it's something uncommon/clearly a bot, which would save you collating & keeping up to date a list of their IPs.

Posted by Jesmarin, 04-14-2016, 08:39 AM
Thank you so much Francisco. That really helped. I will transfer the IPs to blackholes now. One last question about blackholes please. Do blackholes or iptables rules take precedence? Say, if I insert an ACCEPT rule for an IP in iptables but meanwhile blackhole the same IP, which one wins? Cheers

Posted by DeltaAnime, 04-14-2016, 08:41 AM
Blackholes always win, since they direct which way the packet will go returning to the user. The VPS will ask "Which way do I go? ho ho, ho ho" when trying to send the data back, and the kernel will say "send it to the abyss", from which it's never heard from again. Francisco

Posted by Jesmarin, 04-14-2016, 08:45 AM
They use different techniques. Requests generally come from bot servers. User agents are mostly Firefox based. Some users have "user agent" browser extensions which change the browser user agent, so I do not want to block them unintentionally. Also I tried to block some of the user agents by rewrite rule, but they add a log entry in access_log. I use some bash scripts to check certain patterns, and those unnecessary log entries make it hard to handle them. Actually, mostly they send a direct request which does not have a referrer. It means they are not actually visiting and surfing through my site but simply calling my server with bots.

Posted by Jesmarin, 04-14-2016, 08:51 AM
Thanks again @Francisco. Good to know that. How can I whitelist some IPs by route? I have some inserted ACCEPT rules for my CDN service IP ranges. I do not want to block them unintentionally. Is there something like INSERT for routes which will make sure some IP ranges will always be whitelisted? Cheers
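The blackhole-route approach Francisco describes, with the whitelist concern from the last question handled up front: since a blackhole route takes effect regardless of an iptables ACCEPT for the same source, the script never blackholes a range that overlaps a whitelisted one. This is an added example, not code from the thread; the blocklist and whitelist are constructed sample data, and the function names are the author's own.

```shell
#!/bin/sh
# Added example, not from the thread: plan blackhole routes for a blocklist and
# skip any entry that overlaps a whitelisted range (e.g. CDN ranges), because a
# blackhole route drops replies even when iptables ACCEPTs that source.
# Commands are only printed; run with APPLY=1 (as root) to execute them.

# Constructed sample data using RFC 5737 documentation prefixes.
BLOCKLIST="203.0.113.10
203.0.113.0/24
198.51.100.77
192.0.2.0/24"
WHITELIST="198.51.100.64/27"

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# net_and_bits CIDR -> "network_int prefix_len" (a bare IP is treated as /32)
net_and_bits() {
    addr=${1%%/*}; bits=${1#*/}; [ "$bits" = "$1" ] && bits=32
    mask=$(( (0xffffffff << (32 - bits)) & 0xffffffff ))
    echo "$(( $(ip_to_int "$addr") & mask )) $bits"
}

# overlaps CIDR1 CIDR2 -> exit 0 if either range contains the other
overlaps() {
    set -- $(net_and_bits "$1") $(net_and_bits "$2")
    short=$3; [ "$4" -lt "$short" ] && short=$4
    mask=$(( (0xffffffff << (32 - short)) & 0xffffffff ))
    [ $(( $1 & mask )) -eq $(( $3 & mask )) ]
}

# plan_blackholes: one `ip route` command per safe entry, a commented skip
# line for any entry that would also blackhole a whitelisted range
plan_blackholes() {
    for b in $BLOCKLIST; do
        case $b in */*) cidr=$b ;; *) cidr=$b/32 ;; esac
        hit=""
        for w in $WHITELIST; do
            overlaps "$cidr" "$w" && hit=$w
        done
        if [ -n "$hit" ]; then echo "# skipped $cidr: overlaps whitelisted $hit"
        else echo "ip route replace blackhole $cidr"; fi
    done
}

plan_blackholes
if [ "${APPLY:-0}" = 1 ]; then plan_blackholes | grep -v '^#' | sh; fi
```

`ip route replace` is used instead of `add` so re-running the script after the list changes does not fail on entries that already exist.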
