Re: [CentOS] Size limitations in .htaccess

2013-06-11 Thread Bowie Bailey
On 5/29/2013 10:08 PM, Max Pyziur wrote:
 On Wed, 29 May 2013, m.r...@5-cent.us wrote:


 Have you considered running fail2ban, and banning them using iptables?
 I've considered that.

 But I'm tied to my (little?/not-so-little?) home-grown system of mining
 threatening IPs from BL sites (spam, sshd, forumspam), running them
 through an sql database, and outputting /etc/hosts.deny files to block via tcp
 wrappers, and now starting to output Deny from lines to place in
 .htaccess files. Deny From lines longer than somewhere around 8000
 characters seem to be the limit; I was curious if there was a specified
 limit somewhere, and whether or not I could put multiple Deny From lines?

 While fail2ban looks good, the little that I've tried it, I like keeping
 the firewall iptables neat, and doing the blocking as I have described
 above (maybe it's familiarity trumping fail2ban; maybe it's that fail2ban
 has a bit of a learning curve ...)

Fail2ban keeps all of its rules in its own chain, so any custom rules
that you have created will not get lost in the clutter.

You could also do the blocking yourself with iptables rather than having 
fail2ban manage it for you.  Just create iptables rules rather than the 
hosts.deny format.

iptables -I Blacklist -s xxx.xxx.xxx.xxx -j DROP

Of course, you need to add a rule in your main ruleset to call the 
Blacklist chain.  And make sure to save the rules from time to time so 
you don't lose all of them in a reboot.

-- 
Bowie
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Size limitations in .htaccess

2013-06-03 Thread Michael Krug
You could try ipset (yum install ipset) and create live lists of ips/blocks
and create a single lined rule in iptables to handle the lists. The only
downside is the lists are lost on a reboot, which can be overcome with a
little scripting. 

 -----Original Message-----
 From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
 Behalf Of Max Pyziur
 Sent: Wednesday, May 29, 2013 10:08 PM
 To: CentOS mailing list
 Subject: Re: [CentOS] Size limitations in .htaccess
 
 On Wed, 29 May 2013, m.r...@5-cent.us wrote:
 
  Max Pyziur wrote:
 
  Greetings,
 
  It seems that I've hit a size limitation when adding unwanted IPs to
  a Deny From line.
 
  Is there any place where this is specified?
 
  Also, if I hit the max length on a Deny From line, can I add
  another Deny From line?
 
  (Running CentOS 6, and the following version of Apache:
  httpd-2.2.15-28.el6.centos.x86_64)
 
  Have you considered running fail2ban, and banning them using iptables?
 
 I've considered that.
 
 But I'm tied to my (little?/not-so-little?) home-grown system of mining
 threatening IPs from BL sites (spam, sshd, forumspam), running them
 through an sql database, and outputting /etc/hosts.deny files to block via
 tcp wrappers, and now starting to output Deny from lines to place in
 .htaccess files. Deny From lines longer than somewhere around 8000
 characters seem to be the limit; I was curious if there was a specified
 limit somewhere, and whether or not I could put multiple Deny From lines?
 
 While fail2ban looks good, the little that I've tried it, I like keeping
 the firewall iptables neat, and doing the blocking as I have described
 above (maybe it's familiarity trumping fail2ban; maybe it's that fail2ban
 has a bit of a learning curve ...)
 
  mark
 
 
 Much thanks for the advice.
 
 Max Pyziur
 p...@brama.com


[CentOS] Size limitations in .htaccess

2013-05-29 Thread Max Pyziur

Greetings,

It seems that I've hit a size limitation when adding unwanted IPs to a 
Deny From line.

Is there any place where this is specified?

Also, if I hit the max length on a Deny From line, can I add another 
Deny From line?

(Running CentOS 6, and the following version of Apache: 
httpd-2.2.15-28.el6.centos.x86_64)


Much thanks,

Max Pyziur
p...@brama.com


Re: [CentOS] Size limitations in .htaccess

2013-05-29 Thread Marios Zindilis
On 05/29/2013 10:51 PM, Max Pyziur wrote:

 Greetings,

 It seems that I've hit a size limitation when adding unwanted IPs to a
 Deny From line.

 Is there any place where this is specified?

 Also, if I hit the max length on a Deny From line, can I add another
 Deny From line?

 (Running CentOS 6, and the following version of Apache:
 httpd-2.2.15-28.el6.centos.x86_64)


 Much thanks,

 Max Pyziur
 p...@brama.com

You can have multiple deny from lines, as well as multiple allow 
from lines (in case you want to configure access like a whitelist).

Multiple lines also help readability.

-- 
Marios Zindilis


Re: [CentOS] Size limitations in .htaccess

2013-05-29 Thread m . roth
Max Pyziur wrote:

 Greetings,

 It seems that I've hit a size limitation when adding unwanted IPs to a
 Deny From line.

 Is there any place where this is specified?

 Also, if I hit the max length on a Deny From line, can I add another
 Deny From line?

 (Running CentOS 6, and the following version of Apache:
 httpd-2.2.15-28.el6.centos.x86_64)

Have you considered running fail2ban, and banning them using iptables?

 mark



Re: [CentOS] Size limitations in .htaccess

2013-05-29 Thread SilverTip257
On Wed, May 29, 2013 at 5:24 PM, m.r...@5-cent.us wrote:

 Max Pyziur wrote:
 
  Greetings,
 
  It seems that I've hit a size limitation when adding unwanted IPs to a
  Deny From line.
 
  Is there any place where this is specified?
 
  Also, if I hit the max length on a Deny From line, can I add another
  Deny From line?
 
  (Running CentOS 6, and the following version of Apache:
  httpd-2.2.15-28.el6.centos.x86_64)

 Have you considered running fail2ban, and banning them using iptables?


Or blocking netblocks rather than individual IPs in your .htaccess file?
Netblocks with iptables would work nicely too (keeping the clutter to a
minimum).



  mark





-- 
---~~.~~---
Mike
//  SilverTip257  //
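
Added example (not code from any poster in this thread): a Python version of the file-generating step Max describes, applying the replies in this thread. It merges the listed addresses into netblocks, packs them into several Deny from lines under a length budget, and emits an ipset restore file for the single-rule iptables approach. The 4000-character budget, the minimum prefix lengths, the set name "blacklist" and the sample addresses are assumptions made for illustration.

```python
import ipaddress

MAX_LINE = 4000              # assumption: well under the ~8000 chars seen in the thread
MIN_PREFIX = {4: 16, 6: 32}  # assumption: refuse blocks broader than this

def collapse(entries):
    """Return (netblocks, rejected); valid entries merged into the fewest CIDR blocks."""
    by_version, rejected = {4: [], 6: []}, []
    for raw in entries:
        text = raw.strip()
        if not text or text.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(text)  # strict: host bits set is an error
        except ValueError:
            rejected.append(text)
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            rejected.append(text)             # e.g. 0.0.0.0/0 from a bad feed
        else:
            by_version[net.version].append(net)
    nets = [n for v in (4, 6) for n in ipaddress.collapse_addresses(by_version[v])]
    return nets, rejected

def deny_lines(nets, max_line=MAX_LINE):
    """Pack netblocks into as many 'Deny from' lines as max_line requires."""
    lines, cur = [], "Deny from"
    for net in nets:
        tok = str(net.network_address) if net.num_addresses == 1 else str(net)
        if cur != "Deny from" and len(cur) + 1 + len(tok) > max_line:
            lines.append(cur)
            cur = "Deny from"
        cur += " " + tok
    return lines + ([cur] if cur != "Deny from" else [])

def ipset_restore(nets, name="blacklist"):
    """Text for `ipset -exist restore`: fill a scratch set, then swap it in."""
    tmp = name + "-new"
    head = [f"create {name} hash:net family inet",
            f"create {tmp} hash:net family inet", f"flush {tmp}"]
    adds = [f"add {tmp} {n}" for n in nets if n.version == 4]  # IPv4 set only
    return "\n".join(head + adds + [f"swap {tmp} {name}", f"destroy {tmp}"]) + "\n"

# Constructed sample using documentation address ranges, not data from the thread.
SAMPLE = ["192.0.2.0", "192.0.2.1", "192.0.2.2", "192.0.2.3", "198.51.100.7",
          "203.0.113.0/25", "203.0.113.128/25", "2001:db8::1",
          "192.0.2.10/24", "not-an-ip", "0.0.0.0/0"]

if __name__ == "__main__":
    nets, rejected = collapse(SAMPLE)
    print("\n".join(deny_lines(nets)), ipset_restore(nets), rejected, sep="\n")
```

The Deny from lines go after "Order Allow,Deny" and "Allow from all"; the set is loaded with "ipset -exist restore < file" and matched by one rule such as "iptables -I INPUT -m set --match-set blacklist src -j DROP". Re-running the restore at boot, before the iptables rules are loaded, covers the loss on reboot mentioned in the thread.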


Re: [CentOS] Size limitations in .htaccess

2013-05-29 Thread Max Pyziur
On Wed, 29 May 2013, m.r...@5-cent.us wrote:

 Max Pyziur wrote:

 Greetings,

 It seems that I've hit a size limitation when adding unwanted IPs to a
 Deny From line.

 Is there any place where this is specified?

 Also, if I hit the max length on a Deny From line, can I add another
 Deny From line?

 (Running CentOS 6, and the following version of Apache:
 httpd-2.2.15-28.el6.centos.x86_64)

 Have you considered running fail2ban, and banning them using iptables?

I've considered that.

But I'm tied to my (little?/not-so-little?) home-grown system of mining 
threatening IPs from BL sites (spam, sshd, forumspam), running them 
through an sql database, and outputting /etc/hosts.deny files to block via tcp
wrappers, and now starting to output Deny from lines to place in 
.htaccess files. Deny From lines longer than somewhere around 8000 
characters seem to be the limit; I was curious if there was a specified 
limit somewhere, and whether or not I could put multiple Deny From lines?

While fail2ban looks good, the little that I've tried it, I like keeping
the firewall iptables neat, and doing the blocking as I have described 
above (maybe it's familiarity trumping fail2ban; maybe it's that fail2ban 
has a bit of a learning curve ...)

 mark


Much thanks for the advice.

Max Pyziur
p...@brama.com