How to Block 100,000+ Individual IP addresses
Problem description
Introduction
How do you block a large number of IP addresses from your web application/server? Obviously that can easily be done in PHP or any programming language:
$ipList = []; // array list or from database
// getIP() is the asker's own helper that returns the client address
if (in_array(getIP(), $ipList)) {
    // Log IP & Access information
    header("Location: https://www.google.com.ng/search?q=fool"); // redirect (a Location header is what actually redirects)
    exit(); // exit
}
Or using htaccess:
order allow,deny
deny from 123.45.6.7
deny from 012.34.5.
# .... the list continues
allow from all
The problems
- Am trying to block a whole 100k plus individual IPs, not subnets
- Am trying to avoid the user getting to PHP before blocking such an IP
- 100000+ is over 1.5MB and that is a lot of information to be loading in htaccess all the time
- Database of IPs still growing ... and there would be a need to dynamically add more values
- To set bans in iptables for 100000+ is just ridiculous (Might be wrong)
Stupid idea
order allow,deny
deny from database <-------- Not sure if this is possible
allow from all
Questions
- Is it possible for htaccess to get the list from a database (Redis, Crunchbase, Mongo, MySQL or even Sqlite) ... any
- Is there a viable solution to manage this kind of issue in production
- I know the best solution is to block the IPs at the firewall level; is there any way to programmatically add/remove IPs to the firewall
Finally
My approach might be totally wrong ... all I want is a viable solution since spammers and botnets are on the rise ...
Please, this has nothing to do with a DOS attack; it's a simple ... get lost response.
Update
- Firewall: Cisco PIX 515UR
Recommended answer
Something that you can try is keeping a list of the IP addresses you want to block in a text file, or converting it to a dbm hash file, then using mod_rewrite's RewriteMap. You'd have to set this up in your server/vhost config; you cannot initialize a map in an htaccess file.
RewriteEngine On
RewriteMap deny_ips txt:/path/to/deny_ips.txt
RewriteCond ${deny_ips:%{REMOTE_ADDR}|0} !=0
RewriteRule ^ - [L,F]
The /path/to/deny_ips.txt file would look something like this:
12.34.56.78 1
11.22.33.44 1
etc.
Essentially, an IP that you want to deny, a space, then a "1". Any IP in this text file will cause the server to return a 403 Forbidden. To speed things up a bit you can use httxt2dbm to generate a dbm hash, and then you'd define the mapping like so:
RewriteMap deny_ips dbm:/path/to/deny_ips.dbm
I'm not sure what the performance hit is for using mod_rewrite like this with a lot of IPs, but in a quick benchmark test on Apache 2.2 running on a 3GHz i686 under Linux, the difference between 5 IPs in the list versus 102418 is negligible. According to ab's output, they're nearly identical.
Addressing the specific questions:
Is it possible for htaccess to get the list from a database (Redis, Crunchbase, Mongo, MySQL or even Sqlite) ... any
Using a rewrite map, you can use the "prg" map type to run an external program as the mapping. You can then write a perl, php, etc. script that talks to a database in order to look up an IP address. Also note the caveats listed under "Caution". You'd then use this map like you would any other map (RewriteCond ${deny_ips:%{REMOTE_ADDR}|0} !=0). This would essentially create a bottleneck for all requests. Not the best solution for talking to a database.
In Apache 2.4 though, there is a dbd/fastdbd map type, which allows you to create queries through mod_dbd. This is a much better option, and the mod_dbd module manages connections to the database, pools connections, etc. So the map definition would look something like:
RewriteMap deny_ips "fastdbd:SELECT active FROM deny_ips WHERE source = %s"
Assuming you have a table "deny_ips" with 2 columns: "source" (the IP address) and "active" (1 for active, 0 for inactive).
Is there a viable solution to manage this kind of issue in production
If you are storing all of the blocked IPs in the database, it's a matter of managing the contents of your database table. If you are using the dbm map type, I know at least perl has a DBI for managing dbm files, so you can use that to add/remove IP entries from the deny list. I've never used it before so I can't really say much about it. Managing a flat text file is going to be a lot trickier, especially if you plan on removing entries and not just appending to it. Outside of using a database and Apache 2.4's mod_dbd, I don't think any of these solutions are out of the box or production ready. It's going to require custom work.
I know the best solution is to block the IPs at the firewall level; is there any way to programmatically add/remove IPs to the firewall
For iptables, there is a perl interface that's marked as Beta, but I've never used it before. There's libiptc, but according to netfilter's FAQ:
Is there a C/C++ API for adding/removing rules?
The answer unfortunately is: No.
Now you might think 'but what about libiptc?'. As has been pointed out numerous times on the mailinglist(s), libiptc was NEVER meant to be used as a public interface. We don't guarantee a stable interface, and it is planned to remove it in the next incarnation of linux packet filtering. libiptc is way too low-layer to be used reasonably anyway.
We are well aware that there is a fundamental lack of such an API, and we are working on improving that situation. Until then, it is recommended to either use system() or open a pipe into the stdin of iptables-restore. The latter will give you way better performance.
So I don't know how viable a libiptc solution is if there's no API stability.