How to Block 100,000+ Individual IP addresses


Question

Introduction

How do you block a large number of IP addresses from your web application/server? Obviously that can easily be done in PHP or any programming language:

$ipList = []; // array of blocked IPs, or loaded from a database

function getIP() {
    return $_SERVER['REMOTE_ADDR']; // client address as the server saw it
}

if (in_array(getIP(), $ipList, true)) {
    // Log IP & access information
    header("Location: https://www.google.com.ng/search?q=fool", true, 302); // redirect
    exit(); // exit
}

Or using htaccess:

order allow,deny
deny from 123.45.6.7
deny from 012.34.5.
# .... the list continues
allow from all

Problem

  • I'm trying to block a whole 100k-plus individual IPs, not subnets
  • I'm trying to avoid the user getting to PHP before such an IP is blocked
  • 100,000+ entries is over 1.5MB, and that is a lot of information to be loading in htaccess all the time
  • The database of IPs is still growing ... and there would be a need to dynamically add more values
  • To set bans in iptables for 100,000+ is just ridiculous (might be wrong)

Silly idea

order allow,deny
deny from database    <-------- Not sure if this is possible
allow from all

Questions

  • Is it possible for htaccess to get the list from a database (Redis, Crunchbase, Mongo, MySQL or even SQLite) ... anything?
  • Is there a viable solution to manage this kind of issue in production?
  • I know the best solution is to block the IPs at the firewall level; is there any way to programmatically add/remove IPs in the firewall?

Finally

My approach might be totally wrong ... all I want is a viable solution, since spammers and botnets are on the rise ...

Please note this has nothing to do with a DoS attack; it's a simple ... "get lost" response.

Update

  • Firewall: Cisco PIX 515UR

Recommended answer

Something you can try is keeping a list of the IP addresses you want to block in a text file, or converting it to a dbm hash file, then using mod_rewrite's RewriteMap. You'd have to set this up in your server/vhost config; you cannot initialize a map in an htaccess file.

RewriteEngine On
RewriteMap deny_ips txt:/path/to/deny_ips.txt

RewriteCond ${deny_ips:%{REMOTE_ADDR}|0} !=0
RewriteRule ^ - [L,F]

The /path/to/deny_ips.txt file looks like this:

12.34.56.78 1
11.22.33.44 1
etc.

Essentially, an IP that you want to deny, a space, then a "1". Any IP in this text file will cause the server to return a 403 Forbidden. To speed things up a bit you can use httxt2dbm to generate a dbm hash, and then you'd define the mapping like so:

RewriteMap deny_ips dbm:/path/to/deny_ips.dbm

I'm not sure what the performance hit is for using mod_rewrite like this with a lot of IPs, but in a quick benchmark test on Apache 2.2 running on a 3GHz i686 under Linux, the difference between 5 IPs in the list versus 102418 was negligible. According to ab's output, they're nearly identical.

Addressing the specific questions:

Is it possible for htaccess to get the list from a database (Redis, Crunchbase, Mongo, MySQL or even SQLite) ... anything?

Using a rewrite map, you can use the "prg" map type to run an external program as the mapping. You can then write a perl, php, etc. script to talk to a database in order to look up an IP address. Also note the caveats listed under "Caution". You'd then use this map like you would any other map (RewriteCond ${deny_ips:%{REMOTE_ADDR}|0} !=0). This would essentially create a bottleneck for all requests; not the best solution for talking to a database.

In Apache 2.4, though, there is a dbd/fastdbd map type, which allows you to create queries through mod_dbd. This is a much better option, and the mod_dbd module manages connections to the database, pools connections, etc. So the map definition would look something like:

RewriteMap deny_ips "fastdbd:SELECT active FROM deny_ips WHERE source = %s"

Assuming you have a table "deny_ips" with 2 columns, "source" (the IP address) and "active" (1 for active, 0 for inactive).

Is there a viable solution to manage this kind of issue in production?

If you are storing all of the blocked IPs in the database, it's a matter of managing the contents of your database table. If you are using the dbm map type, I know at least perl has a DBI for managing dbm files, so you can use that to add/remove IP entries from the deny list. I've never used it before, so I can't really say much about it. Managing a flat text file is going to be a lot trickier, especially if you plan on removing entries and not just appending to it. Outside of using a database and Apache 2.4's mod_dbd, I don't think any of these solutions are out of the box or production ready. It's going to require custom work.

I know the best solution is to block the IPs at the firewall level; is there any way to programmatically add/remove IPs in the firewall?

For iptables, there is a perl interface that's marked as Beta, but I've never used it before. There's libiptc, but according to netfilter's FAQ:

Is there a C/C++ API for adding/removing rules?

The answer unfortunately is: No.

Now you might think 'but what about libiptc?'. As has been pointed out numerous times on the mailing list(s), libiptc was NEVER meant to be used as a public interface. We don't guarantee a stable interface, and it is planned to remove it in the next incarnation of Linux packet filtering. libiptc is way too low-layer to be used reasonably anyway.

We are well aware that there is a fundamental lack of such an API, and we are working on improving that situation. Until then, it is recommended to either use system() or open a pipe into the stdin of iptables-restore. The latter will give you way better performance.

So I don't know how viable a libiptc solution is if there's no API stability.
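As an added example (not code from the answer above), here is a small Python management script for the two artefacts the answer ends up recommending: the txt RewriteMap file and an iptables-restore batch. The file names, the chain name DENY_IPS and the sample list are assumptions made for the example. The point it makes that the answer leaves implicit: a RewriteMap lookup is an exact string match against %{REMOTE_ADDR}, so every entry has to be in the canonical form Apache uses (dotted quad without zero-padded octets, compressed lowercase IPv6) or it will silently never match, and the map should be swapped in atomically because mod_rewrite re-reads a txt map when its mtime changes.

```python
"""Maintain the deny list behind `RewriteMap deny_ips txt:/path/to/deny_ips.txt`
and, for the firewall side, build an iptables-restore batch.

Added example, not code from the original answer. The file names, the chain
name DENY_IPS and SAMPLE_LIST are assumptions made for the example.
"""
import ipaddress
import os
import tempfile

# Constructed sample input: the kinds of junk a hand-grown list accumulates.
SAMPLE_LIST = """\
# spam sources
12.34.56.78
11.22.33.44
12.34.56.78            # duplicate
012.34.5.6             # zero-padded octet: REMOTE_ADDR never looks like this
2001:db8::1
2001:DB8:0:0:0:0:0:1   # same address as above, non-canonical spelling
10.0.0.0/8             # a subnet, not a single IP
not-an-ip
"""


def canonical(entry):
    """Return an ipaddress object for a single host address, or None.

    RewriteMap txt/dbm lookups are exact string matches on %{REMOTE_ADDR},
    which Apache renders in canonical form, so a non-canonical entry would
    silently never match. Zero-padded octets are rejected explicitly because
    older Python versions accept them.
    """
    octets = entry.split(".")
    if len(octets) == 4 and any(len(o) > 1 and o.startswith("0") for o in octets):
        return None
    try:
        return ipaddress.ip_address(entry)   # also rejects subnets and junk
    except ValueError:
        return None


def parse_deny_list(text):
    """Return (sorted unique addresses, rejected entries) from the raw list."""
    keep, rejected = set(), []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not entry:
            continue
        addr = canonical(entry)
        if addr is None:
            rejected.append(entry)
        else:
            keep.add(addr)                     # dedupes on the canonical form
    return sorted(keep, key=lambda a: (a.version, int(a))), rejected


def rewrite_map_lines(addresses):
    """One "<key> <value>" line per address; the value 1 is what the
    RewriteCond `${deny_ips:%{REMOTE_ADDR}|0} !=0` tests for."""
    return [f"{a} 1" for a in addresses]


def write_map_atomically(path, lines):
    """Write to a temp file in the same directory and rename it over the old
    map. mod_rewrite re-reads a txt map when its mtime changes; the rename
    guarantees it never reads a half-written file."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".deny_ips.")
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(lines) + "\n")
    os.replace(tmp, path)


def iptables_restore_batch(addresses, chain="DENY_IPS"):
    """Text to pipe into `iptables-restore -n`, the bulk path the netfilter FAQ
    recommends over one iptables call per address.

    The rules live in their own chain: with -n the `:CHAIN` line creates the
    chain if missing and flushes an existing one, while the rest of the filter
    table is left alone, so the whole set is swapped in one go. A single
    `-A INPUT -j DENY_IPS` jump, added once outside this batch, is assumed.
    IPv6 entries are skipped; they would go to ip6tables-restore the same way.
    """
    lines = ["*filter", f":{chain} - [0:0]"]
    lines += [f"-A {chain} -s {a} -j DROP" for a in addresses if a.version == 4]
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    addrs, bad = parse_deny_list(SAMPLE_LIST)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "deny_ips.txt")
        write_map_atomically(path, rewrite_map_lines(addrs))
        with open(path) as f:
            print(f.read())
    print(iptables_restore_batch(addrs))
    print("rejected:", bad)
```

Run it as a cron job or from the admin tool that owns the list; the same parse step feeds both the Apache map (for the 403) and the firewall batch (for the "get lost" at the packet level), so the two never drift apart.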
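The "prg" map type the answer mentions needs a long-lived program that speaks mod_rewrite's line protocol. As an added example (again not from the answer), here is one in Python that answers from the same txt map and reloads it when the file's mtime changes, so additions take effect without restarting Apache. The script path in the RewriteMap line and the map path are assumptions. It also makes the answer's caveat concrete: Apache feeds every key to this one process and waits for each reply in turn, so all requests on the vhost are serialised through the loop in serve(), which is why the answer prefers dbm or mod_dbd over a program that talks to a database.

```python
"""A RewriteMap "prg" lookup program for the deny list.

Added example, not code from the original answer. Apache would start it with
(script and map paths are assumptions)

    RewriteMap deny_ips "prg:/usr/local/bin/deny_lookup.py"

and then writes one key (here %{REMOTE_ADDR}) per line to its stdin, expecting
one value per line back; the literal NULL means "no mapping", which the `|0`
default in the RewriteCond turns into 0.
"""
import os
import sys

MAP_PATH = "/path/to/deny_ips.txt"   # assumed location of the txt map


class DenyMap:
    def __init__(self, path):
        self.path = path
        self.mtime = None
        self.ips = set()

    def reload_if_changed(self):
        """Re-read the txt map when its mtime changes, so addresses added by
        whatever maintains the file take effect without an Apache restart."""
        try:
            mtime = os.stat(self.path).st_mtime
        except FileNotFoundError:
            self.ips, self.mtime = set(), None   # a missing map denies nobody
            return
        if mtime == self.mtime:
            return
        ips = set()
        with open(self.path) as f:
            for line in f:
                parts = line.split()
                # txt map format: "<ip> <value>"; a leading # starts a comment
                if len(parts) >= 2 and not parts[0].startswith("#") and parts[1] != "0":
                    ips.add(parts[0])
        self.ips, self.mtime = ips, mtime

    def lookup(self, key):
        """Value for one key: "1" when the address is denied, else "NULL"."""
        self.reload_if_changed()
        return "1" if key.strip() in self.ips else "NULL"


def serve(denymap, stdin=None, stdout=None):
    """mod_rewrite's prg protocol: read a key per line, answer a value per line,
    flush after every answer because Apache blocks until it arrives. One process
    serves every request in turn, which is the bottleneck the answer warns about;
    the set lookup itself costs the same whether the list holds 5 or 100,000 IPs."""
    stdin = sys.stdin if stdin is None else stdin
    stdout = sys.stdout if stdout is None else stdout
    for line in stdin:
        stdout.write(denymap.lookup(line) + "\n")
        stdout.flush()


def demo():
    """Self-check on a constructed map file: two lookups, then an appended entry
    picked up after the mtime changes (bumped explicitly so the change is
    visible even on filesystems with coarse timestamps)."""
    import io
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "deny_ips.txt")
        with open(path, "w") as f:
            f.write("12.34.56.78 1\n11.22.33.44 1\n")
        m = DenyMap(path)
        before = (m.lookup("12.34.56.78"), m.lookup("8.8.8.8"))
        with open(path, "a") as f:
            f.write("8.8.8.8 1\n")
        st = os.stat(path)
        os.utime(path, (st.st_atime, st.st_mtime + 10))
        out = io.StringIO()
        serve(m, io.StringIO("8.8.8.8\n12.34.56.78\n1.1.1.1\n"), out)
        return before, out.getvalue().split()


if __name__ == "__main__":
    serve(DenyMap(sys.argv[1] if len(sys.argv) > 1 else MAP_PATH))
```

If the program ever prints anything but one value per key, or exits, every request that reaches the RewriteCond stalls or fails, so keep the loop this dumb and do the list maintenance elsewhere.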
