>>Does anyone know of an alternative to ipset for blocking IP ranges
 >>of entire countries, that works with OpenVZ containers?

 n> I wish...

 n> I use fail2ban. OpenVZ containers have limited memory and you can
 n> soon fill it up with an all the subnets. With fail2ban you can block
 n> the offenders easily. I have a "permaban" chain for those repeat
 n> offenders.

Well, you can have some nicely sized containers if you want, but putting 500
000 drops (or rejects if you like them better) in an IPTABLE chain is perhaps
not a wise thing for anyone, thus the need for ipset.

Permaban is a good idea, until an IP range is re-assigned to someone else of
course , but then again, I think it's better to err on the inclusive side in
this case.

It annoys me that ISPs don't have this as a service, and I'm quite surprised
they don't actually. I can understand the fact that they don't want to
subscribe to something like Cyren or similar, but they could quite easily do it
 on their own.


 -joho

---
 * Origin: code.code.code (2:20/4609)