You could try ipset (yum install ipset) and create live lists of IPs/blocks and create a single-line rule in iptables to handle the lists. The only downside is the lists are lost on a reboot, which can be overcome with a little scripting.
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Max Pyziur
Sent: Wednesday, May 29, 2013 10:08 PM
To: CentOS mailing list
Subject: Re: [CentOS] Size limitations in .htaccess
On Wed, 29 May 2013, m.roth@5-cent.us wrote:
Max Pyziur wrote:
Greetings,
It seems that I've hit a size limitation when adding unwanted IPs to a "Deny From" line.
Is there any place where this is specified?
Also, if I hit the max length on a "Deny From" line, can I add another "Deny From" line?
(Running CentOS 6, and the following version of Apache: httpd-2.2.15-28.el6.centos.x86_64)
Have you considered running fail2ban, and banning them using iptables?
I've considered that.
But I'm tied to my (little?/not-so-little?) home-grown system of mining threatening IPs from BL sites (spam, sshd, forumspam), running them through an sql database, and outputting /etc/hosts.deny files to block via tcp wrappers, and now starting to output "Deny from" lines to place in .htaccess files. "Deny From" lines longer than somewhere around 8000 characters seem to be the limit; I was curious if there was a specified limit somewhere, and whether or not I could put multiple Deny From lines?
While fail2ban looks good, the little that I've tried it, I like keeping the firewall iptables neat, and doing the blocking as I have described above (maybe it's familiarity trumping fail2ban; maybe it's that fail2ban has a bit of a learning curve ...)
mark
Much thanks for the advice.
Max Pyziur
pyz@brama.com
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
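The ipset approach suggested at the top of this message, as an added example that is not from any poster on the thread: a script that takes a blocklist file of the kind the home-grown pipeline already produces, loads it into a single ipset, attaches it to iptables with one rule, and saves the set so it can be restored after a reboot. The set name "blacklist", the save file path, the one-IPv4-or-CIDR-per-line list format and the '#' comment convention are assumptions, not values from the thread.

```sh
#!/bin/sh
# Added example (not from the thread): feed a blocklist into one ipset and one
# iptables rule instead of ever-growing "Deny from" lines or hosts.deny files.
# Assumptions: set name "blacklist" (override with SET_NAME), list file holds one
# IPv4 address or CIDR block per line, '#' starts a comment, ipset/iptables on PATH.

SET_NAME="${SET_NAME:-blacklist}"
SAVE_FILE="${SAVE_FILE:-/etc/ipset.blacklist.save}"   # assumed path for persistence

# Print an "ipset restore" script for the list. hash:net accepts both single hosts
# and CIDR blocks; comments, blanks and anything that is not an IPv4 address or
# prefix are dropped; duplicates are collapsed so a repeated entry cannot abort
# the restore. Pure text processing, so it is safe to run without root.
build_ipset_restore() {
    printf 'create %s hash:net family inet hashsize 1024 maxelem 65536\n' "$SET_NAME"
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
        | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' \
        | LC_ALL=C sort -u \
        | while IFS= read -r entry; do
            printf 'add %s %s\n' "$SET_NAME" "$entry"
          done
}

# Load the set (-exist keeps re-runs idempotent when the set already exists),
# add the single DROP rule only if it is not already present (iptables-save is
# used for the check because EL6's iptables predates the -C option), then save
# the set. Because the rule refers to the set by name, on boot the set must be
# restored with "ipset restore -exist < $SAVE_FILE" BEFORE the iptables rules
# are loaded, or the rule referencing it fails to insert.
apply_blocklist() {
    build_ipset_restore "$1" | ipset restore -exist
    if ! iptables-save | grep -q -- "--match-set $SET_NAME src"; then
        iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
    fi
    ipset save "$SET_NAME" > "$SAVE_FILE"
}

# Only act when a list file is given on the command line, e.g.:
#   sh blocklist.sh /var/lib/blocklist/ips.txt
# Sourcing or running the script without arguments has no side effects.
if [ -n "$1" ]; then
    apply_blocklist "$1"
fi
```

Re-running the script after the database emits a fresh list simply re-adds the current entries; entries that should disappear need an explicit `ipset flush` of the set first, or a swap of two sets, which this example does not do.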