[CentOS] Switching from lokkit (iptables) to firewalld

Tue Feb 4 15:13:50 UTC 2020
Stephen John Smoogen <smooge at gmail.com>

On Tue, 4 Feb 2020 at 05:37, Pete Biggs <pete at biggs.org.uk> wrote:

> On Mon, 2020-02-03 at 19:04 -0500, Jerry Geis wrote:
> > Hi All,
> >
> > Over the last 20 some years I have a file with about 200K worth of
> > addresses that have "wrongly" tried to connect to my boxes running
> > CentOS. So the file has one line per address or group of addresses like:
> > 2.244.112.0/24
> >
> > So using the OLD iptables I would run through my file, build the
> > iptables.txt file, and start that with DROP for the IP address. iptables
> > ran through the big list in no time.
> >
> > I was trying to run a script to go through each line and run:
> >  firewall-cmd --zone=drop --add-source="$ipblock" --permanent
> > but this takes a long time.
> >
> > What is a "better" way or more efficient way to keep my long list of bad
> > addresses and apply them?  Thanks,
> >
>
> To some extent you need to ask yourself if a 20 year old blacklist is
> really effective these days. Lots will have changed in that time and
> many of the addresses will have been reassigned.
>
> Also, a 200k lump of addresses will surely slow down the processing of
> incoming packets?
>
>
It will because it is a linear list that every packet has to be 'judged'
against. Even if you break it down to 2 or 3 trees it will still take a
while.

Any list of IP addresses is going to be outdated by a year because of how
ranges are so dynamic these days. Most 'bad-guys' can jump around a couple
hundred thousand or million IP addresses without much cost on their part
and can get new ranges to screw around weekly.



> Perhaps it's time to rethink what you do. Can you define what addresses
> would "rightly" try and connect to your machine and whitelist those on
> a normally closed system (rather than blacklisting those on a normally
> open system).
>
> If you need the system to be open, then I find Fail2Ban useful in
> blacklisting addresses that are being naughty.
>
> P.
>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>


-- 
Stephen J Smoogen.
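The efficient way to do what Jerry asks, and the answer to the linear-list concern above, is to load the whole file into one firewalld ipset of type hash:net and bind that set to the drop zone as a single source. The kernel then does a hashed lookup (one table per distinct prefix length) instead of walking 200K rules, and firewalld is invoked a handful of times instead of once per line. The script below is an added example, not code from anyone in this thread; it assumes a firewalld with ipset support (0.4 or later) run as root, an IPv4-only list, and the names badhosts, LIST_ZONE and the maxelem value are illustrative choices. The cleaning step matters because one malformed line in a 20-year-old file would otherwise abort the bulk load.

```shell
#!/bin/sh
# Added example (not from the thread): bulk-load a blocklist file into
# firewalld as a single hash:net ipset bound to the drop zone.
# Assumptions: firewalld >= 0.4 with ipset support, run as root, IPv4 only,
# one address or CIDR block per line. IPSET_NAME, LIST_ZONE and the
# maxelem value below are illustrative, not firewalld defaults.
set -eu

IPSET_NAME="${IPSET_NAME:-badhosts}"
LIST_ZONE="${LIST_ZONE:-drop}"

# normalize_list FILE
# Strip comments and whitespace, keep only syntactically valid IPv4
# addresses or CIDR blocks (octets 0-255, prefix 0-32), drop duplicates.
normalize_list() {
    oct='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" \
        | grep -E "^($oct\\.){3}$oct(/([0-9]|[12][0-9]|3[0-2]))?\$" \
        | sort -u
}

# load_blocklist FILE
# Create the ipset once, bulk-add the cleaned entries from a file, bind the
# set to the zone as one source, and reload a single time at the end.
load_blocklist() {
    command -v firewall-cmd >/dev/null 2>&1 \
        || { echo "firewall-cmd not found" >&2; return 1; }
    clean=$(mktemp)
    normalize_list "$1" > "$clean"
    echo "loading $(wc -l < "$clean" | tr -d ' ') entries into ipset $IPSET_NAME" >&2

    if ! firewall-cmd --permanent --get-ipsets | tr ' ' '\n' | grep -qx "$IPSET_NAME"; then
        # hash:net defaults to maxelem=65536; a 200K-entry list needs more room
        firewall-cmd --permanent --new-ipset="$IPSET_NAME" --type=hash:net \
            --option=family=inet --option=maxelem=1000000
    fi
    # one call for the whole file instead of one firewall-cmd per line
    firewall-cmd --permanent --ipset="$IPSET_NAME" --add-entries-from-file="$clean"
    if ! firewall-cmd --permanent --zone="$LIST_ZONE" \
            --query-source="ipset:$IPSET_NAME" >/dev/null 2>&1; then
        firewall-cmd --permanent --zone="$LIST_ZONE" --add-source="ipset:$IPSET_NAME"
    fi
    firewall-cmd --reload
    rm -f "$clean"
}

# Usage: sh load_blocklist.sh /path/to/badlist.txt
if [ "$#" -gt 0 ]; then
    load_blocklist "$1"
fi
```

Re-running the script re-adds the same entries to the existing set; for a full refresh of a list that shrinks over time, delete the ipset (`firewall-cmd --permanent --delete-ipset=badhosts`) and run the script again. The cleaning regex accepts only IPv4; an IPv6 list would need a second set created with `--option=family=inet6`.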