Hello,
In the file csf.blocklists, one can enable various external IP blacklists to be included in CSF.
I want to ask how many IPs is too many to block?
I have around 3GB RAM free and one spare CPU core; not sure how to count how many IPs I can afford to block.
The openbl.org list has around 2300 IPs.
Here someone had time to move some deny IPs into an external blacklist file; not sure what the difference is between an external blacklist and the internal deny list in terms of speed and possible size of the list.
csf.blocklists how many IPs is too many?
Re: csf.blocklists how many IPs is too many?
When using block lists I highly recommend that you enable ipset if your operating system supports it.
Note:
1. Ipset 6+ is required. Legacy operating systems like RHEL 5 or CentOS 5 do not support Ipset 6+.
2. Ipset will not function on Virtuozzo/OpenVZ.
About ipset
http://www.linuxjournal.com/content/adv ... ions-ipset
Installation
CentOS / Redhat
# yum install ipset
Debian / Ubuntu
sudo apt-get install ipset
Edit the file /etc/csf/csf.conf and change the config item LF_IPSET to 1.
Restart the firewall (as root):
# csf -r
With ipsets enabled you can enable any or all of the blocklists provided by CSF and you really don't need to worry about iptables rules limits. It's really that good.
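As an added example (not code from the forum post or from the csf package itself), a small POSIX shell pre-flight script that encodes the two caveats from the reply above before flipping LF_IPSET: it parses the `ipset --version` string for a major version of 6 or newer, refuses to proceed when the kernel looks like OpenVZ/Virtuozzo, and only then rewrites LF_IPSET in a csf.conf. The csf.conf contents, the version strings and the fake /proc trees are constructed for the demo, and the OpenVZ detection (presence of /proc/user_beancounters or /proc/vz) is an assumption; the real file is /etc/csf/csf.conf and you still run csf -r afterwards.

```shell
#!/bin/sh
# Added example, not from the forum post or the csf package: pre-flight checks
# before enabling LF_IPSET, covering the two caveats from the reply above
# (ipset 6+ required; ipset does not work inside Virtuozzo/OpenVZ).

# Print the major version from an `ipset --version` line such as
# "ipset v6.19, protocol version: 6"; prints 0 when the line cannot be parsed.
ipset_major() {
    major=$(printf '%s\n' "$1" | sed -n 's/^ipset v\([0-9][0-9]*\)[.,].*/\1/p')
    echo "${major:-0}"
}

# Succeed only when the reported ipset major version is 6 or newer.
ipset_supported() {
    [ "$(ipset_major "$1")" -ge 6 ]
}

# Succeed when the kernel looks like OpenVZ/Virtuozzo. Assumption used here:
# such kernels expose /proc/user_beancounters and a /proc/vz directory.
# $1 is an optional root prefix so the check can be exercised on a fake tree.
is_openvz() {
    root="${1:-}"
    [ -e "$root/proc/user_beancounters" ] || [ -d "$root/proc/vz" ]
}

# Rewrite LF_IPSET = "<anything>" to LF_IPSET = "1" in the csf.conf given as $1.
# The anchored pattern leaves LF_IPSET_HASHSIZE / LF_IPSET_MAXELEM untouched.
# Succeeds only if the file ends up with LF_IPSET enabled.
enable_lf_ipset() {
    conf="$1"
    sed 's/^LF_IPSET = "[^"]*"/LF_IPSET = "1"/' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    grep -q '^LF_IPSET = "1"' "$conf"
}

# Run both caveats and only then enable ipset; on failure leave csf.conf alone so
# the admin keeps plain iptables rules (and stays inside any numiptent limit).
preflight() {
    conf="$1"; version_line="$2"; root="${3:-}"
    if is_openvz "$root"; then
        echo "OpenVZ/Virtuozzo detected: ipset will not work here, LF_IPSET left unchanged"
        return 1
    fi
    if ! ipset_supported "$version_line"; then
        echo "ipset major version $(ipset_major "$version_line") found, need 6+: LF_IPSET left unchanged"
        return 1
    fi
    enable_lf_ipset "$conf" && echo "LF_IPSET enabled in $conf; now restart with: csf -r"
}

# --- demo on a constructed csf.conf and two fake root trees ---
DEMO=$(mktemp -d)
printf 'TESTING = "0"\nLF_IPSET = "0"\nLF_IPSET_HASHSIZE = "1024"\n' > "$DEMO/csf.conf"
mkdir -p "$DEMO/vzroot/proc/vz" "$DEMO/plainroot/proc"

# 1) legacy ipset 4.x on a normal kernel: refused
preflight "$DEMO/csf.conf" "ipset v4.5, protocol version 4" "$DEMO/plainroot" || echo "  (not enabled)"
# 2) modern ipset but inside OpenVZ: refused
preflight "$DEMO/csf.conf" "ipset v6.19, protocol version: 6" "$DEMO/vzroot" || echo "  (not enabled)"
# 3) modern ipset on a normal kernel: csf.conf is rewritten
preflight "$DEMO/csf.conf" "ipset v6.19, protocol version: 6" "$DEMO/plainroot"
grep '^LF_IPSET' "$DEMO/csf.conf"
```

On a real host, call preflight with /etc/csf/csf.conf, "$(ipset --version)" and no root prefix; the anchored sed pattern matters because csf.conf also carries LF_IPSET_HASHSIZE and LF_IPSET_MAXELEM, which must not be rewritten.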
Re: csf.blocklists how many IPs is too many?
Thanks a lot for reminding me about ipset. I once researched it and found I can't use it, as I'm using OpenVZ:
> 2. Ipset will not function on Virtuozzo/OpenVZ.
Re: csf.blocklists how many IPs is too many?
You are going to be severely limited by what you can do in Virtuozzo. Newer VPS systems like KVM still support ipset.
I would check if your provider is limiting the number of iptables rules in your VPS. You can check what your "numiptent" parameter is by issuing the following command:
cat /proc/user_beancounters
That will tell you your VPS limits. Then you can set CSF settings accordingly.
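Taking the numiptent advice above one step further, as an added example (not from the post or from csf): a POSIX shell snippet that parses the numiptent line out of /proc/user_beancounters, reports held/limit/failcnt and the remaining headroom, and checks whether a candidate blocklist file would fit before you enable it. The beancounters text, the deny/blocklist files and the "one iptables rule per blocked IP" budget are constructed assumptions for the demo; CSF may add more than one rule per entry, so a "fits" answer is a floor, not a guarantee. The real file is normally readable only by root.

```shell
#!/bin/sh
# Added example, not from the forum post or csf: read the numiptent counter
# from /proc/user_beancounters and check whether a blocklist fits under it.

# Print "held maxheld barrier limit failcnt" for numiptent from a beancounters
# file ($1). The first resource line carries a "uid:" column, later ones do not,
# so match the resource name in either position.
numiptent_fields() {
    awk '$1 == "numiptent" { print $2, $3, $4, $5, $6 }
         $2 == "numiptent" { print $3, $4, $5, $6, $7 }' "$1"
}
numiptent_held()    { numiptent_fields "$1" | awk '{ print $1 }'; }
numiptent_limit()   { numiptent_fields "$1" | awk '{ print $4 }'; }
numiptent_failcnt() { numiptent_fields "$1" | awk '{ print $5 }'; }

# Rules still available before the hard limit is reached.
numiptent_headroom() {
    echo $(( $(numiptent_limit "$1") - $(numiptent_held "$1") ))
}

# Count active entries in a csf.deny-style or blocklist file ($1): one IP or
# CIDR per line, blank lines and '#' comments ignored.
count_entries() {
    grep -c -v -E '^[[:space:]]*(#|$)' "$1" || true
}

# Assumption: budget one iptables rule per blocked IP. CSF can add more than
# one rule per entry, so a "fits" answer is a floor, not a guarantee.
blocklist_fits() {
    bc="$1"; list="$2"
    [ "$(count_entries "$list")" -le "$(numiptent_headroom "$bc")" ]
}

# Human-readable summary of the counter, including whether rules were already refused.
numiptent_report() {
    set -- $(numiptent_fields "$1")
    echo "numiptent: held=$1 maxheld=$2 barrier=$3 limit=$4 failcnt=$5 headroom=$(( $4 - $1 ))"
    if [ "$5" -gt 0 ]; then
        echo "  failcnt > 0: rules have already been refused; raise the limit or enable fewer blocklists"
    fi
}

# --- demo on constructed files ---
DEMO=$(mktemp -d)
BC="$DEMO/user_beancounters"   # constructed, shaped like the real /proc file
cat > "$BC" <<'EOF'
Version: 2.5
       uid  resource                     held              maxheld              barrier                limit              failcnt
      101:  kmemsize                  2345678              3456789             14372700             14790164                    0
            lockedpages                     0                    0                  256                  256                    0
            numiptent                     650                  700                 1000                 1000                    0
            numfile                       900                 1200                 8192                 8192                    0
EOF
SMALL="$DEMO/small.list"       # constructed: 3 entries plus comments and a blank line
printf '# constructed blocklist\n198.51.100.7 # do not delete\n\n198.51.100.8\n203.0.113.0/24 # scanner range\n' > "$SMALL"
BIG="$DEMO/big.list"           # constructed: 2300 entries, the size of the openbl list mentioned above
awk 'BEGIN { for (i = 1; i <= 2300; i++) printf "192.0.2.%d # constructed entry %d\n", i % 256, i }' > "$BIG"

numiptent_report "$BC"
for f in "$SMALL" "$BIG"; do
    if blocklist_fits "$BC" "$f"; then
        echo "$(count_entries "$f") entries in $f fit under the headroom"
    else
        echo "$(count_entries "$f") entries in $f exceed the headroom"
    fi
done
```

On a real container, point BC at /proc/user_beancounters (as root) and the list argument at /etc/csf/csf.deny or the downloaded blocklist file; a non-zero failcnt is the sign that the limit has already been hit and rules were silently dropped.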
Re: csf.blocklists how many IPs is too many?
Thanks for the nice advice regarding numiptent. I have this value set very high and I can also tweak it as I have access to the host server. It surprised me that OpenVZ says: "It is not recommended to allow containers to create more than 200–300 numiptent."
So I'm still unsure how to measure/discover the safe number of IPs I can block (having 600 "no delete" IPs in the deny IP list already and thousands I wish to block in external blacklists).