1

I am running a centos server with WHM and Cpanel and using CSF as the firewall. I would like to block a whole range of IP addresses.

I wanted to start off with China, and got a list of IPs from http://www.countryipblocks.net/ - this amounts to around 3500 IP addresses/ranges.

Using CSF, I noticed that the default for DENY_IP_LIMIT is set to 100. I can obviously increase this, but CSF states:

# Limit the number of IP's kept in the /etc/csf/csf.deny file. This can be
# important as a large number of IP addresses create a large number of iptables
# rules (4 times the number of IP's) which can cause problems on some systems
# where either the number of iptables entries has been limited (esp VPS's)
# or where resources are limited. This can result in slow network performance,
# or, in the case of iptables entry limits, can prevent your server from
# booting as not all the required iptables chain settings will be correctly
# configured.

So, 3500 is a BIG increase over 100. Should I be concerned, and if so, are there any other alternatives?

JonoB
  • 27
  • 2

1 Answer

1

CSF can do country blocks itself, from the config file:

##############################################################################
# SECTION:Country Code Lists and Settings
###############################################################################
# Country Code to CIDR allow/deny. In the following two options you can allow
# or deny whole country CIDR ranges. The CIDR blocks are generated from the
# Maxmind GeoLite Country database http://www.maxmind.com/app/geolitecountry
# and entirely relies on that service being available
#
# Specify the two-letter ISO Country Code(s). The iptables rules are for
# incoming connections only
#
# Warning: These lists are never 100% accurate and some ISP's (e.g. AOL) use
# non-geographic IP address designations for their clients
#
# Warning: Some of the CIDR lists are huge and each one requires a rule within
# the incoming iptables chain. This can result in significant performance
# overheads and could render the server inaccessible in some circumstances. For
# this reason (amongst others) we do not recommend using these options
#
# Warning: Due to the resource constraints on VPS servers this feature should
# not be used on such systems unless you choose very small CC zones
#
# Warning: CC_ALLOW allows access through all ports in the firewall. For this
# reason CC_ALLOW probably has very limited use
#
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_DENY =
CC_ALLOW =

# An alternative to CC_ALLOW is to only allow access from the following
# countries but still filter based on the port and packets rules. All other
# connections are dropped
CC_ALLOW_FILTER =

# This Country Code list will prevent lfd from blocking IP address hits for the
# listed CC's
CC_IGNORE =

# Display Country Code and Country for reported IP addresses. This option can
# be configured to use the MaxMind Country Database or the more detailed (and
# much larger and therefore slower) MaxMind City Database
#
# "0" - disable
# "1" - Reports: Country Code and Country
# "2" - Reports: Country Code and Country and Region and City
CC_LOOKUPS = Default: 1 [0-2]

# This option tells lfd how often to retrieve the Maxmind GeoLite Country
# database for CC_ALLOW, CC_ALLOW_FILTER, CC_DENY, CC_IGNORE and CC_LOOKUPS (in
# days)
CC_INTERVAL = Default: 7 [1-31]

However, the problem still remains: having that large an iptables setup will slow you down, so it's better done on dedicated hardware if possible. How powerful your server is and the amount of traffic you get will decide how feasible this is for you; low power and/or high traffic may make this option not a great idea.

The question I would ask, though, is why do you need to block such a large range of IPs? If it's just to stop attacks from them, it's probably better to just let CSF and LFD do their job and auto-block those attacking IPs, as they come and go fairly frequently, so your block list might not stay all-encompassing for very long, especially with botnets.

anthonysomerset
  • 3,983
  • 2
  • 20
  • 24
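One practical way to shrink a list like the 3500-entry one from the question before it goes anywhere near csf.deny is to collapse adjacent and overlapping CIDRs and then estimate the iptables rule count using the "4 times the number of IP's" figure from the csf.conf comment quoted above. This is an added example, not code from either poster or from CSF; the block list is constructed sample data, and the four-rules-per-entry multiplier and the default DENY_IP_LIMIT of 100 are taken from the text of the question.

```python
"""Collapse a country block list and estimate the iptables rules CSF would add."""
import ipaddress

# Constructed sample in the one-IP-or-CIDR-per-line style of a country list
# export (comments and blank lines allowed). Not a real country allocation.
SAMPLE_LIST = """
# constructed sample, not a real country list
203.0.113.0/25
203.0.113.128/25
198.51.100.0/24
198.51.100.77
192.0.2.0/24
192.0.2.0/26
10.0.0.1
"""

RULES_PER_ENTRY = 4  # csf.conf comment: "4 times the number of IP's"
DEFAULT_DENY_IP_LIMIT = 100  # CSF default DENY_IP_LIMIT from the question


def parse_blocks(text):
    """Return ip_network objects for every non-comment line of a deny list."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        # strict=False accepts host bits set, e.g. "198.51.100.77" -> /32
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def collapse_blocks(nets):
    """Merge adjacent/overlapping networks; v4 and v6 are collapsed separately."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def estimate_rules(nets):
    """iptables rules CSF will create for this many deny entries."""
    return len(nets) * RULES_PER_ENTRY


def within_deny_limit(nets, deny_ip_limit=DEFAULT_DENY_IP_LIMIT):
    """True if the entry count fits under DENY_IP_LIMIT without raising it."""
    return len(nets) <= deny_ip_limit


if __name__ == "__main__":
    raw = parse_blocks(SAMPLE_LIST)
    merged = collapse_blocks(raw)
    print(f"{len(raw)} entries -> {len(merged)} after collapsing")
    print(f"estimated iptables rules: {estimate_rules(raw)} -> {estimate_rules(merged)}")
    for net in merged:
        print(net)
```

Run it against the real export instead of SAMPLE_LIST to see how far collapsing alone brings the count down before deciding whether raising DENY_IP_LIMIT is worth the iptables overhead the config comment warns about.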