Re: apache 'deny from' vs iptables
On Sat, Feb 02, 2008 at 05:55:01PM -0500, Dan MacNeil wrote:
> Would things be faster with iptables ?
Yes, I would think so. By denying them at the Apache level, a TCP
connection must be setup whereas with iptables the connection would be
denied prior to getting to the Apache server. By denying it at the
kernel level (with iptables) you're saving Apache from having to deal
with the request at all.
You might also look for patterns in the IP addresses to find out if
there are subnets that can be denied with iptables rather than
individual addresses. Obviously doing so can have unintended side
effects if the subnet is too wide and you deny legitimate requests,
so it's a trade-off.
Also, you might want to analyze the IPs that are being denied. Over
time some of those entries are likely to become stale as the IP address
owners change. You'll probably notice some patterns of IP addresses or
networks that are always doing something bad while others are just one
time hits.
Steve
Reply to: