
Re: apache 'deny from' vs iptables



On Sat, Feb 02, 2008 at 05:55:01PM -0500, Dan MacNeil wrote:
> Would things be faster with iptables ?

Yes, I would think so.  By denying them at the Apache level, a TCP 
connection must be set up whereas with iptables the connection would be 
denied prior to getting to the Apache server.  By denying it at the 
kernel level (with iptables) you're saving Apache from having to deal 
with the request at all.

You might also look for patterns in the IP addresses to find out if 
there are subnets that can be denied with iptables rather than 
individual addresses.  Obviously doing so can have unintended side 
effects if the subnet is too wide and you deny legitimate requests, 
so it's a trade-off.

Also, you might want to analyze the IPs that are being denied.  Over 
time some of those entries are likely to become stale as the IP address 
owners change.  You'll probably notice some patterns of IP addresses or 
networks that are always doing something bad while others are just one 
time hits.

Steve
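Steve's suggestion of looking for subnets among the denied addresses, worked through as an added example that is not part of the thread: a small Python script (the sample config, the function names and the threshold knob are all constructed here) that pulls the `Deny from` entries out of an Apache config, groups the single hosts by /24, and emits the equivalent iptables rules, blocking a whole /24 only when at least `threshold` denied hosts fall inside it so the width of the net, and the risk of catching legitimate neighbours, is an explicit choice.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: the kind of list that accumulates in httpd.conf over time.
# Only full addresses and CIDR networks are handled (not partial IPs or hostnames).
SAMPLE_CONFIG = """\
<Directory /var/www>
    Order allow,deny
    Allow from all
    Deny from 203.0.113.7
    Deny from 203.0.113.42
    Deny from 203.0.113.199
    Deny from 198.51.100.25
    Deny from 192.0.2.0/24
</Directory>
"""

DENY_RE = re.compile(r"^\s*Deny\s+from\s+(\S+)", re.IGNORECASE | re.MULTILINE)

def parse_deny_entries(config_text):
    """Return the address or network string from every 'Deny from' line."""
    return DENY_RE.findall(config_text)

def group_by_prefix(entries, prefixlen=24):
    """Map each /prefixlen supernet to the single hosts denied inside it;
    entries that are already networks are returned separately."""
    hosts, nets = defaultdict(list), []
    for e in entries:
        if "/" in e:
            nets.append(ip_network(e, strict=False))
        else:
            addr = ip_address(e)
            hosts[ip_network(f"{addr}/{prefixlen}", strict=False)].append(addr)
    return hosts, nets

def iptables_rules(entries, prefixlen=24, threshold=3, chain="INPUT", dport=80):
    """Emit iptables DROP rules for port `dport`. A /prefixlen holding at least
    `threshold` denied hosts is dropped whole (the trade-off from the thread);
    smaller clusters stay as single-host rules so neighbours are not caught."""
    hosts, nets = group_by_prefix(entries, prefixlen)
    targets = list(nets)
    for supernet, addrs in hosts.items():
        if len(addrs) >= threshold:
            targets.append(supernet)
        else:
            targets.extend(ip_network(f"{a}/{a.max_prefixlen}") for a in addrs)
    return [f"iptables -A {chain} -s {t.with_prefixlen} -p tcp --dport {dport} -j DROP"
            for t in sorted(targets, key=lambda t: (t.version, t))]
```

Raising `threshold` (or lowering `prefixlen`) keeps more entries as single-host rules; the rules drop the SYN before a connection exists, so Apache never sees the request.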

