Re: apache 'deny from' vs iptables

On Sat, Feb 02, 2008 at 05:55:01PM -0500, Dan MacNeil wrote:
> Would things be faster with iptables ?

Yes, I would think so. By denying them at the Apache level, a TCP connection must be setup whereas with iptables the connection would be denied prior to getting to the Apache server. By denying it at the kernel level (with iptables) you're saving Apache from having to deal with the request at all.

You might also look for patterns in the IP addresses to find out if there are subnets that can be denied with iptables rather than individual addresses. Obviously doing so can have unintended side effects if the subnet is too wide and you deny legitimate requests, so it's a trade-off.

Also, you might want to analyze the IPs that are being denied. Over time some of those entries are likely to become stale as the IP address owners change. You'll probably notice some patterns of IP addresses or networks that are always doing something bad while others are just one time hits.

Steve

-- 
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org