<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body><pre>Hi Eric,
This is a rather shameless plug here, but I wrote an nginx module
designed to efficiently block (or filter) large numbers of IP addresses.
It's a two part system with the nginx module being
<a href="https://github.com/tmthrgd/nginx-ip-blocker" class="moz-txt-link-freetext">https://github.com/tmthrgd/nginx-ip-blocker</a> and a separate agent daemon
here <a href="https://github.com/tmthrgd/ip-blocker-agent" class="moz-txt-link-freetext">https://github.com/tmthrgd/ip-blocker-agent</a> . It uses shared memory
to store the IP addresses and binary search to iterate through them.
It might not work for your circumstance, but it just might.
Kind Regards,
Tom Thorogood.<br></pre><div><br></div>
<div>On Wed, 2 Nov 2016, at 09:13 AM, Cox, Eric S wrote:<br></div>
<blockquote type="cite"><div><span class="colour" style="color:black"><span class="font" style="font-family:Calibri,Arial,Helvetica,sans-serif"><span class="size" style="font-size:11pt">Unfortunately much like others have stated, we also don't have the automation at the firewall layer to move as quickly as we would like. So at the moment its not an option. <br> <br> <span class="colour" style="color:black">-----Original Message----- <br> <b>From:</b> Rainer Duffner [rainer@ultra-secure.de]<br> <b>Received:</b> Tuesday, 01 Nov 2016, 6:41PM<br> <b>To:</b> nginx@nginx.org [nginx@nginx.org]<br> <b>Subject:</b> Re: Blocking tens of thousands of IP's<br> <br> </span></span></span></span> </div>
<div><div><br></div>
<div><blockquote type="cite"><div>Am 01.11.2016 um 23:35 schrieb Cox, Eric S <<a href="mailto:eric.cox@kroger.com">eric.cox@kroger.com</a>>:<br></div>
<div><br></div>
<div><div style="font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;font-family:Calibri,Arial,Helvetica,sans-serif;font-size:11pt;"><span class="font" style="font-family:Calibri,Arial,Helvetica,sans-serif"><span class="size" style="font-size:11pt">Currently we track all access logs realtime via an in house built log aggregation solution. Various algorithms are setup to detect said IPS whether it be by hit rate, country,
known types of attacks etc. These IPS are typically identified within a few mins and we reload to banned list every 60 seconds. We just moved some services from apache where we were doing this without any noticable performance impact. Have this working in
nginx but was looking for general suggestion on how to optimize if at all possible.<span> </span></span></span><br></div>
</div>
</blockquote></div>
<div><br></div>
<div><br></div>
<div>Ah, if you already have the data pre-processed…<br></div>
<div><br></div>
<div>I’d move blocking to the host’s firewall, as suggested.<br></div>
<div><br></div>
<div>Long term, I want to do this (or at least be able to), too. <br></div>
<div><br></div>
<div>We (MSP) have a rather large number of firewalls and telling the network-guys „Block this IP at all of them“ does not work (it would probably take them the better part of the day).<br></div>
<div>They don’t believe in automation...<br></div>
</div>
<div><br></div>
<div><hr><span class="colour" style="color:Gray"><span class="font" style="font-family:Arial"><span class="size" style="font-size:small"><br>This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain information that is confidential and protected by law from unauthorized disclosure. Any unauthorized review, use, disclosure or distribution is
prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.<br> </span></span></span> </div>
<div><u>_______________________________________________</u><br></div>
<div>nginx mailing list<br></div>
<div><a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br></div>
<div><a href="http://mailman.nginx.org/mailman/listinfo/nginx">http://mailman.nginx.org/mailman/listinfo/nginx</a><br></div>
</blockquote><div><br></div>
</body>
</html>