So I just collected about 29,000 IPs that were up to no good from one of my websites log files.
- I created a new deny_host_custom.rules file (using the deny_host.rules as a template) and dumped in this file.
- I pointed to this file with a new $DENY_HOST_CUSTOM var in the internals.conf file
- I then edited the function.apf file to include the code to read this file
Problem is, I think it worked because I restarted APF 5 mins ago and it’s still “Starting APF:”. I guess every time I restart it has to read this file in? Is there a better way to do this?
I know one way is blocking chunks of networks instead of 29,000 individuals IPs, but not sure how I could generate that from my 29k list?
Any advice you can give would be welcome!
What I did was put this list into Excel. Then I broke the IP into 4 columns. I then did a remove duplicates on the first 2 columns combine. I then put 0’s in the last 2 columns and added a /16 onto the end. So I’m blocking more IPs then I had intended, but I’m still pretty sure I’ll be safe with this block list. This took the list down from 29k to about 5k.
I hope you don’t mind but have you seen this post, which gives some good program’s to do what I think you want to do very well, and it’s automated, as you can set it to read different logs.
I’m sorry if you have already read the post, which I think you may have and your post about reducing your ip list is good.
I have not seen that post, but have heard of BFD. I guess it might be time to get going on that!
On a related note, do you know where APF saves it’s block logs in the InterWorx setup?
To be honest I’ve never had reason to look before for apf list but I’m guessing it would be defaults, etc/apf/
Also, I seem to remember that with apf, depending upon where the rules lie, it might be possible for a blocked ip or cidr allowed through, but I am tired sorry and could be entirely wrong sorry.
I hope that helps a little