
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   LINUX      Torvalds farts & fans know what he ate      8,232 messages   


   Message 5,311 of 8,232   
   Joaquim Homrighausen to Nelgin   
   Alternative(s) to ipset on OpenVZ   
   18 Dec 17 21:32:10   
   
    >>Does anyone know of an alternative to ipset for blocking IP ranges   
    >>of entire countries, that works with OpenVZ containers?   
      
    n> I wish...   
      
    n> I use fail2ban. OpenVZ containers have limited memory and you can   
    n> soon fill it up with all the subnets. With fail2ban you can block   
    n> the offenders easily. I have a "permaban" chain for those repeat   
    n> offenders.   
      
   Well, you can have some nicely sized containers if you want, but putting 500   
   000 drops (or rejects if you like them better) in an IPTABLE chain is perhaps   
   not a wise thing for anyone, thus the need for ipset.   
      
   Permaban is a good idea, until an IP range is re-assigned to someone else of   
   course :), but then again, I think it's better to err on the inclusive side in   
   this case.   
      
   It annoys me that ISPs don't have this as a service, and I'm quite surprised   
   they don't actually. I can understand the fact that they don't want to   
   subscribe to something like Cyren or similar, but they could quite easily do   
   it on their own.   
      
      
    -joho   
      
   ---   
    * Origin: code.code.code (2:20/4609)   
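
The contrast drawn in the message above, between a chain of 500 000 separate drop rules and a single ipset, as an added example that is not part of the original message. It assumes a host where the ipset kernel module is available (which the thread says is the problem inside OpenVZ containers); the set name `geoblock`, the sample ranges and the timeout value are constructed for illustration. The timeout lets entries age out, which addresses the point about ranges being re-assigned.

```python
import ipaddress

# Constructed sample (RFC 5737 documentation ranges), standing in for a
# per-country allocation list. Not real country data.
SAMPLE_RANGES = """\
192.0.2.0/25
192.0.2.128/25       # adjacent to the line above, merges into one /24
198.51.100.0/24
198.51.100.64/26     # already covered by the /24 above
203.0.113.0/24
not-a-cidr
"""

def parse_ranges(text):
    """Return (networks, rejected_lines); blank lines and # comments are skipped."""
    nets, bad = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            bad.append(line)  # surface bad input instead of loading it
    return nets, bad

def build_restore(nets, set_name="geoblock", timeout=0):
    """Build input for `ipset restore -exist` from IPv4 networks.

    Overlapping and adjacent ranges are merged first, so the set holds
    the minimum number of entries. timeout (seconds) > 0 makes entries
    expire unless refreshed.
    """
    merged = list(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    header = f"create {set_name} hash:net family inet maxelem {max(65536, len(merged))}"
    if timeout:
        header += f" timeout {timeout}"
    return "\n".join([header] + [f"add {set_name} {n}" for n in merged]) + "\n"

def match_rule(set_name="geoblock"):
    """The one iptables rule that replaces a per-range DROP chain."""
    return f"iptables -I INPUT -m set --match-set {set_name} src -j DROP"

if __name__ == "__main__":
    networks, rejected = parse_ranges(SAMPLE_RANGES)
    print(build_restore(networks, timeout=86400), end="")
    print(match_rule())
    print("rejected:", rejected)
```
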



(c) 1994,  bbs@darkrealms.ca