Stop Traffic From China
Igor
12 January 2010, 14:32
First let me thank you for all your hard work. Hiawatha is great webserver!
I have little question;
What is the best way to block all traffic from china?
My idea is using .hiawatha file (not to make hiawatha.conf file long like monday):
AccessList = deny 58.14.0.0/15, deny 58.16.0.0/13, deny 58.24.0.0/15, ...
list is long so I am wondering how hard on system this would be?
ty for your help,
Igor
Hiawatha version: 6.19
Operating System: ubuntu 8.xx
Hugo Leisink
12 January 2010, 15:12
A .hiawatha file is read and parsed everytime a file from the same directory is requested. So, to lower the load on your webserver, you better place the AccessList in your hiawatha.conf file. That file is parsed only once during startup.
I have know idea what the impact of that list will be on your server. I don't know how long your AccessList will be and what the processing power of your server is. The best way to find out is to try. You can use Apache's ab tool to stress test your server. Try it with the AccessList and without the AccessList.
I'm very curious about the results. So if you have any, please let me know.
Igor
12 January 2010, 19:26
You are correct .hiawatha file is not the way to go ...
test:
ab -n 1000 -c 5 http://192.168.1.2/speedtest2/speedtest.html
With .hiawatha file 45k in size:
Concurrency Level: 5
Time taken for tests: 3.790250 seconds
Complete requests: 1000
Failed requests: 0
Write errors: 0
Total transferred: 391000 bytes
HTML transferred: 178000 bytes
Requests per second: 263.83 [#/sec] (mean)
Time per request: 18.951 [ms] (mean)
Time per request: 3.790 [ms] (mean, across all concurrent requests)
Transfer rate: 100.52 [Kbytes/sec] received
Without:
Concurrency Level: 5
Time taken for tests: 0.253278 seconds
Complete requests: 1000
Failed requests: 0
Write errors: 0
Total transferred: 391000 bytes
HTML transferred: 178000 bytes
Requests per second: 3948.23 [#/sec] (mean)
Time per request: 1.266 [ms] (mean)
Time per request: 0.253 [ms] (mean, across all concurrent requests)
Transfer rate: 1504.28 [Kbytes/sec] received
will post data for AccessList inside hiawatha.conf later...
Hugo Leisink
13 January 2010, 09:30
45 kilobytes of AccessList entries.... hmmm.... I think you're going the wrong way. Why do you want to block all China actually?
Cristian Gilè
13 January 2010, 13:10
Why not use iptables directly? When a chinese IP source visit your website you could redirect it to a 404 error page.
Hugo Leisink
13 January 2010, 15:04
IP tables does not allow you to redirect HTTP traffic.
Igor
13 January 2010, 16:08
Ty for your help. On net I see two popular ways to block a country. One is with iptables and other with .htaccess file. I can for sure rule out .htaccess .
Why do it? In all my sites I see huge amount of traffic from China... I started new website for US schools and in two months I see raise of China scans and users. They simply do not belong there. Truth I do not want to block everyday China user. I want to stop mass scans and harvesters coming from there. Blocking them all is the last resort...
Hugo Leisink
13 January 2010, 16:12
You better block them via iptables. That's a lot faster than via Hiawatha.
Igor
13 January 2010, 16:33
Found this online. Wanted to add it here... Hiawatha sure is great!
Hiawatha.conf ->Stop China search engines: (add more if you have please)
DenyBot = BaiDuSpider:/
DenyBot = Baiduspider+:/
DenyBot = Yandex:/
DenyBot = Sogou web spider:/
DenyBot = Sogou-Test-Spider:/
Cristian Gilè
15 January 2010, 17:53
Sorry for my bad tip. You could drop packects coming from China with a simple iptables rule or you could redirect http traffic from a chinese IP to a secondary web server to show 404 error page.
This topic has been closed.