Old 10-31-2022, 12:42 PM   #1
Jason_25
Member
 
Registered: Nov 2001
Posts: 180

Rep: Reputation: 23
Better to use hosts.deny or ipset/iptables or route to block large numbers of hosts?


I am trying to decide between using hosts.deny and ipset/iptables or the route command for blocking botnets and things like that.

I came to find out that SSH and possibly Apache do not use the tcpwrappers mechanism that hosts.deny uses to block hosts. It looks like this approach is not used often anymore and it looks like it requires starting the services like in the old days with xinetd and it may not even work? What is really weird is if you check this issue here it was not long ago and it worked with the hosts.deny file?:
https://github.com/Ultimate-Hosts-Bl...ist/issues/588
Should hosts.deny be working or not on a modern Linux server?
This is the preferred route if it will work.
Since it is getting complicated anyway, I will ask a further question:
Should hosts.deny be working on a virtualizations server like Proxmox for the VM guests if the host has the hosts.deny?

As for using iptables my wild idea was to get the hosts0.deny file from here:
https://github.com/Ultimate-Hosts-Bl...osts.Blacklist
and use "cut" to get just the IP addresses which worked ok. But when using ipset to feed the addresses into a table I get:
"ipset v7.10: hash is full cannot add more elements".
I do see some addresses in that list that are connecting to my servers so it would help to use it.

I also read that using the "route" command to block addresses would incur less of a performance penalty than using iptables but I do not see a way to quickly add addresses in the way that ipset does. The blacklist file is 7.8M after being processed by cut so it would take some time to load by script.

I wanted to rule out using a hardware appliance/firewall or other computer in front of this one. I also wanted to rule out using application level blocking because I know that will not scale with so many addresses needing to be blocked.

Philosophically, are we getting to the point that one computer cannot "comprehend" the entire internet at once? Yet we are going to add even more IP addresses with IPv6?
 
Old 10-31-2022, 01:05 PM   #2
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,310
Blog Entries: 3

Rep: Reputation: 3722
Quote:
Originally Posted by Jason_25 View Post
Should hosts.deny be working or not on a modern Linux server?
No. You should not see hosts.deny or hosts.allow any more. The early 1990s have long since passed and tcpwrappers aka tcpd was rendered unnecessary with the later arrival of ipchains. The kernel has subsequently moved on past ipchains, through iptables, and on to nftables. nftables has more functionality in the area you are asking about compared to iptables and, at least to me, is much easier to use. It is also where the development is happening; little to no development is happening to iptables while it waits for an official deprecation announcement.

Therefore nftables is what you should use to block large numbers of networks or IP addresses.

https://wiki.nftables.org/

https://wiki.nftables.org/wiki-nftab..._in_10_minutes

The function you would be looking for there would be named sets.

I've been using it with some AWK scripts which pull IPv4 addresses (several ISPs in use don't seem to have IPv6 set up yet) from various log files, verify the format, and then call nft to add the address to a named set.

Which distro will this be for?
 
1 members found this post helpful.
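An added example, not from the thread or either poster, that ties the two posts together: filter a hosts0.deny-style list down to syntactically valid IPv4 entries (the "verify the format" step Turbocapitalist mentions) and emit either an nft batch that loads them into a named set, or an `ipset restore` file whose `maxelem` is raised up front, since that limit is what the "hash is full" error in post #1 is about. The sample input, the table and set names, and the 1000000 element ceiling are constructed for the example.

```shell
#!/bin/sh
# Constructed sample in the shape of the thread's hosts0.deny file (ALL: <ip>),
# including junk and a duplicate that a plain "cut" would pass through.
SAMPLE_BLOCKLIST='ALL: 192.0.2.10
ALL: 198.51.100.7
ALL: 999.1.1.1
ALL: 203.0.113.0/24
not an address
ALL: 192.0.2.10'

# Keep only syntactically valid IPv4 addresses or address/prefix entries from
# stdin (each octet 0-255, prefix 0-32) and drop duplicates.
extract_ipv4() {
    awk '{
        for (i = 1; i <= NF; i++) {
            s = $i
            n = split(s, parts, "/")
            if (n > 2) continue
            if (n == 2 && (parts[2] !~ /^[0-9]+$/ || parts[2] + 0 > 32)) continue
            if (split(parts[1], o, ".") != 4) continue
            ok = 1
            for (j = 1; j <= 4; j++)
                if (o[j] !~ /^[0-9]+$/ || o[j] + 0 > 255) ok = 0
            if (ok && !seen[s]++) print s
        }
    }'
}

# nft batch for `nft -f`: a named set with interval support (so /24 entries
# work) and an input rule dropping packets whose source is in the set.
nft_batch() {
    set_name="${1:-blocklist}"
    elems=$(extract_ipv4 | awk 'NR > 1 { printf ", " } { printf "%s", $0 }')
    printf 'table inet filter {\n  set %s {\n    type ipv4_addr\n    flags interval\n' "$set_name"
    [ -n "$elems" ] && printf '    elements = { %s }\n' "$elems"
    printf '  }\n  chain input {\n    type filter hook input priority 0; policy accept;\n'
    printf '    ip saddr @%s drop\n  }\n}\n' "$set_name"
}

# Same list as `ipset restore` input. The "hash is full" error means the
# set's maxelem (default 65536) was hit, so declare a bigger one up front.
ipset_restore() {
    set_name="${1:-blocklist}"
    printf 'create %s hash:net family inet hashsize 65536 maxelem 1000000 -exist\n' "$set_name"
    extract_ipv4 | awk -v s="$set_name" '{ print "add " s " " $0 " -exist" }'
}

printf '%s\n' "$SAMPLE_BLOCKLIST" | nft_batch
```

Load the nft output with `nft -f FILE` (pick a table name that does not collide with one already in use) and the ipset output with `ipset restore < FILE`; both load the whole list in one kernel round trip instead of one command per address.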
Old 11-01-2022, 09:18 AM   #3
Jason_25
Member
 
Registered: Nov 2001
Posts: 180

Original Poster
Rep: Reputation: 23
I ended up choosing a different method for each of my gateways that can host servers.

With the Linux gateway I did use hosts.deny. Testing showed that hosts.deny works to block SSH connections on the gateway itself. Testing showed that hosts.deny on a Proxmox host does not block Apache or SSH for guests. Testing showed that hosts.deny on the guest does not block Apache on the guest. Note that these blocked connections will still show up in iftop on the Linux gateway. It was not clear at what network level things were happening because being an application iftop should not see blocked connections but it is reaching down below the layer 7 level to do the work that it does. tcpwrappers is probably high in the stack like level 5 or 6 anyway. I was actually ok with the way hosts.deny is working here because the Linux gateway is a fallback gateway and should not be doing much web routing.

For the main PFSense gateway I used a block list and did not use the PFblockerNG plugin because I did not want to add extra software for one thing. That procedure is detailed here:
https://linuxincluded.com/using-firewall-block-lists/
Obviously this blocks everything at a lower level.

Neither of these methods is a perfect solution because rogue IP addresses are popping up all the time. But my monitoring systems are quieter now and networks like shodan.io and recyber.net are being kept at bay. I am still seeing requests from IP addresses inside random hosting providers but nothing organized now. This is but a layer of security inside other layers of security.

It is pretty clear that messing with the route command or using iptables for this is the wrong approach. It is also clear that a trustworthy hardware firewall or semi-hardware firewall like PFSense is the best approach if time and money and space and power and configuration patience will allow for it.

Turbocapitalist, thank you for adding to the information in this thread. It is good to know that there is a more performant solution for Linux than the ones I have used.
 