My website is USA based and offers a local service. My apache logs are filled with attacks from Korea, Germany, Russia, ... The fewer automated attacks i see in my logs, the happier i am.

What is the best way to ban blocks of IP addresses - meaning what option has the best performance. I do not want to bring my server down to a crawl.

Ways I have found (please suggest others too)
* iptables
* mod_security 1.9
* mod_access

I am planning on using the blocks obtained from
http://www.ipdeny.com/ipblocks/

Be careful blocking whole groups of IPs.

If you want to, you can use an Ipatables rule like this:
This will drop all connections on port 80 from any IP address starting 192.168.0

I hope this helps
--Ian

It sounds like you want to block IP addresses based on perceived attacks.

There are several packages that will automatically maintain iptables for you, based on attack patterns. "snort" might be the most prominent freely available package that does this (www.snort.org). Another package, "ipcop" is a package that includes snort, and wraps everything in a GUI to ease the whole thing for the end-user.

I use the iptables save/restore mechanisms because I'm an old gheezer. But I am considering snort to help detect attacks and add short-term rules to thwart them.

i'd like a smart way to do it because a banlist with 20K lines of ip masks is

ipcop is a firewall distro, i only have 1 box so i can't use it.

snort looks nice but i did not see anything that interfaces with iptables (at least a few months ago). there was something to change snort rules to modsec rules, not sure how production ready it is.

iptables will have better performance than the other methods you mentioned