Where to find and how to block blacklisted IPs and proxies?

Solution 1:

There's an excellent howto for installing MoBlock on your server; it's written for Ubuntu, but the directions can be adapted for any distribution. This is a tool which lets you load arbitrary blocklists and translates them into firewall rules, so your server can discard the traffic quickly and efficiently long before Apache has to bother with it.

As for the blocklists themselves, there's the BISS IP Blocklists; they're mostly geared towards blocking entities that attempt to monitor peer-to-peer traffic, which they do quite well. They do however have a "Tor / proxy" list which purports to block open proxies and Tor routers, but I can't make any particular claim as to its accuracy or efficacy.

I also found a program called DDoS-Deflate which purports to automatically add firewall rules to block high-connection sources, but again, I've never used it myself so I can't tell you how well it works.

Finally, apparently iptables has a hitcount command that automatically rate-limits incoming connections:

sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP

This would limit incoming SSH connections to 8 per 60 seconds, and is already built-in.
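As an added illustration (not part of the answer above, and not MoBlock's own code) of what "translating a blocklist into firewall rules" means in practice, the script below turns a range list into iptables rules. It assumes the list uses the "name:first-last" line format common to P2P-style blocklists, and uses the iptables iprange match; the sample list is constructed.

```shell
#!/bin/sh
# Constructed sample blocklist in the assumed "name:first-last" range format.
# Lines starting with '#' are comments; addresses are documentation ranges.
SAMPLE_LIST='# constructed sample, not a real blocklist
Open proxy example:192.0.2.10-192.0.2.20
Tor exit example:198.51.100.5-198.51.100.5
'

# Read a range list on stdin and emit one iptables DROP rule per range on
# stdout. Nothing is applied here; review the output, then pipe it to sh.
blocklist_to_rules() {
    grep -v '^#' | grep ':' | while IFS= read -r line; do
        range=${line##*:}      # text after the last colon: first-last
        first=${range%-*}      # start of the range
        last=${range#*-}       # end of the range
        printf 'iptables -A INPUT -m iprange --src-range %s-%s -j DROP\n' \
            "$first" "$last"
    done
}

# Dry run: print the rules that would be loaded for the sample list.
printf '%s' "$SAMPLE_LIST" | blocklist_to_rules
```

Only the rules are printed; applying them (or loading the same ranges into an ipset for large lists) is a separate, deliberate step.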