[Dovecot] SSL renegotiation vulnerability

Ed W lists at wildgooses.com
Thu Oct 27 11:25:21 EEST 2011


On 26/10/2011 10:01, Robert Schetterer wrote:
> the most problem is see , not everybody can use fail2ban on his servers
> by keeping out dummy auth users over nat ( I have such case )
>
> anyway, firewalls should slow down ddos attacks, which might cause other
> problems than *g, but for sure not from one ip
...
>
> just a few thoughts.., for sure, best way would be, getting it fixed

If you google (I think it was on slashdot), I saw a couple of posts with
a simple iptables rule with some rate limits attached to it.  Clearly
you could also read the iptables instructions and figure it out for
yourself, but just highlighting that even the footwork has been done if
you want copy/paste.

I think it's generally not such a bad idea to, say, limit tcp connections
per second from a source IP.  There are plenty of big services that
might not be able to implement this as a blanket, but for many shops it
could probably be just added as a default for the server...

Cheers

Ed W
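As an added illustration of the per-source-IP connection rate limit Ed describes (this is example code, not from the post or from the Dovecot project), the script below generates iptables rules for the Dovecot service ports using the hashlimit and conntrack match modules. The ports (110/143/993/995), the threshold of 10 new connections per second with a burst of 20, and the allowlisted NAT range 203.0.113.0/24 are all assumptions chosen for the example; the allowlist function exists because, as Robert notes, legitimate users behind a shared NAT address can otherwise trip a blanket limit. The rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): generate iptables rules
# that rate-limit NEW TCP connections per source IP to Dovecot's ports.
# Assumptions (not in the post): ports 110/143/993/995, a limit of
# 10 new connections/second with a burst of 20 per source address, and an
# iptables build that provides the hashlimit and conntrack match modules.

# build_rate_limit_rules PORTS RATE BURST
#   PORTS: space-separated TCP ports, RATE/BURST: hashlimit syntax.
# Prints one rule per port; nothing is applied until the output is piped to sh.
build_rate_limit_rules() {
    ports="$1"; rate="$2"; burst="$3"
    # Only connection attempts (ctstate NEW) count; established IMAP/POP3
    # sessions are not touched, so a rate-limited client keeps its mailbox open.
    fmt='iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW'
    fmt="$fmt -m hashlimit --hashlimit-name dovecot-%s --hashlimit-mode srcip"
    fmt="$fmt --hashlimit-above %s --hashlimit-burst %s -j DROP\n"
    for port in $ports; do
        printf "$fmt" "$port" "$port" "$rate" "$burst"
    done
}

# build_allowlist_rules PORTS CIDR
# Inserts ACCEPT rules at the top of INPUT for a trusted source range
# (e.g. an office NAT gateway) so its users are exempt from the limit.
build_allowlist_rules() {
    ports="$1"; cidr="$2"
    for port in $ports; do
        printf 'iptables -I INPUT -p tcp --dport %s -s %s -j ACCEPT\n' \
            "$port" "$cidr"
    done
}

# Number of rules a given port list would produce (quick sanity check).
count_rules() {
    build_rate_limit_rules "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Review the output, then apply with e.g.:
#   { build_allowlist_rules "110 143 993 995" 203.0.113.0/24;
#     build_rate_limit_rules "110 143 993 995" 10/second 20; } | sudo sh
build_allowlist_rules "110 143 993 995" "203.0.113.0/24"   # constructed range
build_rate_limit_rules "110 143 993 995" "10/second" "20"
```

Once applied, `iptables -L INPUT -v -n` shows per-rule packet counters, which is the quickest way to confirm the limit is actually matching and to see whether a legitimate NAT range is being dropped and needs adding to the allowlist.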

