IP drop list

[Jochen Bern]

On 03/01/2015 08:53 AM, Jim Pazarena wrote:
> I wonder if there is an easy way to provide dovecot a flat text file of
> ipv4 #'s which should be ignored or dropped?
> 
> I have accumulated 45,000+ IPs which routinely try dictionary and
> 12345678 password attempts. The file is too big to create firewall
> drops [...]

The inherent assumption here is that dovecot, using a "flat file", will
be able to process the block list more effectively than the firewall,
which is a tool written for the *purpose* but supposedly unable to even
*try* due to the list's size. That sounds ... counterintuitive.

To clarify, the governing influence on performance of *most* firewalls
is the average number of rules a packet has to be matched against, and
the two main tools to help with that are (if I may use iptables lingo
here) a) --state ESTABLISHED to get everything but the
connection-initiating packets out of the way ASAP and b) branching
tree-like into dedicated-purpose subchains, rather than building linear
lists. Assuming that the IPs to be blocked are randomly distributed,
I'ld try something along the following lines:

[main chain]
--state ESTABLISHED,RELATED -j ACCEPT
-p tcp --dport pop3 -j dove-blocks
-p tcp --dport imap -j dove-blocks

[subchain dove-blocks]
-d 1.0.0.0/8 -j sub-1
-d 2.0.0.0/8 -j sub-2
...
-d 254.0.0.0/8 -j sub-254

[subchain sub-1]
-d 1.2.0.0/16 -j sub-1-2	# We've seen 1.2.3.4 and 1.2.2.1
...

[subchain sub-1-2]
-d 1.2.2.1 -j DROP
-d 1.2.3.4 -j DROP

Regards,
								J. Bern
-- 
*NEU* - NEC IT-Infrastruktur-Produkte im <http://www.linworks-shop.de/>:
Server--Storage--Virtualisierung--Management SW--Passion for Performance
Jochen Bern, Systemingenieur --- LINworks GmbH <http://www.LINworks.de/>
Postfach 100121, 64201 Darmstadt | Robert-Koch-Str. 9, 64331 Weiterstadt
PGP (1024D/4096g) FP = D18B 41B1 16C0 11BA 7F8C DCF7 E1D5 FAF4 444E 1C27
Tel. +49 6151 9067-231, Zentr. -0, Fax -299 - Amtsg. Darmstadt HRB 85202
Unternehmenssitz Weiterstadt, Geschäftsführer Metin Dogan, Oliver Michel