IP drop list

Reindl Harald h.reindl at thelounge.net
Mon Mar 2 18:03:00 UTC 2015


On 02.03.2015 at 18:56, Robert Schetterer wrote:
> perhaps, and I mean really "perhaps", go this way
>
> https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/
>
> https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/
>
> 45K+ IPs will work in a recent table
> I have them too, but for SMTP only, like
>
> echo 10000000 > /sys/module/xt_recent/parameters/ip_list_tot
>
> combining with geoip might be a good idea too
>
> it is far faster than fail2ban because no log file parsing is needed
>
> or another idea
> you might test: configure a syslog filter pumping into a recent table the
> direct way

that is all nice

but the main benefit of RBLs is always ignored:

* centralized
* no log parsing at all
* honeypot data is "delivered" to any host
* it's cheap
* it's easy to maintain
* it doesn't need any root privileges anywhere

we have a small honeypot network with a couple of IP ranges detecting
mass port-scans and so on, and this data is available *everywhere*

so if some IP hits there, it takes 60 seconds and any service supporting
DNS blacklists can block them *even before* the bot hits the real
mailserver at all
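A DNSBL lookup of the kind the reply relies on, as an added example that is not from this thread or from Dovecot: it builds the reversed-octet query name, resolves it, and treats only a 127.0.0.0/8 answer as a listing, so a parked zone's wildcard cannot block mail. The zone `bl.example.invalid`, the `resolve` hook and the `SAMPLE_DNS` table are assumptions constructed so the code runs offline.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Assumed placeholder zone; a real deployment would use its own DNSBL zone.
DEFAULT_ZONE = "bl.example.invalid"

# Constructed lookup table standing in for live DNS so the example runs offline.
SAMPLE_DNS: Dict[str, List[str]] = {
    "4.3.2.1.bl.example.invalid": ["127.0.0.2"],   # listed: honeypot hit
    "9.9.9.9.bl.example.invalid": ["10.0.0.1"],    # bogus answer, not a listing
}


def dnsbl_query_name(ip: str, zone: str = DEFAULT_ZONE) -> str:
    """Build the query name: IPv4 octets (or IPv6 nibbles) reversed, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))  # 32 hex nibbles
    return ".".join(reversed(labels)) + "." + zone


def _live_resolve(name: str) -> List[str]:
    """Resolve A records for name; NXDOMAIN (gaierror) means 'not listed'."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)]
    except socket.gaierror:
        return []


def dnsbl_listed(ip: str, zone: str = DEFAULT_ZONE,
                 resolve: Callable[[str], List[str]] = _live_resolve) -> Optional[str]:
    """Return the 127.0.0.x return code if ip is listed in zone, else None.

    Only answers inside 127.0.0.0/8 count: anything else (a wildcard from a
    dead or mistyped zone) must never cause a client to be rejected.
    """
    valid = ipaddress.ip_network("127.0.0.0/8")
    for answer in resolve(dnsbl_query_name(ip, zone)):
        try:
            if ipaddress.ip_address(answer) in valid:
                return answer
        except ValueError:
            continue
    return None


def sample_resolve(name: str) -> List[str]:
    """Offline resolver over the constructed table."""
    return SAMPLE_DNS.get(name, [])
```

Pass `sample_resolve` to `dnsbl_listed` to exercise the logic without network access; the default resolver does a real A lookup.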


