IP drop list

Michael Orlitzky michael at orlitzky.com
Wed Mar 4 19:12:20 UTC 2015


On 03/03/2015 11:03 PM, Earl Killian wrote:
> On 2015/3/2 10:03, Reindl Harald wrote:
>>
>> that is all nice
>>
>> but the main benefit of RBLs is always ignored:
>>
>> * centralized
>> * no log parsing at all
>> * honeypot data are "delivered" to any host
>> * it's cheap
>> * it's easy to maintain
>> * it doesn't need any root privileges anywhere
>>
>> we have a small honeypot network with a couple of IP ranges detecting
>> mass port-scans and so on, and this data is available *everywhere*
>>
>> so if some IP hits there it takes 60 seconds and any service
>> supporting DNS blacklists can block them *even before* the bot hits
>> the real mailserver at all
>>
> I would like to reiterate Reindl Harald's point above, since subsequent
> discussion has gotten away from it. If Dovecot had DNS RBL support
> similar to Postfix, I think quite a few people would use it, and thereby
> defeat the scanners far more effectively than any other method. It is
> good that other people are suggesting things that will work today, but
> in terms of what new feature would be the best solution, I can't think
> of one better than a DNS RBL.

Please add this support to iptables instead of Dovecot. It's a waste of
effort to code it into every application that listens on the network.

Combined with "--ctstate NEW" and a chain for IMAP packets, it would be
no less efficient.
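The DNSBL lookup that the thread wants Dovecot (or, per this reply, iptables) to perform, shown as an added example that is not part of any message in the thread. The zone name bl.example.invalid and its records are constructed; the resolver callable is injected so the logic can be exercised without a live list.

```python
import ipaddress
import socket
from typing import Callable, List, Optional

# A resolver maps a query name to its A-record answers ([] on NXDOMAIN).
Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name for an IPv4 or IPv6 address.

    IPv4: octets are reversed (1.2.3.4 -> 4.3.2.1.<zone>.).
    IPv6: the 32 hex nibbles of the expanded address are reversed and
    dot-separated, as DNSBLs that list IPv6 addresses expect.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = list(reversed(str(addr).split(".")))
    else:
        labels = list(reversed(addr.exploded.replace(":", "")))
    return ".".join(labels) + "." + zone.rstrip(".") + "."


def system_resolver(name: str) -> List[str]:
    """Default resolver: the host's stub resolver (needs network access)."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)]
    except socket.gaierror:
        return []


def dnsbl_check(ip: str, zone: str, resolve: Resolver = system_resolver) -> Optional[str]:
    """Return the 127.0.0.x listing code if `ip` is listed in `zone`, else None.

    Only answers inside 127.0.0.0/8 count as a listing: an abandoned or
    parked zone can answer every name with a public address, and a
    client that accepted any A record would then block every sender.
    """
    for answer in resolve(dnsbl_query_name(ip, zone)):
        if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
            return answer
    return None


# Constructed stand-in for a DNSBL zone (not a real list): two listed hosts.
FAKE_ZONE = "bl.example.invalid"
FAKE_RECORDS = {
    "4.3.2.1." + FAKE_ZONE + ".": ["127.0.0.2"],
    ".".join(["0"] * 24 + list("8bd01002")) + "." + FAKE_ZONE + ".": ["127.0.0.4"],
}


def fake_resolver(name: str) -> List[str]:
    return FAKE_RECORDS.get(name, [])
```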
