On 03/01/2015 08:53 AM, Jim Pazarena wrote:
I wonder if there is an easy way to provide dovecot a flat text file of ipv4 #'s which should be ignored or dropped?
I have accumulated 45,000+ IPs which routinely try dictionary and 12345678 password attempts. The file is too big to create firewall drops [...]
The inherent assumption here is that dovecot, using a "flat file", will be able to process the block list more effectively than the firewall, which is a tool written for the *purpose* but supposedly unable to even *try* due to the list's size. That sounds ... counterintuitive.
To clarify, the governing influence on performance of *most* firewalls is the average number of rules a packet has to be matched against, and the two main tools to help with that are (if I may use iptables lingo here) a) --state ESTABLISHED to get everything but the connection-initiating packets out of the way ASAP and b) branching tree-like into dedicated-purpose subchains, rather than building linear lists. Assuming that the IPs to be blocked are randomly distributed, I'd try something along the following lines:
[main chain]
    --state ESTABLISHED,RELATED -j ACCEPT
    -p tcp --dport pop3 -j dove-blocks
    -p tcp --dport imap -j dove-blocks

[subchain dove-blocks]
    -d 1.0.0.0/8 -j sub-1
    -d 2.0.0.0/8 -j sub-2
    ...
    -d 254.0.0.0/8 -j sub-254

[subchain sub-1]
    -d 1.2.0.0/16 -j sub-1-2      # We've seen 1.2.3.4 and 1.2.2.1 ...

[subchain sub-1-2]
    -d 1.2.2.1 -j DROP
    -d 1.2.3.4 -j DROP
Regards, J. Bern

On Monday 02 March 2015 05:02:49 Jochen Bern wrote:
I rather like this idea, but let me point out that this list should be pre-sorted with something that puts them in numerical order, and that order then pre-processed again to condense them into sequential blocks. And those sequential blocks are what you would present to iptables or ipset.
You might have to trigger a new sort & condense session each time a new address is harvested and added to the list, but on a busy server that would have to be much less of a cpu hog than just searching a flat random list for every access.
I use pop3 for access to 3 accounts, with mailfilter in front of fetchmail here, and occasionally will sort the reference files, and if a given class d address block gets hit several times, I re-arrange the regex to kill on "[xx.xx.xx'" alone, killing the whole class D. I watch the logs, and I don't recall that this policy has cost me a single message I should have received.
Cheers, Gene Heskett
"There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." -Ed Howdershelt (Author) Genes Web page <http://geneslinuxbox.net:6309/gene>
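The two suggestions in the thread, Gene's (sort the list numerically and condense runs into sequential blocks) and Jochen's (branch into per-/8 and per-/16 subchains instead of one linear list), fit together in one preprocessing step. The script below is an added example and not code from either poster: it parses a flat text file, collapses it into CIDR blocks with the standard library's ipaddress module, builds the chain tree, and then walks that tree the way the packet filter would to count how many rules a given source address actually hits, compared with a flat chain of the same entries. The sample list, the chain names, and the iptables-restore rendering are constructed for illustration; the rules match on the source address (-s) because the list holds the attacking clients, where Jochen's sketch writes -d. Nothing here touches a real firewall.

```python
"""Sort, condense and tree-structure a flat IPv4 block list (added example)."""
import ipaddress
from collections import defaultdict

# Constructed sample list: unsorted, with a duplicate, a junk line, a comment,
# a whole /8, and all 256 hosts of 1.2.2.0/24, which should collapse to one block.
SAMPLE_LIST = "\n".join(
    ["1.2.3.4", "198.51.100.7", "1.2.2.1", "not-an-ip", "# comment", "1.2.3.4"]
    + [f"1.2.2.{i}" for i in range(256)]
    + ["203.0.113.9", "10.0.0.0/8"]
)


def parse_list(text):
    """Parse a flat file of IPv4 addresses or CIDRs; skip blanks, comments and junk."""
    nets = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets.add(ipaddress.IPv4Network(line, strict=False))
        except ValueError:
            continue  # one malformed line must not abort the whole reload
    return sorted(nets)  # IPv4Network sorts numerically, not as strings


def condense(nets):
    """Collapse the sorted entries into the minimal covering list of CIDR blocks."""
    return list(ipaddress.collapse_addresses(nets))


def build_chains(blocks, base="dove-blocks"):
    """Branch the blocks into per-/8 and per-/16 subchains (Jochen's layout).

    Returns {chain: [rule, ...]} with iptables-style argument strings. Blocks of
    /8 or wider are dropped straight from the base chain, /9 to /16 from the
    per-/8 chain, anything narrower from the per-/16 chain.
    """
    chains = defaultdict(list)
    tree = defaultdict(lambda: defaultdict(list))  # first octet -> second octet -> blocks
    wide8 = defaultdict(list)                       # first octet -> blocks of /9../16
    for b in blocks:
        o1, o2 = b.network_address.packed[:2]
        if b.prefixlen <= 8:
            chains[base].append(f"-s {b.with_prefixlen} -j DROP")
        elif b.prefixlen <= 16:
            wide8[o1].append(b)
        else:
            tree[o1][o2].append(b)
    for o1 in sorted(set(tree) | set(wide8)):
        sub8 = f"sub-{o1}"
        chains[base].append(f"-s {o1}.0.0.0/8 -j {sub8}")
        for b in wide8[o1]:
            chains[sub8].append(f"-s {b.with_prefixlen} -j DROP")
        for o2 in sorted(tree[o1]):
            sub16 = f"sub-{o1}-{o2}"
            chains[sub8].append(f"-s {o1}.{o2}.0.0/16 -j {sub16}")
            for b in tree[o1][o2]:
                chains[sub16].append(f"-s {b.with_prefixlen} -j DROP")
    return dict(chains)


def lookup(chains, src, chain="dove-blocks"):
    """Walk the chains for source address `src` the way the kernel would.

    Returns (verdict, rules_examined); verdict is "DROP" or None on fall-through.
    """
    ip = ipaddress.IPv4Address(src)
    examined = 0
    for rule in chains.get(chain, []):
        examined += 1
        _, net, _, target = rule.split()
        if ip in ipaddress.IPv4Network(net):
            if target == "DROP":
                return "DROP", examined
            verdict, sub_examined = lookup(chains, src, target)
            examined += sub_examined
            if verdict:
                return verdict, examined
    return None, examined


def render(chains):
    """Emit the chains as filter-table lines in iptables-restore format."""
    out = ["*filter"] + [f":{c} - [0:0]" for c in chains]
    for c, rules in chains.items():
        out += [f"-A {c} {r}" for r in rules]
    out.append("COMMIT")
    return "\n".join(out)


if __name__ == "__main__":
    nets = parse_list(SAMPLE_LIST)
    blocks = condense(nets)
    chains = build_chains(blocks)
    print(render(chains))
    print(f"{len(nets)} entries -> {len(blocks)} blocks in {len(chains)} chains")
    flat = {"flat": [f"-s {n.with_prefixlen} -j DROP" for n in nets]}
    for src in ("1.2.3.4", "203.0.113.9", "9.9.9.9"):
        print(src, "tree:", lookup(chains, src), "flat:", lookup(flat, src, "flat"))
```

Re-running the script whenever the list grows, as Gene suggests, regenerates the whole tree; the rendered text can be loaded atomically with iptables-restore rather than appending rules one at a time.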