On 2015-03-02 2:02 AM, Jochen Bern wrote:
> On 03/01/2015 08:53 AM, Jim Pazarena wrote:
>> I wonder if there is an easy way to provide dovecot a flat text file of ipv4 #'s which should be ignored or dropped?
>> I have accumulated 45,000+ IPs which routinely try dictionary and 12345678 password attempts. The file is too big to create firewall drops [...]
>
> The inherent assumption here is that dovecot, using a "flat file", will be able to process the block list more effectively than the firewall, which is a tool written for the *purpose* but supposedly unable to even *try* due to the list's size. That sounds ... counterintuitive.

I am the original poster and just came back to this thread. When the first couple replies were "fail2ban" I lost interest.
The reason I contemplated a flat text scan by dovecot is because, for the most part, my dovecot is low volume. So even if parsing a flat text file is less 'efficient' than a firewall insertion, it WOULD serve to defeat dictionary attacks rather readily. I already have a routine which scans my dovecot logs for goofy attacks such as dictionary or 12345 attempts. And since the attacks are pop/IMAP only, that is the only avenue which I wanted to defeat.
This question garnered lots and lots of responses and I appreciate them all and read them all. And out of all the responses I think I will pursue the ipset routine. It seems easy enough and can act at the firewall level. The DNS RBL would be cool.
I am also cognizant that 45,000 SHOULD have a TTL. However, these were IPs attempting to fetch email with obviously hacker type passwords. If, later, a given IP is re-assigned to a 'legitimate' person, they would still be able to send an email to me ' postmaster@ ' asking about an inability to fetch email.
But parsing the flat text file would STILL be my preference. I'll look at the source and see if I can figure out where to inject such code. Like I said, my dovecot is low volume, so a fraction of a second at connection time is low impact. Considering that the flat text file may hang around in the memory cache it could even be less impact than low.
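
The ipset route mentioned in the message above, as an added example that is not part of the original thread: a shell function that turns a flat file of IPv4 addresses into `ipset restore` input, with a per-entry timeout serving as the TTL. The set name, the 30-day timeout, the `maxelem` headroom and the file name `badips.txt` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): flat IPv4 list -> `ipset restore` input.
SET_NAME="dovecot_block"   # hypothetical set name
TTL=2592000                # assumed entry lifetime: 30 days, in seconds
MAXELEM=131072             # assumed headroom above the 45,000+ entries

# Print restore commands for every valid, unique IPv4 address in file $1.
# Blank lines, '#' comments and malformed entries are skipped silently.
gen_ipset_restore() {
    printf 'create %s hash:ip family inet maxelem %s timeout %s\n' \
        "$SET_NAME" "$MAXELEM" "$TTL"
    awk -v set="$SET_NAME" '
        { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }   # strip comments, whitespace
        $0 == "" { next }
        {
            if (split($0, o, ".") != 4) next
            for (i = 1; i <= 4; i++)
                if ((o[i] !~ /^[0-9]+$/) || (length(o[i]) > 3) || (o[i] + 0 > 255))
                    next
            # Normalise octets (005 -> 5) so duplicates collapse to one entry.
            ip = (o[1] + 0) "." (o[2] + 0) "." (o[3] + 0) "." (o[4] + 0)
            if (!(ip in seen)) { seen[ip] = 1; print "add " set " " ip }
        }' "$1"
}

# Typical use, as root (commented out so sourcing this file changes nothing):
#   gen_ipset_restore badips.txt | ipset -exist restore
#   iptables -I INPUT -p tcp -m multiport --dports 110,143,993,995 \
#            -m set --match-set dovecot_block src -j DROP
# With -exist, re-adding an address that is already in the set resets its
# timeout, so the log-scanning routine can re-feed the list on each run and
# addresses that stop appearing age out on their own.
```

A `hash:ip` set is looked up by hash, so a single iptables rule covers the whole list regardless of its size.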