On 11/09/2010 10:59 PM, Eric Rostetter wrote:
Quoting David Ford david@blue-labs.org:
I'm not a proponent of fail2ban as I think going straight to the horse's mouth is wiser (keep it all in iptables in the first place).
I'm not a fan of fail2ban (tail/grep a log file, really?) but there are other options which do this kind of thing "better" and still allow iptables/routing to handle the issue.
If I establish a rate limit in iptables, then accounting and reaction never make it to userspace. Horribly more expensive, especially at the occurrence of a DoS attack. Unfortunately not an option in Tom's case.
I agree with Stan that your VPS provider is on the wal-mart list. If no other solution avails, code up a quick little ditty that does the actual socket listen. If the incoming IP matches an allow list, hand it off to dovecot as an exec(), if not, deal with it as you see fit - normally, dropping the packet on the floor.
That is a fine solution, if it meets their "package" requirements. If not, then something like pam_shield or a similar package may do. But even then, those types of packages may not meet the site's packaging requirements.
I can't believe a company with a packaging requirement runs Fedora though. That seems incongruous to me... Seems like they only have half a clue...
Agreed. A VPS should be fully functional. That's what 'VPS' implies. Not almost-but-not-quite-VPS.
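One way to build the allow-list front door David sketches above (accept the socket yourself, check the peer against an allow list, hand accepted connections to the real daemon, drop the rest), written here as an added example that is not from the thread; the allowed prefixes and the backend command are assumed placeholders, not a real dovecot configuration:

```python
#!/usr/bin/env python3
"""Allow-list front door for a TCP service (constructed example).

Accepts connections, checks the peer address against a list of CIDR
prefixes, and only then hands the socket to a backend process spawned per
connection, inetd-style (stdin/stdout are the connection). Everything else
is closed immediately, so a rejected peer costs one accept() and nothing more.
"""
import ipaddress
import socket
import subprocess
import sys

# Constructed allow list; replace with the site's real prefixes.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]

# Assumed backend command (placeholder): something that speaks the protocol on stdin/stdout.
BACKEND_CMD = ["/path/to/backend-login-process"]


def is_allowed(peer_ip: str, nets=ALLOWED_NETS) -> bool:
    """True if peer_ip lies inside any allowed prefix; unparsable input is denied."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def serve(listen_addr=("0.0.0.0", 1143), backend=BACKEND_CMD):
    """Accept loop: allowed peers get a backend process on their socket, others are dropped."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(listen_addr)
        srv.listen(64)
        while True:
            conn, (peer_ip, _port) = srv.accept()
            with conn:  # our copy of the socket closes on exit from this block
                if not is_allowed(peer_ip):
                    print(f"drop {peer_ip}", file=sys.stderr)
                    continue
                # Hand-off: the child inherits duplicates of the descriptor and talks
                # to the client directly; closing our copy does not affect it.
                subprocess.Popen(backend, stdin=conn.fileno(), stdout=conn.fileno())


if __name__ == "__main__":
    serve()
```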