On 04.03.2015 at 23:00, Felix Zandanel wrote:
I am not against block lists. I just say their use should be justified as they may decrease overall service quality as well. There is another solution for auth based services: As soon as you detect a possible attack (# auth reqs > x etc.), keep the connection open, slow it down and just never let it succeed regardless of the credentials provided. This is done on a per-connection basis. No block list needed. Can be accomplished with fail2ban and iptables and therefore uses minimal server resources.
Well, I have iptables rate controls which block most dictionary attacks and small DoS attacks perfectly well,
but that won't change the fact that if a large dictionary attack starts from an IP address and that IP is a CGN, it *would* affect users from the same IP anyway.
And since this is a fact, it is reasonable to
- enter that IP in the web interface feeding rbldnsd
- enter in the second field 1800 seconds or whatever value
- apply it that way for any service supporting RBLs
- release that lock automatically after X seconds
Security and defense is always layered, but such things don't work well if half of the mail subsystems need special handling.
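The procedure above (list the IP, give it 1800 seconds, release it automatically) needs something outside rbldnsd to do the expiry, since rbldnsd itself only serves whatever is in the zone file. The following is an added example, not code from this thread, from rbldnsd or from any web interface mentioned here: a small Python class that keeps time-limited entries and renders them as an rbldnsd ip4set dataset, dropping expired addresses each time the file is regenerated. The default A record 127.0.0.2 and the TXT wording are assumptions; the 1800 second default is the value quoted in the message.

```python
"""Time-limited RBL entries rendered as an rbldnsd ip4set zone file.

Added example for the thread above; not code from the thread or from
rbldnsd. rbldnsd does not expire entries on its own, so a caller has to
rewrite the zone file periodically and drop expired lines. This class does
that bookkeeping; the ':A:TXT' default-value line and the one-address-per-
line layout follow the ip4set format, the A record and TXT text are
assumptions.
"""
import ipaddress
import time

DEFAULT_TTL = 1800  # seconds, the value quoted in the thread


class ExpiringRbl:
    def __init__(self, a_record="127.0.0.2",
                 txt="temporary listing of $ after auth flood"):
        # Assumed defaults: rbldnsd substitutes "$" in TXT with the listed IP.
        self.a_record = a_record
        self.txt = txt
        self._expiry = {}  # ip string -> unix time when the listing ends

    @staticmethod
    def _now(now):
        return time.time() if now is None else now

    def add(self, ip, ttl=DEFAULT_TTL, now=None):
        """List ip for ttl seconds; re-listing an active IP extends it.

        Returns the expiry time. Only IPv4 is accepted because the output is
        an ip4set dataset.
        """
        addr = ipaddress.ip_address(ip)
        if addr.version != 4:
            raise ValueError("ip4set datasets carry IPv4 only: %s" % ip)
        if ttl <= 0:
            raise ValueError("ttl must be positive")
        until = self._now(now) + ttl
        key = str(addr)
        self._expiry[key] = max(self._expiry.get(key, 0), until)
        return self._expiry[key]

    def purge(self, now=None):
        """Drop entries whose time is up; returns the released IPs (sorted)."""
        t = self._now(now)
        released = [ip for ip, until in self._expiry.items() if until <= t]
        for ip in released:
            del self._expiry[ip]
        return sorted(released, key=ipaddress.IPv4Address)

    def active(self, now=None):
        """IPs still listed at time now, sorted numerically."""
        t = self._now(now)
        return sorted((ip for ip, until in self._expiry.items() if until > t),
                      key=ipaddress.IPv4Address)

    def render(self, now=None):
        """ip4set text: comment header, ':A:TXT' default line, then one IP per line.

        Expired entries are left out, so writing this text to the zone file
        on a timer is what 'release the lock automatically' amounts to.
        """
        t = self._now(now)
        lines = [
            "# generated at %d; regenerate regularly, entries are time-limited" % int(t),
            ":%s:%s" % (self.a_record, self.txt),
        ]
        for ip in self.active(t):
            lines.append("# %s listed until %d" % (ip, int(self._expiry[ip])))
            lines.append(ip)
        return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: two CGN-style source addresses (RFC 5737 ranges).
    rbl = ExpiringRbl()
    rbl.add("192.0.2.5", now=1000)            # default 1800 s
    rbl.add("198.51.100.7", ttl=60, now=1000)  # shorter block
    print(rbl.render(now=1030))
    print("released at t=1061:", rbl.purge(now=1061))
```

In practice a cron job or the web interface backend would call `purge()`, write `render()` to the rbldnsd zone file and let rbldnsd pick up the change; since the block is time-limited, the CGN side effect the message acknowledges lasts only as long as the configured window.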