[Dovecot] need to block user by IP address (tried denyhosts, xinetd, iptables etc)

David Ford david at blue-labs.org
Wed Nov 10 06:04:14 EET 2010


On 11/09/2010 10:59 PM, Eric Rostetter wrote:
> Quoting David Ford <david at blue-labs.org>:
>
>> I'm not a proponent of fail2ban as I think going straight to the horse's
>> mouth is wiser (keep it all in iptables in the first place).
>
> I'm not a fan of fail2ban (tail/grep a log file, really?) but there
> are other options which do this kind of thing "better" and still
> allow iptables/routing to handle the issue.

if i establish a rate limit in iptables, then accounting and reaction
never make it to userspace.  horribly more expensive, especially at the
occurrence of a DoS attack.  unfortunately not an option in Tom's case.

>> I agree
>> with Stan that your VPS provider is on the wal-mart list.  If no other
>> solution avails, code up a quick little ditty that does the actual
>> socket listen.  If the incoming IP matches an allow list, hand it off to
>> dovecot as an exec(), if not, deal with it as you see fit - normally,
>> dropping the packet on the floor.
>
> That is a fine solution, if it meets their "package" requirements.
> If not, then something like pam_shield or a similar package may do.
> But even then, those types of packages may not meet the site's packaging
> requirements.
>
> I can't believe a company with a packaging requirement runs a Fedora
> though.
> That seems incongruous to me...  Seems like they only have half a clue...
>

agreed.  a VPS should be fully functional.  that's what 'VPS' implies.
not almost-but-not-quite-VPS.
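The "quick little ditty that does the actual socket listen" from the quoted reply, written out as an added example that is not part of this thread and not Dovecot's own code. It accepts connections, drops any peer outside an allow list, applies a per-IP sliding-window rate limit (a userspace stand-in for the kernel-side accounting David prefers in iptables, which is cheaper under a DoS), and hands accepted connections to an inetd-style handler on stdin/stdout via fork and exec. The allow list, the listening port and the handler path `HANDLER_ARGV` are constructed placeholders; whether a given Dovecot binary can be driven this way is not something this example asserts.

```python
import ipaddress
import os
import signal
import socket
import sys
import time
from collections import defaultdict, deque

# Constructed allow list (documentation ranges); a real deployment would load this from a file.
ALLOWED_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("192.0.2.0/24", "203.0.113.7/32", "2001:db8::/32")]

# Hypothetical inetd-style handler: assumption, not Dovecot's documented invocation.
HANDLER_ARGV = ["/path/to/inetd-style-handler"]  # placeholder path


def is_allowed(ip, networks=ALLOWED_NETWORKS):
    """True if the peer address falls inside one of the allowed networks.
    Unparseable addresses are treated as not allowed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


class RateLimiter:
    """Per-IP sliding window: at most `burst` accepted connections in any `window` seconds."""

    def __init__(self, burst=5, window=60.0):
        self.burst = burst
        self.window = window
        self.hits = defaultdict(deque)  # ip -> timestamps of recent accepts

    def permit(self, ip, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits[ip]
        while q and now - q[0] > self.window:  # expire old entries
            q.popleft()
        if len(q) >= self.burst:
            return False
        q.append(now)
        return True


def decide(ip, limiter, now=None):
    """Return 'drop' (not on the allow list), 'ratelimited', or 'accept'."""
    if not is_allowed(ip):
        return "drop"
    if not limiter.permit(ip, now):
        return "ratelimited"
    return "accept"


def serve(bind=("0.0.0.0", 1143)):
    """Accept loop: gate each connection, then exec the handler on it."""
    signal.signal(signal.SIGCHLD, signal.SIG_IGN)  # let the kernel reap children
    limiter = RateLimiter()
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(bind)
    srv.listen(64)
    while True:
        conn, (peer, _port) = srv.accept()
        verdict = decide(peer, limiter)
        if verdict != "accept":
            print(f"{peer} {verdict}", file=sys.stderr)  # log for later review
            conn.close()  # the socket-level equivalent of dropping it on the floor
            continue
        if os.fork() == 0:
            # Child: wire the accepted socket to stdin/stdout and replace ourselves.
            os.dup2(conn.fileno(), 0)
            os.dup2(conn.fileno(), 1)
            srv.close()
            conn.close()
            os.execv(HANDLER_ARGV[0], HANDLER_ARGV)
        conn.close()  # parent keeps only the listening socket


if __name__ == "__main__":
    serve()
```

`decide()` takes an explicit clock so the gating logic can be exercised without a live socket; the fork/exec part is the hand-off described in the quoted reply and is only worth running once `HANDLER_ARGV` points at something that actually speaks the protocol on stdin/stdout.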