[Dovecot] need to block user by IP address (tried denyhosts, xinetd, iptables etc)
David Ford
david at blue-labs.org
Wed Nov 10 06:04:14 EET 2010
On 11/09/2010 10:59 PM, Eric Rostetter wrote:
> Quoting David Ford <david at blue-labs.org>:
>
>> I'm not a proponent of fail2ban as I think going straight to the horse's
>> mouth is wiser (keep it all in iptables in the first place).
>
> I'm not a fan of fail2ban (tail/grep a log file, really?) but there
> are other options which do this kind of thing "better" and still
> allow iptables/routing to handle the issue.
if i establish a rate limit in iptables, then accounting and reaction
never makes it to userspace. horribly more expensive, especially at the
occurance of a DoS attack. unfortunately not an option in Tom's case.
>> I agree
>> with Stan that your VPS provider is on the wal-mart list. If no other
>> solution avails, code up a quick little ditty that does the actual
>> socket listen. If the incoming IP matches an allow list, hand it off to
>> dovecot as an exec(), if not, deal with it as you see fit - normally,
>> dropping the packet on the floor.
>
> That is a fine solution, if it meets their "package" requirements.
> If not, then something like pam_shield or a similar package may due.
> But even then, those types of packages may not meet the site's packaging
> requirements.
>
> I can't believe a company with a packaging requirement run a Fedora
> though.
> That seems incongruous to me... Seems like they only have half a clue...
>
agreed. a VPS should be fully functional. that's what 'VPS' implies.
not almost-but-not-quite-VPS.
More information about the dovecot
mailing list