IP drop list

Gene Heskett gheskett at wdtv.com
Mon Mar 2 14:26:09 UTC 2015 


On Monday 02 March 2015 05:02:49 Jochen Bern wrote:
> On 03/01/2015 08:53 AM, Jim Pazarena wrote:
> > I wonder if there is an easy way to provide dovecot a flat text file
> > of ipv4 #'s which should be ignored or dropped?
> >
> > I have accumulated 45,000+ IPs which routinely try dictionary and
> > 12345678 password attempts. The file is too big to create firewall
> > drops [...]
>
> The inherent assumption here is that dovecot, using a "flat file",
> will be able to process the block list more effectively than the
> firewall, which is a tool written for the *purpose* but supposedly
> unable to even *try* due to the list's size. That sounds ...
> counterintuitive.
>
> To clarify, the governing influence on performance of *most* firewalls
> is the average number of rules a packet has to be matched against, and
> the two main tools to help with that are (if I may use iptables lingo
> here) a) --state ESTABLISHED to get everything but the
> connection-initiating packets out of the way ASAP and b) branching
> tree-like into dedicated-purpose subchains, rather than building
> linear lists. Assuming that the IPs to be blocked are randomly
> distributed, I'ld try something along the following lines:
>
> [main chain]
> --state ESTABLISHED,RELATED -j ACCEPT
> -p tcp --dport pop3 -j dove-blocks
> -p tcp --dport imap -j dove-blocks
>
> [subchain dove-blocks]
> -d 1.0.0.0/8 -j sub-1
> -d 2.0.0.0/8 -j sub-2
> ...
> -d 254.0.0.0/8 -j sub-254
>
> [subchain sub-1]
> -d 1.2.0.0/16 -j sub-1-2	# We've seen 1.2.3.4 and 1.2.2.1
> ...
>
> [subchain sub-1-2]
> -d 1.2.2.1 -j DROP
> -d 1.2.3.4 -j DROP
>
> Regards,
> 								J. Bern
I rather like this idea, but let me point out that this list should be 
pre-sorted with something that puts them in numerical order, and that 
order then pre-processed again to condense them into sequential blocks.
And those sequential blocks are what you would present to iptables of 
ipset.

You might have to trigger a new sort & condense session each time a new 
address is harvested and added to the list,  but on a busy server that 
would have to be much less of a cpu hog than just searching a flat 
random list for every access.

I use pop3 for access to 3 accounts, with mailfilter in front of 
fetchmail here, and occasionally will sort the reference files, and if a 
given class d address block gets hit several times, I re-arrange the 
regex to kill on "[xx.xx.xx'" alone, killing the whole class D.  I watch 
the logs, and I don't recall that this policy has cost me a single 
message I should have received.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>

More information about the dovecot mailing list