IP drop list

Robert Schetterer rs at sys4.de
Mon Mar 2 17:56:18 UTC 2015


On 02.03.2015 at 11:34, Joseph Tam wrote:
> Dave McGuire writes:
> 
>>> http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets
>>>
>>> then setup fail2ban to manage extrafields
>>
>>  Now that's a very interesting idea, thank you!  I will investigate this.
> 
> If you don't expect your firewall to handle 45K+ IPs, I'm not sure how you
> expect dovecot will handle a comma separated string with 45K+ entries
> any better.  If you want to turn your global blacklist into a per-user
> whitelist, that would be perfectly doable though.
> 
> Joseph Tam <jtam.home at gmail.com>

perhaps and I mean really "perhaps" go this way

https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/

https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/

45K+ IPs will work in a recent table
I have them too but for smtp only like

echo 10000000 > /sys/module/xt_recent/parameters/ip_list_tot

combine with geoip might be a good idea too

is ultra faster than fail2ban cause no log file parsing is needed

or another idea
you might test, configure a syslog filter pumping in a recent table the
direct way


Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, District Court München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
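
The "syslog filter pumping into a recent table" idea from the message above, as an added example that is not part of the original post or of the linked blog articles. The list name dovecot_drop, the iptables rule in the comment, the threshold and the sample log lines are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed list name, consulted by a rule such as:
#   iptables -I INPUT -p tcp -m multiport --dports 110,143,993,995 \
#            -m recent --name dovecot_drop --rcheck --seconds 3600 -j DROP
RECENT_LIST = "/proc/net/xt_recent/dovecot_drop"

FAILED = re.compile(r"auth failed.*?\brip=([0-9A-Fa-f:.]+)")

# Constructed sample lines in the usual dovecot login-failure shape.
FAIL_LINE = ("Mar  2 17:40:01 mx dovecot: imap-login: Disconnected "
             "(auth failed, 1 attempts in 2 secs): user=<bob>, "
             "method=PLAIN, rip={}, lip=192.0.2.1")
SAMPLE = (
    [FAIL_LINE.format("203.0.113.5")] * 3      # repeated offender
    + [FAIL_LINE.format("198.51.100.7")]       # single typo, below threshold
    + [FAIL_LINE.format("127.0.0.1")] * 3      # local webmail, allowlisted
    + ["Mar  2 17:41:09 mx dovecot: imap-login: Login: user=<amy>, "
       "method=PLAIN, rip=203.0.113.9, lip=192.0.2.1"]
)

def offenders(lines, threshold=3, allow=("127.0.0.0/8", "::1/128")):
    """Return addresses with at least `threshold` failed logins."""
    allowed = [ipaddress.ip_network(n) for n in allow]
    hits = Counter()
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # never pass unparsed log text on to the kernel
        if any(ip.version == n.version and ip in n for n in allowed):
            continue  # do not lock out trusted sources
        hits[ip] += 1
    return sorted(str(ip) for ip, n in hits.items() if n >= threshold)

def push(ips, path=RECENT_LIST):
    """Add each address to the recent list; returns how many were written."""
    # xt_recent parses one "+address" command per write(), so stay unbuffered.
    with open(path, "wb", buffering=0) as fh:
        for ip in ips:
            fh.write(f"+{ip}\n".encode())
    return len(ips)

if __name__ == "__main__":
    print(offenders(SAMPLE))  # dry run; call push() as root to apply
```

Run as a syslog output program, the same functions would read lines from stdin instead of SAMPLE; the list only exists under /proc/net/xt_recent once a rule naming it has been loaded.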

