IP drop list

Robert Schetterer rs at sys4.de
Mon Mar 2 19:00:30 UTC 2015


On 02.03.2015 at 19:03, Reindl Harald wrote:
> 
> On 02.03.2015 at 18:56, Robert Schetterer wrote:
>> perhaps and i mean really "perhaps" go this way
>>
>> https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/
>>
>>
>> https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/
>>
>>
>> 45K+ IPs will work in a recent table
>> i have them too but for smtp only like
>>
>> echo 10000000 > /sys/module/xt_recent/parameters/ip_list_tot
>>
>> combine with geoip might be a good idea too
>>
>> is ultra faster than fail2ban cause no log file parsing is needed
>>
>> or another idea
>> you might test, configure a syslog filter pumping in a recent table the
>> direct way
> 
> that is all nice
> 
> but the main benefit of RBL's is always ignored:
> 
> * centralized
> * no log parsing at all
> * honeypot data are "delivered" to any host
> * it's cheap
> * it's easy to maintain
> * it doesn't need any root privileges anywhere
> 
> we have a small honeypot network with a couple of ipranges detecting
> mass port-scans and so on and this data are available *everywhere*
> 
> so if some IP hits there it takes 60 seconds and any service supporting
> DNS blacklists can block them *even before* the bot hits the real
> mailserver at all
> 

Centralizing may also work with syslog filters acting on a "grand"
firewall/load balancers in front of all hosts. Anyway, depending on the
setup, combining many solutions may achieve the best results; your
solution is fine too.
In the end, everything that solves the task is fine, and the admin has to
decide which way he wants to go.

Best regards, Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Local court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
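
The "syslog filter pumping into a recent table" idea quoted in this thread, sketched as an added example that is not part of the original post or of the linked blog articles. The list name `authfail`, the port list and the Dovecot-style log layout (`rip=` followed by `lip=`) are assumptions, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: feed failed-login source IPs into an xt_recent list.
# Assumed list name and path; adjust to the local setup.
RECENT_LIST="${RECENT_LIST:-/proc/net/xt_recent/authfail}"

# The list exists once a rule names it, for instance (as root):
#   iptables -I INPUT -p tcp -m multiport --dports 110,143,993,995 \
#            -m recent --name authfail --rcheck --seconds 3600 -j DROP

# Print the client IPv4 address of an "auth failed" line, or nothing.
# The greedy ".*" anchors on the LAST "rip=..., lip=" pair, so a forged
# "rip=" inside the client-chosen user name is ignored.
extract_rip() {
    printf '%s\n' "$1" | sed -n \
        '/auth failed/s/.*rip=\([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\), lip=.*/\1/p'
}

# True if all four octets are 0-255 (sed only checked the shape).
valid_ipv4() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
}

# Read log lines on stdin; write "+IP" to the recent list per failure.
feed_recent() {
    while IFS= read -r line; do
        ip=$(extract_rip "$line")
        [ -n "$ip" ] && valid_ipv4 "$ip" || continue
        printf '+%s\n' "$ip" >> "$RECENT_LIST"
    done
}

# Constructed sample lines: failure, success, forged rip= in user, bad octet.
sample_log() {
cat <<'EOF'
Mar  2 19:00:01 mx dovecot: imap-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1, TLS
Mar  2 19:00:02 mx dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.1, TLS
Mar  2 19:00:03 mx dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<x, rip=192.0.2.1, lip=192.0.2.1>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.1
Mar  2 19:00:04 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<y>, method=PLAIN, rip=999.1.1.1, lip=192.0.2.1
EOF
}
```

For a dry run without root, point `RECENT_LIST` at a scratch file and run `sample_log | feed_recent`; only the two genuine failure sources are written.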

