IP drop list

Nick Edwards nick.z.edwards at gmail.com
Wed Mar 4 14:24:45 UTC 2015


You can script fail2ban to send the entries to a rbldnsd file on a
remote server. I know someone who does it based on Apache; since it
uses fail2ban, it shouldn't matter if it's Apache or Dovecot.

I thought Timo once said Dovecot had tarpitting. It's useless if it is
there, and if it is, it needs user-configurable timings, or maybe it's
one of those things that's been in the "gonna happen" list
for a long time, like other stuff.

On 3/4/15, David Myers <david.myers.24j74 at gmail.com> wrote:
> hi all
>
> I've been reading this thread with interest. As a rather novice programmer.
> I'm not being humble here, I really am not very good, I can do stuff, but
> it takes a LONG time. My spaghetti code even has meatballs in it !
>
> Not being a great programmer I'm not really able to code something up, but
> it occurred to me something could be scripted, are the other posters
> suggesting something like the following ....
>
> It does use fail2ban, which I understand isn't the ideal solution, but in
> brief....
>
> Extract the IPs from the fail2ban log file (or any other log file if
> you so desire).
> Use these to push up to the firewall or insert into your dovecot 'if'
> statement (which programmatically even I could probably manage ;) )
>
> I understand that this wasn't exactly what the OP was looking for but
> creating the 'if' on the fly, as it were, is certainly better than putting
> the values in manually.
>
> An outline for the first part, extracting the ips from a log file, if
> anyone is interested can be found here.
>
> http://www.the-art-of-web.com/system/fail2ban-log/
>
> The second bit, adding in the values to the if statement, shouldn't be that
> hard... I could probably push something out in Java (but that would
> obviously not be any good for anyone!), maybe even PERL it would take me
> longer, at a push even a bash script... (I feel like my hair is going grey
> ;) ...
>
> Maybe even a good bash project for me as a beginner.
>
> Just a question to see if I am understanding the general proposition of
> this thread.
>
> Thanks for your time, and for helping me to learn this stuff.
>
> David
>
>
> On 4 Mar 2015 05:04, "Earl Killian" <dovecot at lists.killian.com> wrote:
>
>> On 2015/3/2 10:03, Reindl Harald wrote:
>>
>>>
>>> that is all nice
>>>
>>> but the main benefit of RBLs is always ignored:
>>>
>>> * centralized
>>> * no log parsing at all
>>> * honeypot data are "delivered" to any host
>>> * it's cheap
>>> * it's easy to maintain
>>> * it doesn't need any root privileges anywhere
>>>
>>> we have a small honeypot network with a couple of IP ranges detecting
>>> mass port-scans and so on and this data are available *everywhere*
>>>
>>> so if some IP hits there it takes 60 seconds and any service supporting
>>> DNS blacklists can block them *even before* the bot hits the real
>>> mailserver at all
>>>
>> I would like to reiterate Reindl Harald's point above, since subsequent
>> discussion has gotten away from it. If Dovecot had DNS RBL support
>> similar to Postfix, I think quite a few people would use it, and thereby
>> defeat the scanners far more effectively than any other method. It is
>> good that other people are suggesting things that will work today, but
>> in terms of what new feature would be the best solution, I can't think
>> of one better than a DNS RBL.
>>
>
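
Added example, not part of the thread and not any poster's own script: one way to do the fail2ban-to-rbldnsd step discussed above, turning Ban/Unban log entries into an rbldnsd ip4set data file and showing the name a DNSBL client would look up. The log lines are constructed, and the zone name bl.example.org, the return value 127.0.0.2 and all function names are assumptions.

```python
import ipaddress
import re

# Constructed sample lines in the style of a fail2ban log (not from the thread).
SAMPLE_LOG = """\
2015-03-04 14:01:10,101 fail2ban.actions: WARNING [dovecot] Ban 203.0.113.7
2015-03-04 14:02:31,530 fail2ban.actions: WARNING [apache-auth] Ban 198.51.100.23
2015-03-04 14:05:02,912 fail2ban.actions: WARNING [dovecot] Ban 203.0.113.7
2015-03-04 14:11:10,344 fail2ban.actions: WARNING [apache-auth] Unban 198.51.100.23
2015-03-04 14:12:00,007 fail2ban.actions: WARNING [dovecot] Ban not-an-ip
"""

# Jail name in brackets, then the action and the address; works for any jail.
EVENT = re.compile(r"\[(?P<jail>[\w-]+)\] (?P<action>Ban|Unban) (?P<ip>\S+)")

def active_bans(log_text):
    """Return the set of IPv4 addresses banned and not unbanned afterwards."""
    bans = set()
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group("ip"))  # drop malformed entries
        except ValueError:
            continue
        if m.group("action") == "Ban":
            bans.add(ip)
        else:
            bans.discard(ip)
    return bans

def rbldnsd_ip4set(bans, value="127.0.0.2", text="Blocked by fail2ban"):
    """Render ip4set data: a ':A:TXT' default line, then one address per line."""
    lines = [f":{value}:{text}"] + [str(ip) for ip in sorted(bans)]
    return "\n".join(lines) + "\n"

def dnsbl_query_name(ip, zone="bl.example.org"):
    """Name a DNSBL client resolves: reversed octets prepended to the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

if __name__ == "__main__":
    print(rbldnsd_ip4set(active_bans(SAMPLE_LOG)), end="")
    print(dnsbl_query_name("203.0.113.7"))
```

The rendered file is what would be copied to the remote rbldnsd host; any service with DNS blacklist support then needs only the zone name, with no log parsing or root access on its side.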

