IP drop list
Reindl Harald
h.reindl at thelounge.net
Thu Mar 5 00:56:35 UTC 2015
On 04.03.2015 at 23:00, Felix Zandanel wrote:
> I am not against block lists. I just say their use should be justified as they may decrease overall service quality as well. There is another solution for auth based services: As soon as you detect a possible attack (# auth reqs > x etc.), keep the connection open, slow it down and just never let it succeed regardless of the credentials provided. This is done on a per-connection basis. No block list needed. Can be accomplished with fail2ban and iptables and therefore uses minimal server resources.
well, i have iptables rate controls which block most dictionary attacks
and small DOS-attacks perfectly well
but that won't change the fact that if a large dictionary attack starts
from an IP address and that IP is a CGN it *would* affect users from the
same IP anyways
and since this is a fact it is reasonable to
* enter that IP in the web interface feeding rbldnsd
* enter in the second field 1800 seconds or whatever value
* apply it that way for any service supporting RBL's
* release that lock automatically after X seconds
security and defense is always layered but such things don't work well
if half of mail-subsystems need special handling
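The timed listing described in the message above, sketched as an added example that is not part of the original post: a store of IP addresses with expiry times that renders an rbldnsd `ip4set` data file and drops entries once their time is up. The class and function names, the zone name `bl.example.invalid`, the 60-second DNS TTL and the sample addresses are assumptions.

```python
import ipaddress
import time

ZONE = "bl.example.invalid"   # assumed zone name served by rbldnsd
DNS_TTL = 60                  # keep low so a released IP is not cached as listed


class TempBlockList:
    """Hypothetical store behind the web form: IP -> expiry (unix time)."""

    def __init__(self):
        self._expiry = {}

    def add(self, ip, seconds, now=None):
        now = time.time() if now is None else now
        addr = ipaddress.IPv4Address(ip)      # raises ValueError on bad input
        if seconds <= 0:
            raise ValueError("block duration must be positive")
        # Re-listing extends a block but never shortens one already in force.
        self._expiry[addr] = max(self._expiry.get(addr, 0), now + seconds)

    def active(self, now=None):
        now = time.time() if now is None else now
        # Automatic release: entries whose time has passed are dropped here.
        self._expiry = {a: t for a, t in self._expiry.items() if t > now}
        return sorted(self._expiry)

    def render_zone(self, now=None):
        """Return the text of an ip4set data file listing the active blocks."""
        lines = [
            "# generated file, do not edit",
            f"$TTL {DNS_TTL}",
            ":127.0.0.2:temporarily listed after an authentication attack",
        ]
        lines += [str(a) for a in self.active(now)]
        return "\n".join(lines) + "\n"


def dnsbl_query_name(ip, zone=ZONE):
    """Name a service supporting RBLs looks up to check one client address."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


if __name__ == "__main__":
    bl = TempBlockList()
    bl.add("192.0.2.10", 1800)                # constructed sample address
    print(bl.render_zone(), end="")
    print(dnsbl_query_name("192.0.2.10"))
```

Regenerating the file on a timer is what makes the release automatic: an expired address simply stops appearing in the next rendered file.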