under some kind of attack

Joseph Tam jtam.home at gmail.com
Thu Jul 20 01:59:17 EEST 2017


mj <lists at merit.unu.edu> writes:

>>> However, it seems almost all IPs are different, and I don't think I can
>>> keep the above settings permanently.
>>
>> Why not?  Limited by firewall rules overload?  You could probably use
>> a persistent DB, can't you?
>
> I meant: keep the "block after the first failed attempt" setting. People
> need the chance to change their password, so I have increased it to two.

A timeout feature is handy here; even though you allow attackers several
kicks at the can, it will allow your users to eventually gain control
to their accounts again after a suitable penalty period.

>> You can also use a third party RBL that specialized in brute forcers like
>> blocklist.de.  You can also feed back fail2ban data and crowdsource BFD
>> data to them.
>
> Yes, I will look into that now.
> ...
>
> Anyone aware of other blocklists that are worth bocking? Because the
> list.blocklist.de/lists/all.txt blocks some, but not anywhere near all.

There are other RBLs that overlap with this (like CBL), but they include
entries will produce false positives.  There was OpenBL but that is defunct.

The different lists at blocklist.de have varying efficacy: the ssh and
smtp BFD detection are fairly good (they have a 90+% hit rate at my site),
but the IMAP/POP BFD detection not as good (maybe 20%).  However,
if people start feeding IMAP/POP fail2ban data back to blocklist.de,
that will get better.

> I now know  how to block large lists of ips, so if anyone has additional
> lists to block?

Yeah, all of ChinaNet.  May produce false positives.

Joseph Tam <jtam.home at gmail.com>


More information about the dovecot mailing list