Force TCP socket disconnect on imap login failure?
Bernardo Reino
reinob at bbmk.org
Thu May 26 19:33:30 UTC 2022
On Thu, 26 May 2022, Hippo Man wrote:
> [...]
>
> I also read your other message where you referred to a stackexchange
> conversation about killing existing connections. That conversation confirms
> what I have observed in my own environment: that iptables offers no way to
> terminate an already established connection.
>
> Also, "conntrack" is mentioned in that discussion, but I haven't been able
> to get conntrack to work on my debian-8 system.
If you use fail2ban or something which adds a rule to block an ip address using
iptables or nftables, it will work.
You have already been told that if you have a rule allowing established/related
connections having a higher precedence than the blocking rule, then obviously
the blocking will not work.
I use nftables, and have "ct state established,related accept" at the very
bottom of my ruleset (just before the default action: drop).
For fail2ban I use a script which adds the ip to an nftables set (aptly named
fail2ban), and I have the rule "ip saddr @fail2ban drop" near the top of the
ruleset.
I just tested blocking myself (ssh instead of imaps, but there should not be any
difference) and the block is immediate.
Good luck!
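The rule ordering Bernardo describes, written out as a complete nftables ruleset. This is an added example, not the poster's own configuration: the table and chain names, the exposed ports (22, 993) and the set's timeout flag are assumptions; only the set name "fail2ban", the "ip saddr @fail2ban drop" rule and the placement of "ct state established,related accept" come from the message.

```nft
#!/usr/sbin/nft -f
# Added example: ordering that drops a banned address even when its
# IMAP (or SSH) connection is already established.
flush ruleset

table inet filter {
    # Set that the fail2ban action populates. The name comes from the
    # message; "flags timeout" is an assumption so bans expire on their own.
    set fail2ban {
        type ipv4_addr
        flags timeout
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback traffic is always allowed.
        iif "lo" accept

        # 1. Ban check BEFORE the conntrack accept: packets belonging to an
        #    already established session from a banned address are dropped too.
        ip saddr @fail2ban counter drop

        # 2. New connections to the exposed services (ports are assumed).
        tcp dport { 22, 993 } ct state new accept

        # 3. Only at the very bottom: accept packets of established/related
        #    connections. Placing this above rule 1 is the mistake the thread
        #    discusses: a banned client would keep its open IMAP session.
        ct state established,related accept

        # Everything else falls through to the chain policy: drop.
    }
}
```

A fail2ban action then only needs to add the offender to the set, e.g. `nft add element inet filter fail2ban { 192.0.2.10 timeout 1h }` (192.0.2.10 is a constructed documentation address); with plain `drop` the client's socket times out rather than seeing an immediate reset, which is the behaviour the message reports.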