Dave McGuire writes:

>> http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets
>>
>> then setup fail2ban to manage extrafields
>
> Now that's a very interesting idea, thank you! I will investigate this.

If you don't expect your firewall to handle 45K+ IPs, I'm not sure how you expect dovecot will handle a comma separated string with 45K+ entries any better. If you want to turn your global blacklist into a per-user whitelist, that would be perfectly doable though.

Joseph Tam <jtam.home at gmail.com>
On 02.03.2015 at 11:34, Joseph Tam wrote:
> Dave McGuire writes:
>
>>> http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets
>>>
>>> then setup fail2ban to manage extrafields
>>
>> Now that's a very interesting idea, thank you! I will investigate this.
>
> If you don't expect your firewall to handle 45K+ IPs, I'm not sure how you
> expect dovecot will handle a comma separated string with 45K+ entries
> any better. If you want to turn your global blacklist into a per-user
> whitelist, that would be perfectly doable though.
>
> Joseph Tam <jtam.home at gmail.com>

Perhaps, and I mean really "perhaps", go this way:

https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/

https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/

45K+ IPs will work in a recent table. I have them too, but for SMTP only, like

echo 10000000 > /sys/module/xt_recent/parameters/ip_list_tot

Combining with geoip might be a good idea too.

It is ultra fast, faster than fail2ban, because no log file parsing is needed.

Or another idea you might test: configure a syslog filter pumping into a recent table the direct way.

Best regards
Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
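The "feed the recent table directly from the log" idea above, as an added example that is not part of the thread and not sys4's or Dovecot's own code: it counts Dovecot "auth failed" lines per remote IP and emits the commands that add offenders to an xt_recent list. The list name dovecot_bruteforce, the threshold of three failed attempts, and the sample log lines are assumptions (the lines are constructed in Dovecot 2.x login-process format using RFC 5737 documentation addresses).

```python
"""Added example, not from the thread or from sys4/Dovecot: feed Dovecot
authentication failures straight into an xt_recent list.

Assumptions: the list is named "dovecot_bruteforce" (it must match the
-m recent --name of the iptables rule that drops listed sources) and the
sample log lines below are constructed in Dovecot 2.x login-process format.
"""
import re
from collections import Counter

# Match only genuine authentication failures. A bare "rip=" match would also
# pick up successful "Login:" lines and "no auth attempts" disconnects.
AUTH_FAIL = re.compile(
    r"dovecot: (?:imap|pop3)-login: Disconnected \(auth failed, "
    r"(?P<attempts>\d+) attempts? in \d+ secs\):.*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)

# Constructed sample log: 203.0.113.5 is a brute-forcer, 198.51.100.7 is a
# legitimate user who mistyped a password once (RFC 5737 documentation ranges).
SAMPLE_LOG = """\
Mar  2 11:34:01 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<a1>
Mar  2 11:34:03 mx dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, mpid=1234, TLS, session=<b1>
Mar  2 11:34:09 mx dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<admin>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, TLS, session=<a2>
Mar  2 11:35:10 mx dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<carol>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, session=<c1>
Mar  2 11:36:00 mx dovecot: imap-login: Disconnected (no auth attempts in 10 secs): user=<>, rip=198.51.100.9, lip=192.0.2.10, session=<d1>
"""


def failures_by_ip(log_text):
    """Sum the per-connection failed-attempt counts for each remote IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AUTH_FAIL.search(line)
        if m:
            counts[m.group("rip")] += int(m.group("attempts"))
    return counts


def offenders(log_text, threshold=3):
    """Remote IPs whose failed attempts reached the threshold, worst first."""
    return [ip for ip, n in failures_by_ip(log_text).most_common() if n >= threshold]


def xt_recent_commands(ips, list_name="dovecot_bruteforce"):
    """Shell commands that add each IP to the (assumed) xt_recent list.

    Writing "+ADDR" to /proc/net/xt_recent/<name> inserts the address,
    "-ADDR" removes it and "/" flushes the whole list.
    """
    return [f"echo +{ip} > /proc/net/xt_recent/{list_name}" for ip in ips]


if __name__ == "__main__":
    for cmd in xt_recent_commands(offenders(SAMPLE_LOG)):
        print(cmd)
```

The list only has an effect once a rule references it, for instance `iptables -I INPUT -p tcp --dport 143 -m recent --name dovecot_bruteforce --rcheck --seconds 3600 -j DROP` (assumed setup, not from the thread). One caveat on the `ip_list_tot` line quoted above: the xt_recent module exports that parameter read-only under /sys, so on current kernels it has to be set as a module option (`options xt_recent ip_list_tot=...` in /etc/modprobe.d) before the module is loaded; the default list size is far too small for tens of thousands of entries.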
On 02.03.2015 at 18:56, Robert Schetterer wrote:
> perhaps and i mean really "perhaps" go this way
>
> https://sys4.de/de/blog/2014/03/27/fighting-smtp-auth-brute-force-attacks/
>
> https://sys4.de/de/blog/2012/12/28/botnets-mit-rsyslog-und-iptables-recent-modul-abwehren/
>
> 45K+ IPs will work in a recent table
> i have them too but for smtp only like
>
> echo 10000000 > /sys/module/xt_recent/parameters/ip_list_tot
>
> combine with geoip might be a good idea too
>
> is ultra faster then fail2ban cause no log file parsing is needed
>
> or an other idea
> you might test, configure a syslog filter pumping in a recent table the
> direct way

That is all nice, but the main benefit of RBLs is always ignored:

* centralized
* no log parsing at all
* honeypot data is "delivered" to any host
* it's cheap
* it's easy to maintain
* it doesn't need any root privileges anywhere

We have a small honeypot network with a couple of IP ranges detecting mass port-scans and so on, and this data is available *everywhere*. So if some IP hits there, it takes 60 seconds and any service supporting DNS blacklists can block them *even before* the bot hits the real mailserver at all.
On March 2, 2015 11:35:24 AM Joseph Tam <jtam.home at gmail.com> wrote:
> Dave McGuire writes:
>
>>> http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets
>>>
>>> then setup fail2ban to manage extrafields
>>
>> Now that's a very interesting idea, thank you! I will investigate this.
>
> If you don't expect your firewall to handle 45K+ IPs, I'm not sure how you
> expect dovecot will handle a comma separated string with 45K+ entries
> any better. If you want to turn your global blacklist into a per-user
> whitelist, that would be perfectly doable though.

Let's call it denynets, so :)

Advice is bad when users don't understand why it's allownets and still focus on blocking bad IPs. Then just keep a list of good client IPs where login does not fail. If dovecot is hard to understand, try Windows 10 then :)
>>>> http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets

Rethink why it's allownets, not denynets.

> 45K+ IPs will work in a recent table
> i have them too but for smtp only like

Have you seen a single user with 45K IPs that does not make logs of login fails?
On 03/02/2015 05:34 AM, Joseph Tam wrote:
>>> http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets
>>>
>>> then setup fail2ban to manage extrafields
>>
>> Now that's a very interesting idea, thank you! I will investigate this.
>
> If you don't expect your firewall to handle 45K+ IPs, I'm not sure how you
> expect dovecot will handle a comma separated string with 45K+ entries
> any better.

My firewall can handle that without breaking a sweat. I just haven't found a way (that I'm comfortable with) to automatically inject rules into it from a machine on the network.

Doing it via a DNSBL is an elegant solution to the problem, IMO. It offloads the IP address indexing to the DNS server; BIND (and most anything else I'd imagine, but I run BIND) uses a pretty respectable in-memory btree system which gives fast lookups. (Well, at least that's what it used the last time I looked at its internals.)

I myself just want a mechanism to deny certain IP addresses when I spot them, regardless of the implementation. But anything that offloads my mail servers from anything that doesn't involve serving mail makes me happy.

-Dave

-- 
Dave McGuire, AK4HZ/3
New Kensington, PA
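The DNSBL mechanism that the RBL reply (honeypot data published as a DNS zone) and Dave's message (offloading the IP index to the DNS server) both rely on, as an added example that is not part of the thread and not Dovecot's or BIND's code: it builds the query name the way RFC 5782 specifies (reversed octets for IPv4, reversed nibbles for IPv6), accepts only 127.0.0.0/8 answers as a listing, and runs the RFC 5782 sanity test before trusting a zone. The resolver is injected as a callback so the block runs offline; the zone names bl.example and dead.example and the contents of FAKE_ZONE are constructed.

```python
"""Added example, not from the thread and not Dovecot's or BIND's code:
DNSBL lookups with RFC 5782 query-name construction and a resolver
callback injected so the block runs offline.

Assumptions: the zones "bl.example" / "dead.example" and the answers in
FAKE_ZONE are constructed; a real deployment passes a function that does
the actual A-record query (system resolver, dnspython, a local named).
"""
import ipaddress

# DNSBL listings are signalled by A records in the loopback range only.
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Reverse the address the way a DNSBL expects and append the zone.

    IPv4 is reversed octet by octet; IPv6 is expanded to its 32 hex
    nibbles and reversed nibble by nibble, as RFC 5782 describes.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone.strip(".") + "."


def listing_codes(ip, zone, resolve):
    """Return the 127.0.0.0/8 answer codes for ip, or [] if it is not listed.

    resolve(name) must return the A records for name as strings and [] on
    NXDOMAIN. Answers outside 127.0.0.0/8 are ignored on purpose: a dead or
    wildcarded list that answers everything with a public address must not
    turn into a block-everything rule on the mail server.
    """
    answers = resolve(dnsbl_query_name(ip, zone))
    return [a for a in answers if ipaddress.ip_address(a) in LISTED_RANGE]


def zone_is_sane(zone, resolve):
    """RFC 5782 test entries: 127.0.0.2 must be listed, 127.0.0.1 must not.

    A zone failing this is dead or misconfigured and should not be consulted.
    """
    return bool(listing_codes("127.0.0.2", zone, resolve)) and \
        not listing_codes("127.0.0.1", zone, resolve)


# Constructed zone contents standing in for real DNS answers.
FAKE_ZONE = {
    "5.113.0.203.bl.example.": ["127.0.0.2"],   # the brute-forcing host
    "2.0.0.127.bl.example.": ["127.0.0.2"],     # RFC 5782 test entry
    "1.0.0.127.bl.example.": [],                # must not be listed (NXDOMAIN)
    # An abandoned, wildcarded list answering with a public address:
    "7.100.51.198.dead.example.": ["192.0.2.1"],
}


def fake_resolve(name):
    """Offline stand-in for an A-record lookup; [] plays the role of NXDOMAIN."""
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.7", "2001:db8::1"):
        print(ip, listing_codes(ip, "bl.example", fake_resolve) or "not listed")
```

In production the `resolve` argument is the real lookup and the answers should be cached with their TTL so that the per-login cost is one local DNS query; the point of the sanity check is that a list whose domain expires and gets wildcarded by a parking service would otherwise start listing every address.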
On March 2, 2015 10:50:59 PM Dave McGuire <mcguire at neurotica.com> wrote:
> On 03/02/2015 05:34 AM, Joseph Tam wrote:
>>>> http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets

It's not a big hint that it's not called denynets, is it?

> I myself just want a mechanism to deny certain IP addresses when I
> spot them, regardless of the implementation. But anything that offloads
> my mail servers from anything that doesn't involve serving mail makes me
> happy.

Focus on not blocking 500000 IPs, but on users not having 500000 IPs. I will stop saying this again.