On 03/01/2015 08:53 AM, Jim Pazarena wrote:
> I wonder if there is an easy way to provide dovecot a flat text file of
> ipv4 #'s which should be ignored or dropped?
>
> I have accumulated 45,000+ IPs which routinely try dictionary and
> 12345678 password attempts. The file is too big to create firewall
> drops [...]
The inherent assumption here is that dovecot, using a "flat file", will be
able to process the block list more effectively than the firewall, which is
a tool written for the *purpose* but supposedly unable to even *try* due to
the list's size. That sounds ... counterintuitive.

To clarify, the governing influence on performance of *most* firewalls is
the average number of rules a packet has to be matched against, and the two
main tools to help with that are (if I may use iptables lingo here)
a) --state ESTABLISHED to get everything but the connection-initiating
packets out of the way ASAP and b) branching tree-like into
dedicated-purpose subchains, rather than building linear lists.

Assuming that the IPs to be blocked are randomly distributed, I'd try
something along the following lines:

    [main chain]
    --state ESTABLISHED,RELATED -j ACCEPT
    -p tcp --dport pop3 -j dove-blocks
    -p tcp --dport imap -j dove-blocks

    [subchain dove-blocks]
    -d 1.0.0.0/8 -j sub-1
    -d 2.0.0.0/8 -j sub-2
    ...
    -d 254.0.0.0/8 -j sub-254

    [subchain sub-1]
    -d 1.2.0.0/16 -j sub-1-2    # We've seen 1.2.3.4 and 1.2.2.1
    ...

    [subchain sub-1-2]
    -d 1.2.2.1 -j DROP
    -d 1.2.3.4 -j DROP

Regards,
J. Bern
--
*NEW* - NEC IT infrastructure products in the <http://www.linworks-shop.de/>:
Server--Storage--Virtualization--Management SW--Passion for Performance
Jochen Bern, Systems Engineer --- LINworks GmbH <http://www.LINworks.de/>
P.O. Box 100121, 64201 Darmstadt | Robert-Koch-Str. 9, 64331 Weiterstadt
PGP (1024D/4096g) FP = D18B 41B1 16C0 11BA 7F8C DCF7 E1D5 FAF4 444E 1C27
Tel. +49 6151 9067-231, switchboard -0, Fax -299 - Darmstadt District Court HRB 85202
Registered office Weiterstadt, Managing Directors Metin Dogan, Oliver Michel
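The tree-like chain layout sketched in the reply, generated from a flat file instead of written by hand, as an added example (not code from the thread or from J. Bern): a POSIX shell script that reads one IPv4 address per line and prints an iptables-restore ruleset with one branch chain per /8, one per /16 below it, and a leaf list of DROP rules per /16, so a new connection is matched against roughly three short chains rather than a linear list. It matches on source address (-s), since a brute-force block list holds the connecting clients' addresses, and uses the numeric POP3/IMAP ports. The chain names, the `dove-` prefix, the file name in the usage comment and the sample addresses (RFC 5737 documentation ranges) are assumptions; nothing is loaded into the kernel, the rules are only printed.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Build a tree of iptables chains (/8 branch -> /16 branch -> leaf list) from a
# flat file of IPv4 addresses. Emits iptables-restore(8) text on stdout;
# nothing is loaded into the kernel. Intended for `iptables-restore --noflush`
# so it appends to the existing INPUT chain. Chain names and the "dove-"
# prefix are hypothetical.

# Print restore-format rules for the block list in $1 (one IPv4 per line;
# blank, comment and malformed lines are ignored; duplicates collapsed).
gen_rules() {
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' "$1" | sort -u | awk '
    {
        split($0, o, ".")
        a = o[1]; b = o[2]; k = a "-" b
        if (!(a in seen8))  { seen8[a] = 1; order8[n8++] = a }
        if (!(k in seen16)) { seen16[k] = 1; list16[a] = list16[a] " " b }
        # leaf rule: match the attacking client on its SOURCE address
        leaf[k] = leaf[k] "-A sub-" k " -s " $0 " -j DROP\n"
    }
    END {
        print "*filter"
        # user-defined chains must be declared before they are referenced
        print ":dove-blocks - [0:0]"
        for (i = 0; i < n8; i++) {
            a = order8[i]
            print ":sub-" a " - [0:0]"
            m = split(list16[a], bs, " ")
            for (j = 1; j <= m; j++) print ":sub-" a "-" bs[j] " - [0:0]"
        }
        # main chain: established traffic bypasses the tree entirely, only
        # new POP3 (110) / IMAP (143) connections are checked against the list
        print "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
        print "-A INPUT -p tcp --dport 110 -j dove-blocks"
        print "-A INPUT -p tcp --dport 143 -j dove-blocks"
        for (i = 0; i < n8; i++) {
            a = order8[i]
            print "-A dove-blocks -s " a ".0.0.0/8 -j sub-" a
            m = split(list16[a], bs, " ")
            for (j = 1; j <= m; j++) {
                b = bs[j]
                print "-A sub-" a " -s " a "." b ".0.0/16 -j sub-" a "-" b
                printf "%s", leaf[a "-" b]
            }
        }
        print "COMMIT"
    }'
}

# Constructed sample block list (RFC 5737 documentation addresses, not real
# attacker addresses); includes a duplicate and a malformed line on purpose.
sample_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not real attacker addresses
203.0.113.7
198.51.100.9
203.0.113.42
192.0.2.10
203.0.113.7
not-an-ip
EOF
    echo "$f"
}

# Number of leaf DROP rules in a generated ruleset read from stdin.
count_drops() {
    grep -c -- '-j DROP'
}

# Usage (hypothetical file name; review the output before loading it):
#   gen_rules /etc/dovecot-blocklist.txt | iptables-restore --noflush
# Run with --demo to print the ruleset for the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    f=$(sample_file); gen_rules "$f"; rm -f "$f"
fi
```

The depth of the tree is the tuning knob: with addresses spread across many /8s the dove-blocks chain itself is the longest list a packet sees (at most 254 rules), and every deeper chain is short. Where the iptables build has ipset available, a `hash:ip` set is the usual tool for a list of this size and replaces the whole tree with a single match, but the chain layout above needs nothing beyond stock iptables.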