On 21.06.24 07:20, Jeff Pang via mailop wrote:
Today I cleared up the iptables rules and ran fail2ban again.
In half an hour, it blocked 1400+ IPs.
$ sudo iptables -L -n|grep DROP|wc -l
1407
I use ipset:
REJECT tcp -- anywhere anywhere match-set block-mail src reject-with tcp-reset
ipsets should be much more effective to work with and maintain than iptables.
On 21.06.24 07:03, Ralph Seichter via mailop wrote:
Are you worried about iptables slowing systems down compared to Postfix
(and whatever authentication backend is involved) having to deal with
all the unsuccessful login attempts? I don't think that is likely. Also,
what is a theoretical performance hit worth to you, when compared to the
possible cost of even a single hacked mail account?
I guess the main problem is that iptables runs at kernel level.
Another one is that adding/removing rules is much work for the kernel.
Not sure about nftables.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fighting for peace is like fucking for virginity...
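The ipset approach described above, as an added shell example that is not from this thread, from fail2ban or from the ipset/iptables projects: one hash:ip set named block-mail (the name used in the thread) matched by a single REJECT rule in INPUT, with ban candidates taken from Postfix smtpd SASL failure lines. The chain name, the ban timeout, the MAXRETRY threshold, the DRY_RUN switch and the sample log lines are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): ban abusive SMTP-AUTH clients by adding
# them to one ipset instead of inserting one iptables rule per address.
# Assumed: set "block-mail" (as in the thread), chain INPUT, hash:ip with a
# timeout so entries expire by themselves, Postfix smtpd log format.
SET_NAME="${SET_NAME:-block-mail}"
BAN_SECONDS="${BAN_SECONDS:-86400}"   # ban lifetime; ipset drops the entry itself
MAXRETRY="${MAXRETRY:-3}"             # failures before an address is banned
DRY_RUN="${DRY_RUN:-0}"               # 1: print commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One-time setup: the set, and the single firewall rule that matches it.
# The rule count stays constant no matter how many addresses get banned.
setup_blocklist() {
    run ipset create "$SET_NAME" hash:ip timeout "$BAN_SECONDS" -exist
    run iptables -I INPUT -p tcp -m set --match-set "$SET_NAME" src \
        -j REJECT --reject-with tcp-reset
}

# Banning is a set insert (hash lookup on the data path), not a rule insert.
# -exist makes a repeated ban refresh the timeout instead of failing.
ban_ip() {
    run ipset add "$SET_NAME" "$1" timeout "$BAN_SECONDS" -exist
}

# Extract the client IPv4 from Postfix smtpd SASL failure lines on stdin.
# hash:ip as created above holds IPv4 only; IPv6 clients need a second
# "family inet6" set and a matching ip6tables rule.
ips_from_log() {
    sed -n 's/.*\[\([0-9][0-9.]*\)\]: SASL [A-Za-z-]* authentication failed.*/\1/p'
}

# Count failures per address and ban the ones at or above MAXRETRY.
ban_from_log() {
    ips_from_log | sort | uniq -c | while read -r count ip; do
        if [ "$count" -ge "$MAXRETRY" ]; then ban_ip "$ip"; fi
    done
}

# Constructed sample log: 203.0.113.5 fails three times, 198.51.100.7 once.
SAMPLE_LOG='Jun 21 07:20:01 mx postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 21 07:20:02 mx postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Jun 21 07:20:03 mx postfix/smtpd[1235]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 21 07:20:04 mx postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6'
```

Run `DRY_RUN=1 sh -c '. ./blocklist.sh; setup_blocklist; printf "%s\n" "$SAMPLE_LOG" | ban_from_log'` to see the commands without touching the firewall; as root without DRY_RUN the same calls create the set, insert the one rule and ban 203.0.113.5 only.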
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop