On Sun, 8 Jun 2014, li...@rhsoft.net wrote:

On 08.06.2014 17:18, Joe Laffey wrote:
On Sun, 8 Jun 2014, Kai Krakow wrote:

Noel Jones <njo...@megan.vbhcs.org> wrote:

But I want to (automatically) block the suspicious networks and not first
block all then whitelist the known-good.

Not sure I completely understand the issue, but is this something where you
could use fail2ban to monitor your logs in real time and autoban via iptables
any IP that had failed logins? You could whitelist your own IP range so they
never get banned regardless.

the idea of using a RBL is that you can set up your own honeypot
like i did last weekend, feed your own RBL and most likely get
only real bad bots and *before* they ever touch your machine

our honeypot is using free public IPs and listens on every
common port writing every connecting IP into a RBL

within a week 40000 client IPs and 15%-20% don't expire
after the configured 7 days because they always come back

you can assume no customer ever will touch the honeypot


Could you possibly set up a honeypot that feeds its logs via syslogging to your main server... then use fail2ban to ban IPs from that log as well? You could even use separate regexes that matched only logs from the honeypot and have a much greater ban time on those.

I do see the speed advantage to an RBL, and we used to run one that was mainly manually set up (using djbdns's rbl). I have just fallen in love with the auto operation of tools like fail2ban.

Either way, the honeypot is a good idea to catch some known spammers. Though are we talking about spammers trying to guess SASL passwords, or ones that already have account credentials, or open relays?

Note that I believe fail2ban could be set up with custom regexps to be used as a rate limiting tool for sending mail with valid credentials. Perhaps not the best solution for that, as it completely blocks the IP, but it would be automatic.


--
Joe Laffey
The Stable
Visual Effects
http://TheStable.tv/?e34525M/
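The setup Joe sketches above (honeypot syslog forwarded to the main server, a honeypot-only regex with a much longer ban time, own range whitelisted, and the same maxretry/findtime mechanism doing duty as a crude rate limiter) can be shown as a small fail2ban-style evaluator. This is an added example, not code from the thread or from fail2ban itself; the log lines are constructed, the "honeypot-listener" daemon and the jail names are hypothetical, and the regexes are written for Postfix's SASL failure warning as it appears in a central syslog.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog (not from the original thread). Two hosts log to
# the same central syslog: "mx1" is the real mail server, "honeypot" is the
# decoy. The honeypot daemon name "honeypot-listener" is hypothetical.
SAMPLE_LOG = """\
Jun  8 17:20:01 mx1 postfix/smtpd[1234]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure
Jun  8 17:20:05 mx1 postfix/smtpd[1234]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure
Jun  8 17:20:09 mx1 postfix/smtpd[1234]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure
Jun  8 17:20:30 honeypot honeypot-listener[77]: connect from 198.51.100.7 port 25
Jun  8 17:21:00 mx1 postfix/smtpd[1240]: warning: unknown[192.0.2.5]: SASL LOGIN authentication failed: authentication failure
Jun  8 17:21:02 mx1 postfix/smtpd[1240]: warning: unknown[192.0.2.5]: SASL LOGIN authentication failed: authentication failure
Jun  8 17:21:03 mx1 postfix/smtpd[1240]: warning: unknown[192.0.2.5]: SASL LOGIN authentication failed: authentication failure
Jun  8 17:22:00 mx1 postfix/smtpd[1250]: warning: unknown[203.0.113.99]: SASL LOGIN authentication failed: authentication failure
Jun  8 18:30:00 mx1 postfix/smtpd[1250]: warning: unknown[203.0.113.99]: SASL LOGIN authentication failed: authentication failure
Jun  8 18:31:00 mx1 postfix/smtpd[1250]: warning: unknown[203.0.113.99]: SASL LOGIN authentication failed: authentication failure
"""


class Jail:
    """A jail in the fail2ban sense: a filter regex with an "ip" group, how many
    matches (maxretry) inside a sliding window (findtime) trigger a ban, and
    how long the ban lasts (bantime)."""

    def __init__(self, name, regex, maxretry, findtime, bantime):
        self.name = name
        self.regex = re.compile(regex)
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.hits = defaultdict(deque)  # ip -> timestamps of recent matches


JAILS = [
    # Real SASL login failures on the mail server: 3 in 10 minutes -> 1 hour ban.
    # The same maxretry/findtime knobs are what turn this into a rate limiter
    # if the regex is pointed at successful submissions instead of failures.
    Jail("postfix-sasl",
         r"\bmx1 postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[\d.]+)\]: "
         r"SASL \w+ authentication failed",
         maxretry=3, findtime=600, bantime=3600),
    # Forwarded honeypot lines: the regex is pinned to the honeypot hostname so
    # it never matches the real server, and one hit is enough for a 7-day ban.
    Jail("honeypot",
         r"\bhoneypot honeypot-listener\[\d+\]: connect from (?P<ip>[\d.]+)",
         maxretry=1, findtime=600, bantime=7 * 24 * 3600),
]

# Our own address range (hypothetical): never banned, whatever it does.
IGNORE_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def is_ignored(ip, nets=IGNORE_NETS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def syslog_time(line):
    # Syslog timestamps carry no year; only relative order matters here.
    return datetime.strptime(" ".join(line.split()[:3]), "%b %d %H:%M:%S")


def run_jails(log_text, jails=JAILS, nets=IGNORE_NETS):
    """Return {ip: (jail_name, ban_expiry)} for every address a jail bans."""
    bans = {}
    for line in log_text.splitlines():
        for jail in jails:
            m = jail.regex.search(line)
            if not m:
                continue
            ip, now = m.group("ip"), syslog_time(line)
            if is_ignored(ip, nets) or ip in bans:
                break
            window = jail.hits[ip]
            window.append(now)
            # Drop hits that fell out of the findtime window.
            while window and now - window[0] > jail.findtime:
                window.popleft()
            if len(window) >= jail.maxretry:
                bans[ip] = (jail.name, now + jail.bantime)
            break  # a line belongs to at most one jail
    return bans


if __name__ == "__main__":
    for ip, (jail, until) in run_jails(SAMPLE_LOG).items():
        print(f"{ip:16} banned by {jail:13} until {until:%b %d %H:%M:%S}")
```

Running it bans 203.0.113.10 (three failures in eight seconds) for an hour and 198.51.100.7 (one honeypot connect) for a week, leaves 192.0.2.5 alone because it is inside the whitelisted range, and does not ban 203.0.113.99, whose three failures are spread over more than the ten-minute findtime. That last case is the one to keep in mind when tuning findtime against slow, patient guessers.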
