* Alessandro Vesely via mailop:
> Research shows that thousands of rules are fine, but hundreds of
> thousands bring it to its knees. I attach a picture.
Nobody spoke of hundreds of thousands of rules. That includes the
OP. Unless this magnitude is ever even remotely reached, I see little
incenti
On Fri 21/Jun/2024 18:12:13 +0200 Ralph Seichter via mailop wrote:
* Jeff Pang via mailop:
> given that currently I have 3000+ blocked IPs, for every normal client request
> to submission, the IP will be checked against that 3000+ list, which
> certainly slows down the normal client's connection.
I consider
before it gets resolved I have to take time to do:
1. set up iptables + ipset for fail2ban, or
2. update the system to use nftables, or
3. use null route, and/or
4. use spamhaus XBL
Thanks for all the help.
regards
But I feel like this discussion has been resolved already.
--
Jeff Pang
jef
On Fri, 2024-06-21 at 01:01 +, Ferris, Rhys (SCC) via mailop
wrote:
> I guess my mentality is a large IPTables is still less of a load
> than letting them establish a connection and attempt to
> authenticate, but I'm certainly open to better ideas.
Somewhat OT, but if you can switch t
* Jeff Pang via mailop:
> given that currently I have 3000+ blocked IPs, for every normal client request
> to submission, the IP will be checked against that 3000+ list, which
> certainly slows down the normal client's connection.
I consider this a case of "measure, don't guess". I am right now logged
into
Matus UHLAR - fantomas via mailop skrev den 2024-06-21 17:27:
But I feel like this discussion has been resolved already.
unless :)
I have solved it by just knowing my customers' ASNs, and only allowing their ISP
ASNs; this saves many more lines in shorewall than if I did
shorewall blacklisti
On 2024-06-21 04:53, Jeff Pang via mailop wrote:
> given that currently I have 3000+ blocked IPs,
> for every normal client request to submission,
> the IP will be checked against that 3000+ list,
> which certainly slows down the normal client's connection.
On 21.06.24 10:57, Anthony Howe via mailop wrote:
I th
On 2024-06-21 04:53, Jeff Pang via mailop wrote:
> given that currently I have 3000+ blocked IPs,
> for every normal client request to submission,
> the IP will be checked against that 3000+ list,
> which certainly slows down the normal client's connection.
I think you are worrying about nothing.
3000+ IPv4 o
On 2024-06-21 22:04, Bill Cole via mailop wrote:
On 2024-06-20 at 20:10:32 UTC-0400 (Fri, 21 Jun 2024 08:10:32 +0800)
Jeff Pang via mailop
is rumored to have said:
> And in an hour it has double the IPs blocked.
> $ sudo iptables -L -n|grep DROP|wc -l
> 2805
> any idea?
About what?
Unless you are ser
On 2024-06-21 at 02:56:44 UTC-0400 (Fri, 21 Jun 2024 08:56:44 +0200)
Dominique Rousseau via mailop
is rumored to have said:
> Also, if the same IPs are coming back often, you could look at the
> "recidive" rules, for long term ban, and/or (semi)manually check
> whether
> IPs are from some common netblo
On 2024-06-20 at 20:10:32 UTC-0400 (Fri, 21 Jun 2024 08:10:32 +0800)
Jeff Pang via mailop
is rumored to have said:
> And in an hour it has double the IPs blocked.
> $ sudo iptables -L -n|grep DROP|wc -l
> 2805
> any idea?
About what?
Unless you are seriously memory or cpu-constrained, 2805 simple drop
Dňa 21. júna 2024 13:43:15 UTC používateľ Alessandro Vesely via mailop
napísal:
>Login attempts don't seem to follow any kind of decent dictionary attack
>strategy, as they try random userid/password combinations, and repeat failed
>ones.
My dovecot's auth daemon (mentioned early) can distin
On Fri 21/Jun/2024 14:55:16 +0200 Slavko via mailop wrote:
Dňa 21. júna 2024 11:50:23 UTC používateľ Alessandro Vesely via mailop
napísal:
> That db currently holds 2,014,973 records. Rather than ipset or single
> iptables rules, the IPs are stored on a Berkeley DB. They get blocked by a few
Dňa 21. júna 2024 11:50:23 UTC používateľ Alessandro Vesely via mailop
napísal:
>That db currently holds 2,014,973 records. Rather than ipset or single
>iptables rules, the IPs are stored on a Berkeley DB. They get blocked by a
>few iptables rules ending in -j NFQUEUE. That passes the packe
Am 21.06.2024 um 10:46:02 Uhr schrieb L. Mark Stone via mailop:
> It's not uncommon for us to be blocking 30K-50K IP addresses, with no
> performance issues. Reboots do take about a minute or two longer
> however; Fail2Ban rewrites the route table on service start/stop to
> populate/depopulate the
On Fri, 21 Jun 2024, Jeff Pang via mailop wrote:
> today I cleared up the iptables rules and ran fail2ban again.
> in half an hour, it blocked 1400+ IPs.
> $ sudo iptables -L -n|grep DROP|wc -l
> 1407
> it seems the black IPs are coming endlessly.
> most of the bad actions are like this one:
> postfix/smtps
that's really nice info. I will read them. thanks.
Consider switching to ipset-s or null routes, both have a lower overhead
than plain rules.
Ipset-s also have the benefit of supporting expiration (timeout).
--
Jeff Pang
jeffp...@aol.com
On Fri, Jun 21, 2024 at 10:46:02AM +, L. Mark Stone via mailop wrote:
> We use "route" as the banaction in our Fail2Ban.
If iptables or other filtering performance is a concern, I would definitely
support the suggestion to use blackhole routes instead.
Searching on obvious keywords dug out th
On Fri 21/Jun/2024 10:55:53 +0200 Jeff Pang wrote:
> Here is the drop list by iptables,
> https://cloud.hostcache.com/drop.list
> can you help take a look?
Of those 2805 addresses, 2726 are also on my block db, 79 are not.
That db currently holds 2,014,973 records. Rather than ipset or single
ip
thanks Mark. i will check the docs to see how route works.
There is a Zimbra-specific blog post
here: https://wiki.zimbra.com/wiki/Configure_Fail2Ban_for_Zimbra_Server_with_route_instead_of_iptables_to_block_IPs
Our filter/jail for a Zimbra-specific nginx add-on is here (again,
Zimbra-specifi
Consider switching to ipset-s or null routes, both have a lower overhead
than plain iptables rules.
We've tested ipsets with hundreds of thousands of IPs, ipset-s also have
the benefit of supporting entry expiration (timeout).
m: "Jeff Pang via mailop"
| To: "Mailop Mailing List"
| Sent: Thursday, June 20, 2024 7:20:17 PM
| Subject: [mailop] too many bad IP blocked
| today I cleared up the iptables rules and ran fail2ban again.
| in half an hour, it blocked 1400+ IPs.
|
| $ sudo iptables -L -n|grep
Am 21.06.2024 um 16:55:53 Uhr schrieb Jeff Pang via mailop:
> Here is the drop list by iptables,
> https://cloud.hostcache.com/drop.list
>
> can you help take a look?
You can create a small script that parses the addresses to the
application rblcheck in linux. IIRC ipset also offers a way to for
Here is the drop list by iptables,
https://cloud.hostcache.com/drop.list
can you help take a look?
regards.
You can also use dnsbl (that may run locally) if that is faster.
Is a valuable amount of those IPs listed in blocklist.de, spamhaus,
uceprotect etc.?
--
Jeff Pang
jeffp...@aol.com
Dňa 21. 6. o 6:57 Viktor Dukhovni via mailop napísal(a):
> That said, it seemed reasonable to implement a recent suggestion from
> the Postfix list and block XBL-listed IPs from connecting to my
> submission services. This had a rather noticeable effect on the rate of
> failed SASL probes. The suggest
Thanks Dominique. I will check ipset and learn it.
iirc, current fail2ban can put the banned IPs in an ipset, which is very
efficient for iptables filtering.
--
Jeff Pang
jeffp...@aol.com
___
mailop mailing list
mailop@mailop.org
https://list.mailop.
Dňa 21. 6. o 8:44 Matus UHLAR - fantomas via mailop napísal(a):
> Not sure about nftables.
nowadays both, the iptables & nftables, share the same netfilter code/hooks.
regards
--
Slavko
https://www.slavino.sk/
given that currently I have 3000+ blocked IPs,
for every normal client request to submission,
the IP will be checked against that 3000+ list,
which certainly slows down the normal client's connection.
regards.
what is a theoretical performance hit worth to you, when compared to the
possible cost of eve
never know ipsets. I will check it. thank you.
regards.
ipsets should be much more effective to work and maintain than iptables.
--
Jeff Pang
jeffp...@aol.com
I will try to use spamhaus XBL for submission. thanks Viktor.
the Postfix list and block XBL-listed IPs from connecting to my
--
Jeff Pang
jeffp...@aol.com
Hi Jeff,
Le Fri, Jun 21, 2024 at 07:20:17AM +0800, Jeff Pang via mailop
[mailop@mailop.org] a écrit:
> today I cleared up the iptables rules and ran fail2ban again.
> in half an hour, it blocked 1400+ IPs.
>
> $ sudo iptables -L -n|grep DROP|wc -l
> 1407
>
> it seems the black IPs are coming e
On 21.06.24 07:20, Jeff Pang via mailop wrote:
> today I cleared up the iptables rules and ran fail2ban again.
> in half an hour, it blocked 1400+ IPs.
> $ sudo iptables -L -n|grep DROP|wc -l
> 1407
I use ipset:
REJECT tcp -- anywhere anywhere match-set
block-mail src rej
Am 21.06.2024 um 07:20:17 Uhr schrieb Jeff Pang via mailop:
> postfix/smtps/smtpd[451948]: warning: unknown[211.184.190.87]: SASL
> LOGIN authentication failed: UGFzc3dvcmQ6
>
> I am afraid too many iptables will slow down the performance of
> systems. do you have any suggestion for handling t
* Jeff Pang via mailop:
> postfix/smtps/smtpd[451948]: warning: unknown[211.184.190.87]: SASL
> LOGIN authentication failed: UGFzc3dvcmQ6
>
> I am afraid too many iptables will slow down the performance of systems.
Are you worried about iptables slowing systems down compared to Postfix
(and what
On Fri, Jun 21, 2024 at 07:20:17AM +0800, Jeff Pang via mailop wrote:
> It seems the black ips are coming endlessly. Most of the bad actions
> are like this one:
>
> postfix/smtps/smtpd[451948]: warning: unknown[211.184.190.87]: SASL LOGIN
> authentication failed: UGFzc3dvcmQ6
>
> I am afraid
>
> On 21. Jun 2024, at 05:15, Raymond Burkholder via mailop
> wrote:
>
> On 2024-06-20 17:20, Jeff Pang via mailop wrote:
>> today I cleared up the iptables rules and ran fail2ban again.
>> in half an hour, it blocked 1400+ IPs.
>>
>> $ sudo iptables -L -n|grep DROP|wc -l
>> 1407
>>
>> I am
On 2024-06-20 17:20, Jeff Pang via mailop wrote:
> today I cleared up the iptables rules and ran fail2ban again.
> in half an hour, it blocked 1400+ IPs.
> $ sudo iptables -L -n|grep DROP|wc -l
> 1407
> I am afraid too many iptables rules will slow down the performance of systems.
> do you have any suggestion for
I guess my mentality is a large IPTables is still less of a load than letting
them establish a connection and attempt to authenticate, but I'm certainly open
to better ideas.
Rhys (R-ee-s) Ferris
Internet Mail Team | SMAS Support Team
U.S. Senate
Sent from my mobile device
On Jun 20, 2024 8:38
And in an hour it has double the IPs blocked.
$ sudo iptables -L -n|grep DROP|wc -l
2805
any idea?
Thanks
today I cleared up the iptables rules and ran fail2ban again.
in half an hour, it blocked 1400+ IPs.
$ sudo iptables -L -n|grep DROP|wc -l
1407
it seems the black IPs are coming endlessly.
m
today I cleared up the iptables rules and ran fail2ban again.
in half an hour, it blocked 1400+ IPs.
$ sudo iptables -L -n|grep DROP|wc -l
1407
it seems the black IPs are coming endlessly.
most of the bad actions are like this one:
postfix/smtps/smtpd[451948]: warning: unknown[211.184.190.87]: