"Michael Smith (DF)" writes:

Or another option: are there any good DNS-based RBLs for botnet IPs, and
is there any way to tie that in to the dovecot auth system? I've been
looking for botnet RBLs, but what I've found so far doesn't seem to
work very well.  Most of the IPs that I've had to firewall don't exist
in them.

/dev/rob0 writes:

The problem with using XBL, anyway, is that you might have legitimate
logins from listed hosts. Example: a traveler using hotel wifi. We
(TINW) really would need a new DNSBL type (or a special result) for
this sort of abuse.

It's a nice idea, worth building upon, if someone can fund it (or
find the time to develop it, which really amounts to the same thing.)
Imagine also a Dovecot network of reporters, where brute force
attempts worldwide are reported from Dovecots to the DNSBL, not
merely a one-way tie in.

I'd also suggest listing SSH brute force attacks in the same DNSBL,
possibly with a different result (127.0.0.$port, so IMAP attackers
list as 127.0.0.143, SSH attackers as 127.0.0.22. Yes, we'd have to
incorporate the third quad for ports > 255, but the general idea is
for result codes to be both machine and human readable as much as
possible.)

I use bl.blocklist.de as a DNSRBL for ssh BFD, but I think it also
detects BFD for other protocols:

        http://www.blocklist.de/en/index.html

The nice thing about this RBL is that you can also contribute by
configuring your Fail2Ban/DenyHost to forward logs to the maintainers,
to widen the detection network.  I get about a 60% hit on ssh BFD attacks.

I also found

        http://openbl.org

but they distribute it as a downloadable file rather than as a DNSRBL.
Maybe I can introduce the latter to the former.

Joseph Tam <jtam.h...@gmail.com>
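As an added illustration of the two things discussed above, the standard reversed-octet DNSBL lookup (as used with bl.blocklist.de) and the proposed 127.0.0.$port result encoding, here is example code that is not from the thread or from any of the projects mentioned. The zone name is a placeholder, and the split of ports above 255 across the third and fourth octets is one reading of "incorporate the third quad"; the resolver is injectable so the logic can be exercised offline.

```python
import ipaddress
import socket
from typing import Callable, List, Optional

# Placeholder zone for illustration only; not a real DNSBL.
ZONE = "bfd.example.invalid"


def query_name(ip: str, zone: str = ZONE) -> str:
    """Standard DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on bad input
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def encode_result(port: int) -> str:
    """Proposed result code 127.0.<hi>.<lo> with hi*256 + lo == port,
    so 143 -> 127.0.0.143, 22 -> 127.0.0.22, 993 -> 127.0.3.225."""
    if not 0 < port <= 65535:
        raise ValueError("port out of range")
    return f"127.0.{port // 256}.{port % 256}"


def decode_result(answer: str) -> Optional[int]:
    """Inverse of encode_result; None for answers outside 127.0.0.0/16."""
    octets = [int(x) for x in answer.split(".")]
    if len(octets) != 4 or octets[0] != 127 or octets[1] != 0:
        return None
    return octets[2] * 256 + octets[3]


def _system_resolve(name: str) -> List[str]:
    """Default resolver: all A records for name, [] if NXDOMAIN (unlisted)."""
    try:
        return [r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)]
    except socket.gaierror:
        return []


def lookup(ip: str, zone: str = ZONE,
           resolve: Callable[[str], List[str]] = _system_resolve) -> List[int]:
    """Ports (protocols) the DNSBL reports for ip, sorted; [] if unlisted."""
    ports = set()
    for answer in resolve(query_name(ip, zone)):
        port = decode_result(answer)
        if port is not None:
            ports.add(port)
    return sorted(ports)
```

A hit for port 143 only says the address has attacked IMAP somewhere; as noted above, a traveller behind a listed hotel NAT will also match, so a listing is better used to throttle or require stronger auth than to reject outright.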
