On 17/06/2014 18:16, Reindl Harald wrote:
If you have the bllist as a file then you may as well drop with iptables (in Linux) or ipfw (BSD).

> after having my own dnsbl fed by a honeypot and even mod_security supports it for webservers i think dovecot should support the same to prevent dictionary attacks from known bad hosts, in our case that blacklist is 100% trustable and blocks before SMTP-Auth while normal RBL's are after SASL
>
> i admit that i am not a C/C++-programmer, but i think doing the DNS request and in case it has a result block any login attempt should be not too complex
>
> setup an own honeypot and feed rbldnsd with the sources is quite easy and in case of an own, trustable RBL where no foreigners report somebody by mistake it's reliable and scales well over many machines and services as long as services are supporting it
>
> mod_security: http://blog.inliniac.net/2007/02/23/blocking-comment-spam-using-modsecurity-and-realtime-blacklists/
Use an IP tool for an IP block, not the application. Spamhaus project has a kind of script for this type of thing: http://www.spamhaus.org/faq/section/DROP%20FAQ

I'm quite happy to use fail2ban, yes - dovecot has to handle a few failed logins for each blocked IP, but it works for me and pretty much mitigates the attack.
--
Regards,

Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 8444 780677
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net
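The lookup discussed in this thread (one DNS request per connecting client, refuse the login if the private list answers) can be sketched as follows. This is an added example, not code from the thread, Dovecot or rbldnsd; the zone name `bl.example.internal`, the function names and the sample zone data are assumptions.

```python
import ipaddress
import socket

# Hypothetical zone for a private rbldnsd-served list (assumption, not from the thread).
ZONE = "bl.example.internal"

# Constructed stand-in for the zone contents so the example runs offline.
SAMPLE_ZONE = {"7.113.0.203." + ZONE: "127.0.0.2"}


def sample_resolve(name):
    """Constructed resolver: answers from SAMPLE_ZONE, NXDOMAIN otherwise."""
    if name in SAMPLE_ZONE:
        return SAMPLE_ZONE[name]
    raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")


def dnsbl_query_name(ip, zone=ZONE):
    """Build the lookup name: reversed octets (IPv4) or reversed nibbles (IPv6)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def is_listed(ip, zone=ZONE, resolve=socket.gethostbyname, fail_open=True):
    """Return True when the list holds an A record in 127.0.0.0/8 for this client.

    NXDOMAIN means "not listed". Any other resolver failure (timeout, SERVFAIL)
    follows fail_open: True lets the login proceed, False refuses it.
    """
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return False
        return not fail_open
    # Only 127.0.0.0/8 answers are listing codes; any other address (for
    # example a wildcard or rewritten answer) is not treated as a listing.
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


if __name__ == "__main__":
    for client in ("203.0.113.7", "198.51.100.9"):
        print(client, "listed" if is_listed(client, resolve=sample_resolve) else "clean")
```

The `fail_open` switch decides what happens when the list's DNS server is unreachable: refusing logins in that case turns a DNS outage into a mail outage, while allowing them drops the protection until the resolver recovers.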