On 17.06.2014 19:43, Giles Coochey wrote:
> On 17/06/2014 18:16, Reindl Harald wrote:
>> after having my own dnsbl fed by a honeypot and even
>> mod_security supports it for webservers i think dovecot
>> should support the same to prevent dictionary attacks from
>> known bad hosts, in our case that blacklist is 100%
>> trustable and blocks before SMTP-Auth while normal RBLs
>> are after SASL
>>
>> i admit that i am not a C/C++ programmer, but i think
>> doing the DNS request and in case it has a result blocking
>> any login attempt should be not too complex
>>
>> setting up an own honeypot and feeding rbldnsd with the sources
>> is quite easy and in case of an own, trustable RBL where
>> no foreigners report somebody by mistake it's reliable
>> and scales well over many machines and services as long
>> as the services support it
>>
>> mod_security:
>> http://blog.inliniac.net/2007/02/23/blocking-comment-spam-using-modsecurity-and-realtime-blacklists/
>>
> If you have the blacklist as a file then you may as well drop with iptables (in
> Linux) or ipfw (BSD).
>
> Use an IP tool for an IP block, not the application.
>
> Spamhaus project has a kind of script for this type of thing:
>
> http://www.spamhaus.org/faq/section/DROP%20FAQ
>
> I'm quite happy to use fail2ban, yes - dovecot has to handle a few failed
> logins for each blocked IP, but it works
> for me and pretty much mitigates the attack
that's not the point, to achieve the same as with an RBL you need to manipulate iptables on every machine - the RBL is central for HTTP/SMTP and so it makes sense to use it also for IMAP/POP3

additionally you have no log - that's bad, with an RBL you have a dedicated log containing much more data than source / target IP and ports

also i don't want to have fail2ban on every machine, the point of an RBL with a honeypot is that bad machines are blocked for 7 days just because they touch any unused IP and likely before they even hit the production servers

iptables rules are managed here also centralized over a lot of machines and i really don't want to marry the honeypot with the iptables
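The pre-SASL DNSBL check proposed in this thread, as an added example that is neither Reindl's code nor anything from Dovecot: it builds the reversed-octet (or reversed-nibble) query name for the client IP, asks a constructed stand-in for the rbldnsd zone (hypothetical zone name, so it runs offline), and returns the per-attempt record that makes the "dedicated log" argument concrete. The 127.0.0.0/8 sanity check is the usual DNSBL answer convention, not something the thread specifies.

```python
import ipaddress
from typing import Callable, Optional

# Hypothetical private zone fed by the honeypot; the name is constructed.
ZONE = "dnsbl.example.invalid"

# Constructed stand-in for rbldnsd answers so the example runs offline.
# A real check would do a DNS A-record lookup of the query name instead.
LISTED = {
    "4.3.2.1." + ZONE: "127.0.0.2",   # 1.2.3.4 touched the honeypot
    "9.8.7.6." + ZONE: "10.0.0.1",    # bogus answer outside 127/8 (e.g. wildcard DNS)
}


def rbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: reversed octets (v4) or reversed nibbles (v6) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(addr.exploded.split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def fake_resolve(name: str) -> Optional[str]:
    """Offline resolver over the constructed table; None means NXDOMAIN (not listed)."""
    return LISTED.get(name)


def check_login_source(ip: str, zone: str = ZONE,
                       resolve: Callable[[str], Optional[str]] = fake_resolve) -> dict:
    """Decide before SASL whether a client IP is listed; return a record worth logging."""
    query = rbl_query_name(ip, zone)
    answer = resolve(query)
    record = {"ip": ip, "zone": zone, "query": query, "answer": answer, "blocked": False}
    if answer is None:
        return record                      # not listed: let the login attempt proceed
    # DNSBLs answer from 127.0.0.0/8; anything else is not a listing (typo in the
    # zone name, wildcard DNS, captive resolver), so fail open rather than lock users out.
    try:
        valid = ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")
    except ValueError:
        valid = False
    if not valid:
        record["reason"] = "ignored non-127/8 answer"
        return record
    record["blocked"] = True
    record["reason"] = "listed in " + zone
    return record
```

The returned record carries the query name and the answer code, which is the extra data a firewall drop never logs.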