On 17.06.2014 20:23, Giles Coochey wrote:
> On 17/06/2014 18:56, Reindl Harald wrote:
>>
>> On 17.06.2014 19:43, Giles Coochey wrote:
>>> On 17/06/2014 18:16, Reindl Harald wrote:
>>>> after having my own dnsbl fed by a honeypot, and even
>>>> mod_security supports it for webservers, i think dovecot
>>>> should support the same to prevent dictionary attacks from
>>>> known bad hosts; in our case that blacklist is 100%
>>>> trustable and blocks before SMTP-Auth, while normal RBLs
>>>> are checked after SASL
>>>>
>>>> i admit that i am not a C/C++ programmer, but i think
>>>> doing the DNS request and, in case it has a result, blocking
>>>> any login attempt should not be too complex
>>>>
>>>> setting up your own honeypot and feeding rbldnsd with the sources
>>>> is quite easy, and in the case of your own, trustable RBL where
>>>> no foreigners report somebody by mistake it's reliable
>>>> and scales well over many machines and services, as long
>>>> as the services support it
>>>>
>>>> mod_security:
>>>> http://blog.inliniac.net/2007/02/23/blocking-comment-spam-using-modsecurity-and-realtime-blacklists/
>>>>
>>> If you have the blacklist as a file then you may as well drop with iptables
>>> (in Linux) or ipfw (BSD).
>>>
>>> Use an IP tool for an IP block, not the application.
>>>
>>> Spamhaus project has a kind of script for this type of thing:
>>>
>>> http://www.spamhaus.org/faq/section/DROP%20FAQ
>>>
>>> I'm quite happy to use fail2ban, yes - dovecot has to handle a few failed
>>> logins for each blocked IP, but it works
>>> for me and pretty much mitigates the attack
>> that's not the point: to achieve the same as with an RBL you
>> need to manipulate iptables on every machine - the RBL is
>> central for HTTP/SMTP, and so it makes sense to use
>> it also for IMAP/POP3
> Or just do it on the firewall...

* you need to centralize it
* it doesn't fit my environment

>> additionally you have no log - that's bad; with an RBL you have a
>> dedicated log containing much more data than source / target IP
>> and ports
> Iptables has a log option

please read again what you quoted
iptables logs hardly contain the username
postfix rejections based on RBLs contain From/To
a huge difference when it comes to analyzing logs
iptables logs are *packet based*

>> also i don't want to have fail2ban on every machine; the point
>> of an RBL with a honeypot is that bad machines are blocked
>> for 7 days just because they touch any unused IP, and likely
>> before they even hit the production servers
> That's your personal choice

yes, and that's why i asked for RBL support and not fail2ban

>> iptables rules are managed here also centralized over a lot
>> of machines, and i really don't want to marry the honeypot with
>> the iptables
> That's specific to your deployment

yes, that's why i ask for a feature
i know fail2ban and similar tools well

> I don't know how much use such a feature within dovecot would get as there
> are quite a few specific tools that
> could accomplish pretty much the same goals of what you're looking for - it
> is just unfortunate that they don't
> fit in your own environment.

yes
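What the requested feature would amount to, as an added example that is not Dovecot code and not code from either participant in the thread: a pre-authentication DNSBL check. It builds the conventional query name (IPv4 octets reversed, or the 32 reversed nibbles of an expanded IPv6 address), treats NXDOMAIN as "not listed", only accepts answers inside 127.0.0.0/8 so a hijacked or expired zone returning arbitrary addresses fails open, and emits a log line carrying the username and the list that fired, which is the detail the reply above says a packet-based iptables log lacks. The zone name `rbl.example`, the `FAKE_ZONE` answers and `fake_resolve` are constructed test data standing in for an rbldnsd instance; the resolver is injectable so the check runs offline, and the real default is the stdlib `socket.gethostbyname`.

```python
"""Pre-auth DNSBL check (illustrative; not Dovecot's code).

"rbl.example", FAKE_ZONE and fake_resolve are constructed sample data.
"""
import ipaddress
import socket

# Networks that are never subjected to the blocklist (assumed policy).
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name for `ip` under `zone`.

    IPv4: octets reversed      192.0.2.10  -> 10.2.0.192.<zone>.
    IPv6: 32 hex nibbles of the expanded address, reversed, one per label.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone.rstrip(".") + "."


def dnsbl_lookup(ip: str, zone: str, resolve=socket.gethostbyname):
    """Return the listing code (an address in 127.0.0.0/8) or None if unlisted.

    NXDOMAIN surfaces from gethostbyname as socket.gaierror, i.e. "not listed".
    Any answer outside 127.0.0.0/8 (a wildcard from a hijacked or expired zone)
    is ignored rather than trusted, so a broken list fails open.
    """
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None
    if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
        return answer
    return None


def pre_auth_decision(ip: str, user: str, zone: str, resolve=socket.gethostbyname):
    """Decide before the password is looked at; return (reject, log_line).

    The log line carries the username and the list that fired, which is the
    information a packet-level firewall log cannot contain.
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in TRUSTED_NETS):
        return False, f"allow rip={ip} user={user} reason=trusted-net"
    code = dnsbl_lookup(ip, zone, resolve)
    if code is None:
        return False, f"allow rip={ip} user={user} reason=not-listed zone={zone}"
    return True, f"reject rip={ip} user={user} reason=dnsbl zone={zone} code={code}"


# Constructed sample zone standing in for an rbldnsd instance (not real data).
FAKE_ZONE = {
    "10.2.0.192.rbl.example.": "127.0.0.2",
    "1." + "0." * 23 + "8.b.d.0.1.0.0.2.rbl.example.": "127.0.0.2",  # 2001:db8::1
    "1.1.1.1.rbl.example.": "93.184.216.34",  # bogus non-127 answer: must not block
}


def fake_resolve(name: str) -> str:
    """Offline stand-in for socket.gethostbyname over FAKE_ZONE."""
    try:
        return FAKE_ZONE[name]
    except KeyError:
        raise socket.gaierror(-2, "Name or service not known")


if __name__ == "__main__":
    for ip, user in [("192.0.2.10", "alice"), ("198.51.100.7", "bob"),
                     ("2001:db8::1", "carol"), ("1.1.1.1", "dave"), ("127.0.0.1", "root")]:
        _, line = pre_auth_decision(ip, user, "rbl.example", fake_resolve)
        print(line)
```

In a real deployment the check sits in the login process before any credential is read, the DNS lookup needs a short timeout so a slow resolver cannot stall logins, and the reject line goes to the same log as the authentication failures so a blocked IP and the username it targeted appear together.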