On Monday 02 March 2015 05:02:49 Jochen Bern wrote:
> On 03/01/2015 08:53 AM, Jim Pazarena wrote:
> > I wonder if there is an easy way to provide dovecot a flat text file
> > of ipv4 #'s which should be ignored or dropped?
> >
> > I have accumulated 45,000+ IPs which routinely try dictionary and
> > 12345678 password attempts. The file is too big to create firewall
> > drops [...]
>
> The inherent assumption here is that dovecot, using a "flat file",
> will be able to process the block list more effectively than the
> firewall, which is a tool written for the *purpose* but supposedly
> unable to even *try* due to the list's size. That sounds ...
> counterintuitive.
>
> To clarify, the governing influence on performance of *most* firewalls
> is the average number of rules a packet has to be matched against, and
> the two main tools to help with that are (if I may use iptables lingo
> here) a) --state ESTABLISHED to get everything but the
> connection-initiating packets out of the way ASAP and b) branching
> tree-like into dedicated-purpose subchains, rather than building
> linear lists. Assuming that the IPs to be blocked are randomly
> distributed, I'd try something along the following lines:
>
> [main chain]
> -m state --state ESTABLISHED,RELATED -j ACCEPT
> -p tcp --dport pop3 -j dove-blocks
> -p tcp --dport imap -j dove-blocks
>
> [subchain dove-blocks]
> -s 1.0.0.0/8 -j sub-1
> -s 2.0.0.0/8 -j sub-2
> ...
> -s 254.0.0.0/8 -j sub-254
>
> [subchain sub-1]
> -s 1.2.0.0/16 -j sub-1-2 # We've seen 1.2.3.4 and 1.2.2.1
> ...
>
> [subchain sub-1-2]
> -s 1.2.2.1 -j DROP
> -s 1.2.3.4 -j DROP
>
> Regards,
> J. Bern

I rather like this idea, but let me point out that this list should be
pre-sorted with something that puts them in numerical order, and that
order then pre-processed again to condense them into sequential blocks.
And those sequential blocks are what you would present to iptables or
ipset.

You might have to trigger a new sort & condense session each time a new
address is harvested and added to the list, but on a busy server that
would have to be much less of a cpu hog than just searching a flat
random list for every access.

I use pop3 for access to 3 accounts, with mailfilter in front of
fetchmail here, and occasionally will sort the reference files, and if
a given class d address block gets hit several times, I re-arrange the
regex to kill on "[xx.xx.xx'" alone, killing the whole class D. I watch
the logs, and I don't recall that this policy has cost me a single
message I should have received.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Gene's Web page <http://geneslinuxbox.net:6309/gene>
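The sort-and-condense pre-processing step described in this reply, plus the branching-subchain layout from the quoted post, as an added example that is not part of the thread and not Dovecot or iptables project code. It takes a flat file of one address (or CIDR) per line such as the one Jim describes, sorts it numerically, collapses adjacent addresses into the fewest CIDR blocks, and then emits either ipset commands or an iptables chain tree that only creates /8 and /16 branches for prefixes that actually hold blocks. The sample addresses, the chain names and the ports are constructed for the example.

```python
import ipaddress

# Constructed sample of a flat block list: duplicates, an unsorted run of
# four consecutive hosts, and one junk line, to exercise every code path.
SAMPLE = """\
1.2.3.4
1.2.2.1
198.51.100.7
198.51.100.5
# a comment line
198.51.100.6
198.51.100.4
203.0.113.9
1.2.3.4
not-an-ip
"""


def parse_blocklist(text):
    """Read one IPv4 host or CIDR per line; skip blanks, comments, junk and duplicates."""
    nets = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets.add(ipaddress.IPv4Network(line))  # a bare host becomes a /32
        except ValueError:
            continue  # unparsable line: keep going rather than abort the reload
    return sorted(nets)


def condense(nets):
    """Merge overlapping and adjacent networks into the minimal sorted CIDR list."""
    return list(ipaddress.collapse_addresses(nets))


def ipset_commands(nets, setname="dove-blocks"):
    """ipset hash:net lookups are O(1) per packet regardless of list size."""
    cmds = [f"ipset -exist create {setname} hash:net"]
    cmds += [f"ipset -exist add {setname} {n}" for n in nets]
    return cmds


def iptables_rules(nets, pop3_port=110, imap_port=143):
    """Emit iptables -A lines for a /8 -> /16 -> host chain tree.

    Blocks wider than a branch are dropped at the level that still contains
    them, so a /8 entry never gets buried in a sub-chain it would not reach.
    """
    chains = {}  # chain name -> ordered rule bodies

    def body(name):
        return chains.setdefault(name, [])

    for net in nets:
        o = str(net.network_address).split(".")
        if net.prefixlen <= 8:
            body("dove-blocks").append(f"-s {net} -j DROP")
            continue
        sub1 = f"sub-{o[0]}"
        jump1 = f"-s {o[0]}.0.0.0/8 -j {sub1}"
        if jump1 not in body("dove-blocks"):
            body("dove-blocks").append(jump1)
        if net.prefixlen <= 16:
            body(sub1).append(f"-s {net} -j DROP")
            continue
        sub2 = f"{sub1}-{o[1]}"
        jump2 = f"-s {o[0]}.{o[1]}.0.0/16 -j {sub2}"
        if jump2 not in body(sub1):
            body(sub1).append(jump2)
        body(sub2).append(f"-s {net} -j DROP")

    lines = [
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        f"-A INPUT -p tcp --dport {pop3_port} -j dove-blocks",
        f"-A INPUT -p tcp --dport {imap_port} -j dove-blocks",
    ]
    for name, rules in chains.items():
        lines.append(f"-N {name}")
        lines += [f"-A {name} {r}" for r in rules]
    return lines


if __name__ == "__main__":
    blocks = condense(parse_blocklist(SAMPLE))
    print("\n".join(ipset_commands(blocks)))
    print("\n".join(iptables_rules(blocks)))
```

Re-running the script after each harvested address regenerates the whole set, which is the "new sort & condense session" the reply talks about; with ipset the reload can be done atomically by building a second set and using `ipset swap`, so the firewall never sees a half-loaded list.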