Markus Stumpf([EMAIL PROTECTED])@2001.04.25 14:38:38 +0000:
> On Wed, Apr 25, 2001 at 03:12:31AM +0200, Karsten W. Rohrbach wrote:
> > maybe add it to tcpserver?
> 
> tcpserver is not in control of checkpassword and has no knowledge
> of correct/incorrect user:password pairs.
oh yes it is in control of at least the process it calls directly
(qmail-popup) which terminates nonzero on auth error

> 
> The solution I would like most (and which would be rather flexible and
> also working with clusters) would be to have a fast http server (maybe
> based on djb's publicfile).
> This server would have a configurable sized hash table (similar to
> dnscache) and a strategy for expiring entries.
> 
> There would be two clients/APIs:
> - one would send "ip:fail" or "ip:ok"
>   and the server would either increment or delete an internal counter
> - the other would send "ip:query" and the server would return
>   "allow" or "deny".
> These two clients could be placed within the calling queue after
> tcpserver and checkpassword.
tcpserver lacks the feature of connection rate limiting which exactly
would be the application in our case. i also thought about defining a
scheme like openssh does (max simultaneous connections, "soft"
threshold for sessions, percentage of connections to drop) combined with
some advanced tarpitting per ip address (like "accept n connections per
minute from each ip address and back off with delay d and increase that
delay each connection attempt, and perhaps multiply it with the
exit code of the process called).
does this make sense?

> 
> Within this framework one could write other clients/servers that would
> e.g. allow for controlling the number of smtp connects per IP per time
> interval:
> - have a client that sends
>   "ip:connect" to the server and the server returns "ok" or "fail".
>   - if the answer is "ok" give over to the next program in queue
>   - if the answer is "fail" act similar to rblsmtpd and send a 4xx
>     to every SMTP protocol request from the sender.
client server is too error-prone and too mighty for this. we are talking
about pop3 here, not smtp, primarily. the functionality you are talking
about in checkpassword is there afaik with a version that supports ldap.
i would prefer hashing the ip and timestamp directly to disk.

> 
> I've been working on the last server/client with a friend. We have some
> code but it's not finished yet.
> 
>       \Maex
> 
> -- 
> SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
> Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
> Stress is when you wake up screaming and you realize you haven't fallen
> asleep yet.
> 

-- 
> "Dort wo andere Moral besitzen hat sie ein Loch." -- Erich Kaestner
KR433/KR11-RIPE -- http://www.webmonster.de -- ftp://ftp.webmonster.de
[Key] [KeyID---] [Created-] [Fingerprint-------------------------------------]
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE  DF22 3340 4F4E 2964 BF46
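An added example, not code from this thread and not part of qmail, tcpserver or checkpassword: a per-IP tarpit tracker in Python that implements the scheme sketched in the reply above (accept n connections per minute from each IP, then delay further attempts by d, growing with every attempt in the window and multiplied by the exit code of the called program). The class and method names, the policy numbers and the connection attempts in the demo are all constructed for illustration.

```python
import time
from collections import defaultdict, deque

WINDOW = 60.0  # seconds, i.e. "n connections per minute"


class PerIpTarpit:
    """Per-IP connection tracker producing a tarpit delay (constructed example).

    Policy:
      * up to `max_per_window` connections per WINDOW are accepted undelayed;
      * each further attempt in the same window is delayed by `base_delay`
        times the number of excess attempts so far (delay grows per attempt);
      * a nonzero exit status of the called program (e.g. qmail-popup after a
        failed login) multiplies the next delay, so auth failures cost more;
      * an IP that stays quiet for a full WINDOW is forgiven.
    """

    def __init__(self, max_per_window=3, base_delay=2.0):
        self.max_per_window = max_per_window
        self.base_delay = base_delay
        self.attempts = defaultdict(deque)  # ip -> attempt timestamps in WINDOW
        self.excess = defaultdict(int)      # ip -> attempts beyond the limit
        self.last_exit = defaultdict(int)   # ip -> last exit code of the child

    def _prune(self, ip, now):
        q = self.attempts[ip]
        while q and now - q[0] > WINDOW:
            q.popleft()
        if not q:                 # nothing left in the window: reset backoff
            self.excess[ip] = 0

    def connect(self, ip, now=None):
        """Record one connection attempt; return the delay in seconds (0 = accept)."""
        now = time.time() if now is None else now
        self._prune(ip, now)
        self.attempts[ip].append(now)
        if len(self.attempts[ip]) <= self.max_per_window:
            return 0.0
        self.excess[ip] += 1
        # exit code 0 (success) must not zero the delay, hence max(1, ...)
        return self.base_delay * self.excess[ip] * max(1, self.last_exit[ip])

    def child_exited(self, ip, exit_code):
        """Feed back the exit status of the program run for this IP."""
        self.last_exit[ip] = exit_code


if __name__ == "__main__":
    tp = PerIpTarpit()
    for t in range(5):                      # constructed burst from one client
        print("10.0.0.1 at", t, "-> delay", tp.connect("10.0.0.1", now=t))
    tp.child_exited("10.0.0.1", 1)          # simulated auth failure
    print("after failed login -> delay", tp.connect("10.0.0.1", now=5))
```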
