Re: limit connections

2016-12-23 Thread Marcus Schopen via Info-cyrus
Hi Shawn,

On Friday, 23.12.2016 at 16:01 +, Shawn Bakhtiar via Info-cyrus wrote:
> Well... you really should take this to the Ubuntu iptables; start
> there and they may be able to give you a better mailing list that deals
> specifically with iptables:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
>
> Having said that, you don't necessarily need to use
> the iptables-extensions --rsource option; you can just use --limit,
> which is in the standard iptables. This is a Debian example but works
> for any iptables-based system:
> https://debian-administration.org/article/187/Using_iptables_to_rate-limit_incoming_connections
>
> However, I digress. Back to the topic at hand: doing this is going to
> send the user's client (based on the client) into a tiff. It's going to
> assume the server has gone down and warn the user about a lost
> connection. I imagine a user who is unwilling to change his POP
> interval is going to be even more pissed at having his client pop up
> with connection-lost messages.
>
> IMHO it would be far more professional to first implement a rule
> change (update their agreement, or make a corporate policy change),
> then inform users not following those policies/agreements that if they
> don't comply their accounts will be disabled. This is not only good
> corporate governance but it is also non-discriminatory, which means
> the offending user is far less likely to be mad, and far more
> embarrassed that it had to come to this.
>
> Doing what you're trying to do is going to make it look like your
> servers are not working. The user may not understand why every so
> often the client complains that the connection to the server is not
> working, and it may in fact result in a breach of contract/policy if no
> previous policy/agreement has been put into place regarding the issue.
>
> 
Thanks for your time. I definitely agree with your arguments and I'm not
that kind of BOFH who harms users. But if you ask over weeks to stop
that nonsense and the user reduces the interval from 30 seconds to 2
seconds, it's time to play a harder game. And yes, there is a contract
which allows me to disable accounts or block connections if a user
harms, attacks or penetrates the system. Technically the client is an
Exchange server using popcon to fetch emails. So I guess they will have
some errors in the log files of their wild-running box if I block newly
established connections in between.

Happy Christmas to all, have a good time and hope to read you next year!

Cheers,
Marcus




Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus


Re: limit connections

2016-12-23 Thread Shawn Bakhtiar via Info-cyrus
Well... you really should take this to the Ubuntu iptables; start there and 
they may be able to give you a better mailing list that deals specifically with 
iptables:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

Having said that, you don't necessarily need to use the iptables-extensions 
--rsource option; you can just use --limit, which is in the standard iptables. 
This is a Debian example but works for any iptables-based system:
https://debian-administration.org/article/187/Using_iptables_to_rate-limit_incoming_connections

However, I digress. Back to the topic at hand: doing this is going to send the 
user's client (based on the client) into a tiff. It's going to assume the server 
has gone down and warn the user about a lost connection. I imagine a user who 
is unwilling to change his POP interval is going to be even more pissed at 
having his client pop up with connection-lost messages.

IMHO it would be far more professional to first implement a rule change (update 
their agreement, or make a corporate policy change), then inform users not 
following those policies/agreements that if they don't comply their accounts 
will be disabled. This is not only good corporate governance but it is also 
non-discriminatory, which means the offending user is far less likely to be 
mad, and far more embarrassed that it had to come to this.

Doing what you're trying to do is going to make it look like your servers are 
not working. The user may not understand why every so often the client 
complains that the connection to the server is not working, and it may in fact 
result in a breach of contract/policy if no previous policy/agreement has been 
put into place regarding the issue.




On Dec 23, 2016, at 5:06 AM, Marcus Schopen via Info-cyrus wrote:

Hi Bron,

I have a user who logs in every 3 seconds(!) to pop3s with 20 accounts,
completely resistant to changing his POP interval. I'd like to limit him
so as to allow 20 new connections within 5 minutes, then block his
IP for 5 minutes (he is using a static IP) and open the port again after
five minutes. I tried the following rules, but they open the port only
if the client keeps quiet and doesn't connect while the block is set.

Example:

# record every new pop3s connection, keyed by source address
iptables -A INPUT -p tcp -m tcp --dport 995 -m state --state NEW \
    -m recent --set --name pop3s --rsource

# reject once 20 hits have been seen from that source within 300 seconds
iptables -A INPUT -p tcp -m tcp --dport 995 -m state --state NEW \
    -m recent --rcheck --seconds 300 --hitcount 20 --name pop3s --rsource \
    -j REJECT --reject-with icmp-port-unreachable

I know this is off topic and not cyrus specific, but any help would be
great.

cyrus: 2.4.17 on Ubuntu 14.04 LTS.

Ciao
Marcus


limit connections

2016-12-23 Thread Marcus Schopen via Info-cyrus
Hi Bron,

I have a user who logs in every 3 seconds(!) to pop3s with 20 accounts,
completely resistant to changing his POP interval. I'd like to limit him
so as to allow 20 new connections within 5 minutes, then block his
IP for 5 minutes (he is using a static IP) and open the port again after
five minutes. I tried the following rules, but they open the port only
if the client keeps quiet and doesn't connect while the block is set.

Example:

# record every new pop3s connection, keyed by source address
iptables -A INPUT -p tcp -m tcp --dport 995 -m state --state NEW \
    -m recent --set --name pop3s --rsource

# reject once 20 hits have been seen from that source within 300 seconds
iptables -A INPUT -p tcp -m tcp --dport 995 -m state --state NEW \
    -m recent --rcheck --seconds 300 --hitcount 20 --name pop3s --rsource \
    -j REJECT --reject-with icmp-port-unreachable

I know this is off topic and not cyrus specific, but any help would be
great.

cyrus: 2.4.17 on Ubuntu 14.04 LTS.

Ciao
Marcus
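The behaviour asked for above (20 new connections per 5 minutes, then a fixed 5-minute block that lifts even if the client keeps retrying) needs a second recent list: with --set ahead of --rcheck, every rejected attempt also adds a timestamp and keeps the counting window alive. The script below is an added example, not from this thread; it assumes the recent and conntrack matches are available (Ubuntu 14.04 has both), and the chain names, the list name pop3s_block, the variables and the placeholder address 192.0.2.10 are my own.

```shell
#!/bin/sh
# Added example (not from the thread): two xt_recent lists instead of one.
# "pop3s" counts NEW connections per source address; "pop3s_block" records
# sources that crossed the threshold. The block rule only --rcheck's its
# list and never updates it, so a client that keeps retrying does not
# extend its own ban: it expires after BLOCK_SECS regardless, which the
# original single-list rule (--set before --rcheck) could not deliver.
set -eu

IPT="${IPT:-iptables}"            # IPT=echo prints the rules instead of applying them
PORT="${PORT:-995}"
HITS="${HITS:-20}"                # must not exceed xt_recent's ip_pkt_list_tot (default 20)
WINDOW="${WINDOW:-300}"           # seconds in which HITS new connections are allowed
BLOCK_SECS="${BLOCK_SECS:-300}"   # length of the ban once HITS is exceeded
SRC="${SRC:-}"                    # optional: limit one client only, e.g. SRC=192.0.2.10 (placeholder)

pop3s_limit_rules() {
    src_match=""
    if [ -n "$SRC" ]; then src_match="-s $SRC"; fi

    # A dedicated chain keeps INPUT readable and lets you flush the limiter alone.
    $IPT -N POP3S_LIMIT
    $IPT -N POP3S_BAN
    # src_match is intentionally unquoted: it expands to nothing or to "-s ADDR".
    $IPT -A INPUT $src_match -p tcp --dport "$PORT" -m conntrack --ctstate NEW -j POP3S_LIMIT

    # 1. Banned less than BLOCK_SECS ago? Reject without touching either list.
    $IPT -A POP3S_LIMIT -m recent --name pop3s_block --rcheck --seconds "$BLOCK_SECS" \
        -j REJECT --reject-with icmp-port-unreachable
    # 2. HITS connections already counted inside WINDOW? Then this one is over the
    #    limit: ban it. --rcheck runs before --set, so the rejected attempt is not counted.
    $IPT -A POP3S_LIMIT -m recent --name pop3s --rcheck --seconds "$WINDOW" --hitcount "$HITS" \
        -j POP3S_BAN
    # 3. Otherwise record the connection and return to INPUT for the normal decision.
    $IPT -A POP3S_LIMIT -m recent --name pop3s --set -j RETURN

    # Start the ban clock (one --set, never refreshed) and reject like the original rule.
    $IPT -A POP3S_BAN -m recent --name pop3s_block --set \
        -j REJECT --reject-with icmp-port-unreachable
}

# Run as "sh pop3s-limit.sh apply" (or with IPT=echo for a dry run) to install the rules.
if [ "${1:-}" = apply ]; then
    pop3s_limit_rules
fi
```

The lists are keyed per source address, so leave SRC set to the offending static IP unless you are sure no other users sit behind a shared address; otherwise a NAT gateway full of well-behaved clients would be banned along with the noisy one.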