Connection throttling POP3.

Matthew Schumacher matt.s at aptalaska.net
Mon May 21 18:35:17 EDT 2007


Blake Hudson wrote:
> 
> These types of threats are becoming more and more common and in reaction
> awareness is increasing and more software seems to be implementing
> mechanisms to cope. I would personally love to see Cyrus implement some
> sort of connection limit or throttling per IP/network/user. The current
> process limits do help ensure that one daemon does not make the machine
> unusable, but does nothing to prevent a DoS attack.
> 
> -Blake

I agree with Blake; while I can do it with iptables, it's not a good
solution.

The first iptables suggestion blocked the offending IP, which is fine,
but also requires me to babysit the server.  The second suggestion would
correctly limit connections, but if I'm reading it right, would lump all
connections together, not just connections per originating IP address.

The pam suggestion doesn't really free up processes since the
connections would still be made, not to mention that I'm not using pam,
so that is pretty much out.

Fail2ban is interesting (I could whip this up in perl in 10 minutes) but
it's kind of a hack.

In the end it would be best to have this part of cyrus.  That way we can
do different things based on number of connections in a time period,
number of simultaneous connections, or password failure.

Perhaps someone can add it to the wish list, I would write it myself
except my C skills are lacking.  Perhaps I'll just write some perl hack
to scan the logs until there is a better way to do it.

Thanks,
schu
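As an added illustration of the "scan the logs" approach discussed above (this is not code from the thread or from the Cyrus project), the following Python script does what the poster describes wanting: it keeps a sliding window per originating IP address and flags addresses that exceed a connection count or a password-failure count within that window. The log line format, the sample lines, the thresholds and the window length are all constructed assumptions for the example; real Cyrus pop3d syslog output will differ, so the regular expression is the part to adapt. The script only reports offenders; what to do with them (a firewall rule, an alert) is a separate step.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines. The layout only loosely resembles what a
# POP3 daemon writes and is an assumption of this example, not a real capture.
SAMPLE_LOG = """\
May 21 18:00:01 mail pop3d[4101]: login: client1.example.net [192.0.2.10] alice plaintext User logged in
May 21 18:00:02 mail pop3d[4102]: badlogin: scanner.example.org [198.51.100.7] plaintext bob authentication failure
May 21 18:00:05 mail pop3d[4103]: badlogin: scanner.example.org [198.51.100.7] plaintext carol authentication failure
May 21 18:00:09 mail pop3d[4104]: badlogin: scanner.example.org [198.51.100.7] plaintext dave authentication failure
May 21 18:00:12 mail pop3d[4105]: badlogin: scanner.example.org [198.51.100.7] plaintext erin authentication failure
May 21 18:00:15 mail pop3d[4106]: login: scanner.example.org [198.51.100.7] frank plaintext User logged in
May 21 18:00:18 mail pop3d[4107]: login: scanner.example.org [198.51.100.7] grace plaintext User logged in
May 21 18:00:30 mail pop3d[4108]: login: client1.example.net [192.0.2.10] alice plaintext User logged in
May 21 18:02:00 mail pop3d[4109]: login: poller.example.com [203.0.113.9] heidi plaintext User logged in
May 21 18:04:00 mail pop3d[4110]: login: poller.example.com [203.0.113.9] heidi plaintext User logged in
May 21 18:06:00 mail pop3d[4111]: login: poller.example.com [203.0.113.9] heidi plaintext User logged in
May 21 18:08:00 mail pop3d[4112]: login: poller.example.com [203.0.113.9] heidi plaintext User logged in
May 21 18:10:00 mail pop3d[4113]: login: poller.example.com [203.0.113.9] heidi plaintext User logged in
May 21 18:12:00 mail pop3d[4114]: login: poller.example.com [203.0.113.9] heidi plaintext User logged in
May 21 18:12:30 mail imapd[4200]: login: client1.example.net [192.0.2.10] alice plaintext User logged in
"""

# Matches only pop3d login/badlogin lines and captures timestamp, event, source IP.
# Adapt this pattern to the actual daemon's log format (assumed layout here).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ pop3d\[\d+\]: "
    r"(?P<event>login|badlogin): \S+ \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
)


def parse_line(line, year=2007):
    """Return (timestamp, ip, event) for a pop3d login/badlogin line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so the caller supplies one
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip"), m.group("event")


def _push(dq, ts, window):
    """Append ts to the per-IP deque and drop entries that fell out of the window."""
    dq.append(ts)
    while dq and dq[0] <= ts - window:
        dq.popleft()


def find_offenders(lines, window=timedelta(seconds=60), max_conn=5, max_fail=3, year=2007):
    """Sliding-window counts per source IP.

    An IP is flagged 'connections' when more than max_conn pop3d sessions fall
    within one window, and 'failures' when more than max_fail badlogin events do.
    Returns {ip: sorted list of reasons}; IPs under both limits are absent.
    """
    conns = defaultdict(deque)   # ip -> timestamps of all sessions in window
    fails = defaultdict(deque)   # ip -> timestamps of failed logins in window
    flagged = defaultdict(set)
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue               # not a pop3d login/badlogin line
        ts, ip, event = parsed
        _push(conns[ip], ts, window)
        if len(conns[ip]) > max_conn:
            flagged[ip].add("connections")
        if event == "badlogin":
            _push(fails[ip], ts, window)
            if len(fails[ip]) > max_fail:
                flagged[ip].add("failures")
    return {ip: sorted(reasons) for ip, reasons in flagged.items()}


if __name__ == "__main__":
    for ip, reasons in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {', '.join(reasons)}")
```

With the constructed sample, only 198.51.100.7 is flagged: it makes six sessions and four failed logins within twenty seconds. The address 203.0.113.9 makes six connections too, but two minutes apart, so the window never holds more than one of them; this is the per-IP, per-time-period distinction the thread is after, and it is what a rule that lumps all connections together cannot express.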
