Connection throttling POP3.

Jorey Bump list at
Mon May 21 20:55:05 EDT 2007

David S. Madole wrote:
>> From Matthew Schumacher on Monday, May 21, 2007 6:35 PM
>> The first iptables suggestion blocked the offending IP, which is
>> fine, but also requires me to babysit the server.  The second
>> suggestion would correctly limit connections, but if I'm reading it
>> right, would lump all connections together, not just connections
>> per originating IP address.
> If you are talking about the suggestion I made, which looked like
> this:
> iptables -A INPUT -p tcp --dport 22 \ -m state --state NEW \ -m
> recent --update --seconds 60 -j DROP
> iptables -A INPUT -p tcp --dport 22 \ -m state --state NEW \ -m
> recent --set -j ACCEPT
> then you did not read it right. It limits to one connection per IP
> address per minute. Each source address is kept track of in enforcing
> the limit. Using the --hitcount option in addition to the --seconds
> option, you can also create limits such as a maximum of four
> connections in two minutes, etc.

I also use this for blocking brute force SSH attacks, and can't 
understand why anyone would choose a log parsing script instead. It 
stops them dead in their tracks (even with a much lower time limit). It 
would be interesting if it could also be applied to POP3. Your logs 
indicate that a much lower time limit would suffice (not sure why your 
second line is -1 seconds after the first, though). Even if the protocol 
allows it, I'm willing to bet you'll find some brain-dead mail client 
that has problems, though.

More information about the Info-cyrus mailing list