Connection throttling POP3.
Jorey Bump
list at joreybump.com
Mon May 21 20:55:05 EDT 2007
David S. Madole wrote:
>> From Matthew Schumacher on Monday, May 21, 2007 6:35 PM
>>
>> The first iptables suggestion blocked the offending IP, which is
>> fine, but also requires me to babysit the server. The second
>> suggestion would correctly limit connections, but if I'm reading it
>> right, would lump all connections together, not just connections
>> per originating IP address.
>
> If you are talking about the suggestion I made, which looked like
> this:
>
> iptables -A INPUT -p tcp --dport 22 \
>     -m state --state NEW \
>     -m recent --update --seconds 60 -j DROP
>
> iptables -A INPUT -p tcp --dport 22 \
>     -m state --state NEW \
>     -m recent --set -j ACCEPT
>
> then you did not read it right. It limits to one connection per IP
> address per minute. Each source address is kept track of in enforcing
> the limit. Using the --hitcount option in addition to the --seconds
> option, you can also create limits such as a maximum of four
> connections in two minutes, etc.
I also use this for blocking brute force SSH attacks, and can't
understand why anyone would choose a log parsing script instead. It
stops them dead in their tracks (even with a much lower time limit). It
would be interesting if it could also be applied to POP3. Your logs
indicate that a much lower time limit would suffice (not sure why your
second line is -1 seconds after the first, though). Even if the protocol
allows it, I'm willing to bet you'll find some brain-dead mail client
that has problems, though.
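As an added example, not code from this thread or from the Cyrus project: a Python script that emits the quoted rule pair adapted from port 22 to POP3 (110) and POP3S (995), and models the xt_recent bookkeeping behind --set and --update so that a --seconds/--hitcount choice can be checked against sample traffic before it goes on a live firewall. The function names, the `pop3` list name, the 4-in-120-seconds parameters and the sample addresses are my own assumptions; the simulation follows the recent module's semantics (timestamps per source, --update adds a timestamp only when it matches) as I understand them from the kernel code.

```python
"""Per-source connection throttling with the iptables 'recent' match.

Added example, not code from the thread. Part 1 emits the quoted rule pair
adapted to POP3/POP3S; part 2 models the xt_recent list so that a
--seconds/--hitcount choice can be checked against sample traffic.
"""
from collections import defaultdict, deque


def pop3_throttle_rules(ports=(110, 995), seconds=120, hitcount=4, name="pop3"):
    """Return iptables rule strings (hypothetical parameters, not from the post).

    Rule 1: a source with `hitcount` or more NEW connections inside `seconds`
    is dropped, and --update refreshes its timestamp, so a client that keeps
    hammering stays blocked.  Rule 2: everyone else is recorded (--set) and
    accepted.  --name keeps this list separate from the SSH one.
    """
    rules = []
    for port in ports:
        rules.append(
            f"iptables -A INPUT -p tcp --dport {port} -m state --state NEW "
            f"-m recent --name {name} --update --seconds {seconds} "
            f"--hitcount {hitcount} -j DROP")
        rules.append(
            f"iptables -A INPUT -p tcp --dport {port} -m state --state NEW "
            f"-m recent --name {name} --set -j ACCEPT")
    return rules


class RecentList:
    """Model of one xt_recent list: a bounded ring of timestamps per source.

    max_stamps mirrors the module's ip_pkt_list_tot parameter (default 20);
    --hitcount cannot usefully exceed it.
    """

    def __init__(self, max_stamps=20):
        self.max_stamps = max_stamps
        self.stamps = defaultdict(deque)

    def set(self, src, now):
        """--set: record this connection's timestamp for src."""
        q = self.stamps[src]
        q.append(now)
        if len(q) > self.max_stamps:
            q.popleft()

    def update(self, src, now, seconds, hitcount=1):
        """--update --seconds S [--hitcount H].

        Matches when src has at least H recorded timestamps within the last
        S seconds.  On a match the current timestamp is recorded as well,
        which is what extends the block for a persistent offender.
        """
        q = self.stamps.get(src)
        if not q:
            return False
        hits = sum(1 for t in q if now - t <= seconds)
        if hits >= max(hitcount, 1):   # no --hitcount behaves like 1
            self.set(src, now)
            return True
        return False


def throttle(attempts, seconds, hitcount=1):
    """Run (src, t) connection attempts through the rule pair, in time order.

    Returns a list of (src, t, verdict) with verdict 'ACCEPT' or 'DROP'.
    """
    recent = RecentList()
    verdicts = []
    for src, t in sorted(attempts, key=lambda a: a[1]):
        if recent.update(src, t, seconds, hitcount):
            verdicts.append((src, t, "DROP"))
        else:
            recent.set(src, t)          # rule 2: record and accept
            verdicts.append((src, t, "ACCEPT"))
    return verdicts


def dropped(verdicts):
    """Just the (src, t) pairs that were dropped."""
    return [(src, t) for src, t, v in verdicts if v == "DROP"]


# Constructed sample traffic (RFC 5737 test addresses), seconds since start:
# a client hammering every 10 s, a normal client polling every 5 min, and a
# client that polls once a minute.
SAMPLE_ATTEMPTS = [
    ("192.0.2.10", 0), ("192.0.2.10", 10), ("192.0.2.10", 20),
    ("192.0.2.10", 30), ("192.0.2.10", 40), ("192.0.2.10", 50),
    ("198.51.100.7", 0), ("198.51.100.7", 300), ("198.51.100.7", 600),
    ("203.0.113.5", 0), ("203.0.113.5", 60), ("203.0.113.5", 120),
    ("203.0.113.5", 180), ("203.0.113.5", 240),
]

if __name__ == "__main__":
    print("\n".join(pop3_throttle_rules()))
    # Thread's original setting: one connection per source per minute.
    print("1 per 60 s drops:", dropped(throttle(SAMPLE_ATTEMPTS, seconds=60)))
    # The --hitcount variant: at most four connections in two minutes.
    print("4 per 120 s drops:", dropped(throttle(SAMPLE_ATTEMPTS, 120, 4)))
```

Running it shows the trade-off the thread is circling: with the one-per-minute rule as quoted, the client that polls once a minute is locked out after its first connection (every later attempt lands inside the 60-second window and --update keeps pushing the window forward), while the 4-in-120-seconds variant blocks only the hammering client. On a live box the state behind these rules is visible in `/proc/net/xt_recent/pop3` (one line per tracked source with its timestamps), and the list size is bounded by the module's ip_list_tot parameter (default 100 addresses), which a busy POP3 server may need raised.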
More information about the Info-cyrus mailing list