On 11/09/2010 10:59 PM, Eric Rostetter wrote:
> Quoting David Ford <[email protected]>:
>
>> I'm not a proponent of fail2ban as I think going straight to the horse's
>> mouth is wiser (keep it all in iptables in the first place).
>
> I'm not a fan of fail2ban (tail/grep a log file, really?) but there
> are other options which do this kind of thing "better" and still
> allow iptables/routing to handle the issue.

If I establish a rate limit in iptables, then accounting and reaction never make it to userspace. Horribly more expensive, especially at the occurrence of a DoS attack. Unfortunately not an option in Tom's case.

>> I agree
>> with Stan that your VPS provider is on the Wal-Mart list. If no other
>> solution avails, code up a quick little ditty that does the actual
>> socket listen. If the incoming IP matches an allow list, hand it off to
>> dovecot as an exec(), if not, deal with it as you see fit - normally,
>> dropping the packet on the floor.
>
> That is a fine solution, if it meets their "package" requirements.
> If not, then something like pam_shield or a similar package may do.
> But even then, those types of packages may not meet the site's packaging
> requirements.
>
> I can't believe a company with a packaging requirement runs Fedora
> though.
> That seems incongruous to me... Seems like they only have half a clue...
>

Agreed. A VPS should be fully functional. That's what 'VPS' implies, not almost-but-not-quite-VPS.
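The in-kernel rate limit David describes, as an added example that is not part of the thread: iptables rules using the `recent` match so that counting and dropping happen without any userspace log-tailing, with an allow-list that bypasses the limiter the way his exec() wrapper would. The chain name, port list, thresholds and the allow-listed network are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): keep the accounting in the kernel with
# the iptables "recent" match instead of tailing Dovecot's log from userspace.
# Assumptions: Dovecot listens on the standard POP3/IMAP ports, the allow-list
# network and the thresholds below are placeholders, and the caller is root.
# IPTABLES=echo prints the rules instead of applying them (dry run).

IPTABLES="${IPTABLES:-iptables}"
CHAIN="DOVECOT_IN"                 # dedicated chain for mail-client traffic
PORTS="110,143,993,995"            # POP3, IMAP, IMAPS, POP3S
ALLOW="${ALLOW:-192.0.2.0/24}"     # trusted IPv4 networks, never limited (TEST-NET placeholder)
WINDOW=60                          # seconds
HITS=10                            # new connections per source within WINDOW

dovecot_ratelimit_rules() {
    # Create the chain, or flush it on re-runs.
    $IPTABLES -N "$CHAIN" 2>/dev/null || $IPTABLES -F "$CHAIN"
    # Trusted sources skip the limiter entirely (the allow-list, done in-kernel).
    for net in $ALLOW; do
        $IPTABLES -A "$CHAIN" -s "$net" -j ACCEPT
    done
    # Record every new connection per source address in the "dovecot" list.
    $IPTABLES -A "$CHAIN" -m conntrack --ctstate NEW \
        -m recent --name dovecot --set
    # HITS or more new connections inside WINDOW: log (rate-limited) and drop.
    $IPTABLES -A "$CHAIN" -m conntrack --ctstate NEW \
        -m recent --name dovecot --update --seconds "$WINDOW" --hitcount "$HITS" \
        -m limit --limit 3/min -j LOG --log-prefix "dovecot-ratelimit: "
    $IPTABLES -A "$CHAIN" -m conntrack --ctstate NEW \
        -m recent --name dovecot --rcheck --seconds "$WINDOW" --hitcount "$HITS" -j DROP
    # Everything else falls back to the normal INPUT policy.
    $IPTABLES -A "$CHAIN" -j RETURN
    # Send only mail-client traffic through the chain.
    $IPTABLES -I INPUT -p tcp -m multiport --dports "$PORTS" -j "$CHAIN"
}
```

Because the `--set` rule records every new connection, a source that keeps connecting stays over the threshold until it pauses for a full window; run with `IPTABLES=echo` first to review the rules before applying them.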
