Matt Sergeant wrote:
> On 26-Nov-06, at 12:49 PM, Bryan Scott wrote:
>> Is there a way we could get the forkserver code to look up an IP in a
>> flat file, DNSBL, or other such system to immediately close
>> connections from certain addresses?
>
> Isn't that what the dnsbl plugin does?
I think everybody's missing the point. OK, maybe not everybody, but let me
restate.

Up until now I've used a program called packetbl that takes SYN packets sent
to the iptables QUEUE target, performs a DNSBL lookup and decides whether to
ACCEPT or DROP the packet based on the DNSBL response. I did it at my
firewall to help keep the mail servers from even entertaining the blacklisted
hosts. This was very helpful in keeping my number of active connections down
and helped keep the servers from spawning new processes that weren't going to
be doing anything useful anyway. On my new 64-bit firewall, however, the
packetbl code doesn't compile and the i386 binary doesn't stay up enough to work.

The first thought I had was if we could make the forkserver code perform
similarly. It wouldn't be able to block just based on the SYN packets, but it
could immediately close the connection (no banner, no error message, very
un-RFC like), freeing it up for another host that much quicker. Not something
a plugin can do.

The idea progressed to have some other plugin keep track of how many times a
particular host errors out, assigning higher weights to 5xx errors vs. 4xx
errors. After hitting a certain threshold, the forkserver code begins closing
connections from those hosts (I personally don't care if I can hang up on
known spam hosts).

Now does this make sense?

-- Bryan
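The accept-time check described in the two previous paragraphs (flat file or DNSBL lookup right after accept, plus a per-host error score that weights 5xx replies above 4xx and trips a threshold), written out as an added example. This is not code from the thread or from the mail server it discusses; it is in Python rather than the server's own Perl so that it runs stand-alone. The weights, the threshold, the blocklist contents, the `dnsbl.example` zone and the `fake_resolve` stand-in for a real DNS answer are all constructed for the example; `dnsbl_listed` takes a pluggable resolver so the DNSBL branch can be exercised offline.

```python
"""Added example: accept-time blocking from a flat file, a DNSBL and a weighted error score."""
import ipaddress
import socket
from collections import defaultdict

# Constructed weights: a 5xx reply counts more than a 4xx, as the thread suggests.
WEIGHT_5XX = 3
WEIGHT_4XX = 1
BLOCK_THRESHOLD = 6  # constructed: score at which we start hanging up on connect

# Constructed flat-file blocklist: one address or CIDR per line, '#' starts a comment.
FLAT_FILE = """
# hosts we never want to talk to
192.0.2.10
198.51.100.0/24
"""


def load_flat_file(text):
    """Parse the flat file into ip_network objects, ignoring comments and blank lines."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def in_flat_file(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def dnsbl_query_name(ip, zone):
    """Build the reversed-octet name a DNSBL is queried with, e.g. 20.2.0.192.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def dnsbl_listed(ip, zone, resolve=socket.gethostbyname):
    """A DNSBL lists a host by answering the reversed name with an A record;
    NXDOMAIN means not listed. `resolve` is injectable so the check can run offline."""
    try:
        resolve(dnsbl_query_name(ip, zone))
        return True
    except OSError:  # socket.gaierror is an OSError: no answer means not listed
        return False


class HostReputation:
    """Per-host score built from the SMTP replies we sent it: the thread's second
    idea, a plugin counting errors with 5xx weighted above 4xx."""

    def __init__(self, threshold=BLOCK_THRESHOLD):
        self.threshold = threshold
        self.scores = defaultdict(int)

    def record_reply(self, ip, code):
        """Add the weight for an error reply; 2xx/3xx leave the score alone."""
        if 500 <= code <= 599:
            self.scores[ip] += WEIGHT_5XX
        elif 400 <= code <= 499:
            self.scores[ip] += WEIGHT_4XX
        return self.scores[ip]

    def over_threshold(self, ip):
        return self.scores[ip] >= self.threshold


def should_drop_on_accept(ip, nets, reputation, zone, resolve=socket.gethostbyname):
    """What the forkserver would decide right after accept(): cheap local checks
    first, the DNS round-trip last. Returns the reason to drop, or None."""
    if in_flat_file(ip, nets):
        return "flat-file"
    if reputation.over_threshold(ip):
        return "reputation"
    if dnsbl_listed(ip, zone, resolve):
        return "dnsbl"
    return None


def handle_accepted(conn, peer_ip, nets, reputation, zone, resolve=socket.gethostbyname):
    """Close a listed peer before any banner is written; returns True if dropped."""
    if should_drop_on_accept(peer_ip, nets, reputation, zone, resolve):
        conn.close()
        return True
    return False


# Constructed stand-in for a DNSBL zone so the example runs without network access.
_FAKE_LISTED = {"20.2.0.192.dnsbl.example"}


def fake_resolve(name):
    if name in _FAKE_LISTED:
        return "127.0.0.2"
    raise socket.gaierror(-2, "Name or service not known")


if __name__ == "__main__":
    nets = load_flat_file(FLAT_FILE)
    rep = HostReputation()
    for ip in ("192.0.2.10", "192.0.2.20", "203.0.113.5"):
        print(ip, should_drop_on_accept(ip, nets, rep, "dnsbl.example", fake_resolve))
    rep.record_reply("203.0.113.5", 550)
    rep.record_reply("203.0.113.5", 554)
    print("203.0.113.5 after two 5xx:",
          should_drop_on_accept("203.0.113.5", nets, rep, "dnsbl.example", fake_resolve))
```

The check order matters for the goal in the thread (freeing the accepting process as fast as possible): the flat file and the in-memory score cost nothing, while the DNSBL query is a network round-trip and goes last. In a real forkserver the score would have to live somewhere the forked children can update and the parent can read (a shared file or small database), since the per-process dictionary above is lost when the child exits.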