On 27-Nov-06, at 10:43 AM, Bryan Scott wrote:

> The first thought I had was if we could make the forkserver code perform similarly. It wouldn't be able to block just based on the SYN packets, but it could immediately close the connection (no banner, no error message, very un-RFC like), freeing it up for another host that much quicker. Not something a plugin can do.

This is something a plugin can do. The 'connect' hook is called before the banner is sent. Just lookup there, and return DENY_DISCONNECT.

> The idea progressed to have some other plugin keep track of how many times a particular host errors out, assigning higher weights to 5xx errors vs. 4xx errors. After hitting a certain threshold, the forkserver code begins closing connections from those hosts (I personally don't care if I can hang up on known spam hosts).

See the plugin I wrote for the O'Reilly article.

Matt.
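Both points above (dropping a known-bad host in the 'connect' hook before the banner, and weighting 5xx versus 4xx failures per host) in one qpsmtpd plugin sketch. This is an added example, not code from the thread and not a plugin shipped with qpsmtpd. It assumes the documented qpsmtpd plugin API (hook_connect, hook_deny with its plugin-name/return-code/text arguments, the Qpsmtpd::Constants return codes, and $self->qp->connection->remote_ip); the plugin name, the 'threshold' config argument and the in-memory score table are hypothetical.

```perl
# Hypothetical qpsmtpd plugin: score hosts by prior rejections and drop
# repeat offenders in the connect hook, before the banner is sent.
package score_connect;    # hypothetical plugin name, not a qpsmtpd plugin
use strict;
use warnings;
use Qpsmtpd::Constants;

# Weighted score per remote IP. Assumption/caveat: a plain hash only lives
# inside one forkserver child, so a real deployment needs a shared store
# (DB file, memcached or similar) for the scores to be seen across children.
my %score;

# Weights: a hard rejection (DENY -> 5xx) counts more than a temporary
# one (DENYSOFT -> 4xx). Constructed values for illustration.
my %weight = (
    DENY()               => 5,
    DENY_DISCONNECT()    => 5,
    DENYSOFT()           => 1,
    DENYSOFT_DISCONNECT() => 1,
);

my $threshold = 10;    # default; overridable via the plugin's config line

sub register {
    my ($self, $qp, %args) = @_;
    $threshold = $args{threshold} if defined $args{threshold};
}

# Runs before the banner: refuse the session outright if this host has
# accumulated enough rejection weight. Returning DENY_DISCONNECT makes
# qpsmtpd send a 5xx and close, freeing the child for another client.
sub hook_connect {
    my ($self, $transaction) = @_;
    my $ip = $self->qp->connection->remote_ip;
    my $s  = $score{$ip} || 0;

    if ($s >= $threshold) {
        $self->log(LOGINFO, "dropping $ip before banner (score $s >= $threshold)");
        return (DENY_DISCONNECT, "Too many previous rejections");
    }
    return DECLINED;
}

# Runs whenever another plugin rejects something for this connection;
# assumed argument order: (plugin name, return code, return text).
sub hook_deny {
    my ($self, $transaction, $prev_hook, $return, $return_text) = @_;
    my $ip = $self->qp->connection->remote_ip;
    my $w  = $weight{$return} || 0;

    $score{$ip} += $w;
    $self->log(LOGDEBUG, "$ip: +$w from $prev_hook, score now $score{$ip}");
    return DECLINED;
}

1;
```

To enable it you would add a line such as `score_connect threshold 10` to the plugins config, listed early so its connect hook runs before the plugins that do the expensive lookups. The score never decays here; a production version would expire entries so a host that stops misbehaving is eventually let back in.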
