under another kind of attack
mj
lists at merit.unu.edu
Sat Jul 29 21:39:02 EEST 2017
On 07/29/2017 07:44 PM, Doug Barton wrote:
> On 07/25/2017 07:54 AM, mj wrote:
>> Since we implemented country blocking,
>
> Please don't do that. Balkanizing the Internet doesn't really benefit
> anyone, and makes innovation a lot more difficult.
Perhaps I need to be more specific:
I block certain countries from accessing imap/smtp directly, as that is
where all the botnets seem to be trying their passwords.
I do not block entire countries from accessing us completely (the
hammer) but rather block their access of imap and smtp for my
mailserver. (this is what I like to see as a precision tool)
For the record I improved my iptables rules a lot compared to the mail
you replied to. I am now using a chain, like this:
> $IPTABLES -N filter_countries
> $IPTABLES -A filter_countries -m geoip --src-cc CN,AG,MX,etc -j DROP
> $IPTABLES -A filter_countries -m geoip --src-cc MD,SD,SS,etc -j DROP
and then:
> $IPTABLES -I INPUT 1 -p tcp --dport 143 -j filter_countries
> $IPTABLES -I INPUT 1 -p tcp --dport 993 -j filter_countries
> $IPTABLES -I INPUT 1 -p tcp --dport 465 -j filter_countries
This makes it a lot more efficient, compared to the (many) rules I was
using earlier.
MJ
More information about the dovecot
mailing list