New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
*BSD blocklist support #198
Comments
@skarnet offers a third option:
For opportunistic TLS, it could be a while before we can retrieve the right socket in the right state. Say we set a 30-second timeout on the fd-holder; if an initially unencrypted connection finally establishes TLS 31 seconds later, the fd-retriever program (example: Alternatively, |
Note that on opportunistic TLS, you already have the network socket (it's the plaintext one that you're not supposed to use anymore once you activate TLS, but you still have a fd to it), so you don't need that workaround. |
Remembered that a user has requested this. |
I'd been thinking about this for the case of "too many" failed authentication attempts on a port 587 service, but after seeing a particularly intent dictionary-attack spammer I'm thinking sysadmins might also want this for the case of "too many" rejected recipients on a port 25 service. |
NetBSD and FreeBSD have a blocklist daemon and associated library (formerly blacklist) that provide a sensible alternative to
fail2ban
. Given a network service that's been adapted to invoke the library on both successful and failed logins, the sysadmin can configureblocklistd
policy to dynamically block source-IP/dest-port combinations at the OS firewall when enough failed logins have happened quickly enough, and then unblock when it's been long enough.It's a very easy API to integrate iff you can pass it the listening network socket. This probably works under
tcpserver
and probably doesn't work under TLS-enabled analogues, especially if they support delayed encryption, because the file descriptors they provide are pipe ends.Talked it through with the blocklist author. The API needs to be this way for security reasons. If we want to integrate blocklist support for e.g. authenticated mail submission, two options (both involving patching the various UCSPI server programs and trying to get the changes upstreamed) are:
libblocklist
themselves and provide some small API for the child program to invoke itThe text was updated successfully, but these errors were encountered: