
Advice on the use of a blocklist within CSF

Comments

17 comments

  • rpvw
    I run over 35,000 IPSet entries in CSF between the Blocklists and Country Codes etc., without any discernible performance impact. 8-core 3.40 GHz, 8 GB RAM. Everything I have read suggests that up to 100,000 entries are easily handled, but I have never tried to load it up that far!
    0
  • bloatedstoat
    Thanks @rpvw for your quick and informed response mate, much appreciated.
    0
  • rpvw
    I did look at the
    0
  • bloatedstoat
    I agree with you totally, there are some blocklists listed at
    0
  • Infopro
    so they could boast of compatibility with CSF as well

    They're already in here: /etc/csf/csf.blocklists

        # Blocklist.de
        # Set URLGET in csf.conf to use LWP as this list uses an SSL connection
        # Details: https://www.blocklist.de
        # This first list only retrieves the IP addresses added in the last hour
        BDE|3600|0|https://api.blocklist.de/getlast.php?time=3600
        # This second list retrieves all the IP addresses added in the last 48 hours
        # and is usually a very large list (over 10000 entries), so be sure that you
        # have the resources available to use it
        #BDEALL|86400|0|http://lists.blocklist.de/lists/all.txt
    0
  • bloatedstoat
    @Infopro [QUOTE] They're already in here: /etc/csf/csf.blocklists
    That excerpt ^^ is not within my csf.blocklists file. Are you saying it was in yours by default?
    0
  • rpvw
    I was basing my suggestion on their listing on the www.blocklist.de/en/download.html#services page.
    [quote] The following service-names can be parsed: mail: mail, postfix-blacklist, postfix, exim, postfix2, exim4, postfix-550, postfix550, postfix-554, postfix-blacklst, smtp, postfix-gl, sendmail, postfix-bl, exim-relay, postfix-strict, postfix-connection, postfixblacklist, postfix-tcpwrapper, postfix-rejected, postfix-spamers550, plesk-postfix, mail-ban, postfix-554-3, postfix-550-2, exim-greylist, postfix-554-2, postfix-450
    Possibly a stretch, but since they parse exim data for their reports, I shouldn't be surprised if the blacklists contain exim-generated IPs. (I might be way off track in how I am interpreting their pages.)
    0
  • bloatedstoat
    @rpvw, thank you. I might just enable the RBL anyway and see how it goes. Fwiw Barracuda's RBL within my exim config has been pure gold when it comes to IP reputation and has been the most effective at repelling spam attempts.
    0
  • rpvw
    Wow I am getting behind - I don't have the BDE entry in my CSF either - and it updated last night :(
    0
  • Infopro
    @Infopro That excerpt ^^ is not within my csf.blocklists file. Are you saying it was in yours by default?

    Since back at ver 7.50: Added blocklist.de to csf.blocklists for new installs; latest file copied to /etc/csf/csf.blocklists.new on existing installs.
    0
  • Infopro
    Wow I am getting behind - I don't have the BDE entry in my CSF either - and it updated last night

    Might be a bit much, but once a year I completely re-install CSF. o_O
    0
  • rpvw
    OK, the BDE was added in CSF v7.50, but for existing installs it can be found in /etc/csf/csf.blocklists.new. Darn it - he beat me to it ..... again!! Thanks @Infopro
    0
  • Infopro
    Happy to help. :)
    0
  • rpvw
    # Blocklist.de
    # Set URLGET in csf.conf to use LWP as this list uses an SSL connection
    #Details:

    For full disclosure, this list is currently loading 3686 entries - which I think is a great compromise as it is updated every hour, and doesn't look as if it would overwhelm the server resources even if IPSet wasn't used.
    0
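    An added example (not from this thread and not CSF's own code) that parses entries in the csf.blocklists format quoted above and counts the deduplicated addresses a fetched list would load, honouring the MAX field, so the entry counts discussed here can be checked before a list is enabled. The uppercase-name rule and the one-hour minimum refresh interval are assumptions taken from the CSF documentation, and both sample inputs are constructed.

```python
import re
from ipaddress import ip_network
# Constructed sample in the csf.blocklists format quoted above: NAME|INTERVAL|MAX|URL,
# '#' starts a comment, and a '#' in front of an entry disables it.
SAMPLE_BLOCKLISTS = """\
# Blocklist.de
# Set URLGET in csf.conf to use LWP as this list uses an SSL connection
BDE|3600|0|https://api.blocklist.de/getlast.php?time=3600
#BDEALL|86400|0|http://lists.blocklist.de/lists/all.txt
BADNAME|600|0|http://example.invalid/list.txt
"""
# Constructed stand-in for a downloaded list: a duplicate, a CIDR, junk and a comment.
SAMPLE_DOWNLOAD = "192.0.2.10\n192.0.2.10\n198.51.100.0/24\nnot-an-ip\n203.0.113.7 # note\n"

ENTRY_RE = re.compile(r"^([A-Z]{1,25})\|(\d+)\|(\d+)\|(\S+)$")  # assumed name rule
MIN_INTERVAL = 3600  # assumed: CSF documents one hour as the minimum refresh interval

def parse_blocklists(text):
    """Return (enabled, disabled, errors) for the entries in csf.blocklists content."""
    enabled, disabled, errors = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        commented = line.startswith("#")
        m = ENTRY_RE.match(line.lstrip("#").strip())
        if not m:
            if line and not commented:
                errors.append((lineno, "unparseable entry"))
            continue  # blank line or an ordinary comment
        entry = {"name": m[1], "interval": int(m[2]), "max": int(m[3]), "url": m[4]}
        if commented:
            disabled.append(entry)
        elif entry["interval"] < MIN_INTERVAL:
            errors.append((lineno, f"{entry['name']}: interval below {MIN_INTERVAL}s"))
        else:
            enabled.append(entry)
    return enabled, disabled, errors

def load_entries(list_text, max_ips):
    """Deduplicated valid IP/CIDR entries from a fetched list, honouring MAX (0 = all)."""
    seen = {}
    for line in list_text.splitlines():
        token = line.split("#", 1)[0].strip()
        if not token:
            continue
        try:
            seen.setdefault(ip_network(token, strict=False), None)
        except ValueError:
            continue  # not an address or network: skip it
        if max_ips and len(seen) >= max_ips:
            break
    return list(seen)
```

    Summing len(load_entries(...)) over the enabled entries gives the total CSF would push into IPSet, which is the number to compare against the entry counts quoted in this thread.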
  • Infopro
    I would only add that @chirpy's CSF, kicks ass. Always did. :cool:
    0
  • bloatedstoat
    Thank you @rpvw and @Infopro for your support. I ended up using the
    0
  • rpvw
    My understanding is that it won't affect boot time at all. The use of IPSet reads the IPs from an indexed data structure rather than reading them in from the iptables linear file, which would have to read all the IPs into memory during the boot process. This is why boot can fail with huge iptables lists consuming large amounts of memory, and why one needs to off-load as many of the IPs as possible into IPSet. This is from CSF:
    [quote] Using ipset moves the onus of ip matching against large lists away from iptables rules and to a purpose built and optimised database matching utility. It also simplifies the switching in of updated lists
    0
