How to Identify and Block Abusive IPs

If your database stores user-generated content along with client IPs, you may need a way to detect and block abusive users. A common approach is to analyze database records to identify IPs with excessive activity, group them by subnet, and apply firewall rules to mitigate potential abuse. First, we retrieve a list of IPs with multiple records over the past 21 days that exhibit patterns of potential abuse—such as frequent spam submissions, excessive requests, or other suspicious activity.

Setting up a new user for Dovecot and Postfix with SQLite

If you are using Dovecot and Postfix with a SQLite backend, you can easily add a new user account in just a few steps. If you are using a different database such as MySQL, the following steps should be easily transferable. We are assuming this is a new user account for an already configured and existing domain name on your mail server. First we'll need to generate a new password using SHA512-CRYPT encryption with the doveadm utility.

Setting up DKIM for a domain with OpenDKIM and DNS

One of the critical components of hosting a mail server and ensuring that your emails get delivered to inboxes is DKIM. DomainKeys Identified Mail is an email authentication protocol that allows receiving mail servers to verify that an email message truly came from the domain it claims to come from. DKIM uses public-key cryptography to enable senders to sign emails, and together with DNS, recipients can verify the signatures.

Blocking a list of IP addresses with iptables

In case you need to quickly ban a list of IP addresses from connecting to your server, iptables is perfect for the job. iptables is a user-space firewall that can control incoming and outgoing connections with policies and filter rules. Blocking ingress from a single IP is easily done with a single iptables rule. We can use this same command to automate the creation of many rules with a bash script that will read our list of IP addresses from a file.

Logging POST Data with Apache and mod_security

When running an Apache web server, you can find yourself in a situation where you need to capture and log POST data to do some analysis and perhaps to investigate a bad actor to determine a fingerprint pattern. This can be done with the mod_security module, which is a powerful web application firewall that also provides HTTP traffic monitoring, logging and analysis capabilities. Although this can also be done with mod_dumpio, I wanted to be able to create rulesets to shape the traffic after doing the analysis.