eliassal wrote: ↑2020-02-18 13:32
Palinka, can you please let me know which part inserts records in the hm_ids table? VBS in hmailserver or the powershell script "hmsFirewallBan.ps1"?
EventHandlers.vbs
Functions
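Function idsAddIP(sIPAddress)
    ' Records one connection attempt from sIPAddress in the IDS table.
    '
    ' A new address is inserted with hits = 1; an address already present has
    ' its hit counter incremented and its timestamp refreshed. The country
    ' column is filled from an ip-api.com lookup when that lookup succeeds and
    ' is left empty otherwise, so a failed lookup no longer stops the address
    ' from being recorded.
    '
    ' sIPAddress: address of the connecting client, as a string.
    Include("C:\Program Files (x86)\hMailServer\Events\VbsJson.vbs")
    Dim ReturnCode, Json, oGeoip, oXML, sCountry
    Set Json = New VbsJson
    ReturnCode = 0
    sCountry = ""

    ' The lookup is best-effort. Any failure inside this guarded section
    ' (no network, bad JSON, missing key) leaves sCountry as "".
    ' The request is synchronous (third argument False), so the handler waits
    ' for ip-api.com to answer before continuing.
    On Error Resume Next
    Set oXML = CreateObject("Msxml2.XMLHTTP.3.0")
    oXML.Open "GET", "http://ip-api.com/json/" & sIPAddress, False
    oXML.Send
    ReturnCode = oXML.Status
    If ReturnCode = 200 Then
        Set oGeoip = Json.Decode(oXML.responseText)
        sCountry = oGeoip("country")
    End If
    Err.Clear
    On Error Goto 0

    ' The response arrives over plain HTTP from a third party, so the country
    ' text is untrusted. Keep only string values, drop backslashes (MySQL
    ' treats them as an escape character by default) and double single quotes
    ' so the value cannot terminate the SQL literal below. This also keeps
    ' legitimate names that contain an apostrophe from breaking the statement.
    If VarType(sCountry) <> vbString Then sCountry = ""
    sCountry = Replace(sCountry, "\", "")
    sCountry = Replace(sCountry, "'", "''")

    Dim idsTable
    idsTable = ConfigIni.GetKeyValue("hMailServer","idsTable")

    ' NOTE(review): idsTable and sIPAddress are concatenated as-is. The table
    ' name comes from the local ini file and the callers shown with this
    ' snippet pass oClient.IPAddress; confirm no other caller passes free text.
    Dim strSQL, oDB : Set oDB = GetDatabaseObject
    strSQL = ""
    If IsMySQL Then
        strSQL = "INSERT INTO " & idsTable & " (timestamp,ipaddress,hits,country) VALUES (" & DBGetCurrentDateTime() & ",'" & sIPAddress & "',1,'" & sCountry & "') ON DUPLICATE KEY UPDATE hits=(hits+1),timestamp=" & DBGetCurrentDateTime() & ";"
    ElseIf IsMSSQL Then
        strSQL = "IF NOT EXISTS (SELECT 1 FROM " & idsTable & " WHERE ipaddress = '" & sIPAddress & "') INSERT INTO " & idsTable & " (timestamp,ipaddress,hits,country) VALUES (" & DBGetCurrentDateTime() & ",'" & sIPAddress & "',1,'" & sCountry & "') ELSE UPDATE " & idsTable & " SET hits=(hits+1), timestamp=" & DBGetCurrentDateTime() & " WHERE ipaddress= '" & sIPAddress & "';"
    End If

    ' Neither backend matched: there is no statement to run.
    If Len(strSQL) > 0 Then Call oDB.ExecuteSQL(strSQL)
    Set oDB = Nothing
End Function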
Function idsDelIP(sIPAddress)
    ' Deletes the row for sIPAddress from the IDS table named by the
    ' "idsTable" key in the "hMailServer" section of the ini configuration.
    '
    ' NOTE(review): the statement is built by string concatenation. The
    ' callers shown with this snippet pass oClient.IPAddress; confirm no
    ' caller passes text that a remote party can choose.
    Dim oConn, sTable, sQuery
    Set oConn = GetDatabaseObject
    sTable = ConfigIni.GetKeyValue("hMailServer","idsTable")
    sQuery = "DELETE FROM " & sTable & " WHERE ipaddress = '" & sIPAddress & "';"
    oConn.ExecuteSQL sQuery
    Set oConn = Nothing
End Function
Call idsAddIP at OnClientConnect
Sub OnClientConnect(oClient)
    ' Registers every connecting client with the IDS, except addresses on
    ' the exclusion list below.
    Dim sRemoteIP, sPrefix
    sRemoteIP = oClient.IPAddress

    ' Exclude Backup-MX & local LAN from test.
    ' Only the 192.168. prefix and 127.0.0.1 are treated as local here;
    ' other private or loopback ranges are still recorded.
    For Each sPrefix In Array("184.105.182.", "192.168.")
        If Left(sRemoteIP, Len(sPrefix)) = sPrefix Then Exit Sub
    Next
    If sRemoteIP = "127.0.0.1" Then Exit Sub

    ' Call IDS
    idsAddIP sRemoteIP
End Sub
All connections get recorded in hm_ids. Then, if the client successfully sends a message or logs on successfully, its IP gets deleted. Only failures remain.
Sub OnClientLogon(oClient)
    ' Successful logons get IDS entry removed.
    ' NOTE(review): one successful logon deletes the whole row, including
    ' hits counted for earlier failed attempts from the same address.
    If oClient.Authenticated Then idsDelIP oClient.IPAddress
End Sub
Sub OnAcceptMessage(oClient, oMessage)
    ' Successfully received mail gets IDS entry removed.
    ' Should be the very last in line (if other tests present in
    ' OnAcceptMessage), so a message rejected by an earlier test never
    ' clears the sender's entry.
    Dim sSenderIP
    sSenderIP = oClient.IPAddress
    idsDelIP sSenderIP
End Sub
Failures are assumed to be password guessers or other bots we don't like.
PowerShell picks them up if an IP has > 2 hits (no login, no message), or deletes them after the expiration interval.