Am I paying AWS to let people try and hack my server?

Use this forum if you have installed hMailServer and want to ask a question related to a production release of hMailServer. Before posting, please read the troubleshooting guide. A large part of all reported issues are already described in detail here.
bigted
New user
Posts: 2
Joined: 2019-01-03 11:26

Am I paying AWS to let people try and hack my server?

Post by bigted » 2019-01-03 11:42

Hi,

I use AWS to host hMailServer exclusively and at the beginning (post honeymoon) the charges were around $10 a month.

These have been creeping up and currently run at $18 a month.

I'm looking at the growing list of AutoBans on the server (~50) and I'm thinking "am I paying for these hackers to attempt to login?"

So I started to think I should use the AWS network rules to stop them before they get to the server.

So I thought I could restrict SMTP Auth to a certain port, then configure my clients to use this port. I was hoping to then restrict AWS to only allow connections on this SMTP Auth port from my two IP addresses, but this is complicated by the mobile/cell phone working over 4G (or dipping in and out of WiFi) and being assigned different IP addresses.

Anyone got any ideas?

Cheers

BigTed.

Dravion
Senior user
Posts: 1489
Joined: 2015-09-26 11:50
Location: Germany

Re: Am I paying AWS to let people try and hack my server?

Post by Dravion » 2019-01-03 13:48

You're right.

The more traffic, the more you pay :lol:

palinka
Senior user
Posts: 1294
Joined: 2017-09-12 17:57

Re: Am I paying AWS to let people try and hack my server?

Post by palinka » 2019-01-03 16:13

There are a few scripts in the scripting forum that automate putting the autoban list into windows firewall. Perhaps you can do the same with AWS?

insomniac2k2
Normal user
Posts: 84
Joined: 2016-08-09 19:47

Re: Am I paying AWS to let people try and hack my server?

Post by insomniac2k2 » 2019-01-03 17:41

I highly recommend using SorenR's SnowShoe logic with Windows Firewall ban scripting. I have at least 50,000 bans from this alone. Here is a snippet of the code that I use on my servers (not all my code; many deserve credit):

Note that you will need to have a version of hMailServer that supports OnHELO if you use my scripting the way it is. But I'm sure that you can just do the same from OnClientConnect as well.

Code:

' Requires an hMailServer version with the OnHELO event.
' AutoBan() is a helper defined elsewhere in the poster's script set (not shown here).
Sub OnHELO(oClient)
    ' Webmail connects from loopback and must not be processed
    If Left(oClient.IPAddress, 8) = "127.0.0." Then Exit Sub

    Dim oRegEx
    Set oRegEx = CreateObject("VBScript.RegExp")
    oRegEx.IgnoreCase = True
    oRegEx.Global = False

    ' HELO names that only show up in bot traffic: ban the source for 2 days
    oRegEx.Pattern = "^(User)$|^(ylmf-pc)$|^(Welcome-PC)$|^(THP-PC)$|^(Administrator)$|^(localhost\.localdomain)$|^(127\.0\.0\.1)$"
    If oRegEx.Test(oClient.HELO) Then Call AutoBan(oClient.IPAddress, oClient.HELO, 2, "d")
    Set oRegEx = Nothing

    '
    ' SnowShoe SPAM detection
    '
    If IsSnowShoe(oClient.IPAddress) Then
        Result.Value = 2    ' reject the session
        Result.Message = "5.7.1 CODE01 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."

        Dim objShell
        Dim objExec
        Dim strPSResults
        Dim ip
        Dim ClientIp
        ClientIp = oClient.IPAddress    ' connecting remote IP address

        ' Add to firewall rule
        Set objShell = CreateObject("Wscript.Shell")
        ' Read the addresses currently on the "Hmailblock" rule
        Set objExec = objShell.Exec("powershell -windowstyle hidden -command (Get-NetFirewallRule -DisplayName Hmailblock | Get-NetFirewallAddressFilter ).RemoteAddress")
        strPSResults = objExec.StdOut.ReadAll
        ' PowerShell prints one address per line; turn CR LF into a comma-separated list
        strPSResults = Replace(strPSResults, Chr(13), ",", 1, 1000)
        strPSResults = Replace(strPSResults, Chr(10), "", 1, 1000)
        ' Append the new address to the existing list
        ip = strPSResults & ClientIp
        ' Write the old addresses plus the new one back to the rule
        Set objExec = objShell.Exec("powershell -windowstyle hidden -command Set-NetFirewallRule -DisplayName Hmailblock -RemoteAddress " & ip)
        Set objExec = Nothing
        Set objShell = Nothing
        ' End add to firewall

        EventLog.Write("SnowShoeBAN: " & ClientIp)
        ' Optional: drop the TCP connection immediately
        With CreateObject("WScript.Shell")
            .Run """C:\Program Files (x86)\hMailServer\Events\Disconnect.exe"" " & ClientIp, 0, True
        End With
        Exit Sub
    End If
End Sub

' Returns True when Spamhaus SBL answers with 127.0.0.3 (the CSS / snowshoe listing code).
' Uses the third-party SScripting.IPNetwork COM component for the DNS lookup.
Function IsSnowShoe(strIP)
    IsSnowShoe = False
    Dim a, strResult
    a = Split(strIP, ".")
    If UBound(a) <> 3 Then Exit Function    ' not a dotted IPv4 address (e.g. IPv6)
    With CreateObject("SScripting.IPNetwork")
        ' Reverse the octets for the DNSBL query: d.c.b.a.sbl.spamhaus.org
        strResult = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".sbl.spamhaus.org")
    End With
    If strResult = "127.0.0.3" Then IsSnowShoe = True
End Function

Give it a week, and your servers will never talk to the spammers again :)
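As an added example (not insomniac2k2's or SorenR's code), the same read-modify-write of the Hmailblock rule done natively in PowerShell, so one call per ban replaces the two shell-outs above: it validates the address before touching the rule, creates the rule if it is missing, skips addresses already present and drops the default "Any" placeholder that would otherwise be mixed into the list. The rule name comes from the post; the port list is an assumption.

```powershell
function Add-BlockedAddress {
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [string]$RuleName = 'Hmailblock'   # rule name used in the post
    )
    # Validate first: one malformed token makes Set-NetFirewallRule reject the whole list.
    if (-not [System.Net.IPAddress]::TryParse($IPAddress, [ref]$null)) {
        throw "Not an IP address: $IPAddress"
    }

    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if (-not $rule) {
        # Inbound block limited to the mail ports (assumed list), so a mistake
        # in the address list can never lock you out of RDP.
        $rule = New-NetFirewallRule -DisplayName $RuleName -Direction Inbound `
            -Action Block -Protocol TCP -LocalPort 25,110,143,587,993,995 `
            -RemoteAddress $IPAddress
        return $true
    }

    $current = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    if ($current -contains $IPAddress) {
        return $false   # already blocked; nothing to write
    }
    # "Any" is the placeholder on a rule with no addresses yet; replacing it is
    # what turns the rule into a real block list.
    $new = @($current | Where-Object { $_ -ne 'Any' }) + $IPAddress
    $rule | Set-NetFirewallRule -RemoteAddress $new
    return $true
}

# Example call (constructed address from the TEST-NET-3 range):
Add-BlockedAddress -IPAddress '203.0.113.10'
```

Run it from an elevated session; from the hMailServer script it would replace the two objShell.Exec calls with a single `powershell -File` invocation passing the client address.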

mattg
Moderator
Posts: 20301
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Am I paying AWS to let people try and hack my server?

Post by mattg » 2019-01-03 23:56

bigted wrote:
2019-01-03 11:42
So I thought I could restrict SMTP Auth to a certain port then configure my clients to use this port
In your hMailServer.ini
at the bottom add

Code:

[settings]
DisableAUTHList=25
; Setting DisableAUTHList allows you to specify a comma-separated list of SMTP ports which authentication should not be enabled for.
; This is useful when working with legacy systems with malfunctioning SMTP support.
Keep port 25 open, just don't allow any AUTH on that port.
Change your clients to use port 587 (submission via StartTLS)

What are your AutoBan Settings?
I currently have around 170, but mine goes as high as 400. I only Autoban for a week (and I Autoban via a script for any overseas access via POP or IMAP, and more). Someone the other day said that they had thousands of Autoban entries.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

insomniac2k2
Normal user
Posts: 84
Joined: 2016-08-09 19:47

Re: Am I paying AWS to let people try and hack my server?

Post by insomniac2k2 » 2019-01-04 02:30

I used to have 40000 per server until I purged them and moved bans to Windows Firewall. While hMailServer seemed OK with this many bans, the client did not like to enumerate them and crashed a lot towards the end. Banning at the firewall level drastically reduced the load and traffic on hMailServer.

bigted
New user
Posts: 2
Joined: 2019-01-03 11:26

Re: Am I paying AWS to let people try and hack my server?

Post by bigted » 2019-01-04 10:59

Hi,

Thanks for the suggestions.

I had a quick look to see if there was some sort of API for AWS console but couldn't turn up anything promising.

I found some reference to "AWS WAF by Using AWS Lambda" but this looked like I'd end up buying more appliances from AWS and was really all about websites.

My AutoBan settings are 1,3600,3600 at the moment. I did wonder how big an integer variable was behind the ban times the other day.

I'll have a go with port 25/587 setup as well.

I was also thinking about writing the banned IPs out to a file so I could look for duplication over time - and manually add these into the AWS setup.

Cheers

BigTed
PS Thanks Matt for this software - I gave a donation via PayPal yesterday.

SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: Am I paying AWS to let people try and hack my server?

Post by SorenR » 2019-01-04 11:03

I have found that "shoot first, ask questions later" is not good with banning. A huge "banning list" on a small server really kills performance.

Sooo many "attacks" are 1-2 attempts every 8-12 hours so I have my banning set up differentiated.

- SnowShoe SPAM is only rejected as I only see recurring connects from same IP 1-2 times a week.

- 4-letter TLDs I ban instantly. 99% is SPAM anyway in my part of the world.

- Non-compliant HELO/EHLO greetings are rejected. Not very frequent anyways. Usually bots trying first EHLO, then HELO and never seen again.

- Like Matt I also only allow client connections from a limited geographic region. Attempts are banned for 7 days when registered 3 times in a 3 hour window.

- I also have an IDS system where ANY SMTP traffic not resulting in an email is banned for 7 days when registered 3 times in a 3 hour window.

- I have found that a 20 second delay of SMTP traffic in Sub OnClientConnect(oClient), Sub OnHELO(oClient) and Sub OnSMTPData(oClient, oMessage) has eliminated the need for GreyListing completely.

As seen from other posts here, it is obvious that there is no "default set of rules" to combat SPAM and bots. The best way is to spend a month or so monitoring the server - add a lot of "EventLog.Write" calls to log events and build your defence from there :mrgreen:
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde
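The "3 registrations in a 3 hour window earns a 7 day ban" rule above, and bigted's earlier idea of writing rejected addresses out to a file and looking for repeat offenders over time, both come down to a sliding-window count per source address. As an added example (not SorenR's or bigted's code), this runs that count over constructed log lines standing in for EventLog.Write output; the line format and timestamp layout are assumptions.

```powershell
# Constructed sample: one address hits three times inside 2.5 hours, the other
# three times spread over a day (the "1-2 attempts every 8-12 hours" pattern).
$SampleLog = @'
2019-01-04 08:00:12 REJECT 203.0.113.10 HELO-noncompliant
2019-01-04 09:15:40 REJECT 203.0.113.10 HELO-noncompliant
2019-01-04 10:30:05 REJECT 203.0.113.10 HELO-noncompliant
2019-01-04 01:00:00 REJECT 198.51.100.7 no-mail-sent
2019-01-04 13:00:00 REJECT 198.51.100.7 no-mail-sent
2019-01-04 23:00:00 REJECT 198.51.100.7 no-mail-sent
'@

function Get-BanCandidates {
    param(
        [string[]]$Lines,
        [int]$Hits = 3,                                    # registrations needed
        [timespan]$Window = [timespan]::FromHours(3),      # ... inside this window
        [timespan]$BanFor = [timespan]::FromDays(7)        # resulting ban length
    )
    # Parse "yyyy-MM-dd HH:mm:ss REJECT <ip> <reason>"; anything else is ignored.
    $events = foreach ($line in $Lines) {
        if ($line -match '^(\S+ \S+) REJECT (\S+) ') {
            [pscustomobject]@{
                Time = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd HH:mm:ss', $null)
                IP   = $Matches[2]
            }
        }
    }
    foreach ($group in $events | Group-Object IP) {
        $times = @($group.Group.Time | Sort-Object)
        # Slide over the sorted timestamps: hit i and hit i+Hits-1 must both fall
        # inside one window. Spread-out attempts never satisfy this and stay unbanned.
        for ($i = 0; $i + $Hits - 1 -lt $times.Count; $i++) {
            if ($times[$i + $Hits - 1] - $times[$i] -le $Window) {
                [pscustomobject]@{
                    IP          = $group.Name
                    BannedUntil = $times[$i + $Hits - 1] + $BanFor
                }
                break   # one ban per address is enough
            }
        }
    }
}

# Only 203.0.113.10 is reported; 198.51.100.7 never has 3 hits within 3 hours.
Get-BanCandidates -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```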

mattg
Moderator
Posts: 20301
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Am I paying AWS to let people try and hack my server?

Post by mattg » 2019-01-04 23:36

bigted wrote:
2019-01-04 10:59
PS Thanks Matt for this software - I gave a donation via PayPal yesterday.
Just for the record, Martin is the owner / developer of hMailserver. I'm sure that he will appreciate the donation - thanks

SorenR wrote:
2019-01-04 11:03
I have found that a 20 second delay of SMTP traffic in Sub OnClientConnect(oClient), Sub OnHELO(oClient) and Sub OnSMTPData(oClient, oMessage) has eliminated the need for GreyListing completely.
+1

bigted wrote:
2019-01-04 10:59
My AutoBan settings are 1,3600,3600 at the moment
I'd probably make the 1 into a 2 or 3

My Autoban settings are 3,30,10080 (10080 is 7 days) but it rarely gets triggered. I mostly ban for X days using scripts.

insomniac2k2
Normal user
Posts: 84
Joined: 2016-08-09 19:47

Re: Am I paying AWS to let people try and hack my server?

Post by insomniac2k2 » 2019-01-05 00:06

SorenR wrote:
2019-01-04 11:03
I have found that "shoot first, ask questions later" is not good with banning. A huge "banning list" on a small server really kills performance.
I definitely did experience this in the end by using Hmailserver bans. Although, now that I switched bans to my firewall, my servers are screaming fast and much less busy
SorenR wrote:
2019-01-04 11:03
- SnowShoe SPAM is only rejected as I only see recurring connects from same IP 1-2 times a week.
Man, I wish that was the case for me. I think my companies are on every spam list worldwide! I see constant contact from the same IPs all day long.
SorenR wrote:
2019-01-04 11:03
- I have found that a 20 second delay of SMTP traffic in Sub OnClientConnect(oClient), Sub OnHELO(oClient) and Sub OnSMTPData(oClient, oMessage) has eliminated the need for GreyListing completely.
This one didn't work well for me in the past. I'll have to try it now after I have all my firewall bans up. I really wanted this one to work for me.
SorenR wrote:
2019-01-04 11:03
As seen from other posts here, it is obvious that there is no "default set of rules" to combat SPAM and bots. The best way is to spend a month or so monitoring the server - add a lot of "EventLog.Write" calls to log events and build your defence from there :mrgreen:
Couldn't agree more on that one!

SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: Am I paying AWS to let people try and hack my server?

Post by SorenR » 2019-01-05 16:37

insomniac2k2 wrote:
2019-01-05 00:06
SorenR wrote:
2019-01-04 11:03
I have found that "shoot first, ask questions later" is not good with banning. A huge "banning list" on a small server really kills performance.
I definitely did experience this in the end by using Hmailserver bans. Although, now that I switched bans to my firewall, my servers are screaming fast and much less busy
SorenR wrote:
2019-01-04 11:03
- SnowShoe SPAM is only rejected as I only see recurring connects from same IP 1-2 times a week.
Man, I wish that was the case for me. I think my companies are on every spam list worldwide! I see constant contact from the same IPs all day long.
SorenR wrote:
2019-01-04 11:03
- I have found that a 20 second delay of SMTP traffic in Sub OnClientConnect(oClient), Sub OnHELO(oClient) and Sub OnSMTPData(oClient, oMessage) has eliminated the need for GreyListing completely.
This one didn't work well for me in the past. I'll have to try it now after I have all my firewall bans up. I really wanted this one to work for me.
SorenR wrote:
2019-01-04 11:03
As seen from other posts here, it is obvious that there is no "default set of rules" to combat SPAM and bots. The best way is to spend a month or so monitoring the server - add a lot of "EventLog.Write" calls to log events and build your defence from there :mrgreen:
Couldn't agree more on that one!
Ah, well I only host one public domain (5 users) and my fake "acme.inc" domain so that's why numbers are low. Also I have been actively fighting SPAM for a very long time so I am probably taken off of a few lists for being "a black hole" and/or a "slow responder".
Anything that affects their distribution speed is costing them money. :mrgreen:
SørenR.

