Invoking AutoBan from script

Post by FixItDik » 2020-01-14 16:08

Hi all,

I am getting nuisance attacks that are really doing nothing more than chewing a little processor time and whilst I cannot see the benefit to the "attacker" I feel I ought to be stopping them.

Every morning and sometimes throughout the day I will see the following (a connection without an attempt to log in, repeated every few minutes):

Code:

"SMTPD"	1856	186671	"2020-01-14 00:06:26.573"	"193.56.28.26"	"SENT: 220 gizmail"
"SMTPD"	1884	186671	"2020-01-14 00:06:26.635"	"193.56.28.26"	"RECEIVED: EHLO User"
"SMTPD"	1884	186671	"2020-01-14 00:06:26.635"	"193.56.28.26"	"SENT: 250-myserver[nl]250-SIZE 20480000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD"	1856	186752	"2020-01-14 00:14:28.776"	"193.56.28.26"	"SENT: 220 gizmail"
"SMTPD"	1880	186752	"2020-01-14 00:14:28.838"	"193.56.28.26"	"RECEIVED: EHLO User"
"SMTPD"	1880	186752	"2020-01-14 00:14:28.838"	"193.56.28.26"	"SENT: 250-myserver[nl]250-SIZE 20480000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD"	1856	186832	"2020-01-14 00:22:29.666"	"193.56.28.26"	"SENT: 220 gizmail"
"SMTPD"	1904	186832	"2020-01-14 00:22:29.729"	"193.56.28.26"	"RECEIVED: EHLO User"
"SMTPD"	1904	186832	"2020-01-14 00:22:29.729"	"193.56.28.26"	"SENT: 250-myserver[nl]250-SIZE 20480000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD"	1856	186912	"2020-01-14 00:30:30.635"	"193.56.28.26"	"SENT: 220 gizmail"
"SMTPD"	1864	186912	"2020-01-14 00:30:30.760"	"193.56.28.26"	"RECEIVED: EHLO User"
"SMTPD"	1864	186912	"2020-01-14 00:30:30.760"	"193.56.28.26"	"SENT: 250-myserver[nl]250-SIZE 20480000[nl]250-AUTH LOGIN[nl]250 HELP"

hMailServer is not doing anything about these itself, as they are not attempting to log on and so are not triggering the Auto Ban rules; however, if I add the IP address to the "IP Ranges" list then sure enough hMailServer blocks them.

What I would like to do is write some code for the OnClientConnect event that detects these and then adds them to the list. I have seen a function used by other scripts (NotifyFailedLogin, I think) which may well do the adding of the IP address to this list (I would just have to put some string in the "username" parameter, but I am sure hard coding that won't be a problem as I am seeing loads of Auto Ban entries with the same name and hMailServer appears to be simply adding a sequential number to the end of each one).

So the real stumbling block I have is how to detect these - I think I simply need some kind of semi-persistent variable or object where I can store a connection attempt and then any other event (such as successful login or receipt of email) could clear that variable. Now if the OnClientConnect script sees that the variable is not clear and contains matching information to this new connection then it "bans" this IP address (I could get even more clever and allow 3 or 4 attempts as you can see my server is not exactly busy and that would allow for some "natural" occurrence of this which I have never seen but I guess is possible).

So do I have to find some way to access the SQL database and create my own table there just for this semi-persistent data storage, or can I declare a variable outside of the event handlers in the script file and will it persist in value from one call to another, or maybe I have to resort to writing something out to a text file? (I can't help but feel this is all overkill for saving some cycles and frustrating a "hacker".)

Thoughts gratefully received please :D

Post by mattg » 2020-01-14 17:11

Similar story
https://www.hmailserver.com/forum/viewt ... =EHLO+user

One of many types of fixes >> https://www.hmailserver.com/forum/viewt ... er#p208091

May require a newer build of hMailServer though to get OnHelo sub
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Post by palinka » 2020-01-14 18:03

Firewall Ban those suckers.

Post by palinka » 2020-01-14 18:14

FixItDik wrote:
2020-01-14 16:08
So the real stumbling block I have is how to detect these - I think I simply need some kind of semi-persistent variable or object where I can store a connection attempt and then any other event (such as successful login or receipt of email) could clear that variable. Now if the OnClientConnect script sees that the variable is not clear and contains matching information to this new connection then it "bans" this IP address (I could get even more clever and allow 3 or 4 attempts as you can see my server is not exactly busy and that would allow for some "natural" occurrence of this which I have never seen but I guess is possible).

Soren, our resident guru, has a super simple yet pure genius method of doing exactly that. Every connection (IP) is recorded into a database at OnClientConnect. Then, if the connection either a) successfully logs on or b) successfully sends a message, then the IP is deleted from the database. If a or b are not successful, the IP remains in the database. Then when the IP connects again with unsuccessful a or b, the counter goes up +1. When the counter reaches 3 (or whatever number you choose), autoban is called. IPs that don't reach counter=3 are automatically expired after a certain amount of time.

I've also incorporated this into my firewall ban project, among other things I stole from Soren. :mrgreen:
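
The counting scheme described in the post above, replayed offline over log lines as an added example; it is not Soren's script, not part of this thread, and not hMailServer code. The threshold, the expiry time, the reply strings treated as "success" (`235`, `250 Queued`) and the `ban` callback are assumptions, and the sample log is constructed.

```python
import csv
import io
from datetime import datetime, timedelta

THRESHOLD = 3             # unresolved connects before banning (assumed value)
TTL = timedelta(hours=1)  # strikes older than this expire (assumed value)

def row(sid, ts, ip, text):
    # Builds one constructed line in the tab-separated layout shown in the post.
    return f'"SMTPD"\t1856\t{sid}\t"2020-01-14 {ts}"\t"{ip}"\t"{text}"'

SAMPLE_LOG = "\n".join([  # constructed; documentation IP ranges
    row(1, "00:06:26.573", "192.0.2.10", "SENT: 220 mail"),
    row(1, "00:06:26.635", "192.0.2.10", "RECEIVED: EHLO User"),
    row(2, "00:07:00.000", "198.51.100.7", "SENT: 220 mail"),
    row(2, "00:07:01.000", "198.51.100.7", "SENT: 235 authenticated."),
    row(3, "00:14:28.776", "192.0.2.10", "SENT: 220 mail"),
    row(4, "00:22:29.666", "192.0.2.10", "SENT: 220 mail"),
    row(5, "03:00:00.000", "198.51.100.7", "SENT: 220 mail"),
])

class ConnectTracker:
    def __init__(self, ban):
        self.seen = {}  # ip -> (strikes, time of last connect)
        self.ban = ban  # hypothetical callback that performs the actual ban

    def on_connect(self, ip, now):
        strikes, last = self.seen.get(ip, (0, now))
        if now - last > TTL:
            strikes = 0  # earlier strikes have expired
        strikes += 1
        self.seen[ip] = (strikes, now)
        if strikes >= THRESHOLD:
            del self.seen[ip]
            self.ban(ip, now)

    def on_success(self, ip):
        self.seen.pop(ip, None)  # login or accepted message clears the record

def replay(log_text):
    banned = []
    tracker = ConnectTracker(lambda ip, now: banned.append((ip, str(now))))
    for _, _, _, ts, ip, text in csv.reader(io.StringIO(log_text), delimiter="\t"):
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")
        if text.startswith("SENT: 220"):  # greeting banner = new connection
            tracker.on_connect(ip, now)
        elif text.startswith(("SENT: 235", "SENT: 250 Queued")):  # assumed success replies
            tracker.on_success(ip)
    return banned, tracker.seen
```

Replaying old logs this way shows which addresses a given threshold and expiry would have banned, including any legitimate clients, before the same counting is wired into the server's event handlers.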
