Blocking IP's
Is it possible to programmatically add IP's to the list of IP's on the autoban list which hmailserver maintains of excessive logins?
Although I drop bad IP's on the OnEHLO event in VBscript, that does not stop them coming and last week I had 8000+ attempts one day basically mailbombing my server.
It seems any response from the server encourages it to continue.
Re: Blocking IP's
jimwatt wrote: ↑2023-05-19 14:00
Is it possible to programmatically add IP's to the list of IP's on the autoban list which hmailserver maintains of excessive logins?
Although I drop bad IP's on the OnEHLO event in VBscript, that does not stop them coming and last week I had 8000+ attempts one day basically mailbombing my server.
It seems any response from the server encourages it to continue.

take a look at this:
palinka wrote:
https://hmailserver.com/forum/viewtopic.php?f=9&t=34082
lets cheat darwin out of his legacy, find a cure for cancer...
Re: Blocking IP's
Interesting but not what I want to do.
The attraction of the hMailserver IP blocking is that it auto expires.
Re: Blocking IP's
Try this.
Code:
Private Const hMSPASSWORD = "supersecretpassword"

' Opens strPath for appending and returns the TextStream. The open file acts
' as a lock between concurrent script instances: error 70 (permission denied)
' means another instance holds it, so retry up to 31 times.
' Wait() and TEMPDIR (used below) are not defined in this post.
Function LockFile(strPath)
   Const Append = 8
   Const Unicode = -1
   Dim i
   On Error Resume Next
   With CreateObject("Scripting.FileSystemObject")
      For i = 0 To 30
         Err.Clear
         Set LockFile = .OpenTextFile(strPath, Append, True, Unicode)
         If (Not Err.Number = 70) Then Exit For
         Wait(1)
      Next
   End With
   If (Err.Number = 70) Then
      EventLog.Write( "ERROR: EventHandlers.vbs" )
      EventLog.Write( "File " & strPath & " is locked and timeout was exceeded." )
      Err.Clear
   ElseIf (Err.Number <> 0) Then
      EventLog.Write( "ERROR: EventHandlers.vbs : Function LockFile" )
      EventLog.Write( "Error       : " & Err.Number )
      EventLog.Write( "Error (hex) : 0x" & Hex(Err.Number) )
      EventLog.Write( "Source      : " & Err.Source )
      EventLog.Write( "Description : " & Err.Description )
      Err.Clear
   End If
   On Error Goto 0
End Function

Function AutoBan(sIPAddress, sReason, iDuration, sType) : AutoBan = False
   '
   '   sType can be one of the following;
   '   "yyyy" Year, "m" Month, "d" Day, "h" Hour, "n" Minute, "s" Second
   '
   Dim oApp : Set oApp = CreateObject("hMailServer.Application")
   Call oApp.Authenticate("Administrator", hMSPASSWORD)
   ' Hold the lock file while checking for and adding the range.
   With LockFile(TEMPDIR & "\autoban.lck")
      On Error Resume Next
      Dim oSecurityRange : Set oSecurityRange = oApp.Settings.SecurityRanges.ItemByName("(" & sReason & ") " & sIPAddress)
      ' Error 9 is treated as "no range with this name yet", so add one.
      If Err.Number = 9 Then
         With oApp.Settings.SecurityRanges.Add
            .Name = "(" & sReason & ") " & sIPAddress
            .LowerIP = sIPAddress
            .UpperIP = sIPAddress
            .Priority = 20
            .Expires = True
            .ExpiresTime = DateAdd(sType, iDuration, Now())
            .Save
         End With
         AutoBan = True
      End If
      On Error Goto 0
      .Close
   End With
   Set oApp = Nothing
End Function

Sub WhateverYourReasoning(oMessage, oClient, whateverElse)
   '
   '   Your criteria for autobanning
   '
   Call AutoBan(oClient.IPAddress, "Your reason for autobanning - " & oClient.IPAddress, 1, "h")
End Sub
Re: Blocking IP's
We have different approaches to the matter.
SQL statement is compatible with MySQL and MariaDB.
This is an example of how I use it... (includes additional undocumented function calls)
Code:
Function AutoBan(sIPAddress, sReason, iDuration, sType) : AutoBan = False
   '
   '   sType can be one of the following;
   '   "yyyy" Year, "m" Month, "d" Day, "h" Hour, "n" Minute, "s" Second
   '
   Dim oApp : Set oApp = CreateObject("hMailServer.Application")
   Call oApp.Authenticate(ADMIN, PASSWORD)
   Dim iUniqueID, strSQL, strDate, strName, oDB : Set oDB = oApp.Database
   ' DateAdd returns a Date; concatenating it below uses the server's locale
   ' format, which has to match the STR_TO_DATE pattern (dd-mm-yyyy hh:nn:ss).
   strDate = DateAdd(sType, iDuration, Now())
   ' The statement is built by string concatenation, so escape backslashes and
   ' single quotes in the range name. sIPAddress is expected to come from
   ' oClient.IPAddress, never from client-supplied text.
   strName = Replace(Replace("(" & sReason & ") " & sIPAddress, "\", "\\"), "'", "''")
   strSQL = "INSERT INTO hm_securityranges (rangepriorityid, rangelowerip1, rangeupperip1, rangeoptions, rangename, rangeexpires, rangeexpirestime)" & _
            " VALUES (20, INET_ATON('" & sIPAddress & "'), INET_ATON('" & sIPAddress & "'), 0, '" & strName & "', 1, STR_TO_DATE('" & strDate & "', '%d-%m-%Y %H:%i:%s'))" & _
            " ON DUPLICATE KEY UPDATE rangeexpirestime = STR_TO_DATE('" & strDate & "', '%d-%m-%Y %H:%i:%s');"
   iUniqueID = oDB.ExecuteSQLWithReturn(strSQL)
   If iUniqueID > 0 Then AutoBan = True
   ' Reload the ranges so the row written directly to the database takes effect.
   oApp.Settings.SecurityRanges.Refresh
   Set oApp = Nothing
   ' Result is the event handler's Result object, so call this from inside an event.
   If Result.Value < 1 Then Result.Value = 1
End Function

Code:
If AutoBan(oClient.IPAddress, "GEO Blocked " & strGeo & " " & strPort, 48, "h") Then EventLog.Write( LPad("GEO Blocked", 15, " ") & vbTab & LPad(oClient.IPAddress, 16, " ") & vbTab & LPad(oClient.Port, 3, " ") & vbTab & strGeo )
SørenR.
You know he’s a coder when his first 3D print is "hello world"
Re: Blocking IP's
If you are using IPV6 (INET6_ATON/INET6_NTOA) you will need to change the SQL statement. As it is now it is IPV4 only.
SørenR.
You know he’s a coder when his first 3D print is "hello world"
Re: Blocking IP's
jimwatt wrote: ↑2023-05-19 14:00
Is it possible to programmatically add IP's to the list of IP's on the autoban list which hmailserver maintains of excessive logins?
Although I drop bad IP's on the OnEHLO event in VBscript, that does not stop them coming and last week I had 8000+ attempts one day basically mailbombing my server.
It seems any response from the server encourages it to continue.

This is my current method.
This gets called multiple times through my eventhandlers.vbs, and it can also get called stand alone.
I think it works on IPv6 addresses, but I'm not certain.
I have around 1000 banned IP addresses at any one point in time, mostly for a week at a time.
Code:
Sub AutobanIP(IPAddress, NumberOfDays, ReasonForBan)
   'custom event
   'uses functions: CreateGUID (not shown in this post)
   'uses globals: g_sAdminPassword
   EventLog.Write("Autoban IP Address started for IP = " & IPAddress & " For " & NumberOfDays & " days for reason " & ReasonForBan)
   Dim oApp
   Set oApp = CreateObject("hMailServer.Application")
   ' Give this script permission to access all
   ' hMailServer settings.
   Call oApp.Authenticate("Administrator", g_sAdminPassword)
   Dim i
   ' Skip the ban if a range starting at this IP address already exists.
   On Error Resume Next
   For i = 0 To oApp.Settings.SecurityRanges.Count - 1
      If IPAddress = oApp.Settings.SecurityRanges.Item(i).LowerIP Then Exit Sub
   Next
   If (Err.Number <> 0) Then
      EventLog.Write("ERROR: EventHandlers.vbs : Function AutoBanIP")
      EventLog.Write("Error       : " & Err.Number)
      EventLog.Write("Source      : " & Err.Source)
      EventLog.Write("Description : " & Err.Description)
      Err.Clear
   End If
   On Error Goto 0
   EventLog.Write("Autoban IP range being set for IP Address " & IPAddress)
   oApp.Settings.SecurityRanges.Refresh
   ' Single-address range that denies every connection type and expires by itself.
   With oApp.Settings.SecurityRanges.Add()
      .LowerIP = IPAddress
      .UpperIP = IPAddress
      .Priority = 20
      .AllowDeliveryFromLocalToLocal = False
      .AllowDeliveryFromLocalToRemote = False
      .AllowDeliveryFromRemoteToLocal = False
      .AllowDeliveryFromRemoteToRemote = False
      .AllowIMAPConnections = False
      .AllowSMTPConnections = False
      .AllowPOP3Connections = False
      .Expires = True
      .ExpiresTime = DateAdd("d", NumberOfDays, Now())
      ' The GUID suffix keeps the range name unique.
      .Name = ReasonForBan & " - banned for " & NumberOfDays & " days - " & IPAddress & "[" & CreateGUID & "]"
      On Error Resume Next
      .Save
      If (Err.Number = 0) Then
         EventLog.Write("Autoban IP range saved for IP Address " & IPAddress)
      Else
         EventLog.Write("ERROR: EventHandlers.vbs : Function AutoBanIP - Saving")
         EventLog.Write("Error       : " & Err.Number)
         EventLog.Write("Source      : " & Err.Source)
         EventLog.Write("Description : " & Err.Description)
         Err.Clear
      End If
      On Error Goto 0
   End With
End Sub
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
Re: Blocking IP's
Thanks, that's the sort of thing I was looking for.
I need to think about concurrency in processing as the attempts were coming in at 12/second.
Although I hold the last bad IP and reject if the same, my system log had 4000 entries like this and it kept on going.
SMTPD – 111 – 147.78.103.140 ?
2023-05-15 07:21:45.400
SENT: 220 myserver ESMTP
2023-05-15 07:21:45.448
RECEIVED: HELO win-clj1b0gq6jp.domain
2023-05-15 07:21:47.600
SENT: 554 Rejected due to listed as spam source, see: http://www.sorbs.net
SMTPD – 112 – 147.78.103.140 ?
2023-05-15 07:21:46.495
SENT: 220 myserver ESMTP
2023-05-15 07:21:46.543
RECEIVED: EHLO win-clj1b0gq6jp.domain
2023-05-15 07:21:47.669
SENT: 554 Rejected
SMTPD – 113 – 147.78.103.140 ?
2023-05-15 07:21:47.593
SENT: 220 myserver ESMTP
2023-05-15 07:21:47.641
RECEIVED: EHLO win-clj1b0gq6jp.domain
2023-05-15 07:21:47.712
SENT: 554 Rejected
Manually firewalling the IP range seems to have solved the problem for the moment.
Re: Blocking IP's
That's why I went from API to DB injection. Don't get me wrong, I did build session locking into my first "Function AutoBan()" using the API but updating the database is just so much safer.
To add to the story, I have two servers and if one server bans an IP address ... so does the other via a simple REST (representational state transfer) API using HTTP (IIS) and PHP.
SørenR.
You know he’s a coder when his first 3D print is "hello world"
Re: Blocking IP's
Afraid that doesn't work for IPv6, as the values are stored differently, as (big)int values in rangelowerip1, rangelowerip2 and rangeupperip1, rangeupperip2 in the database; not completely sure how that is calculated.
IPv4 doesn't use rangelowerip2 and rangeupperip2.
IPv6 is a 128-bit number, which is too big to stuff into a single BIGINT type; it seems hmailserver splits up a v6 address at the 64-bit boundary and stuffs the two halves into dual BIGINT columns.
For example the IPv6 equivalent for localhost is Lower IP ::1 to Upper IP ::1, in hms database stored as:
rangelowerip1 0
rangelowerip2 1
rangeupperip1 0
rangeupperip2 1
The internet range is Lower IP :: to Upper IP ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
rangelowerip1 0
rangelowerip2 0
rangeupperip1 -1
rangeupperip2 -1
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
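The column layout described in the post above, worked through as an added example (not code from the thread or from hMailServer). It assumes the high 64 bits go into the `*ip1` column and the low 64 bits into `*ip2`, each as a signed BIGINT, which is what the two sample rows quoted above imply; the function names are made up for illustration, and it generalizes from single addresses to CIDR ranges.

```python
import ipaddress

MASK64 = (1 << 64) - 1


def _signed64(value):
    """Reinterpret an unsigned 64-bit value as a signed BIGINT (two's complement)."""
    return value - (1 << 64) if value >= (1 << 63) else value


def to_hm_columns(address):
    """Return (ip1, ip2) for one address.

    IPv4: ip1 is the 32-bit value INET_ATON would give; ip2 is unused (None).
    IPv6: ip1 = high 64 bits, ip2 = low 64 bits (assumed order, see lead-in).
    """
    ip = ipaddress.ip_address(address)  # raises ValueError on malformed input
    n = int(ip)
    if ip.version == 4:
        return n, None
    return _signed64(n >> 64), _signed64(n & MASK64)


def range_columns(network):
    """Map a CIDR block (or single address) to the four range columns."""
    net = ipaddress.ip_network(network, strict=False)
    lo1, lo2 = to_hm_columns(str(net.network_address))
    hi1, hi2 = to_hm_columns(str(net.broadcast_address))
    return {"rangelowerip1": lo1, "rangelowerip2": lo2,
            "rangeupperip1": hi1, "rangeupperip2": hi2}


if __name__ == "__main__":
    # Constructed sample inputs: the two ranges from the post plus
    # documentation prefixes (2001:db8::/32 and 192.0.2.0/24).
    for sample in ("::1", "::/0", "2001:db8::/64", "192.0.2.0/24"):
        print(sample, range_columns(sample))
```

Passing the resulting integers as bound parameters, instead of concatenating address strings into the INSERT, also removes the dependence on `INET_ATON`/`INET6_ATON`.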