Stop intruder
Hi,
It is currently bad to find out that other people were making use of my domain to send out messages like
2019-06-20 17:03:17 3n899f3lvn2en@artist-oil.ru lucas@a.co 185.222.211.13 127.0.0.1 SMTP ? 550 0
2019-06-20 17:03:17 3n899f3lvn2en@artist-oil.ru beth@a.co 185.222.211.13 127.0.0.1 SMTP ? 550 0
2019-06-20 17:03:17 3n899f3lvn2en@artist-oil.ru dean@a.co 185.222.211.13 127.0.0.1 SMTP ? 550 0
2019-06-20 17:03:17 3n899f3lvn2en@artist-oil.ru victoria@a.co 185.222.211.13 127.0.0.1 SMTP ? 550 0
2019-06-20 17:03:17 3n899f3lvn2en@artist-oil.ru alexandra@a.co 185.222.211.13 127.0.0.1 SMTP ? 550 0
Such user accounts never appeared in my AD. How do I stop this? I already created a proper SPF record on the domain (and Namecheap.com confirmed to me that the SPF record was working fine) but the intruder is still working on my domain!
Re: Stop intruder
They are all 550 rejections
No mail being sent there
(Do you have other logging options enabled other than AWStats? AWStats logs aren't really good for troubleshooting)
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
Re: Stop intruder
Thanks. All 550 events are rejections, right?
Do you mean to enable other logs?
"DEBUG" 3812 "2019-06-21 08:35:23.921" "AWStats::LogDeliveryFailure"
"SMTPD" 3812 36 "2019-06-21 08:35:23.921" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3796 36 "2019-06-21 08:35:23.921" "185.222.211.13" "RECEIVED: RCPT TO:<cheryl@a.co>"
"DEBUG" 3796 "2019-06-21 08:35:23.937" "AWStats::LogDeliveryFailure"
"SMTPD" 3796 36 "2019-06-21 08:35:23.937" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3796 36 "2019-06-21 08:35:23.937" "185.222.211.13" "RECEIVED: RCPT TO:<fernanda@a.co>"
"DEBUG" 3796 "2019-06-21 08:35:23.952" "AWStats::LogDeliveryFailure"
"SMTPD" 3796 36 "2019-06-21 08:35:23.952" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3796 36 "2019-06-21 08:35:23.952" "185.222.211.13" "RECEIVED: RCPT TO:<luis@a.co>"
"DEBUG" 3796 "2019-06-21 08:35:23.968" "AWStats::LogDeliveryFailure"
"SMTPD" 3796 36 "2019-06-21 08:35:23.968" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3812 36 "2019-06-21 08:35:23.968" "185.222.211.13" "RECEIVED: RCPT TO:<will@a.co>"
"DEBUG" 3812 "2019-06-21 08:35:23.968" "AWStats::LogDeliveryFailure"
"SMTPD" 3812 36 "2019-06-21 08:35:23.984" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3812 36 "2019-06-21 08:35:23.984" "185.222.211.13" "RECEIVED: RCPT TO:<carl@a.co>"
"DEBUG" 3812 "2019-06-21 08:35:23.984" "AWStats::LogDeliveryFailure"
Re: Stop intruder
yes all 550 are rejections
SMTP + debug is OK to troubleshoot later
Re: Stop intruder
Can you tell me the meaning of "RECEIVED: RCPT TO:<offers@a.co>" in the log below?
"DEBUG" 3772 "2019-06-21 11:42:57.870" "AWStats::LogDeliveryFailure"
"SMTPD" 3772 41 "2019-06-21 11:42:57.870" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3812 41 "2019-06-21 11:42:57.870" "185.222.211.13" "RECEIVED: RCPT TO:<offers@a.co>"
Re: Stop intruder
Sure
Your SMTP Daemon (incoming SMTP connection) @ time '2019-06-21 11:42:57.870' received an instruction from IP '185.222.211.13'
The instruction as received was 'RCPT TO:<offers@a.co>'
This is saying that we would like to send our email to 'offers@a.co'
Your server responds with SENT at the next line (next line down - not shown) that says '550 Unknown User'
This means your mail is rejected as we don't have a mailbox by that name to receive your message
Re: Stop intruder
Thanks a lot!
It means IP 185.222.211.13 is repeatedly annoying my server, by giving "rubbish" commands, right?
Re: Stop intruder
yes
autoban, with a maximum number of bad commands being set would block those
run this and post the results >> viewtopic.php?f=20&t=30914
Re: Stop intruder
Thanks a lot!
What is the purpose of the relevant party, who ridiculously are repeatedly running jobs for doing such "BAD" routines? Does it mean they're trying to steal any "potential" resources for doing their jobs?
Re: Stop intruder
That's just what SPAMmers do.
Not quite as bad as those who actively try to hack systems, or bring down systems by over abuse (DOS attacks and DDOS attacks), but yes certainly still a huge waste of resources.
I reckon that I spend far more time fighting spam and blocking attacks than anything else admin related on my servers. There are some sophisticated attackers out there, and most of those are just looking for a server that they can exploit to send out SPAM, or to steal email credentials so that they can scam users.
I'm sure that there are some who beat my attempts at blocking them.
Re: Stop intruder
Mattg,
Thanks a lot!
How would it be easy to totally block their try from "checking/validating (or attempting to steal)" against the server? Did you ever succeed in doing this?
Re: Stop intruder
no
I just keep fine tuning my systems
It is hard to allow genuine users through, but only block malicious users.
Some things that I do
- not allow PORT 25 AUTH at all
- Force all connections to ONLY use only TLSv1.2 when the connection is secured
- Force all connections that AUTH to be secure
- drop and ban all IMAP and POP3 connections that don't originate in Australia (my server is in Australia)
- ban all high spam score IPs
- ban all IPs that 'look' like they are scamming / hacking / trying stuff
and more
Re: Stop intruder
Mattg,
Thanks a lot!
How to force all connections to ONLY use TLSv1.2 when the connection is secured?
Re: Stop intruder
SpamAssassin is like our children, you have to teach it what is good and what is bad. If you only teach it what is good you'll end up with a Bayesian database like our current generation of young people - completely unable to deal with "bad", who gets offended by anyone and anything, converts civil disobedience to hashtags and shitstorms and who believe pretty much anything that is written on the Internet to be true.
PS. You being an American. Were you aware that statistically all "Great Presidents" in the USA started a war?
Perhaps you should listen to your wife and get out before you are drafted. Despite what you hear in the news, "Socialist" Europe is a pretty solid place to live. We all drive Audi, Mercedes and BMW and use Huawei phones as they are superior.
SørenR.
Woke is Marxism advancing through Maoist cultural revolution.
Re: Stop intruder
1) I'm too old to be drafted
2) I already volunteered and served in the United States Marines
3) The next war won't be between countries, it will be within countries and the draft won't matter - you'll be drafted by survival
4) I always listen to my wife because she's really intelligent and perceptive (and beautiful - I'm a lucky guy to have that combination)
5) off topic
6) my firewall ban is coming along nicely. I have some pretty good changes i hope to push out today if i can find time between mountain biking with my son and relaxing in the pool.
7) ^^ still off topic
Re: Stop intruder
I just realized that could be interpreted as sarcastic when it's not meant to be. What i meant was i never considered banning ips based on SA scores insofar as "ban" means not reject or redirect a message, but rather send to autoban or firewall ban or some other permanent/semi-permanent means of preventing connection. There could be lots of false positives because spam also gets sent from legitimate, high reputation servers.
Re: Stop intruder
palinka wrote: ↑2019-06-22 14:30
> I just realized that could be interpreted as sarcastic when it's not meant to be. What i meant was i never considered banning ips based on SA scores insofar as "ban" means not reject or redirect a message, but rather send to autoban or firewall ban or some other permanent/semi-permanent means of preventing connection. There could be lots of false positives because spam also gets sent from legitimate, high reputation servers.
Can I just say on behalf of myself and my generation (60+) of Danish IT geeks and Motorheads (US version), you made a short and to the point observation. What's to be offended about that?
Noun. motorhead (plural motorheads) (US, Canada, slang) A car enthusiast. (Britain, slang) A heavy user of amphetamines.
Re: Stop intruder
Trippy!!
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829
Re: Stop intruder
In an effort to stop some backscatter, I accept all spam, without rejection.
If the spamscore is high, I ban the IP and delete the message
If the spamscore is medium (in the range where it might be SPAM or might be HAM from a poorly managed server), I send it to a spam@ account for review
I have seen SPAM score up to 199 on my system
Re: Stop intruder
Good day Mattg,
How to ban one IP from "approaching" our server?
Re: Stop intruder
Or ban at the edge of your network with a firewall appliance or in your modem / router
Re: Stop intruder
On below URL
http://hmailserver.com/forum/viewtopic.php?f=9&t=34082
it is done for MYSQL database. Does it mean we can re-write it for MSSQL, right?
Re: Stop intruder
PeterChan wrote: ↑2019-06-24 12:09
> On below URL
> http://hmailserver.com/forum/viewtopic.php?f=9&t=34082
> it is done for MYSQL database. Does it mean we can re-write it for MSSQL, right?
Yes. But i couldn't say how much work that would be. For the basic stuff - meaning the powershell script and EventHandlers.vbs - it would be pretty easy, but there are so many database calls in the webadmin that it could be a lot of work to untangle. Or maybe it works right out of the box. I literally have no idea. I only know that i can't and won't be doing it.
Re: Stop intruder
Hi,
I want to know what it does do, per below log details?
"DEBUG" 3820 "2019-06-27 09:07:47.898" "Creating session 397"
"TCPIP" 3820 "2019-06-27 09:07:47.906" "TCP - 3.94.116.70 connected to 113.255.213.124:25."
"DEBUG" 3820 "2019-06-27 09:07:47.914" "TCP connection started for session 396"
"SMTPD" 3820 396 "2019-06-27 09:07:47.917" "3.94.116.70" "SENT: 220 WIN-APIUFD1NJEU ESMTP"
"SMTPD" 3784 396 "2019-06-27 09:07:48.212" "3.94.116.70" "RECEIVED: EHLO scanner.sslsonar.org"
"SMTPD" 3784 396 "2019-06-27 09:07:48.215" "3.94.116.70" "SENT: 250-WIN-APIUFD1NJEU[nl]250-SIZE 20480000[nl]250-STARTTLS[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 3800 396 "2019-06-27 09:07:48.478" "3.94.116.70" "RECEIVED: STARTTLS"
"SMTPD" 3800 396 "2019-06-27 09:07:48.482" "3.94.116.70" "SENT: 220 Ready to start TLS"
"DEBUG" 3784 "2019-06-27 09:07:48.487" "Performing SSL/TLS handshake for session 396. Verify certificate: False"
"TCPIP" 3820 "2019-06-27 09:07:49.030" "TCPConnection - TLS/SSL handshake completed. Session Id: 396, Remote IP: 3.94.116.70, Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384, Bits: 256"
"SMTPD" 3820 396 "2019-06-27 09:07:49.371" "3.94.116.70" "RECEIVED: EHLO scanner.sslsonar.org"
"SMTPD" 3820 396 "2019-06-27 09:07:49.375" "3.94.116.70" "SENT: 250-WIN-APIUFD1NJEU[nl]250-SIZE 20480000[nl]250-AUTH LOGIN[nl]250 HELP"
"DEBUG" 3784 "2019-06-27 09:07:59.629" "The read operation failed. Bytes transferred: 0 Remote IP: 3.94.116.70, Session: 396, Code: 335544539, Message: short read"
"DEBUG" 3784 "2019-06-27 09:07:59.634" "Ending session 396"
Re: Stop intruder
That looks to me like a system that checks your security, and does not send mail
The OTHER server seems to have dropped the connection
And the name of the other server makes me think it is scanning ssl certificates
Re: Stop intruder
My thoughts too. I had a similar visit by shodan.io ... Interesting search engine
https://www.shodan.io/search?query=hmailserver
Re: Stop intruder
WOW
We asked Martin to take the name hmailserver out of the SMTP greeting some 10 years back I reckon.
Anyone still showing that is on a really old version
Seems like a security risk to me, but seeing the number of recent results it's clear that hmailserver just keeps working
Re: Stop intruder
Takes a lickin' and keeps on tickin'..
Sheesh... hmailserver is probably the most stable software written for windows EVER.
Re: Stop intruder
Well... This is one way to stop the intruder... The Russian IL-20M (COOT-A) "just cruising around"
Danish F-16 is besides being a member of the strategic air defense also a member of the national air defense show group. Thus it is showing it's true colours
Picture is dated October 1'st 2019 and is from the outer limits of the Danish airspace. The F-16 is pretty but dangerous - the stingers are live and the message is clear; "Go home or go down in flames!"
Re: Stop intruder
I've been seeing the types of attacks PeterChan is getting to.
The first set of Log Entries where the IP Address was just sending RCPT TO commands, I figured the IP Address was just trying to see if it could get a hit on an Email ID being found on your Server. Once that Email ID came back as a successful hit then the IP Address could try guessing the Password then Log On to that Email Account. I was told by one of the regulars here that it probably was a bot and would probably stop. It did after some days finally stop. It kept sending these connections about every minute
The scanner.sslsonar.org set of Log Entries I saw in my Logs a couple of days ago, too.
Not too long ago, I saw a website that apparently periodically does Port Scans. The Port Scanner was MASSCAN. I just banned the IP Address permanently.
If you think you understand quantum mechanics, you don't understand quantum mechanics.
Re: Stop intruder
palinka wrote: ↑2019-06-22 14:23
> 1) I'm too old to be drafted
> 2) I already volunteered and served in the United States Marines
> 3) The next war won't be between countries, it will be within countries and the draft won't matter - you'll be drafted by survival
> 4) I always listen to my wife because she's really intelligent and perceptive (and beautiful - I'm a lucky guy to have that combination)
> 5) off topic
> 6) my firewall ban is coming along nicely. I have some pretty good changes i hope to push out today if i can find time between mountain biking with my son and relaxing in the pool.
> 7) ^^ still off topic
Hey, I kinda thought you must be located somewhere near my Time Zone as your Time Stamps on your Forum Postings were all somewhat near my own Local Time. So my guess was right you were US.
When I found junkemailfilter.com for MX Backup Email Service, I was a bit surprised they were located about a 30-45 minute drive from me, not to mention ASUS US Corporate Office is located in the same vicinity too. When I needed to have warranty work done on my ASUS Router, instead of sending it to the support center in I believe it was Jefferson Indiana, I had heard one of the Support people refer to the Engineer at ASUS by his first name. So I called up their office here, asked for him by his first name and told them he worked with the Routers, and they put me right through to him and he said they readily accepted the stuff from us Locals there, so I took it there and got faster service with less hassle.
By the way I'm always telling people that hMailServer is my best application as it never crashes and I've been using it for around 8 years.
Re: Stop intruder
Oh it crashes. You just have to find a way to force it.
Re: Stop intruder
I know a way to make it fail but I don't think it crashes. You can make it not work by Restoring your Backed up settings and not restarting hMailServer first, but I don't think it crashes. I figure you can make it crash but I never do anything sophisticated enough that would make it crash, which I figure I would probably have to do some Custom Scripts to make it crash, and the only thing I have done is to modify the Backup Script to put my Password into it, so not much chance of crashing hMailServer.
Re: Stop intruder
jim.bus wrote: ↑2019-10-04 13:49
> I've been seeing the types of attacks PeterChan is getting to.
> The first set of Log Entries where the IP Address was just sending RCPT TO commands, I figured the IP Address was just trying to see if it could get a hit on an Email ID being found on your Server. Once that Email ID came back as a successful hit then the IP Address could try guessing the Password then Log On to that Email Account. I was told by one of the regulars here that it probably was a bot and would probably stop. It did after some days finally stop. It kept sending these connections about every minute
> The scanner.sslsonar.org set of Log Entries I saw in my Logs a couple of days ago, too.
> Not too long ago, I saw a website that apparently periodically does Port Scans. The Port Scanner was MASSCAN. I just banned the IP Address permanently.
Somewhere buried in these forums you can find my IDS script code ... 3 connects without actually sending mail will put the IP address on my blocklist - No mercy
1- IPaddress is registered in database during OnClientConnect (SMTP ports only). Counter is incremented if exists.
2- IPAddress is unregistered in database during OnAcceptMessage.
3- External "handler" scan database every minute for high counters and add IPaddress to blocklist.
Does not affect performance of hMailServer, will only use CPU cycles.
Re: Stop intruder
You allow 2 unencumbered? I would call that extremely merciful. Your ancestors would never have allowed 2 attempts. In fact, after the first, they would have found the offending server, burned the entire village down and stolen their cattle. You are a peaceful man.
Also, I agree that loading up autoban entries has no effect on performance - except for one thing: viewing IP ranges takes several seconds to load with a few thousand entries. Worse on phpadmin since they're presented in a single list without paging.
Come to think of it, merging your IDS into my firewall ban sounds like a really good idea. I will do that this weekend.
Re: Stop intruder
palinka wrote: ↑2019-10-04 15:14
> You allow 2 unencumbered? I would call that extremely merciful. Your ancestors would never have allowed 2 attempts. In fact, after the first, they would have found the offending server, burned the entire village down and stolen their cattle. You are a peaceful man.
> Also, I agree that loading up autoban entries has no effect on performance - except for one thing: viewing IP ranges takes several seconds to load with a few thousand entries. Worse on phpadmin since they're presented in a single list without paging.
> Come to think of it, merging your IDS into my firewall ban sounds like a really good idea. I will do that this weekend.
When things go wild here I have maybe 150 entries in my autoban list, more than that and you deffo need to sweet talk your firewall.
I also use the 20 sec delay during SMTP conversations I sometimes see connections break but that's due to senders misconfiguration and having a short temper 2'nd time (for some reason) it usually works OR they go direct for my Backup-MX ...
Anyways, here's something to get you going. I presume you don't need the handler.vbs if you already have something that reads the database...
Eventhandlers.vbs
'******************************************************************************************************************************
'********** hMailServer IDS Client Code (MySQL) **********
'******************************************************************************************************************************
'
' Global Constants
'
Private Const ADMIN = "Administrator"
Private Const PASSWORD = "VeRySeCrEtPaSsWoRd"
Private Const idsTable = "hm_ids"
Private Const idsHits = 2
Private Const idsMinutes = 180
'
' hm_ids CREATE TABLE hm_ids (
' idsid int(11) NOT NULL AUTO_INCREMENT,
' timestamp datetime DEFAULT NULL,
' ipaddress varchar(192) NOT NULL,
' port int(11) DEFAULT NULL,
' hits int(11) DEFAULT NULL,
' PRIMARY KEY (idsid),
' UNIQUE KEY idsid (idsid),
' UNIQUE KEY ipaddress (ipaddress)
' ) ENGINE=InnoDB DEFAULT CHARSET=latin1
'
Function idsAddIP(sIPAddress, iPort)
Dim strSQL, oDB : Set oDB = GetDatabaseObject
strSQL = "INSERT INTO " & idsTable & " (timestamp,ipaddress,port,hits) VALUES (NOW(),'" & sIPAddress & "'," & iPort & ",1) ON DUPLICATE KEY UPDATE hits=(hits+1),timestamp=NOW();"
Call oDB.ExecuteSQL(strSQL)
Set oDB = Nothing
End Function
Function idsDelIP(sIPAddress)
Dim strSQL, oDB : Set oDB = GetDatabaseObject
strSQL = "DELETE FROM " & idsTable & " WHERE ipaddress = '" & sIPAddress & "';"
Call oDB.ExecuteSQL(strSQL)
Set oDB = Nothing
End Function
Function GetDatabaseObject()
Dim oApp : Set oApp = CreateObject("hMailServer.Application")
Call oApp.Authenticate(ADMIN, PASSWORD)
Set GetDatabaseObject = oApp.Database
Set oApp = Nothing
End Function
'******************************************************************************************************************************
'********** hMailServer Triggers **********
'******************************************************************************************************************************
Sub OnClientConnect(oClient)
'
' Check all SMTP traffic
'
If (InStr("|25|587|465|", oClient.Port) > 0) Then Call idsAddIP(oClient.IPAddress, 0)
End Sub
Sub OnAcceptMessage(oClient, oMessage)
'
' Cleanup IDS registry
'
Call idsDelIP(oClient.IPAddress)
End Sub
handler.vbs (the external handler that scans the database every minute)
Option Explicit
'******************************************************************************************************************************
'********** Settings **********
'******************************************************************************************************************************
'
' COM authentication
'
Private Const ADMIN = "Administrator"
Private Const PASSWORD = "MySeCrEtPaSsWoRd"
'
' Misc. settings
'
Private Const TEMPDIR = "C:\hMailServer\Temp"
'
' MySQL
'
Private Const DBNAME = "hmailserver"
Private Const DBUID = "script"
Private Const DBPW = "NotTellingYou!"
Private Const idsTable = "hm_ids"
Private Const idsHits = 3
Private Const idsMinutes = 180
Dim idsDBDrv : idsDBDrv = "DRIVER={MySQL ODBC 5.3 Unicode Driver};Database="&DBNAME&";Uid="&DBUID&";Pwd="&DBPW&";FOUND_ROWS=1;"
'
' DRIVER={MySQL ODBC 5.3 Unicode Driver};Server=localhost;Port=3306;Database=%idsdb%;Uid=%idsuid%;Pwd=%idspwd%;Option=3;
'
' hm_ids CREATE TABLE hm_ids (
' idsid int(11) NOT NULL AUTO_INCREMENT,
' timestamp datetime DEFAULT NULL,
' ipaddress varchar(192) NOT NULL,
' port int(11) DEFAULT NULL,
' hits int(11) DEFAULT NULL,
' PRIMARY KEY (idsid),
' UNIQUE KEY idsid (idsid),
' UNIQUE KEY ipaddress (ipaddress)
' ) ENGINE=InnoDB DEFAULT CHARSET=latin1
'
'******************************************************************************************************************************
'********** Functions **********
'******************************************************************************************************************************
Function Wait(sec)
With CreateObject("WScript.Shell")
.Run "powershell Start-Sleep -Milliseconds " & Int(sec * 1000), 0, True
End With
End Function
Function LockFile(strPath)
Const Append = 8
Const Unicode = -1
Dim i
On Error Resume Next
With CreateObject("Scripting.FileSystemObject")
For i = 0 To 30
Err.Clear
Set LockFile = .OpenTextFile(strPath, Append, True, Unicode)
If (Not Err.Number = 70) Then Exit For
Wait(1)
Next
End With
If (Err.Number = 70) Then
EventLog.Write( "ERROR: EventHandlers.vbs" )
EventLog.Write( "File " & strPath & " is locked and timeout was exceeded." )
Err.Clear
ElseIf (Err.Number <> 0) Then
EventLog.Write( "ERROR: EventHandlers.vbs : Function LockFile" )
EventLog.Write( "Error : " & Err.Number )
EventLog.Write( "Error (hex) : 0x" & Hex(Err.Number) )
EventLog.Write( "Source : " & Err.Source )
EventLog.Write( "Description : " & Err.Description )
Err.Clear
End If
On Error Goto 0
End Function
Function AutoBan(sIPAddress, sReason, iDuration, sType) : AutoBan = False
'
' sType can be one of the following;
' "yyyy" Year, "m" Month, "d" Day, "h" Hour, "n" Minute, "s" Second
'
Dim oApp : Set oApp = CreateObject("hMailServer.Application")
Call oApp.Authenticate(ADMIN, PASSWORD)
With LockFile(TEMPDIR & "\autoban.lck")
On Error Resume Next
Dim oSecurityRange : Set oSecurityRange = oApp.Settings.SecurityRanges.ItemByName("(" & sReason & ") " & sIPAddress)
If Err.Number = 9 Then
With oApp.Settings.SecurityRanges.Add
.Name = "(" & sReason & ") " & sIPAddress
.LowerIP = sIPAddress
.UpperIP = sIPAddress
.Priority = 20
.Expires = True
.ExpiresTime = DateAdd(sType, iDuration, Now())
.Save
End With
AutoBan = True
End If
On Error Goto 0
.Close
End With
Set oApp = Nothing
End Function
'******************************************************************************************************************************
'********** CODE **********
'******************************************************************************************************************************
' Connect to hMailServer and to the IDS database
Dim oApp : Set oApp = CreateObject("hMailServer.Application")
Call oApp.Authenticate(ADMIN, PASSWORD)
Dim EventLog : Set EventLog = CreateObject("hMailServer.EventLog")
Dim oRecord, oConn : Set oConn = CreateObject("ADODB.Connection")
oConn.Open idsDBDrv
If oConn.State <> 1 Then ' 1 = adStateOpen
EventLog.Write( "Handler - ERROR: Could not connect to database" )
WScript.Quit 1
End If
' Every address with more than idsHits hits inside the last idsMinutes minutes gets a 7 day AutoBan;
' once banned, its row is removed from the IDS table
Set oRecord = oConn.Execute("SELECT * FROM " & idsTable & " WHERE hits > " & idsHits & " AND DATE_SUB(NOW(), INTERVAL " & idsMinutes & " MINUTE) < timestamp;")
Do Until oRecord.EOF
If AutoBan(oRecord("ipaddress"), "IDS", 7, "d") Then _
oConn.Execute "DELETE FROM " & idsTable & " WHERE ipaddress = '" & oRecord("ipaddress") & "';"
oRecord.MoveNext
Loop
' Drop rows older than 12 hours so slow probers never accumulate hits
oConn.Execute "DELETE FROM " & idsTable & " WHERE DATE_ADD(timestamp, INTERVAL 12 HOUR) < NOW();"
oConn.Close
Set oRecord = Nothing
Set oConn = Nothing
Set EventLog = Nothing
Set oApp = Nothing
'******************************************************************************************************************************
'********** END **********
'******************************************************************************************************************************
SørenR.
Woke is Marxism advancing through Maoist cultural revolution.
Re: Stop intruder
Cool. Yea, I have a powershell script in the firewall ban for autoexpiry, among other things.
Also, I have to do something with this: ON DUPLICATE KEY UPDATE hits=(hits+1) because I necessarily use a unique ID. Possibly, I could just add your columns to my table or create a new table just for counting IDS hits. Or query the count. I'll figure it out. But it's definitely a useful addition.
Re: Stop intruder
palinka wrote: ↑2019-10-04 17:55
Cool. Yea, I have a powershell script in the firewall ban for autoexpiry, among other things.
Also, I have to do something with this: ON DUPLICATE KEY UPDATE hits=(hits+1) because I necessarily use a unique ID. Possibly, I could just add your columns to my table or create a new table just for counting IDS hits. Or query the count. I'll figure it out. But it's definitely a useful addition.
ipaddress is UNIQUE KEY so therefore:
INSERT ipaddress bla bla ON DUPLICATE KEY UPDATE hits=(hits+1)
is similar to:
If found(ipaddress) then
    hits=hits+1
else
    create record(ipaddress)
    hits = 1
end if
SørenR.
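An added example, not SorenR's or palinka's code: the same hit-counting logic in Python with an in-memory SQLite table standing in for the MySQL idsTable, covering both the script's SELECT/DELETE above and the ON DUPLICATE KEY UPDATE upsert just described. It assumes the timestamp column is refreshed on every hit, the thread's 180-minute window, idsHits = 3 and 12-hour purge, and an SQLite build with ON CONFLICT upsert support.

```python
import sqlite3
from datetime import datetime, timedelta

WINDOW_MINUTES = 180  # SorenR's 180-minute look-back window (the script's idsMinutes)
HIT_THRESHOLD = 3     # the script's idsHits: more than this many hits inside the window
PURGE_HOURS = 12      # the script's last DELETE drops rows older than 12 hours

def open_db():
    """In-memory stand-in for the MySQL IDS table; ipaddress is the UNIQUE key."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ids (ipaddress TEXT PRIMARY KEY, "
               "hits INTEGER NOT NULL, timestamp TEXT NOT NULL)")
    return db

def add_hit(db, ip, now):
    """SQLite spelling of MySQL INSERT ... ON DUPLICATE KEY UPDATE hits=(hits+1).
    Assumption: timestamp is refreshed on every hit, i.e. it is a last-seen time."""
    db.execute("INSERT INTO ids (ipaddress, hits, timestamp) VALUES (?, 1, ?) "
               "ON CONFLICT(ipaddress) DO UPDATE SET "
               "hits = hits + 1, timestamp = excluded.timestamp",
               (ip, now.isoformat()))

def offenders(db, now):
    """The script's SELECT: hits > idsHits AND timestamp newer than NOW() minus
    idsMinutes. These are the addresses the script hands to AutoBan."""
    cutoff = (now - timedelta(minutes=WINDOW_MINUTES)).isoformat()
    rows = db.execute("SELECT ipaddress FROM ids WHERE hits > ? AND timestamp > ?",
                      (HIT_THRESHOLD, cutoff)).fetchall()
    return [r[0] for r in rows]

def purge(db, now):
    """The script's DELETE ... WHERE DATE_ADD(timestamp, INTERVAL 12 HOUR) < NOW()."""
    cutoff = (now - timedelta(hours=PURGE_HOURS)).isoformat()
    return db.execute("DELETE FROM ids WHERE timestamp < ?", (cutoff,)).rowcount

def run_demo():
    """Constructed scenario: a burst prober versus a once-every-two-days prober."""
    db = open_db()
    t0 = datetime(2019, 10, 7, 12, 0, 0)
    for i in range(5):                                 # 5 probes inside 5 minutes
        add_hit(db, "203.0.113.7", t0 + timedelta(minutes=i))
    burst = offenders(db, t0 + timedelta(minutes=5))   # handler runs right after
    for d in range(0, 10, 2):                          # one probe every 2 days
        now = t0 + timedelta(days=d)
        purge(db, now)                                 # scheduled cleanup ran meanwhile
        add_hit(db, "198.51.100.9", now)
    slow_hits = db.execute("SELECT hits FROM ids WHERE ipaddress = ?",
                           ("198.51.100.9",)).fetchone()[0]
    return burst, slow_hits                            # (['203.0.113.7'], 1)
```

The run_demo scenario shows why the window matters: the slow prober's row is purged before it can accumulate hits, so only the burst address ever reaches AutoBan.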
Re: Stop intruder
Exactly. But my firewall ban requires unique key on ID to allow for duplicate IP addresses (for a few reasons). So I'll probably just prepend the column names with ids_ in order to just follow the same structure. Then, on count(ids_ipaddress) > 3, ban to firewall instead of autoban.
Re: Stop intruder
palinka wrote: ↑2019-10-04 21:52
Exactly. But my firewall ban requires unique key on ID to allow for duplicate IP addresses (for a few reasons). So I'll probably just prepend the column names with ids_ in order to just follow the same structure. Then, on count(ids_ipaddress) > 3, ban to firewall instead of autoban.
You can have more than one unique key on the same table... Why would you have duplicate IP addresses?
SørenR.
Re: Stop intruder
Because I want to see/count IPs that have been added/removed from the firewall. For example, it's possible to be listed, removed, listed again, rebanned, and permanently marked safe from future rebans. Certainly this is useful for false positives. If I get a FP, I want to know why.
Re: Stop intruder
Spammers/hackers do not stay on the same IP address for too long so over time you'll be "playing" with mailing lists.
History data is only useful for legitimate services
SørenR.
Re: Stop intruder
Actually it's been working out pretty well. I parse the firewall log to see who comes back and how many times. About half of them come back. Some just a few times, some hundreds of times. The end result, of course, is not an end of spam, but a steady decrease in the number of spammers making connections. Once in a while i see a small spike as more bots come online. Here you can see what the firewall is actually blocking. It's not a small amount for my tiny mail service.
Re: Stop intruder
Here's one that is maybe more explanative. Total number of firewall drops per day on smtp ports. The trend line shows 3,189 per day as of now. It's a bit skewed by one "spammer" that turned out to be ethersoft in Japan pinging me 100k times over the course of a couple days because I had a ddns setup with their openvpn software that I abandoned. You can see the days that was happening in the large spikes. But the rest are bona fide spammers. A spammer blocked is a spammer without a chance to spam and my logs are pretty quiet thanks in large part to this.
Re: Stop intruder
Done. A couple of minor changes, but nothing to write home about. I want to run it a few days before committing to github.
One question - what is the column "port" for? It records "0" into the db.
Code: Select all
If (InStr("|25|587|465|", oClient.Port) > 0) Then Call idsAddIP(oClient.IPAddress, 0)
Re: Stop intruder
palinka wrote: ↑2019-10-05 16:54
Done. A couple of minor changes, but nothing to write home about. I want to run it a few days before committing to github.
One question - what is the column "port" for? It records "0" into the db.
Code: Select all
If (InStr("|25|587|465|", oClient.Port) > 0) Then Call idsAddIP(oClient.IPAddress, 0)
I left it there, but I don't see what use there is for it.
I used it for GEO blocking on select ports but eventually removed the code from Handler.vbs - never got around to remove the column from DB.
SørenR.
Re: Stop intruder
OK, cool. I got rid of it and ID as well. No real need for it when you have:
Code: Select all
ON DUPLICATE KEY UPDATE hits=(hits+1)
Re: Stop intruder
You can check it out on my firewall ban demo: http://hmsfirewallbandemo.ddns.net/IDS.php
Re: Stop intruder
palinka wrote: ↑2019-10-07 12:58
You can check it out on my firewall ban demo: http://hmsfirewallbandemo.ddns.net/IDS.php
Did you keep the 180 minute window ?
Working with AutoBan, sometimes aggressive settings will kill your server performance, which is why I only look at a 180 minute window. No point in banning someone that will send a probe every 2 days.
SørenR.
Re: Stop intruder
SorenR wrote: ↑2019-10-07 13:18
palinka wrote: ↑2019-10-07 12:58
You can check it out on my firewall ban demo: http://hmsfirewallbandemo.ddns.net/IDS.php
Did you keep the 180 minute window ?
Working with AutoBan, sometimes aggressive settings will kill your server performance, which is why I only look at a 180 minute window. No point in banning someone that will send a probe every 2 days.
Nah, they're banned for life. Unless I see that is a false positive. There's no need to autoban - these guys go straight to the firewall (>3 hits).
FPs are pretty rare and usually have a good reason. I noticed that starting a few days ago, fakebook brought new mail servers online and the HELO contained the entire IP. WTF? Don't they know that's begging to get tripped up in dynamic IP filters? And that's what happened, so I had to release them from the firewall and prevent them from getting listed again. Bad fakebook! Bad!
Anyway, I think the majority of IDS hits come from password guessers. There's no point in letting them back in. EXILED TO THE BARREN WASTELANDS OF THE INTERNET NEVER TO BE HEARD FROM AGAIN!
I've had some debate here about how wise it might be to permanently firewall ban spammers. The truth is that 99.99% are bots living on infected corporate workstations and those IPs will never ever become legitimate mail servers. Legit mail servers will never be firewall banned - except rare FPs - even if they occasionally send spam.
And by the way, there is 0 performance hit for having 10k (so far) firewall rules.
It's all good, baby!
Re: Stop intruder
Except they are usually connecting from dynamic IPs, which may later end up being used by a genuine sender
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
Re: Stop intruder
Good point, but none of my filters go that deep. I'm only checking servers, so if an IP ends up in the doghouse, and later they clean the bot infection, there's still a 99.99% chance they're not going to be a mail server and therefore won't be affected by my firewall ban. They'll be relaying mail through a mail server, not sending directly to me.
And I don't believe they're connecting from dynamic IPs. That virtually ended when ISPs started blocking port 25 outgoing. I believe (could be wrong - wouldn't be the first time) that most bots are on corporate networks that have not blocked port 25. There seem to be plenty of non maintenance maintainers out there.
Re: Stop intruder
Or perhaps using TOR
Re: Stop intruder
How come I keep hearing how ISPs block outgoing Port 25? I've been on two major ISPs in the 8 or more years I've been using hMailServer and neither one of them blocked Port 25 to me though one kept documenting they may do it but I never ran into it. Granted I now use a Static IP Address from my ISP but that has been only for about a year now.
Is this maybe a bit isolated to Europe and Australia, etc? I'm just curious.
If you think you understand quantum mechanics, you don't understand quantum mechanics.