Check incoming connections with AbuseIPDB

This section contains contributed hMailServer scripts. hMailServer 5 is needed to use these.
RvdH
Senior user
Posts: 3235
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Check incoming connections with AbuseIPDB

Post by RvdH » 2020-03-31 13:56

palinka wrote:
2020-03-31 13:34
RvdH wrote:
2020-03-31 12:46
@SorenR, where is the latest and greatest autoban function?
Not sure if it's the latest, but it's still the greatest:

https://www.hmailserver.com/forum/viewt ... 66#p209546

👍
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

palinka
Senior user
Posts: 4461
Joined: 2017-09-12 17:57

Re: Check incoming connections with AbuseIPDB

Post by palinka » 2020-03-31 14:11

RvdH wrote:
2020-03-30 12:21

Code:

' strIP, A valid IPv4 or IPv6 address. (required)
' strCategories, comma separated string with integer values (required)
' few examples:
'  7	-	Phishing
' 11	-	Email Spam
' 14	-	Port Scan
' 15	-	Hacking
' 17	-	Spoofing
' 18	-	Brute-Force
' 20	-	Exploited Host
' strCommment, Related information (optional: server logs, timestamps, etc.)
Can multiple strCategories be listed? I'm thinking 18/20 and 11/20 are often combined. The "tell" is a dynamic/pool PTR as HELO.

RvdH
Senior user
Posts: 3235
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Check incoming connections with AbuseIPDB

Post by RvdH » 2020-03-31 14:15

palinka wrote:
2020-03-31 14:11
Can multiple strCategories be listed? I'm thinking 18/20 and 11/20 are often combined. The "tell" is a dynamic/pool PTR as HELO.
Yup, comma separated, e.g. "18,20" or "11,20"

palinka
Senior user
Posts: 4461
Joined: 2017-09-12 17:57

Re: Check incoming connections with AbuseIPDB

Post by palinka » 2020-03-31 14:17

Awesome. Going to try it out later today.

SorenR
Senior user
Posts: 6315
Joined: 2006-08-21 15:38
Location: Denmark

Re: Check incoming connections with AbuseIPDB

Post by SorenR » 2020-03-31 14:37

RvdH wrote:
2020-03-31 12:46
@fjansen04
Make sure you only call ReportToAbuseIPDB(ip address, etc, etc) for that IP address once in a 15-minute timespan; it is a limit by AbuseIPDB.
The 2nd line is apparently a report of the same IP address within this 15-minute timespan, and therefore it gives the Too Many Requests error

Could be useful to combine it with SorenR's autoban function, at least autoban the IP for 15 minutes (I use a 1-day autoban)
@SorenR, where is the latest and greatest autoban function?
Here... Plus some bonus material :mrgreen:

Code:

'******************************************************************************************************************************
'********** AutoBan stuff                                                                                            **********
'******************************************************************************************************************************

Function AutoBan(sIPAddress, sReason, iDuration, sType) : AutoBan = False
    '
    '   sType can be one of the following;
    '   "yyyy" Year, "m" Month, "d" Day, "h" Hour, "n" Minute, "s" Second
    '
    Dim oApp : Set oApp = CreateObject("hMailServer.Application")
    Call oApp.Authenticate(ADMIN, PASSWORD)
    With LockFile(TEMPDIR & "\autoban.lck")
        On Error Resume Next
        Dim oSecurityRange : Set oSecurityRange = oApp.Settings.SecurityRanges.ItemByName("(" & sReason & ") " & sIPAddress)
        If Err.Number = 9 Then
            With oApp.Settings.SecurityRanges.Add
                .Name = "(" & sReason & ") " & sIPAddress
                .LowerIP = sIPAddress
                .UpperIP = sIPAddress
                .Priority = 20
                .Expires = True
                .ExpiresTime = DateAdd(sType, iDuration, Now())
                .Save
            End With
            AutoBan = True
            Result.Value = 1
        End If
        On Error GoTo 0
        .Close
    End With
    Set oApp = Nothing
End Function

Function LockFile(strPath)
    Const Append = 8
    Const Unicode = -1
    Dim i
    On Error Resume Next
    With CreateObject("Scripting.FileSystemObject")
        For i = 0 To 30
            Err.Clear
            Set LockFile = .OpenTextFile(strPath, Append, True, Unicode)
            If (Not Err.Number = 70) Then Exit For
            Wait(1)
        Next
    End With
    If (Err.Number = 70) Then
        EventLog.Write( "ERROR: EventHandlers.vbs" )
        EventLog.Write( "File " & strPath & " is locked and timeout was exceeded." )
        Err.Clear
    ElseIf (Err.Number <> 0) Then
        EventLog.Write( "ERROR: EventHandlers.vbs : Function LockFile" )
        EventLog.Write( "Error       : " & Err.Number )
        EventLog.Write( "Error (hex) : 0x" & Hex(Err.Number) )
        EventLog.Write( "Source      : " & Err.Source )
        EventLog.Write( "Description : " & Err.Description )
        Err.Clear
    End If
    On Error GoTo 0
End Function

Function Wait(sec)
    With CreateObject("WScript.Shell")
        .Run "powershell Start-Sleep -Milliseconds " & Int(sec * 1000), 0, True
    End With
End Function

'******************************************************************************************************************************
'********** IP is already banned? (for use via POPFetch or Incoming Relay)                                           **********
'******************************************************************************************************************************

Function isIPBanned(oClient) : isIPBanned = False
    Dim a, strIP, strLowerIP, strUpperIP, strRegEx
    Dim oApp : Set oApp = CreateObject("hMailServer.Application")
    Call oApp.Authenticate(ADMIN, PASSWORD)
    strIP = INET_NTOA(oClient.IPAddress)
    For a = 0 To oApp.Settings.SecurityRanges.Count-1
        If (oApp.Settings.SecurityRanges.Item(a).Priority = 20) Then
            strLowerIP = INET_NTOA(oApp.Settings.SecurityRanges.Item(a).LowerIP)
            strUpperIP = INET_NTOA(oApp.Settings.SecurityRanges.Item(a).UpperIP)
            If (strUpperIP >= strIP) And (strIP >= strLowerIP) Then
                isIPBanned = True
                Set oApp = Nothing
                Exit Function
            End If
        End If
    Next
    Set oApp = Nothing
End Function

Function INET_NTOA(strIP)
    Dim a, i, N : N = 0
    a = Split(strIP, ".")
    For i = 0 To UBound(a)
        N = N + CLng(a(i)) * (256 ^ (3 - i))
    Next
    INET_NTOA = N
End Function

'******************************************************************************************************************************
'********** CIDR stuff 51.15.0.0/15                                                                                  **********
'******************************************************************************************************************************

Function CIDRBan(CIDR, sReason, iDuration, sType) : CIDRBan = False
    '
    '   sType can be one of the following;
    '   "yyyy" Year, "m" Month, "d" Day, "h" Hour, "n" Minute, "s" Second
    '
    Dim oApp : Set oApp = CreateObject("hMailServer.Application")
    Call oApp.Authenticate(ADMIN, PASSWORD)
    With LockFile(TEMPDIR & "\cidrban.lck")
        On Error Resume Next
        Dim oSecurityRange : Set oSecurityRange = oApp.Settings.SecurityRanges.ItemByName("(" & sReason & ") " & CIDR)
        If Err.Number = 9 Then
            With oApp.Settings.SecurityRanges.Add
                .Name = "(" & sReason & ") " & CIDR
                .LowerIP = CIDR2IP(CIDR, False)
                .UpperIP = CIDR2IP(CIDR, True)
                .Priority = 20
                .Expires = True
                .ExpiresTime = DateAdd(sType, iDuration, Now())
                .Save
            End With
            CIDRBan = True
            Result.Value = 1
        End If
        On Error GoTo 0
        .Close
    End With
    Set oApp = Nothing
End Function

Function CIDR2IP(CIDR, high)
    Const highs = "11111111111111111111111111111111"
    Const lows  = "00000000000000000000000000000000"
    Dim byte0, byte1, byte2, byte3, mask, bytes, rangelow, rangehigh, iplow, iphigh
    byte0 = Dec2Bin(Split(CIDR, ".")(0))
    byte1 = Dec2Bin(Split(CIDR, ".")(1))
    byte2 = Dec2Bin(Split(CIDR, ".")(2))
    byte3 = Dec2Bin(Split(Split(CIDR, ".")(3), "/")(0))
    mask = Split(Split(CIDR, ".")(3), "/")(1)
    bytes = byte0 & byte1 & byte2 & byte3
    rangelow = Left(bytes, mask) & Right(lows, 32 - mask)
    rangehigh = Left(bytes, mask) & Right(highs, 32 - mask)
    iplow = Bin2IP(Left(bytes, mask) & Right(lows, 32 - mask))
    iphigh = Bin2IP(Left(bytes, mask) & Right(highs, 32 - mask))
    If high Then
        CIDR2IP = iphigh
    Else
        CIDR2IP = iplow
    End If
End Function

'
'   Expecting input like 00000000000000000000000000000000
'
Function Bin2IP(strbin)
    Dim ip0, ip1, ip2, ip3
    ip0 = Bin2Dec(Mid(strbin, 1, 8))
    ip1 = Bin2Dec(Mid(strbin, 9, 8))
    ip2 = Bin2Dec(Mid(strbin, 17, 8))
    ip3 = Bin2Dec(Mid(strbin, 25, 8))
    'combines all of the bytes into a single string
    Bin2IP = ip0 & "." & ip1 & "." & ip2 & "." & ip3
End Function

'
'   Expecting input like 00010101
'
Function Bin2Dec(strbin)
    Dim length, dec, x, binval, temp
    length = Len(strbin)
    dec = 0
    For x = 1 To length
        binval = 2 ^ (length - x)
        temp = Mid(strbin, x, 1)
        If temp = "1" Then dec = dec + binval
    Next
    Bin2Dec = dec
End Function

'
'   Expecting input 0 thru 255
'
Function Dec2Bin(dec)
    Const maxpower = 7
    Const length = 8
    Dim bin, x, m
    bin = ""
    x = cLng(dec)
    For m = maxpower To 0 Step -1
        If x And (2 ^ m) Then
            bin = bin + "1"
        Else
            bin = bin + "0"
        End If
    Next
    Dec2Bin = bin
End Function
SørenR.
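The 15-minute rule RvdH describes in the quoted text (one ReportToAbuseIPDB call per IP per 15 minutes, otherwise the API answers Too Many Requests) can also be enforced on the calling side, so the autoban is not the only thing preventing duplicate reports. The PowerShell below is an added example, not code from SorenR, RvdH or this thread: it keeps a per-IP timestamp of the last report in a small JSON state file, skips the call while the window is open, and records an HTTP 429 answer in the same file so the next connection from that host does not retry. The API key is a placeholder, the state file path under $env:TEMP is constructed for the example, and the endpoint, Key header and ip/categories/comment fields are the ones the AbuseIPDB v2 report API takes (the same ones palinka's script further down uses).

```powershell
# Added example, not code from this thread. Enforces AbuseIPDB's one-report-per-IP-per-15-minutes
# limit on the client side and treats HTTP 429 as "already reported" rather than as a failure.
# Assumptions: the API key is a placeholder; the state file path is constructed for this example.

$ApiKey        = 'REPLACE-WITH-YOUR-ABUSEIPDB-KEY'                    # placeholder, not a real key
$ReportUri     = 'https://api.abuseipdb.com/api/v2/report'
$StatePath     = Join-Path $env:TEMP 'abuseipdb-last-report.json'      # constructed path
$WindowMinutes = 15

# Load { "<ip>": "<ISO-8601 timestamp>" } from disk into a hashtable of [datetime] values.
function Get-ReportState {
    $state = @{}
    if (Test-Path -Path $StatePath) {
        $raw = Get-Content -Path $StatePath -Raw
        if ($raw) {
            foreach ($p in ($raw | ConvertFrom-Json).PSObject.Properties) {
                $state[$p.Name] = [datetime]$p.Value
            }
        }
    }
    return $state
}

function Save-ReportState([hashtable]$State) {
    $out = @{}
    foreach ($ip in $State.Keys) { $out[$ip] = $State[$ip].ToString('o') }
    $out | ConvertTo-Json | Set-Content -Path $StatePath
}

# True when the IP has never been reported, or its last report is older than the window.
function Test-ReportAllowed {
    param([string]$IP, [hashtable]$State, [datetime]$Now = (Get-Date))
    if (-not $State.ContainsKey($IP)) { return $true }
    return ($Now - $State[$IP]).TotalMinutes -ge $WindowMinutes
}

function Send-AbuseReport {
    param(
        [Parameter(Mandatory)][string]$IP,
        [Parameter(Mandatory)][string]$Categories,   # comma separated, e.g. '18,20'
        [string]$Comment = ''
    )
    $state = Get-ReportState
    if (-not (Test-ReportAllowed -IP $IP -State $state)) {
        return @{ Status = 'skipped'; Reason = "reported within the last $WindowMinutes minutes" }
    }
    $headers = @{ Key = $ApiKey; Accept = 'application/json' }
    $body    = @{ ip = $IP; categories = $Categories; comment = $Comment } | ConvertTo-Json
    try {
        $resp = Invoke-RestMethod -Method Post -Uri $ReportUri -Headers $headers -Body $body `
                                  -ContentType 'application/json; charset=utf-8'
        $state[$IP] = Get-Date
        Save-ReportState -State $state
        return @{ Status = 'reported'; Confidence = $resp.data.abuseConfidenceScore }
    }
    catch {
        $code = 0
        if ($_.Exception.Response) { $code = [int]$_.Exception.Response.StatusCode }
        if ($code -eq 429) {
            # AbuseIPDB already holds a report for this IP inside the window: remember that
            # so the next connection from the same host does not trigger another attempt.
            $state[$IP] = Get-Date
            Save-ReportState -State $state
            return @{ Status = 'skipped'; Reason = 'Too Many Requests (429)' }
        }
        return @{ Status = 'error'; Reason = $_.Exception.Message }
    }
}

# Constructed usage (TEST-NET address; nothing is sent unless you supply a real key):
# Send-AbuseReport -IP '203.0.113.5' -Categories '18,20' -Comment 'SMTP AUTH brute force on 587'
```

From an hMailServer event script it can be invoked the same way SorenR's Wait function above shells out to powershell, passing the IP and the category list as arguments; the returned hashtable's Status tells the caller whether a report was made, skipped or failed, so the event log does not fill with 429 warnings for hosts that are already known.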

fjansen04
Normal user
Posts: 50
Joined: 2008-08-30 15:49
Location: The Netherlands

Re: Check incoming connections with AbuseIPDB

Post by fjansen04 » 2020-03-31 16:25

@RvdH

The offending IP connected twice in 6 seconds trying to submit spam, but was rejected twice by Spamhaus.
I have no idea how to implement autoban for that type of connections.
HMS 5.6.9-B2587.46 on Windows Server 2019

RvdH
Senior user
Posts: 3235
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Check incoming connections with AbuseIPDB

Post by RvdH » 2020-03-31 16:34

fjansen04 wrote:
2020-03-31 16:25
@RvdH

The offending IP connected twice in 6 seconds trying to submit spam, but was rejected twice by Spamhaus.
I have no idea how to implement autoban for that type of connections.
Even with autoban enabled I get the "Too Many Requests" error from time to time; some try to hammer in :)

Code:

8252	"2020-03-31 12:41:39.432"	"INFO: ReportToAbuseIPDB: Unauthorized connection attempt from IP address 198.108.67.48 on port 465"
6876	"2020-03-31 12:41:39.463"	"WARN: AbuseIPDB Error: Too Many Requests"
9052	"2020-03-31 12:41:40.415"	"WARN: AbuseIPDB Error: Too Many Requests"
6248	"2020-03-31 12:41:41.382"	"WARN: AbuseIPDB Error: Too Many Requests"
8264	"2020-03-31 12:41:41.382"	"WARN: AbuseIPDB Error: Too Many Requests"
5864	"2020-03-31 12:41:41.523"	"WARN: AbuseIPDB Error: Too Many Requests"
I don't use the AbuseIPDB check/report on port 25; you can better rely on Spamhaus for those.
I only use the AbuseIPDB check/report on the client ports (143, 465, 587, 993, 995) in combination with a GEO check and autoban.

You can also turn off error logging in the ReportToAbuseIPDB function, but in that case you won't see any other errors either.

fjansen04
Normal user
Posts: 50
Joined: 2008-08-30 15:49
Location: The Netherlands

Re: Check incoming connections with AbuseIPDB

Post by fjansen04 » 2020-03-31 17:41

Yes, I'll leave port 25 out. Authentication is already disabled on 25.

palinka
Senior user
Posts: 4461
Joined: 2017-09-12 17:57

Re: Check incoming connections with AbuseIPDB

Post by palinka » 2020-03-31 19:32

RvdH wrote:
2020-03-31 16:34
fjansen04 wrote:
2020-03-31 16:25
@RvdH

The offending IP connected twice in 6 seconds trying to submit spam, but was rejected twice by Spamhaus.
I have no idea how to implement autoban for that type of connections.
Even with autoban enabled I get the "Too Many Requests" error from time to time; some try to hammer in :)
I ran into that situation with my firewall ban project. Now every ban/reject goes like this:
1) call your disconnect.exe
2) autoban 1 hour
3) call firewall ban

What I found is that sometimes there are simultaneous connections caused by waiting for the first connection to be fully tested against whatever filters you have. By the time it's done making its way through your filters, several other new connections from the same IP flood in and THOSE are not affected by the autoban you just called. Disconnect.exe wipes them all out and allows autoban to do its job. Autoban ONLY prevents the connection - once the connection is made, it's too late for autoban to do anything.

RvdH
Senior user
Posts: 3235
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Check incoming connections with AbuseIPDB

Post by RvdH » 2020-03-31 20:47

Disconnect.exe is called from within my Autoban procedure; I am using an older version, the sub version and not the function (bool) version SorenR created afterwards.
I don't see much value in doing a firewall ban; simply ban them for a few hours or even a day. These are all automated (exploited) systems anyway; they simply keep coming back.
With autoban expiring daily (mostly) I also keep reporting offending IPs to blocklist.de and now AbuseIPDB, and by doing so help others :mrgreen:

The 'WARN: AbuseIPDB Error: Too Many Requests' message doesn't bother me that much, I know what it means ;)

My limits were increased after registering a domain and reporting IPs; the daily report/lookup limit is now 5000
https://www.abuseipdb.com/user/40316

FYI: Reports for port 3389 are sent using another program

palinka
Senior user
Posts: 4461
Joined: 2017-09-12 17:57

Re: Check incoming connections with AbuseIPDB

Post by palinka » 2020-03-31 21:26

RvdH wrote:
2020-03-31 20:47
My limits are increased after registering a domain and reporting IP's, the daily report/lookup limit is now 5000
https://www.abuseipdb.com/user/40316
I'd be WAAAAYYY below that since I already banned a good portion of the spamming world. They don't get second chances with me. :mrgreen:
FYI: Reports for port 3389 are sent using another program
Good idea! I already parse the firewall log as part of my firewall ban project, so adding this is a no-brainer. Thanks.

RvdH
Senior user
Posts: 3235
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Check incoming connections with AbuseIPDB

Post by RvdH » 2020-03-31 21:42

palinka wrote:
2020-03-31 21:26
RvdH wrote:
2020-03-31 20:47
My limits are increased after registering a domain and reporting IP's, the daily report/lookup limit is now 5000
https://www.abuseipdb.com/user/40316
I'd be WAAAAYYY below that since I already banned a good portion of the spamming world. They don't get second chances with me. :mrgreen:
You misunderstood me; of course, once you ban them for a longer time.... but what if you disable that firewall ban for a week or a month? Then you are back at normal rates.
Therefore I said a firewall ban is kind of useless/overkill (for me and my usage), and besides that I cannot report misbehaving IPs using a firewall ban
palinka wrote:
2020-03-31 21:26
FYI: Reports for port 3389 are sent using another program
Good idea! I already parse the firewall log as part of my firewall ban project, so adding this is a no-brainer. Thanks.
I use this service: https://github.com/DigitalRuby/IPBan

palinka
Senior user
Posts: 4461
Joined: 2017-09-12 17:57

Re: Check incoming connections with AbuseIPDB

Post by palinka » 2020-04-01 00:42

RvdH wrote:
2020-03-31 21:42
and besides that I cannot report misbehaving IPs using a firewall ban
That's for sure! :mrgreen:

Actually not entirely. There's always new bot infections. One of the benefits of my project is the database that goes with it. Makes it easy to find patterns. I've noticed waves of spammers that I assume are new bot infections. Right now we're in a lull, which I'm assuming has to do with fewer corporate workstations being turned on while people are working at home.

You can check out the demo if you want: https://firewallban.dynu.net/
I'll check it out. But... I forgot I have port 3389 closed at the router firewall (access only via VPN and even then only on a custom port :D ). So mail ports only for me. My crappy ISP-supplied router doesn't support any kind of scripting.

RvdH
Senior user
Posts: 3235
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Check incoming connections with AbuseIPDB

Post by RvdH » 2020-04-01 08:01

My data submitted to AbuseIPDB is gathered from 3 different systems: my home setup (only hMailServer, RDP is locked by firewall), our company's/work hMailServer instance (only hMailServer, RDP is locked by firewall) and a work development server (no hMailServer, only RDP to connect from home, or when doing client visits)

fjansen04
Normal user
Posts: 50
Joined: 2008-08-30 15:49
Location: The Netherlands

Re: Check incoming connections with AbuseIPDB

Post by fjansen04 » 2020-04-01 09:36

The server I am testing this script on is low usage, so I'm not getting anywhere near the AbuseIPDB limits. Therefore I kept port 25 included after all.

This server is also functioning as backup mx. What I don't understand is that when a perfectly legit message is submitted to be relayed to the primary mx, the originally connecting IP is reported to AbuseIPDB. It even reported a Google IP.

RvdH
Senior user
Posts: 3235
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Check incoming connections with AbuseIPDB

Post by RvdH » 2020-04-01 12:54

fjansen04 wrote:
2020-04-01 09:36
The server I am testing this script on is low usage, so I'm not getting anywhere near the AbuseIPDB limits. Therefore I kept port 25 included after all.

This server is also functioning as backup mx. What I don't understand is that when a perfectly legit message is submitted to be relayed to the primary mx, the originally connecting IP is reported to AbuseIPDB. It even reported a Google IP.
Dude, for real?
When do you call ReportToAbuseIPDB? You should only call it when you are sure it is a misbehaving IP; therefore the best way is to combine it with some GEO check.... if a Chinese server tries to authenticate against client (IMAP/POP3) ports I can tell for sure this is an infected/misbehaving system, as we don't have Chinese clients

If you call it for every incoming connection, even legit servers get reported, as you told it to do so!
Please post the code snippet where you call ReportToAbuseIPDB for review

fjansen04
Normal user
Posts: 50
Joined: 2008-08-30 15:49
Location: The Netherlands

Re: Check incoming connections with AbuseIPDB

Post by fjansen04 » 2020-04-01 18:05

You're absolutely right.
I will reset everything according to your specs.

palinka
Senior user
Posts: 4461
Joined: 2017-09-12 17:57

Re: Check incoming connections with AbuseIPDB

Post by palinka » 2020-04-02 03:44

RvdH wrote:
2020-03-22 13:31

Code:

		.SetMaxConfidenceScore(40)
Quick question: First, I assume this means no IP with confidence score < 40 returns TRUE. Correct?

Also, I have no experience with this yet. Is > 40 a good number to work with? Should it be closer to 100 for rejection?

palinka
Senior user
Posts: 4461
Joined: 2017-09-12 17:57

Re: Check incoming connections with AbuseIPDB

Post by palinka » 2020-04-02 03:54

By the way, I got it working with powershell.

Code:

$IP = "77.40.2.198"

$URICheck = "https://api.abuseipdb.com/api/v2/check"
$URIReport = "https://api.abuseipdb.com/api/v2/report"

$Header = @{
	'Key' = 'supersecretkey';
	'Accept' = 'application/json';
}

$BodyCheck = @{
	'ipAddress' = $IP;
	'maxAgeInDays' = '90';
	'verbose' = '';
}

$BodyReport = @{
	'ip' = $IP;
	'categories' = '18,20';
	'comment' = '.mari-el.ru Spam Factory';
} | ConvertTo-JSON 

<# check #>
$AbuseIPDB = Invoke-RestMethod -Method GET $URICheck -Header $Header -Body $BodyCheck -ContentType 'application/json; charset=utf-8' 
$AbuseIPDB.data.abuseConfidenceScore

<# report #>
$AbuseIPDB = Invoke-RestMethod -Method POST $URIReport -Header $Header -Body $BodyReport -ContentType 'application/json; charset=utf-8' 
$AbuseIPDB.data.abuseConfidenceScore
Not sure what I plan to use it for yet. Bases are pretty much covered with your thing in hMailServer.

RvdH
Senior user
Posts: 3235
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Check incoming connections with AbuseIPDB

Post by RvdH » 2020-04-02 09:57

palinka wrote:
2020-04-02 03:44
RvdH wrote:
2020-03-22 13:31

Code:

		.SetMaxConfidenceScore(40)
Quick question: First, I assume this means no IP with confidence score < 40 returns TRUE. Correct?
Correct

Code:

        public bool BlockEndpoint(string ipAddress)
        {
            return GetConfidenceScore(ipAddress) >= _maxScore;
        }
palinka wrote:
2020-04-02 03:44
Also, I have no experience with this yet. Is > 40 a good number to work with? Should it be closer to 100 for rejection?
Me neither... but it looks like 40 is a good starting point

RvdH
Senior user
Posts: 3235
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Check incoming connections with AbuseIPDB

Post by RvdH » 2020-04-02 10:00

palinka wrote:
2020-04-02 03:54
By the way, I got it working with powershell.

Code:

$IP = "77.40.2.198"

$URICheck = "https://api.abuseipdb.com/api/v2/check"
$URIReport = "https://api.abuseipdb.com/api/v2/report"

$Header = @{
	'Key' = 'supersecretkey';
	'Accept' = 'application/json';
}

$BodyCheck = @{
	'ipAddress' = $IP;
	'maxAgeInDays' = '90';
	'verbose' = '';
}

$BodyReport = @{
	'ip' = $IP;
	'categories' = '18,20';
	'comment' = '.mari-el.ru Spam Factory';
} | ConvertTo-JSON 

<# check #>
$AbuseIPDB = Invoke-RestMethod -Method GET $URICheck -Header $Header -Body $BodyCheck -ContentType 'application/json; charset=utf-8' 
$AbuseIPDB.data.abuseConfidenceScore

<# report #>
$AbuseIPDB = Invoke-RestMethod -Method POST $URIReport -Header $Header -Body $BodyReport -ContentType 'application/json; charset=utf-8' 
$AbuseIPDB.data.abuseConfidenceScore
Not sure what I plan to use it for yet. Bases are pretty much covered with your thing in hMailServer.
Cool 8)

I am now working on an AbuseIPDB-IIS-Module :mrgreen:

palinka
Senior user
Posts: 4461
Joined: 2017-09-12 17:57

Re: Check incoming connections with AbuseIPDB

Post by palinka » 2020-04-02 18:07

Cleaned up the powershell.

Code:

<#

.SYNOPSIS
	AbuseIPDBCheckOrReport.ps1: AbuseIPDB.com Check or Report IP

.DESCRIPTION
	AbuseIPDBCheckOrReport.ps1: Powershell script to check or report IP at AbuseIPDB.com

.FUNCTIONALITY
	1) Checks IP -> Returns status, abuseConfidenceScore
	2) Reports IP -> Returns status, abuseConfidenceScore

.PARAMETER IP
	Specifies the IP address to be checked or reported.
	
.PARAMETER Categories
	Specifies the categories of reported IPs. !REQUIRED FOR REPORT IP! See https://www.abuseipdb.com/categories for full list.

.PARAMETER Comment
	Specifies the comments to be included with reported IP. Parameter optional.
	
.NOTES


.EXAMPLE
	Check IP:
		$CheckIP = & C:\path\to\AbuseIPDBCheckOrReport.ps1 "77.40.61.210"
		$CheckIP.Status
		$CheckIP.Confidence

	Report IP:
		$CheckIP = & C:\path\to\AbuseIPDBCheckOrReport.ps1 "77.40.61.210" "11"
		$CheckIP.Status
		$CheckIP.Confidence

		$CheckIP = & C:\path\to\AbuseIPDBCheckOrReport.ps1 "77.40.61.210" "11" "spammer"
		$CheckIP.Status
		$CheckIP.Confidence

	Report IP with error:
		$CheckIP = & C:\path\to\AbuseIPDBCheckOrReport.ps1 "127.0.0.2" "11"
		$CheckIP.Status
		$CheckIP.Confidence

		$CheckIP = & C:\path\to\AbuseIPDBCheckOrReport.ps1 "127.0.0.2" "11" "spammer"
		$CheckIP.Status
		$CheckIP.Confidence

#>

Param(
	[Parameter(Mandatory=$True)]
	[ValidatePattern("((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))")]
	[String]$IP,

	[Parameter(Mandatory=$False)]
	[AllowEmptyString()]
	[String]$Categories,

	[Parameter(Mandatory=$False)]
	[AllowEmptyString()]
	[String]$Comment
)

$Error.Clear()

<###   USER VARIABLES   ###>
$APIKey = "supersecretkey"

$Header = @{
	'Key' = $APIKey;
}

# No categories given means a check; categories present means a report (comment stays optional)
If ([string]::IsNullOrEmpty($Categories)) {

	$URICheck = "https://api.abuseipdb.com/api/v2/check"
	$BodyCheck = @{
		'ipAddress' = $IP;
		'maxAgeInDays' = '90';
		'verbose' = '';
	}
	Try {
		$AbuseIPDB = Invoke-RestMethod -Method GET $URICheck -Header $Header -Body $BodyCheck -ContentType 'application/json; charset=utf-8' 
		$StatusNum = "200"
		$ConfidenceScore = $AbuseIPDB.data.abuseConfidenceScore
	}
	Catch {
		$ErrorMessage = $_.Exception.Message
		[regex]$RegexErrorNum = "\d{3}"
		$StatusNum = ($RegexErrorNum.Matches($ErrorMessage)).Value	
	}

} Else {

	$URIReport = "https://api.abuseipdb.com/api/v2/report"
	$BodyReport = @{
		'ip' = $IP;
		'categories' = $Categories;
		'comment' = $Comment;
	} | ConvertTo-JSON 

	Try {
		$AbuseIPDB = Invoke-RestMethod -Method POST $URIReport -Header $Header -Body $BodyReport -ContentType 'application/json; charset=utf-8' 
		$StatusNum = "200"
		$ConfidenceScore = $AbuseIPDB.data.abuseConfidenceScore
	}
	Catch {
		$ErrorMessage = $_.Exception.Message
		[regex]$RegexErrorNum = "\d{3}"
		$StatusNum = ($RegexErrorNum.Matches($ErrorMessage)).Value	
	}
}

$Response = @{
	'Status' = $StatusNum;
	'Confidence' = $ConfidenceScore;
}
Return $Response

GitHub: https://github.com/palinkas-jo-reggelt/ ... eck-Report

mikernet
Normal user
Posts: 64
Joined: 2018-09-04 22:22

Re: Check incoming connections with AbuseIPDB

Post by mikernet » 2020-04-03 17:46

I've been doing AbuseIPDB checks for a while and it works great but I have a slight issue which relates to logging/diagnostics. When emails from someone aren't coming through it is very difficult to check if it is due to AbuseIPDB since the email domain is not tagged with the IP block.

I think it would be much better if the connection was "tagged" as abusive in OnClientConnect but allowed to continue the first time until the sending domain/email was identified so it could be added to the banned IP info. Thoughts on the best way to achieve this?

RvdH
Senior user
Posts: 3235
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Check incoming connections with AbuseIPDB

Post by RvdH » 2020-04-03 18:52

:?:

Not sure what you are trying to accomplish; is it relevant at all, and additionally is there any reason to monitor the address it sends To/From if it's coming through a server tagged by AbuseIPDB?

You could always shift the ListedInAbuseIPDB(strIP) check down the handled events, for example to OnSMTPData(oClient, oMessage) if you want to access the FromAddress header,
or even later, in Sub OnAcceptMessage(oClient, oMessage) if you want to access the From/To fields.

Personally I would always combine this with an Autoban, to stop hammering/retrying

mikernet
Normal user
Posts: 64
Joined: 2018-09-04 22:22

Re: Check incoming connections with AbuseIPDB

Post by mikernet » 2020-04-03 18:56

Clearly had a brainfart... of course I can just do the check there instead of splitting it up.

It is relevant if you are trying to help someone diagnose why your email server isn't accepting emails from them. Sometimes the sending IP address changes, sometimes they use multiple services to send mail and it is difficult to pin down an IP address, etc. It's good information to have. If you aren't getting email from domain XYZ.com then you can just search your banned IP info for that domain to see if that's the cause.
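Two points from the thread fit in one added example: the block rule RvdH quoted from his module (BlockEndpoint returns true when GetConfidenceScore(ipAddress) >= _maxScore, with 40 as the starting point) and mikernet's wish to have the sender domain next to the blocked IP, so that "why is mail from domain X not arriving?" can be answered from the log. The PowerShell below is example code written for this page, not the project's or any poster's own: it performs the v2 check call, applies the threshold, and appends every decision as one JSON line that also carries the domain parsed from the sender address, which is available once the check runs in OnSMTPData or OnAcceptMessage as RvdH suggests. The API key is a placeholder, the log path is constructed for the example, and Get-SenderDomain is this example's own helper.

```powershell
# Added example, not code from this thread. Check an IP at AbuseIPDB, apply the same rule as the
# BlockEndpoint snippet quoted above (block when score >= max score), and write each decision as one
# JSON line that also carries the sender domain, so a later "is mail from X being rejected?" question
# is answered with a search by domain instead of by IP.
# Assumptions: placeholder API key; constructed log path; Get-SenderDomain is this example's own helper.

$ApiKey             = 'REPLACE-WITH-YOUR-ABUSEIPDB-KEY'               # placeholder, not a real key
$CheckUri           = 'https://api.abuseipdb.com/api/v2/check'
$LogPath            = Join-Path $env:TEMP 'abuseipdb-decisions.jsonl'  # constructed path
$MaxConfidenceScore = 40                                               # starting point used in the thread

# v2 check call: ipAddress and maxAgeInDays go in the query string, the key in the Key header.
function Get-AbuseConfidenceScore {
    param([Parameter(Mandatory)][string]$IP, [int]$MaxAgeInDays = 90)
    $resp = Invoke-RestMethod -Method Get -Uri $CheckUri `
                -Headers @{ Key = $ApiKey; Accept = 'application/json' } `
                -Body @{ ipAddress = $IP; maxAgeInDays = $MaxAgeInDays }
    return [int]$resp.data.abuseConfidenceScore
}

# Same decision as the C# snippet in the thread: block when the score reaches the configured maximum.
function Test-BlockEndpoint([int]$Score, [int]$MaxScore = $MaxConfidenceScore) {
    return ($Score -ge $MaxScore)
}

# Pull the domain out of a MAIL FROM / From value such as 'Name <user@example.com>'.
function Get-SenderDomain([string]$FromAddress) {
    if ($FromAddress -match '@([A-Za-z0-9.-]+)') { return $Matches[1].ToLowerInvariant() }
    return ''
}

# Append one decision. Call this from the point in the SMTP session where the sender is known
# (OnSMTPData or OnAcceptMessage rather than OnClientConnect).
function Write-Decision {
    param([string]$IP, [int]$Score, [string]$FromAddress, [string]$EventName)
    $entry = [ordered]@{
        time    = (Get-Date).ToString('o')
        event   = $EventName
        ip      = $IP
        score   = $Score
        blocked = (Test-BlockEndpoint -Score $Score)
        from    = $FromAddress
        domain  = (Get-SenderDomain -FromAddress $FromAddress)
    }
    ($entry | ConvertTo-Json -Compress) | Add-Content -Path $LogPath
    return $entry
}

# Answer "is mail from this domain being blocked?" from the log alone.
function Search-Decisions([Parameter(Mandatory)][string]$Domain) {
    if (-not (Test-Path -Path $LogPath)) { return @() }
    $wanted = $Domain.ToLowerInvariant()
    Get-Content -Path $LogPath |
        ForEach-Object { $_ | ConvertFrom-Json } |
        Where-Object { $_.domain -eq $wanted }
}

# Constructed usage with a TEST-NET address and a score supplied by hand, so nothing is looked up:
# Write-Decision -IP '198.51.100.7' -Score 75 -FromAddress 'bulk@example.net' -EventName 'OnSMTPData'
# Search-Decisions -Domain 'example.net' | Format-Table time, ip, score, blocked
# With a real key:
# Write-Decision -IP $ip -Score (Get-AbuseConfidenceScore -IP $ip) -FromAddress $from -EventName 'OnSMTPData'
```

Keeping the raw score in every line, not just the block/allow result, is what makes palinka's later suggestion (raise the threshold closer to 100 if false positives appear) a decision you can make from data: search the log for the affected domain and see which scores its hosts were carrying.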

palinka
Senior user
Posts: 4461
Joined: 2017-09-12 17:57

Re: Check incoming connections with AbuseIPDB

Post by palinka » 2020-04-03 21:23

mikernet wrote:
2020-04-03 18:56
Clearly had a brainfart... of course I can just do the check there instead of splitting it up.

It is relevant if you are trying to help someone diagnose why your email server isn't accepting emails from them. Sometimes the sending IP address changes, sometimes they use multiple services to send mail and it is difficult to pin down an IP address, etc. It's good information to have. If you aren't getting email from domain XYZ.com then you can just search your banned IP info for that domain to see if that's the cause.
Maybe you should LOG everything in a way that's easily searchable.

palinka
Senior user
Posts: 4461
Joined: 2017-09-12 17:57

Re: Check incoming connections with AbuseIPDB

Post by palinka » 2020-04-03 22:51

RvdH wrote:
2020-04-02 10:00
I am now working on a AbuseIPDB-IIS-Module :mrgreen:
I just finished a powershell instance for apache. It tails the access log and checks against abuseipdb.com for bad hombres. I'll throw it up on GitHub after I clean it up.

mikernet
Normal user
Posts: 64
Joined: 2018-09-04 22:22

Re: Check incoming connections with AbuseIPDB

Post by mikernet » 2020-04-03 23:54

palinka wrote:
2020-04-03 21:23
Maybe you should LOG everything in a way that's easily searchable.
That's kind of the point. Can't log the email/domain if you cut off the connection before you get that info...

palinka
Senior user
Posts: 4461
Joined: 2017-09-12 17:57

Re: Check incoming connections with AbuseIPDB

Post by palinka » 2020-04-04 02:51

mikernet wrote:
2020-04-03 23:54
palinka wrote:
2020-04-03 21:23
Maybe you should LOG everything in a way that's easily searchable.
That's kind of the point. Can't log the email/domain if you cut off the connection before you get that info...
IP is better than nothing if there's a reason associated with it.

You could also increase the confidence score closer to 100 to be sure it's not rejecting false positives.

mikernet
Normal user
Normal user
Posts: 64
Joined: 2018-09-04 22:22

Re: Check incoming connections with AbuseIPDB

Post by mikernet » 2020-04-04 02:55

I already have the IP. What I was posting about was also getting the domain. As indicated above, we've already solved that issue so I'm not really sure where this is going.

palinka
Senior user
Senior user
Posts: 4461
Joined: 2017-09-12 17:57

Re: Check incoming connections with AbuseIPDB

Post by palinka » 2020-04-04 03:18

mikernet wrote:
2020-04-04 02:55
I already have the IP. What I was posting about was also getting the domain. As indicated above, we've already solved that issue so I'm not really sure where this is going.
Check out the demo for my logging project and you'll see.

https://firewallban.dynu.net/accrej/

User avatar
fjansen04
Normal user
Normal user
Posts: 50
Joined: 2008-08-30 15:49
Location: The Netherlands

Re: Check incoming connections with AbuseIPDB

Post by fjansen04 » 2020-09-19 09:23

Yes, I'm using RvdH's version of the script, and it is quite effective.
HMS 5.6.9-B2587.46 on Windows Server 2019

User avatar
SorenR
Senior user
Senior user
Posts: 6315
Joined: 2006-08-21 15:38
Location: Denmark

Re: Check incoming connections with AbuseIPDB

Post by SorenR » 2020-09-21 13:31

fjansen04 wrote:
2019-12-29 18:01
Could somebody please update the original script by Po-in to the new AbuseIPdb API v2?

Thanks!
Well... Not an update of Po-in's script, but just to show how it works. The v2 API is quite different, both in the web call and in how to interpret the JSON data. Also, it won't work pre Windows Server 2008 because TLS1.0/SSL3.0 are not supported anymore.

Code:

Option Explicit

Include("C:\hMailServer\Events\VbsJson.vbs")


Function Include(sInstFile)
    Dim f, s, fso
    Set fso = CreateObject("Scripting.FileSystemObject")
    On Error Resume Next
    If fso.FileExists(sInstFile) Then
        Set f = fso.OpenTextFile(sInstFile)
        s = f.ReadAll
        f.Close
        ExecuteGlobal s
    End If
    On Error GoTo 0
    Set f = Nothing
    Set fso = Nothing
End Function


Function oAbuseIPDB(strIP, ByRef ReturnCode)
    Dim oXML, json
    Const SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS = 13056
    Const APIKEY = "v2 ApiKey"
    Const DAYS = 90
    Set json = New VbsJson
    ' On Error Resume Next
    Set oXML = CreateObject("Msxml2.ServerXMLHTTP.6.0")
    ' v2 check endpoint: the key travels in the "Key" request header, not in the URL
    oXML.open "GET", "https://api.abuseipdb.com/api/v2/check?ipAddress=" & strIP & "&maxAgeInDays=" & DAYS & "&verbose", False
    ' Option 2 set to 13056 makes ServerXMLHTTP accept ANY server certificate error;
    ' remove this line to keep TLS certificate validation on.
    oXML.setOption(2) = SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS
    oXML.setRequestHeader "Key", APIKEY
    oXML.setRequestHeader "Accept", "application/json"
    oXML.send
    ' The body is JSON on success and on error alike, so decode it either way
    Set oAbuseIPDB = json.Decode(oXML.responsetext)
    ReturnCode = oXML.Status
    ' On Error Goto 0
    If (ReturnCode <> 200 ) Then WScript.Echo( "<error> api.abuseipdb.com lookup failed, error code: " & ReturnCode & " on IP address " & strIP )
End Function


Dim oAbuseIP, oData, oReport, Category, ReturnCode

Set oAbuseIP = oAbuseIPDB("118.25.6.39", ReturnCode)
Set oData = oAbuseIP("data")

WScript.Echo "****"
WScript.Echo "IP address           " & oData("ipAddress")
WScript.Echo "totalReports         " & oData("totalReports")
WScript.Echo "abuseConfidenceScore " & oData("abuseConfidenceScore")
WScript.Echo "lastReportedAt       " & oData("lastReportedAt")
WScript.Echo

For Each oReport In oData("reports")
    WScript.Echo "reportedAt " & oReport("reportedAt")
    For Each Category In oReport("categories")
        WScript.Echo "categories " & Category
    Next
    WScript.Echo
Next

WScript.Echo "****"

WScript.Quit 0
This is the layout of the JSON data...

Code:

  {
    "data": {
      "ipAddress": "118.25.6.39",
      "isPublic": true,
      "ipVersion": 4,
      "isWhitelisted": false,
      "abuseConfidenceScore": 100,
      "countryCode": "CN",
      "countryName": "China",
      "usageType": "Data Center/Web Hosting/Transit",
      "isp": "Tencent Cloud Computing (Beijing) Co. Ltd",
      "domain": "tencent.com",
      "hostnames": [],
      "totalReports": 1,
      "numDistinctUsers": 1,
      "lastReportedAt": "2018-12-20T20:55:14+00:00",
      "reports": [
        {
          "reportedAt": "2018-12-20T20:55:14+00:00",
          "comment": "Dec 20 20:55:14 srv206 sshd[13937]: Invalid user oracle from 118.25.6.39",
          "categories": [
            18,
            22
          ],
          "reporterId": 1,
          "reporterCountryCode": "US",
          "reporterCountryName": "United States"
        }
      ]
    }
  }
  
SørenR.

Woke is Marxism advancing through Maoist cultural revolution.

palinka
Senior user
Senior user
Posts: 4461
Joined: 2017-09-12 17:57

Re: Check incoming connections with AbuseIPDB

Post by palinka » 2020-09-22 15:47

Cool json, bro. :mrgreen:

scottkeen
Normal user
Normal user
Posts: 35
Joined: 2016-10-28 23:10

Re: Check incoming connections with AbuseIPDB

Post by scottkeen » 2021-03-16 22:00

Hey, I was just trying this out, got this message returned:
{"detail":"The APIv1 check endpoint has sunset. Please migrate to the APIv2 version of this endpoint. You will need a new API key.","links":{"related":"https:\/\/docs.abuseipdb.com\/#check-endpoint"},"status":404}
Any update to the original VBScript? I used the 2nd VBScript in this thread.

palinka
Senior user
Senior user
Posts: 4461
Joined: 2017-09-12 17:57

Re: Check incoming connections with AbuseIPDB

Post by palinka » 2021-03-17 13:18

scottkeen wrote:
2021-03-16 22:00
Hey, I was just trying this out, got this message returned:
{"detail":"The APIv1 check endpoint has sunset. Please migrate to the APIv2 version of this endpoint. You will need a new API key.","links":{"related":"https:\/\/docs.abuseipdb.com\/#check-endpoint"},"status":404}
Any update to the original VBScript? I used the 2nd VBScript in this thread.
Did you read the whole thread?

jcastillo725
New user
New user
Posts: 1
Joined: 2022-01-19 05:26

Re: Check incoming connections with AbuseIPDB

Post by jcastillo725 » 2022-01-19 05:36

I'm trying to make this work but it appears that I am not able to send the api key in the header. Can anyone check what might be wrong in my code:

Code:

Sub AbuseIPDB()

'Declare variables
Dim response As WinHttpRequest
Dim api As String

api = (insert api key here)

Set response = New WinHttpRequest

    'Define URL Components
    base_url = "https://api.abuseipdb.com/api/v2/check/"
    param_ip_val = Sheet4.Range("A2").Value

    api_url = base_url & param_ip_val

    response.Open "get", api_url
    
    response.SetRequestHeader "Key", api
    response.SetRequestHeader "Accept", "Application/Json"
    
    response.Send
    
    'Print the status code in case something went wrong
    Debug.Print "The Request was " + CStr(response.Status)
    
    'print raw response for checking
    Debug.Print response.ResponseText
    
    'Define a few object variables
    Dim JsonResponse As Object
    Dim data As Dictionary
    
    'Parse the response
    Set JsonResponse = JsonConverter.ParseJson(response.ResponseText)

    
    '(Only for dynamic number of rows)First handle the results section of our response
    '(Only for dynamic number of rows)For Each result In JsonResponse("results")
               
        'Grab the Abuse Score
        Debug.Print data("abuseConfidenceScore")
        
        'Grab the countryCode
        Debug.Print data("countryCode")
        
        'Grab the isp
        Debug.Print data("isp")
        
        'Grab the domain
        Debug.Print data("domain")
        
        'Grab the totalReports
        Debug.Print data("totalReports")
    
    
End Sub
This is the output from print that I get:

Code:

The Request was 200
AbuseIPDB APIv2 Server.

palinka
Senior user
Senior user
Posts: 4461
Joined: 2017-09-12 17:57

Re: Check incoming connections with AbuseIPDB

Post by palinka » 2022-01-19 13:07

jcastillo725 wrote:
2022-01-19 05:36
I'm trying to make this work but it appears that I am not able to send the api key in the header. Can anyone check what might be wrong in my code:

Code:

Sub AbuseIPDB()

'Declare variables
Dim response As WinHttpRequest
Dim api As String

api = (insert api key here)

Set response = New WinHttpRequest

    'Define URL Components
    base_url = "https://api.abuseipdb.com/api/v2/check/"
    param_ip_val = Sheet4.Range("A2").Value

    api_url = base_url & param_ip_val

    response.Open "get", api_url
    
    response.SetRequestHeader "Key", api
    response.SetRequestHeader "Accept", "Application/Json"
    
    response.Send
    
    'Print the status code in case something went wrong
    Debug.Print "The Request was " + CStr(response.Status)
    
    'print raw response for checking
    Debug.Print response.ResponseText
    
    'Define a few object variables
    Dim JsonResponse As Object
    Dim data As Dictionary
    
    'Parse the response
    Set JsonResponse = JsonConverter.ParseJson(response.ResponseText)

    
    '(Only for dynamic number of rows)First handle the results section of our response
    '(Only for dynamic number of rows)For Each result In JsonResponse("results")
               
        'Grab the Abuse Score
        Debug.Print data("abuseConfidenceScore")
        
        'Grab the countryCode
        Debug.Print data("countryCode")
        
        'Grab the isp
        Debug.Print data("isp")
        
        'Grab the domain
        Debug.Print data("domain")
        
        'Grab the totalReports
        Debug.Print data("totalReports")
    
    
End Sub
This is the output from print that I get:

Code:

The Request was 200
AbuseIPDB APIv2 Server.
Have a look at this post: viewtopic.php?p=219343#p219343

User avatar
kimboslice
Normal user
Normal user
Posts: 38
Joined: 2022-02-05 16:38

Re: Check incoming connections with AbuseIPDB

Post by kimboslice » 2022-03-13 08:38

Which config should be used from this thread to check against AbuseIPDB? I appended this to the bottom of my eventhandler.vbs, nothing seems to be written to log however, a little confused on how this is supposed to work, I've re-read the thread 3 times... please advise
Code:

Function ListedInAbuseIPDB(strIP) : ListedInAbuseIPDB = false
    With CreateObject("AbuseIPDBComponent.AbuseIPDBRestClient")
        .SetApiKey("MYAPIKEY")
        .SetMaxConfidenceScore(40)
        .SetMaxAgeInDays(30)
        On Error Resume Next
        ListedInAbuseIPDB = .BlockEndpoint(strIP)
        If (ListedInAbuseIPDB) then
            EventLog.Write("AbuseIPDB Score:" & .GetConfidenceScore(strIP))
        End If
        If Err.Number <> 0 Then
            EventLog.Write("AbuseIPDB Error: " & Err.Description)
        End If
        On Error Goto 0
    End With
End Function

User avatar
RvdH
Senior user
Senior user
Posts: 3235
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Check incoming connections with AbuseIPDB

Post by RvdH » 2022-03-13 11:23

CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

User avatar
kimboslice
Normal user
Normal user
Posts: 38
Joined: 2022-02-05 16:38

Re: Check incoming connections with AbuseIPDB

Post by kimboslice » 2022-04-20 07:09

RvdH wrote:
2022-03-13 11:23
It is pretty much summed up here: https://www.hmailserver.com/forum/viewt ... 78#p219178
I'm at a loss on what to actually do with those scripts. The second one looks like something that belongs in EventHandlers, but the first I don't understand what I am to do with?

palinka
Senior user
Senior user
Posts: 4461
Joined: 2017-09-12 17:57

Re: Check incoming connections with AbuseIPDB

Post by palinka » 2022-04-20 12:58

kimboslice wrote:
2022-04-20 07:09
RvdH wrote:
2022-03-13 11:23
It is pretty much summed up here: https://www.hmailserver.com/forum/viewt ... 78#p219178
I'm at a loss on what to actually do with those scripts. The second one looks like something that belongs in EventHandlers, but the first I don't understand what I am to do with?
They both go in eventhandlers: One is the function that checks abuseipdb, the other is the event trigger. Have you tried it yet?

User avatar
kimboslice
Normal user
Normal user
Posts: 38
Joined: 2022-02-05 16:38

Re: Check incoming connections with AbuseIPDB

Post by kimboslice » 2022-04-21 04:30

palinka wrote:
2022-04-20 12:58
They both go in eventhandlers: One is the function that checks abuseipdb, the other is the event trigger. Have you tried it yet?
Of course I've tried, otherwise I wouldn't be asking for help... nothing is ever written to the log... where exactly is the Function intended to go?

I have an API key and I've installed the component as well... not seeing anything written to the log.

Edit: scratch that, renewed the API key and it's working now, odd.

mats
Normal user
Normal user
Posts: 46
Joined: 2018-05-06 20:58

Re: Check incoming connections with AbuseIPDB

Post by mats » 2023-01-07 17:53

I played a little with this over the holidays (running 5.7).

First test. Just add bans to HMailServer.
- Two drawbacks. IP ranges created after the admin GUI will appear under IP ranges but cannot be opened until you restart the admin GUI
- At about 1500 rules MySQL consumed an entire CPU core and HMailServer took 60% of the next. Deleted the rules and down to sub 1% for both of them. Most likely something with my installation.

Second attempt. 2 Hour bans in HMailserver and longer bans using Windows Firewall.
Created a PowerShell script that reads all bans from hMailServer and creates block rules for them. Decided to be wild and crazy and created one rule per banned IP. The script runs once an hour. With a one week blocktime I got about 3K block rules. The script also removes rules older than one week.
- Same issue about the rules in the GUI. Runs at sub 1% CPU.

Third attempt. Ban them in the Firewall direct from OnClientConnect.
Wrote a VBScript function to block the IP, and modified the PowerShell script so that it only does cleanup.
If you do not run HmailServer as admin the account needs to be a member of Network Configuration Users to be allowed to add FW rules.
- Runs at sub 1% CPU.

The sub I use

Code:

Sub BanIP(ipaddress)

  EventLog.Write "Adding Firewall rule for " & ipaddress
  ' Create the FwPolicy2 object.
  Dim fwPolicy2
  Set fwPolicy2 = CreateObject("HNetCfg.FwPolicy2")

  ' Get the Rules object
  Dim RulesObject
  Set RulesObject = fwPolicy2.Rules

  'Create a Rule Object.
  Dim NewRule
  Set NewRule = CreateObject("HNetCfg.FWRule")

  NewRule.Name = ipaddress
  NewRule.Description = "Created:" & Now   ' timestamp read back by the cleanup script
  NewRule.RemoteAddresses = ipaddress
  NewRule.Direction = 1 ' 1 for in, 2 for out
  NewRule.Enabled = True
  NewRule.Grouping = "MailBlacklist"
  NewRule.Action = 0 '0 for block, 1 for allow
  ' Protocol, profiles and ports are left at their defaults, i.e. any

  'Add a new rule
  On Error Resume Next
  RulesObject.Add NewRule
  If (Err.Number = 0) Then
    EventLog.Write "Added Firewall rule for " & ipaddress
  Else
    EventLog.Write "ERROR: EventHandlers.vbs : Sub BanIP : Error       : " & Err.Number
    EventLog.Write "ERROR: EventHandlers.vbs : Sub BanIP : Source      : " & Err.Source
    EventLog.Write "ERROR: EventHandlers.vbs : Sub BanIP : Description : " & Err.Description
    Err.Clear
  End If
  On Error Goto 0
End Sub
I ban that IP for any protocol, any profile and any port.
The trick I'm using is the timestamp in the description. It allows my PowerShell script to decide which rules should be deleted.

Code:

$ExpireMinutes=10080 # one week

# Delete Expired rules
$fwRules=Get-NetFirewallRule -DisplayGroup MailBlacklist
foreach($fwRule in $fwRules){
  if((New-TimeSpan ($fwRule.Description.Substring(8))).TotalMinutes -gt $ExpireMinutes){
    write-host "removing" $fwrule.name 
    Remove-NetFirewallRule -Name $fwRule.Name
  }
}
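
The bookkeeping behind the two scripts above, as an added example and not mats' code: which rules in the MailBlacklist group have expired, and how to fold many addresses into one rule. Rules are plain dicts here, standing in for the objects Get-NetFirewallRule returns; the actual add and remove calls stay with the VBScript (HNetCfg.FwPolicy2) and the PowerShell on this page. It assumes the description carries an ISO 8601 timestamp after "Created:", which reads the same under every locale (VBScript's Now emits a locale-formatted string), and it reports rather than removes any rule whose description it cannot parse, where Description.Substring(8) would throw or misread.

```python
"""Expiry and batching logic for timestamped MailBlacklist firewall rules.

Added example, not code from the thread. Rule dicts stand in for
Get-NetFirewallRule output; assumption: descriptions are
"Created:<ISO 8601 timestamp>".
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

PREFIX = "Created:"
EXPIRE_MINUTES = 10080          # one week, as in the cleanup script


def make_description(created: datetime) -> str:
    """Description text to store on a newly created rule."""
    return PREFIX + created.isoformat()


def parse_created(description: str) -> Optional[datetime]:
    """Creation time, or None when the text is not one of ours.
    Description.Substring(8) in the PowerShell version throws on a short
    description and misreads any foreign rule placed in the same group."""
    if not description.startswith(PREFIX):
        return None
    try:
        created = datetime.fromisoformat(description[len(PREFIX):])
    except ValueError:
        return None
    if created.tzinfo is None:          # tolerate naive stamps, treat as UTC
        created = created.replace(tzinfo=timezone.utc)
    return created


def expired_rule_names(rules, now, expire_minutes=EXPIRE_MINUTES):
    """Split the group into (expired, unparsable) rule names. Rules whose
    timestamp cannot be read are reported, never silently removed."""
    expired, unknown = [], []
    for rule in rules:
        created = parse_created(rule.get("Description", ""))
        if created is None:
            unknown.append(rule["Name"])
        elif now - created > timedelta(minutes=expire_minutes):
            expired.append(rule["Name"])
    return expired, unknown


def batch_addresses(addresses, created, per_rule=400):
    """Fold addresses into rules of at most per_rule remote addresses each,
    as a later reply in this thread describes, so a week of bans does not
    become thousands of single-address rules. Names are per batch run only."""
    addresses = sorted(set(addresses))
    rules = []
    for i in range(0, len(addresses), per_rule):
        chunk = addresses[i:i + per_rule]
        rules.append({
            "Name": f"MailBlacklist-{i // per_rule + 1}",
            "Description": make_description(created),
            "RemoteAddresses": ",".join(chunk),   # HNetCfg takes a comma list
        })
    return rules


# Constructed sample state for a stand-alone run (documentation addresses).
SAMPLE_NOW = datetime(2023, 1, 8, 12, 0, tzinfo=timezone.utc)
SAMPLE_RULES = [
    {"Name": "203.0.113.5", "Description": make_description(SAMPLE_NOW - timedelta(days=9))},
    {"Name": "198.51.100.7", "Description": make_description(SAMPLE_NOW - timedelta(days=1))},
    {"Name": "manual-block", "Description": "Created by admin, keep"},
]

if __name__ == "__main__":
    print(expired_rule_names(SAMPLE_RULES, SAMPLE_NOW))
    print(len(batch_addresses([f"192.0.2.{i}" for i in range(1, 255)], SAMPLE_NOW)))
```

The (expired, unknown) split is the point: a cleanup job that deletes everything it cannot parse will eventually remove a rule somebody added by hand to the same group.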


palinka
Senior user
Senior user
Posts: 4461
Joined: 2017-09-12 17:57

Re: Check incoming connections with AbuseIPDB

Post by palinka » 2023-01-08 00:02

mats wrote:
2023-01-07 17:53
Decided to be wild and crazy and created one rule per banned IP. The script runs once an Hour. With a one week blocktime I got about 3K block rules.
Be careful with that. When you start to approach 10k firewall rules, windows starts acting crazy. I know because I had a similar project. I solved that by grouping rules containing 400 IPs each. You will get a chance to find out one day when you get swarmed by bots.

palinka
Senior user
Senior user
Posts: 4461
Joined: 2017-09-12 17:57

Re: Check incoming connections with AbuseIPDB

Post by palinka » 2023-01-08 11:15

mats wrote:
2023-01-07 17:53

Code:

  ' Create the FwPolicy2 object.
  Dim fwPolicy2
  Set fwPolicy2 = CreateObject("HNetCfg.FwPolicy2")
I didn't look at this last night. Very nice! I didn't know this existed. This could definitely be useful.

palinka
Senior user
Senior user
Posts: 4461
Joined: 2017-09-12 17:57

Re: Check incoming connections with AbuseIPDB

Post by palinka » 2023-01-08 11:53

I just implemented this code. Thanks.

One thing I do to take it just a step further is utilize RvdH's disconnect.exe and autoban for 1 hour - could be 5 minutes - just something there to prevent new connections while the firewall rule is being created.

mats
Normal user
Normal user
Posts: 46
Joined: 2018-05-06 20:58

Re: Check incoming connections with AbuseIPDB

Post by mats » 2023-01-08 16:44

palinka wrote:
2023-01-08 11:53
I just implemented this code. Thanks.

One thing I do to take it just a step further is utilize RvdH's disconnect.exe and autoban for 1 hour - could be 5 minutes - just something there to prevent new connections while the firewall rule is being created.
Can you please test what is fastest for you. Creating autobans

Code:

a=timer
autobanip "10.0.0.255",2,"test"
autobanip "10.0.0.254",2,"test"
autobanip "10.0.0.253",2,"test"
autobanip "10.0.0.252",2,"test"
autobanip "10.0.0.251",2,"test"
autobanip "10.0.0.250",2,"test"
autobanip "10.0.0.249",2,"test"
autobanip "10.0.0.248",2,"test"
autobanip "10.0.0.247",2,"test"
autobanip "10.0.0.246",2,"test"
wscript.echo timer-a
Sub AutobanIP(IPAddress, NumberOfDays, ReasonForBan)
	
	wscript.echo "about to ban: " & IPAddress & " for: " & NumberOfDays & " Hours. Reason: " & ReasonForBan 
	Dim oApp
	Set oApp = CreateObject("hMailServer.Application")
	Call oApp.Authenticate("Administrator","YourSecretPassword")

	Dim i
	For i = 0 To oApp.Settings.SecurityRanges.Count -1
		If IPAddress = oApp.Settings.SecurityRanges.Item(i).LowerIP Then Exit sub
	Next

	oApp.Settings.SecurityRanges.Refresh
	With oApp.Settings.SecurityRanges.Add()
		.lowerip = ipaddress
		.upperip = ipaddress
		.priority = 101
		.allowdeliveryfromlocaltolocal = False
		.allowdeliveryfromlocaltoremote = False
		.allowdeliveryfromremotetolocal = False
		.allowdeliveryfromremotetoremote = False
		.allowimapconnections = False
		.allowsmtpconnections = False
		.allowpop3connections = False
		.expires = True
		.ExpiresTime = DateAdd("h", NumberOfDays, Now())
		.name = ReasonForBan & " - banned for " & NumberOfDays & " hours - " & ipaddress
		On Error Resume Next
		.save
		If (Err.Number = 0) Then
			wscript.echo "Autoban IP range saved for IP Address " & IPAddress & " with Reason-" & reasonforban
		ElseIf (Err.Number <> 0) Then
			
			wscript.echo "ERROR: EventHandlers.vbs : Sub AutobanIP : Error       : " & Err.Number
			wscript.echo "ERROR: EventHandlers.vbs : Sub AutobanIP : Source      : " & Err.Source
			wscript.echo "ERROR: EventHandlers.vbs : Sub AutobanIP : Description : " & Err.Description
			Err.Clear
		End If
		On Error Goto 0
	End With
	End Sub

Or add firewall rules?

Code:

option explicit
dim a,b
A=timer
banip "10.0.0.255"
banip "10.0.0.254"
banip "10.0.0.253"
banip "10.0.0.252"
banip "10.0.0.251"
banip "10.0.0.250"
banip "10.0.0.249"
banip "10.0.0.248"
banip "10.0.0.247"
banip "10.0.0.246"

wscript.echo timer -a

Sub BanIP(ipaddress)

 ' EventLog.Write "Adding Firewall rule for " & ipaddress
  ' Create the FwPolicy2 object.
  Dim fwPolicy2
  Set fwPolicy2 = CreateObject("HNetCfg.FwPolicy2")

  ' Get the Rules object
  Dim RulesObject
  Set RulesObject = fwPolicy2.Rules

  'Create a Rule Object.
  Dim NewRule
  Set NewRule = CreateObject("HNetCfg.FWRule")

  NewRule.Name = ipaddress
  NewRule.Description = "Created:" & now
  NewRule.RemoteAddresses=ipaddress
  NewRule.Direction = 1 ' 1 for in, 2 for out
  NewRule.Enabled = TRUE  
  NewRule.Grouping = "MailBlacklist"
  NewRule.Action = 0 '0 for block, 1 for allow
        
  'Add a new rule
  On Error Resume Next
  RulesObject.Add NewRule
  If (Err.Number = 0) Then
	wscript.echo "Added Firewall rule for " & ipaddress
  Else
	wscript.echo "ERROR: EventHandlers.vbs : Sub BanIP : Error       : " & Err.Number
	wscript.echo "ERROR: EventHandlers.vbs : Sub BanIP : Source      : " & Err.Source
	wscript.echo "ERROR: EventHandlers.vbs : Sub BanIP : Description : " & Err.Description
	Err.Clear
  End If
  On Error Goto 0
End Sub

For me FW rules are faster.
I also use disconnect to get rid of simultaneous connections

palinka
Senior user
Senior user
Posts: 4461
Joined: 2017-09-12 17:57

Re: Check incoming connections with AbuseIPDB

Post by palinka » 2023-01-08 17:16

mats wrote:
2023-01-08 16:44
For me FW rules are faster.
I also use disconnect to get rid of simultaneous connections
I'm used to netsh which actually does take a second or more. I've never used your method before today. I don't need to test it. I'll take your word for it. :D

Still, disconnect.exe is useful. It kills the connection immediately.

mats
Normal user
Normal user
Posts: 46
Joined: 2018-05-06 20:58

Re: Check incoming connections with AbuseIPDB

Post by mats » 2023-01-09 00:02

palinka wrote:
2023-01-08 17:16
mats wrote:
2023-01-08 16:44
For me FW rules are faster.
I also use disconnect to get rid of simultaneous connections
I'm used to netsh which actually does take a second or more. I've never used your method before today. I don't need to test it. I'll take your word for it. :D
I'm just curious if it's repeatable or if it's my database that is slow ;)

mats
Normal user
Normal user
Posts: 46
Joined: 2018-05-06 20:58

Re: Check incoming connections with AbuseIPDB

Post by mats » 2023-01-16 22:40

It's been running for about 10 days now.
Seems stable and effective. I have about 33% fewer FW rules today, i.e. the number of attacks has gone down.

palinka
Senior user
Senior user
Posts: 4461
Joined: 2017-09-12 17:57

Re: Check incoming connections with AbuseIPDB

Post by palinka » 2023-01-16 23:40

mats wrote:
2023-01-16 22:40
It's been running for about 10 days now.
Seems stable and effective. I have about 33% fewer FW rules today, i.e. the number of attacks has gone down.
I used to have a firewall ban project. I collected a LOT of statistics by reading the firewall logs as part of the script. What I learned was that 60% of IPs are part of huge bot nets that never ever returned (almost 2 years of statistics/firewall banning). Of the rest only a very small percentage were "problem children". That thing grew into an overly complex thing that I eventually abandoned in favor of simply autobanning any "bad" IPs for one hour only.

But, being nostalgic :D I implemented your script for a couple of days. I had a couple of false positives and then deleted the whole thing.

It is stable. Nice coding, for sure. I will find a use for that vbs firewall banning. Much simpler than the netsh powershell I was using in my project. I just haven't decided how to select the "problem children" yet. Right now I'm working on a new logging project that should be helpful in determining who is a problem child and who isn't.

mats
Normal user
Normal user
Posts: 46
Joined: 2018-05-06 20:58

Re: Check incoming connections with AbuseIPDB

Post by mats » 2023-01-17 20:11

I find it strange myself.

At the worst point I had 3230 FW rules in my MailBlacklist group
Today it's down to 1654

By the way. How to count the rules

Code:

(Get-NetFirewallRule -DisplayGroup MailBlacklist).count

palinka
Senior user
Senior user
Posts: 4461
Joined: 2017-09-12 17:57

Re: Check incoming connections with AbuseIPDB

Post by palinka » 2023-01-17 21:05

mats wrote:
2023-01-17 20:11
I find it strange myself.

At the worst point I had 3230 FW rules in my MailBlacklist group
Today it's down to 1654

By the way. How to count the rules

Code:

(Get-NetFirewallRule -DisplayGroup MailBlacklist).count
If you want to get an idea of the kind of statistics I was recording while my firewall ban project was active, have a look here (demo - feel free to press buttons and click links): https://firewallban.dynu.net/

"Hits" are IPs that were firewall banned for some reason.

"Blocks" are those IPs that were banned - scraped from the firewall log - in order to count successive tries. This was able to tell me the number of IPs that never returned, returned once, twice, 10,000 times, etc. I found that to be very useful information.

Unfortunately, like I said, it became too cumbersome to maintain. The bugs added up as I continued to add features. :D

palinka
Senior user
Senior user
Posts: 4461
Joined: 2017-09-12 17:57

Re: Check incoming connections with AbuseIPDB

Post by palinka » 2023-01-17 23:46

Code:

hMailServer Firewall Ban Project
Block Count
Count repeat drops from firewall log

Run : 1/17/2023 1:59 PM

1,280 : Number of days data in database

53,503 : Total number of IPs banned

32,049 : 59.90 % : Number of banned IPs that never returned

No. of banned IPs	Percent returns	Returned at least

21,454	40.10%	1 day
12,551	23.46%	2 days
9,322	17.42%	3 days
7,504	14.03%	4 days
6,328	11.83%	5 days
5,327	9.96%	6 days
4,413	8.25%	7 days
3,701	6.92%	8 days
3,112	5.82%	9 days
2,682	5.01%	10 days
2,374	4.44%	11 days
2,078	3.88%	12 days
1,852	3.46%	13 days
1,626	3.04%	14 days
1,454	2.72%	15 days
1,284	2.40%	16 days
1,148	2.15%	17 days
1,042	1.95%	18 days
942	1.76%	19 days
859	1.61%	20 days
783	1.46%	21 days
725	1.36%	22 days
670	1.25%	23 days
620	1.16%	24 days
557	1.04%	25 days
524	0.98%	26 days
488	0.91%	27 days
459	0.86%	28 days
429	0.80%	29 days
397	0.74%	30 days
376	0.70%	31 days
356	0.67%	32 days
335	0.63%	33 days
326	0.61%	34 days
309	0.58%	35 days
284	0.53%	36 days
273	0.51%	37 days
258	0.48%	38 days
243	0.45%	39 days
227	0.42%	40 days
209	0.39%	41 days
199	0.37%	42 days
192	0.36%	43 days
182	0.34%	44 days
176	0.33%	45 days
171	0.32%	46 days
164	0.31%	47 days
154	0.29%	48 days
147	0.27%	49 days
144	0.27%	50 days
140	0.26%	51 days
133	0.25%	52 days
128	0.24%	53 days
124	0.23%	54 days
119	0.22%	55 days
116	0.22%	56 days
113	0.21%	57 days
112	0.21%	58 days
112	0.21%	59 days
110	0.21%	60 days
110	0.21%	61 days
109	0.20%	62 days
106	0.20%	63 days
103	0.19%	64 days
102	0.19%	65 days
100	0.19%	66 days
99	0.19%	67 days
96	0.18%	68 days
94	0.18%	69 days
92	0.17%	70 days
90	0.17%	71 days
89	0.17%	72 days
87	0.16%	73 days
85	0.16%	74 days
83	0.16%	75 days
80	0.15%	76 days
80	0.15%	77 days
78	0.15%	78 days
78	0.15%	79 days
76	0.14%	80 days
76	0.14%	81 days
75	0.14%	82 days
72	0.13%	83 days
72	0.13%	84 days
72	0.13%	85 days
71	0.13%	86 days
71	0.13%	87 days
69	0.13%	88 days
68	0.13%	89 days
67	0.13%	90 days
67	0.13%	91 days
65	0.12%	92 days
65	0.12%	93 days
63	0.12%	94 days
59	0.11%	95 days
56	0.10%	96 days
53	0.10%	97 days
50	0.09%	98 days
48	0.09%	99 days
45	0.08%	100 days
41	0.08%	101 days
38	0.07%	102 days
33	0.06%	103 days
28	0.05%	104 days
23	0.04%	105 days
21	0.04%	106 days
19	0.04%	107 days
18	0.03%	108 days
18	0.03%	109 days
17	0.03%	110 days
16	0.03%	111 days
16	0.03%	112 days
16	0.03%	113 days
16	0.03%	114 days
16	0.03%	115 days
16	0.03%	116 days
16	0.03%	117 days
15	0.03%	118 days
15	0.03%	119 days
15	0.03%	120 days
15	0.03%	121 days
15	0.03%	122 days
15	0.03%	123 days
15	0.03%	124 days
15	0.03%	125 days
15	0.03%	126 days
15	0.03%	127 days
15	0.03%	128 days
15	0.03%	129 days
15	0.03%	130 days
15	0.03%	131 days
15	0.03%	132 days
15	0.03%	133 days
15	0.03%	134 days
15	0.03%	135 days
14	0.03%	136 days
14	0.03%	137 days
14	0.03%	138 days
14	0.03%	139 days
14	0.03%	140 days
14	0.03%	141 days
14	0.03%	142 days
14	0.03%	143 days
14	0.03%	144 days
14	0.03%	145 days
13	0.02%	146 days
13	0.02%	147 days
13	0.02%	148 days
12	0.02%	149 days
11	0.02%	150 days
11	0.02%	151 days
10	0.02%	152 days
10	0.02%	153 days
10	0.02%	154 days
10	0.02%	155 days
10	0.02%	156 days
10	0.02%	157 days
10	0.02%	158 days
10	0.02%	159 days
10	0.02%	160 days
10	0.02%	161 days
10	0.02%	162 days
10	0.02%	163 days
10	0.02%	164 days
10	0.02%	165 days
8	0.01%	166 days
8	0.01%	167 days
8	0.01%	168 days
8	0.01%	169 days
8	0.01%	170 days
8	0.01%	171 days
8	0.01%	172 days
8	0.01%	173 days
8	0.01%	174 days
8	0.01%	175 days
8	0.01%	176 days
8	0.01%	177 days
8	0.01%	178 days
7	0.01%	179 days
7	0.01%	180 days
7	0.01%	181 days
7	0.01%	182 days
7	0.01%	183 days
7	0.01%	184 days
7	0.01%	185 days
7	0.01%	186 days
7	0.01%	187 days
7	0.01%	188 days
7	0.01%	189 days
7	0.01%	190 days
6	0.01%	191 days
6	0.01%	192 days
6	0.01%	193 days
6	0.01%	194 days
6	0.01%	195 days
6	0.01%	196 days
6	0.01%	197 days
6	0.01%	198 days
6	0.01%	199 days
6	0.01%	200 days
6	0.01%	201 days
6	0.01%	202 days
6	0.01%	203 days
6	0.01%	204 days
6	0.01%	205 days
6	0.01%	206 days
6	0.01%	207 days
6	0.01%	208 days
6	0.01%	209 days
6	0.01%	210 days
6	0.01%	211 days
5	0.01%	212 days
5	0.01%	213 days
4	0.01%	214 days
4	0.01%	215 days
2	0.00%	216 days
2	0.00%	217 days
2	0.00%	218 days
2	0.00%	219 days
2	0.00%	220 days
2	0.00%	221 days
2	0.00%	222 days
2	0.00%	223 days
2	0.00%	224 days
2	0.00%	225 days
2	0.00%	226 days
2	0.00%	227 days
2	0.00%	228 days
2	0.00%	229 days
1	0.00%	230 days
1	0.00%	231 days
1	0.00%	232 days
1	0.00%	233 days
1	0.00%	234 days
1	0.00%	235 days
1	0.00%	236 days

jamaisx
New user
New user
Posts: 8
Joined: 2013-12-31 10:41

Re: UPDATE: Check incoming connections with AbuseIPDB

Post by jamaisx » 2023-06-09 10:18

Po-In wrote:
2018-05-24 13:46
Here's one that doesn't need registration (even though I think you should register anyway and show some support to AbuseIPDB).

The function 'CheckAbuseIPDBConfidence' returns the 'Confidence of Abuse' percentage for the given IP address, as calculated by AbuseIPDB.
It parses the page data until it finds the section that represents the value. This will work as long as AbuseIPDB doesn't change the design :)

As shown below, I refuse connections from IP addresses that score higher than 40%, which works pretty well for me.
About 75% of the connecting IP addresses score 40 or above, so it helps a lot.

Code:

Sub OnClientConnect(oClient)
'Variables
	ClientIp				= oClient.IpAddress			'Connecting remote IP address
	WhiteList				= "#127.0.0.1#a.b.c.d#1.2.3.4#"		'Delimited list of whitelisted IP addresses to exclude: localhost, maybe your server's IP address, your WebClient IP address, whatever
	Percentage 				= 0					'Default value (numeric, so the comparisons below are numeric too)

'Check if connecting client isn't whitelisted
	If Instr(WhiteList, "#" & ClientIp & "#") = 0 Then
		Percentage			= CInt(CheckAbuseIPDBConfidence(ClientIp))

'Process reported percentage
		If Percentage > 40 then
			Result.Value 		= 1
			EventLog.Write ("AbuseIPDB: IP Address " & ClientIp & " rejected: Confidence of Abuse: " & Percentage & "%.")
		ElseIf Percentage > 10 then
			Result.Value 		= 0
			EventLog.Write ("AbuseIPDB: IP Address " & ClientIp & " warning: Confidence of Abuse: " & Percentage & "%.")
		ElseIf Percentage > 0 then
			Result.Value 		= 0
			EventLog.Write ("AbuseIPDB: IP Address " & ClientIp & " notification: Confidence of Abuse: " & Percentage & "%.")
		End If
	End If
End Sub

Public Function CheckAbuseIPDBConfidence(IPAddress)
	CheckAbuseIPDBConfidence		= "0"
	Set objXMLHTTP				= CreateObject("msxml2.xmlhttp.6.0")
		objXMLHTTP.Open "GET", "https://www.abuseipdb.com/check/" & IPAddress, False
		objXMLHTTP.Send ""
		ResponseText			= objXMLHTTP.responseText
		ResponseArray			= Split(ResponseText, VbLf)
		For Each ResponseLine in ResponseArray
			'Strip the CR left over from a CRLF line ending and any indentation before matching
			CleanLine		= Trim(Replace(ResponseLine, VbCr, ""))
			If Left(CleanLine, 6) = "<span>" And Right(CleanLine, 8) = "%</span>" Then
				'<span>NN%</span>: drop the 6-character opening tag and the 8-character "%</span>" tail
				ScoreText		= Mid(CleanLine, 7, Len(CleanLine) - 14)
				If IsNumeric(ScoreText) Then CheckAbuseIPDBConfidence = ScoreText
				Exit For
			End If
		Next
	Set objXMLHTTP 				= Nothing
End Function

Not working anymore: the page layout changed and it now uses JavaScript, so I'm switching to the API version.

mats
Normal user
Posts: 46
Joined: 2018-05-06 20:58

Re: Check incoming connections with AbuseIPDB

Post by mats » 2023-10-20 17:47

Someone asked for a V2 script function.

Code: Select all

Public Function CheckAbuseIPDBConfidence(IPAddress)
  CheckAbuseIPDBConfidence		= "0"
  Set objXMLHTTP				= CreateObject("msxml2.xmlhttp.6.0")
  objXMLHTTP.Open "GET", "https://api.abuseipdb.com/api/v2/check?ipAddress=" & IPAddress & "&maxAgeInDays=90&verbose", False
  objXMLHTTP.setRequestHeader "Accept", "application/json"
  objXMLHTTP.setRequestHeader "Key", "Your key here"
  objXMLHTTP.Send ""
  ResponseText			= objXMLHTTP.responseText

  'Pull the integer value of "abuseConfidenceScore" out of the JSON reply. A regular expression
  'copes with optional whitespace after the colon and with the key being the last item in the
  'object (the original fixed-offset/comma slicing raised an error in that case).
  Set objRegEx			= New RegExp
  objRegEx.Pattern		= """abuseConfidenceScore""\s*:\s*(\d+)"
  Set objMatches			= objRegEx.Execute(ResponseText)
  If objMatches.Count > 0 Then
    CheckAbuseIPDBConfidence	= objMatches(0).SubMatches(0)
  End If
  'An error reply (invalid key, rate limit exceeded) carries no score, so "0" is returned and the client is let through

  Set objMatches			= Nothing
  Set objRegEx			= Nothing
  Set objXMLHTTP 				= Nothing
End Function
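
An added example, not code from the thread: the same score lookup done with a real JSON parser and the thresholds from the OnClientConnect script above (reject above 40, warn above 10, notify above 0), with the API error envelope handled instead of silently reading "0". The sample replies are constructed, and the `errors` layout and every field other than `abuseConfidenceScore` are assumptions about the v2 API.

```powershell
# Added example, not from the thread: parse an AbuseIPDB v2 /check reply with ConvertFrom-Json
# and apply the thresholds from the OnClientConnect script (reject > 40, warn > 10, notify > 0).
# The replies below are constructed sample data; the "errors" envelope and the fields other
# than abuseConfidenceScore are assumptions about the v2 API.
function Get-AbuseIPDBVerdict {
    param(
        [Parameter(Mandatory)][string]$ResponseJson,
        [int]$RejectAbove = 40,
        [int]$WarnAbove   = 10
    )
    try {
        $reply = $ResponseJson | ConvertFrom-Json
    } catch {
        # Not JSON at all (HTML error page, truncated body): let the client through, but say why
        return [pscustomobject]@{ Action = 'allow'; Score = $null; Reason = 'unparseable response' }
    }
    if ($reply.errors) {
        # API error envelope (invalid key, rate limit): no score available, so fail open and keep the detail for the log
        $detail = ($reply.errors | ForEach-Object { $_.detail }) -join '; '
        return [pscustomobject]@{ Action = 'allow'; Score = $null; Reason = "API error: $detail" }
    }
    if ($null -eq $reply.data.abuseConfidenceScore) {
        return [pscustomobject]@{ Action = 'allow'; Score = $null; Reason = 'no abuseConfidenceScore in reply' }
    }
    $score = [int]$reply.data.abuseConfidenceScore
    if ($score -gt $RejectAbove)   { $action = 'reject' }
    elseif ($score -gt $WarnAbove) { $action = 'warn' }
    elseif ($score -gt 0)          { $action = 'notify' }
    else                           { $action = 'allow' }
    [pscustomobject]@{ Action = $action; Score = $score; Reason = "Confidence of Abuse: $score%" }
}

# Constructed sample replies (203.0.113.0/24 is documentation address space, not a real reporter)
$scored  = '{"data":{"ipAddress":"203.0.113.7","abuseConfidenceScore":87,"totalReports":42}}'
$clean   = '{"data":{"ipAddress":"203.0.113.8","abuseConfidenceScore":0,"totalReports":0}}'
$limited = '{"errors":[{"detail":"Daily rate limit exceeded.","status":429}]}'

Get-AbuseIPDBVerdict $scored    # reported host, above the reject threshold
Get-AbuseIPDBVerdict $clean     # never reported
Get-AbuseIPDBVerdict $limited   # API refused the lookup: fails open with the reason
```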

mats
Normal user
Posts: 46
Joined: 2018-05-06 20:58

Re: Check incoming connections with AbuseIPDB

Post by mats » 2023-10-24 23:24

Made a simple reporting script that reports the IPs that have been banned in hMailServer.

It checks the autobans in hMailServer (priority 100) and reports them to AbuseIPDB (thanks for the REST call, Palinka). Finally it sets the priority to 99 (to avoid double reporting). It will not report a repeat abuser again until the next time they get autobanned. Could be run once an hour as a scheduled task.

Code: Select all

$objhmail = New-Object -ComObject "hMailServer.Application"
$objhmail.Authenticate("username", "Password")
$blacklist = $objhmail.Settings.SecurityRanges

$Header = @{
    "Key"    = "API-key"
    "Accept" = "application/json"
}

# hMailServer COM collections are zero-based
for ($I = 0; $I -lt $blacklist.Count; $I++) {
    $range = $blacklist.Item($I)
    # Autoban entries are created with priority 100; anything else (manual ranges, already reported bans) is skipped
    if ($range.Priority -eq 100) {
        $BodyReport = @{
            "ip"         = $range.LowerIP
            "comment"    = "Mail login attempts"
            "categories" = "18"          # 18 = Brute-Force
        } | ConvertTo-Json

        try {
            $AbuseIPDB = Invoke-RestMethod -Method POST -Uri "https://api.abuseipdb.com/api/v2/report" -Headers $Header -Body $BodyReport -ContentType 'application/json; charset=utf-8'
            # Only mark the range as reported when the API accepted it; on failure it is retried on the next run
            $range.Priority = 99
            $range.Save()
        } catch {
            Write-Warning ("AbuseIPDB report for {0} failed: {1}" -f $range.LowerIP, $_.Exception.Message)
        }
    }
}
