palinka wrote: ↑2020-03-31 13:34
Not sure if it's the latest, but it's still the greatest:
https://www.hmailserver.com/forum/viewt ... 66#p209546
Check incoming connections with AbuseIPDB
Re: Check incoming connections with AbuseIPDB
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
Re: Check incoming connections with AbuseIPDB
RvdH wrote: ↑2020-03-30 12:21
Code:
' strIP, A valid IPv4 or IPv6 address. (required)
' strCategories, comma separated string with integer values (required)
' few examples:
' 7 - Phishing
' 11 - Email Spam
' 14 - Port Scan
' 15 - Hacking
' 17 - Spoofing
' 18 - Brute-Force
' 20 - Exploited Host
' strCommment, Related information (optional: server logs, timestamps, etc.)
Multiple strCategories can be listed? I'm thinking 18/20 and 11/20 are often combined. The "tell" is a dynamic/pool PTR as helo.
Re: Check incoming connections with AbuseIPDB
Yup, comma separated, eg: "18,20" or "11,20"
Re: Check incoming connections with AbuseIPDB
Awesome. Going to try it out later today.
Re: Check incoming connections with AbuseIPDB
RvdH wrote: ↑2020-03-31 12:46
@fjansen04
Make sure you only call ReportToAbuseIPDB(ip address, etc, etc) for that IP address once in a 15 minute timespan, it is a limit by AbuseIPDB.
The 2nd line is apparently a report of the same IP address within this 15 minute timespan and therefore it gives the: Too Many Requests error
Could be useful to combine it with SorenR's autoban function, at least autoban the IP for 15 minutes (I use a 1 day autoban)
@SorenR, where is the latest and greatest autoban function?
Here... Plus some bonus material
Code:
'******************************************************************************************************************************
'********** AutoBan stuff **********
'******************************************************************************************************************************
Function AutoBan(sIPAddress, sReason, iDuration, sType) : AutoBan = False
    '
    ' sType can be one of the following;
    ' "yyyy" Year, "m" Month, "d" Day, "h" Hour, "n" Minute, "s" Second
    '
    Dim oApp : Set oApp = CreateObject("hMailServer.Application")
    Call oApp.Authenticate(ADMIN, PASSWORD)
    With LockFile(TEMPDIR & "\autoban.lck")
        On Error Resume Next
        ' Err.Number = 9 means no range with this name exists yet
        Dim oSecurityRange : Set oSecurityRange = oApp.Settings.SecurityRanges.ItemByName("(" & sReason & ") " & sIPAddress)
        If Err.Number = 9 Then
            With oApp.Settings.SecurityRanges.Add
                .Name = "(" & sReason & ") " & sIPAddress
                .LowerIP = sIPAddress
                .UpperIP = sIPAddress
                .Priority = 20
                .Expires = True
                .ExpiresTime = DateAdd(sType, iDuration, Now())
                .Save
            End With
            AutoBan = True
            Result.Value = 1
        End If
        On Error GoTo 0
        .Close
    End With
    Set oApp = Nothing
End Function

Function LockFile(strPath)
    Const Append = 8
    Const Unicode = -1
    Dim i
    On Error Resume Next
    With CreateObject("Scripting.FileSystemObject")
        For i = 0 To 30
            Err.Clear
            Set LockFile = .OpenTextFile(strPath, Append, True, Unicode)
            ' Err.Number = 70 is "Permission denied": another handler holds the lock file
            If (Not Err.Number = 70) Then Exit For
            Wait(1)
        Next
    End With
    If (Err.Number = 70) Then
        EventLog.Write( "ERROR: EventHandlers.vbs" )
        EventLog.Write( "File " & strPath & " is locked and timeout was exceeded." )
        Err.Clear
    ElseIf (Err.Number <> 0) Then
        EventLog.Write( "ERROR: EventHandlers.vbs : Function LockFile" )
        EventLog.Write( "Error : " & Err.Number )
        EventLog.Write( "Error (hex) : 0x" & Hex(Err.Number) )
        EventLog.Write( "Source : " & Err.Source )
        EventLog.Write( "Description : " & Err.Description )
        Err.Clear
    End If
    On Error GoTo 0
End Function

Function Wait(sec)
    With CreateObject("WScript.Shell")
        .Run "powershell Start-Sleep -Milliseconds " & Int(sec * 1000), 0, True
    End With
End Function

'******************************************************************************************************************************
'********** IP is already banned? (for use via POPFetch or Incoming Relay) **********
'******************************************************************************************************************************
Function isIPBanned(oClient) : isIPBanned = False
    Dim a, strIP, strLowerIP, strUpperIP, strRegEx
    Dim oApp : Set oApp = CreateObject("hMailServer.Application")
    Call oApp.Authenticate(ADMIN, PASSWORD)
    strIP = INET_NTOA(oClient.IPAddress)
    For a = 0 To oApp.Settings.SecurityRanges.Count-1
        ' only the ranges created by AutoBan/CIDRBan (priority 20) are considered
        If (oApp.Settings.SecurityRanges.Item(a).Priority = 20) Then
            strLowerIP = INET_NTOA(oApp.Settings.SecurityRanges.Item(a).LowerIP)
            strUpperIP = INET_NTOA(oApp.Settings.SecurityRanges.Item(a).UpperIP)
            If (strUpperIP >= strIP) And (strIP >= strLowerIP) Then
                isIPBanned = True
                Set oApp = Nothing
                Exit Function
            End If
        End If
    Next
    Set oApp = Nothing
End Function

' Converts a dotted-quad IPv4 string to its 32-bit numeric value so ranges can be compared
' (despite the name this is the inet_aton direction)
Function INET_NTOA(strIP)
    Dim a, i, N : N = 0
    a = Split(strIP, ".")
    For i = 0 To UBound(a)
        N = N + CLng(a(i)) * (256 ^ (3 - i))
    Next
    INET_NTOA = N
End Function

'******************************************************************************************************************************
'********** CIDR stuff 51.15.0.0/15 **********
'******************************************************************************************************************************
Function CIDRBan(CIDR, sReason, iDuration, sType) : CIDRBan = False
    '
    ' sType can be one of the following;
    ' "yyyy" Year, "m" Month, "d" Day, "h" Hour, "n" Minute, "s" Second
    '
    Dim oApp : Set oApp = CreateObject("hMailServer.Application")
    Call oApp.Authenticate(ADMIN, PASSWORD)
    With LockFile(TEMPDIR & "\cidrban.lck")
        On Error Resume Next
        Dim oSecurityRange : Set oSecurityRange = oApp.Settings.SecurityRanges.ItemByName("(" & sReason & ") " & CIDR)
        If Err.Number = 9 Then
            With oApp.Settings.SecurityRanges.Add
                .Name = "(" & sReason & ") " & CIDR
                .LowerIP = CIDR2IP(CIDR, False)
                .UpperIP = CIDR2IP(CIDR, True)
                .Priority = 20
                .Expires = True
                .ExpiresTime = DateAdd(sType, iDuration, Now())
                .Save
            End With
            CIDRBan = True
            Result.Value = 1
        End If
        On Error GoTo 0
        .Close
    End With
    Set oApp = Nothing
End Function

' Returns the first (high = False) or last (high = True) address of a CIDR block
Function CIDR2IP(CIDR, high)
    Const highs = "11111111111111111111111111111111"
    Const lows = "00000000000000000000000000000000"
    Dim byte0, byte1, byte2, byte3, mask, bytes, rangelow, rangehigh, iplow, iphigh
    byte0 = Dec2Bin(Split(CIDR, ".")(0))
    byte1 = Dec2Bin(Split(CIDR, ".")(1))
    byte2 = Dec2Bin(Split(CIDR, ".")(2))
    byte3 = Dec2Bin(Split(Split(CIDR, ".")(3), "/")(0))
    mask = Split(Split(CIDR, ".")(3), "/")(1)
    bytes = byte0 & byte1 & byte2 & byte3
    rangelow = Left(bytes, mask) & Right(lows, 32 - mask)
    rangehigh = Left(bytes, mask) & Right(highs, 32 - mask)
    iplow = Bin2IP(Left(bytes, mask) & Right(lows, 32 - mask))
    iphigh = Bin2IP(Left(bytes, mask) & Right(highs, 32 - mask))
    If high Then
        CIDR2IP = iphigh
    Else
        CIDR2IP = iplow
    End If
End Function

'
' Expecting input like 00000000000000000000000000000000
'
Function Bin2IP(strbin)
    Dim ip0, ip1, ip2, ip3
    ip0 = Bin2Dec(Mid(strbin, 1, 8))
    ip1 = Bin2Dec(Mid(strbin, 9, 8))
    ip2 = Bin2Dec(Mid(strbin, 17, 8))
    ip3 = Bin2Dec(Mid(strbin, 25, 8))
    'combines all of the bytes into a single string
    Bin2IP = ip0 & "." & ip1 & "." & ip2 & "." & ip3
End Function

'
' Expecting input like 00010101
'
Function Bin2Dec(strbin)
    Dim length, dec, x, binval, temp
    length = Len(strbin)
    dec = 0
    For x = 1 To length
        binval = 2 ^ (length - x)
        temp = Mid(strbin, x, 1)
        If temp = "1" Then dec = dec + binval
    Next
    Bin2Dec = dec
End Function

'
' Expecting input 0 thru 255
'
Function Dec2Bin(dec)
    Const maxpower = 7
    Const length = 8
    Dim bin, x, m
    bin = ""
    x = cLng(dec)
    For m = maxpower To 0 Step -1
        If x And (2 ^ m) Then
            bin = bin + "1"
        Else
            bin = bin + "0"
        End If
    Next
    Dec2Bin = bin
End Function
SørenR.
Woke is Marxism advancing through Maoist cultural revolution.
Re: Check incoming connections with AbuseIPDB
@RvdH
The offending IP connected twice in 6 seconds trying to submit spam, but was rejected twice by Spamhaus.
I have no idea how to implement autoban for that type of connections.
HMS 5.6.9-B2587.46 on Windows Server 2019
Re: Check incoming connections with AbuseIPDB
Even with autoban enabled I get the "Too Many Requests" error from time to time, some try to hammer in
Code:
8252 "2020-03-31 12:41:39.432" "INFO: ReportToAbuseIPDB: Unauthorized connection attempt from IP address 198.108.67.48 on port 465"
6876 "2020-03-31 12:41:39.463" "WARN: AbuseIPDB Error: Too Many Requests"
9052 "2020-03-31 12:41:40.415" "WARN: AbuseIPDB Error: Too Many Requests"
6248 "2020-03-31 12:41:41.382" "WARN: AbuseIPDB Error: Too Many Requests"
8264 "2020-03-31 12:41:41.382" "WARN: AbuseIPDB Error: Too Many Requests"
5864 "2020-03-31 12:41:41.523" "WARN: AbuseIPDB Error: Too Many Requests"
I only use the abuseipdb check/report on the client ports (143, 465, 587, 993, 995) in combination with a GEO check and autoban
You can also turn off error logging in the ReportToAbuseIPDB function, only in that case you won't see any (other) errors either
Re: Check incoming connections with AbuseIPDB
Yes, I'll leave port 25 out. Authentication is already disabled on 25.
Re: Check incoming connections with AbuseIPDB
I ran into that situation with my firewall ban project. Now every ban/reject goes like this:
1) call your disconnect.exe
2) autoban 1 hour
3) call firewall ban
What I found is that sometimes there are simultaneous connections caused by waiting for the first connection to be fully tested against whatever filters you have. By the time it's done making its way through your filters, several other new connections from the same IP flood in and THOSE are not affected by the autoban you just called. Disconnect.exe wipes them all out and allows autoban to do its job. Autoban ONLY prevents the connection - once the connection is made, it's too late for autoban to do anything.
Re: Check incoming connections with AbuseIPDB
Disconnect.exe is called from within my Autoban procedure, I am using an older version, the sub version and not the function (bool) version SorenR created afterwards
I don't see much value in doing a firewall ban, simply ban them for a few hours or even a day, these are all automated (exploited) systems anyway, they simply keep coming back
With autoban expiring daily (mostly) I also keep reporting offending IPs to blocklist.de and now abuseipdb and by doing so helping others
The 'WARN: AbuseIPDB Error: Too Many Requests' message doesn't bother me that much, I know what it means
My limits are increased after registering a domain and reporting IPs, the daily report/lookup limit is now 5000
https://www.abuseipdb.com/user/40316
FYI: Reports for port 3389 are sent using another program
Re: Check incoming connections with AbuseIPDB
RvdH wrote: ↑2020-03-31 20:47
My limits are increased after registering a domain and reporting IPs, the daily report/lookup limit is now 5000
https://www.abuseipdb.com/user/40316
I'd be WAAAAYYY below that since I already banned a good portion of the spamming world. They don't get second chances with me.
FYI: Reports for port 3389 are sent using another program
Good idea! I already parse the firewall log as part of my firewall ban project, so adding this is a no-brainer. Thanks.
Re: Check incoming connections with AbuseIPDB
palinka wrote: ↑2020-03-31 21:26
RvdH wrote: ↑2020-03-31 20:47
My limits are increased after registering a domain and reporting IPs, the daily report/lookup limit is now 5000
https://www.abuseipdb.com/user/40316
I'd be WAAAAYYY below that since I already banned a good portion of the spamming world. They don't get second chances with me.
You misunderstood me, of course once you ban them for a longer time.... but what if you disable that firewall ban for a week or month, then you are back at normal rates
Therefore I said a firewall ban is kinda useless/overkill (for me and my usage) and besides that I cannot report misbehaving IPs using a firewall ban
I use this service: https://github.com/DigitalRuby/IPBan
Re: Check incoming connections with AbuseIPDB
That's for sure!
Actually not entirely. There are always new bot infections. One of the benefits of my project is the database that goes with it. Makes it easy to find patterns. I've noticed waves of spammers that I assume are new bot infections. Right now we're in a lull, which I'm assuming has to do with fewer corporate workstations being turned on while people are working at home.
You can check out the demo if you want: https://firewallban.dynu.net/
I use this service: https://github.com/DigitalRuby/IPBan
I'll check it out. But... I forgot I have port 3389 closed at the router firewall (access only via VPN and even then only on a custom port). So mail ports only for me. My crappy ISP supplied router doesn't support any kind of scripting.
Re: Check incoming connections with AbuseIPDB
My data submitted to AbuseIPDB is gathered from 3 different systems: my home setup (only hMailServer, RDP is locked by firewall), our company's/work hMailServer instance (only hMailServer, RDP is locked by firewall) and a work development server (no hMailServer, only RDP to connect from home, or when doing client visits)
Re: Check incoming connections with AbuseIPDB
The server I am testing this script on, is low usage so I'm not getting anywhere near the AbuseIPDB limits. Therefore I kept port 25 included after all.
This server is also functioning as backup mx. What I don't understand is that when a perfectly legit message is submitted to be relayed to the primary mx, the originally connecting IP is reported to AbuseIPDB. It even reported a Google IP.
Re: Check incoming connections with AbuseIPDB
fjansen04 wrote: ↑2020-04-01 09:36
The server I am testing this script on, is low usage so I'm not getting anywhere near the AbuseIPDB limits. Therefore I kept port 25 included after all.
This server is also functioning as backup mx. What I don't understand is that when a perfectly legit message is submitted to be relayed to the primary mx, the originally connecting IP is reported to AbuseIPDB. It even reported a Google IP.
Dude, for real?
When do you call ReportToAbuseIPDB? You should only call it when you are sure it is a misbehaving IP, therefore the best way is to combine it with some GEO check.... if a Chinese server tries to authenticate against client (IMAP/POP3) ports I can tell for sure this is an infected/misbehaving system as we don't have Chinese clients
If you call it for every incoming connection even legit servers get reported, as you told it to do so!
Please post the code snippet where you call ReportToAbuseIPDB so it can be reviewed
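The gating rules the thread lays out (palinka's disconnect/autoban/report order and the 15 minute per-IP report limit earlier in the thread, RvdH's "client ports plus GEO check, never port 25" policy just above), as an added Python example that is not code from the thread, from hMailServer or from AbuseIPDB. It runs offline; HOME_COUNTRIES, DEFAULT_BAN and the sample addresses are constructed assumptions:

```python
"""Added example (not code from the thread): gating AbuseIPDB reports offline.

Rules taken from the posts above:
  * report only client-port abuse (143, 465, 587, 993, 995), never port 25
    relay traffic, and only when a GEO check says the client does not belong;
  * report a given IP at most once per 15 minutes (the AbuseIPDB limit);
  * disconnect and autoban first, so later connections from the same IP are
    refused before they reach the filters and the reporter again.
HOME_COUNTRIES and DEFAULT_BAN are constructed assumptions.
"""
import ipaddress
from datetime import datetime, timedelta

CLIENT_PORTS = {143, 465, 587, 993, 995}   # ports RvdH applies the check/report to
REPORT_WINDOW = timedelta(minutes=15)       # AbuseIPDB: one report per IP per 15 minutes
HOME_COUNTRIES = {"NL"}                     # assumption: countries our own users connect from
DEFAULT_BAN = timedelta(hours=1)            # assumption: palinka's 1 hour autoban


def wants_report(port, country_code):
    """Thread policy: report client-port abuse only, and only from countries we have no users in."""
    return port in CLIENT_PORTS and country_code not in HOME_COUNTRIES


class ReportThrottle:
    """Remembers when each IP was last reported; refuses a second report inside the window."""

    def __init__(self, window=REPORT_WINDOW):
        self.window = window
        self._last_report = {}

    def allow(self, ip, now):
        last = self._last_report.get(ip)
        if last is not None and now - last < self.window:
            return False          # would only earn a "Too Many Requests" from AbuseIPDB
        self._last_report[ip] = now
        return True


class BanList:
    """Expiring bans on single IPs or CIDR ranges, like the AutoBan/CIDRBan security ranges."""

    def __init__(self):
        self._entries = []        # (network, expires_at, reason)

    def ban(self, target, reason, now, duration=DEFAULT_BAN):
        net = ipaddress.ip_network(target, strict=False)   # "203.0.113.5" or "51.15.0.0/15"
        self._entries.append((net, now + duration, reason))

    def is_banned(self, ip, now):
        addr = ipaddress.ip_address(ip)
        self._entries = [e for e in self._entries if e[1] > now]   # drop expired bans
        return any(addr in net for net, _, _ in self._entries)


def on_rejected_client(ip, port, country_code, reason, throttle, bans, now):
    """Actions for one rejected connection, in the order palinka lists them."""
    actions = ["disconnect"]      # drop the live session first; a ban cannot touch it
    if not bans.is_banned(ip, now):
        bans.ban(ip, reason, now)
        actions.append("autoban")
    if wants_report(port, country_code) and throttle.allow(ip, now):
        actions.append("report")
    return actions


def demo_timeline():
    """Constructed burst: one host hits port 465 five times in 2 seconds, then again 2 hours later."""
    throttle, bans = ReportThrottle(), BanList()
    t0 = datetime(2020, 3, 31, 12, 41, 39)
    out = []
    for offset in (0, 0.5, 1, 1.5, 2):
        out.append(on_rejected_client("198.51.100.7", 465, "CN", "brute-force",
                                      throttle, bans, t0 + timedelta(seconds=offset)))
    out.append(on_rejected_client("198.51.100.7", 465, "CN", "brute-force",
                                  throttle, bans, t0 + timedelta(hours=2)))
    # port 25 relay traffic and a home-country client are banned but never reported
    out.append(on_rejected_client("203.0.113.5", 25, "CN", "spam", throttle, bans, t0))
    out.append(on_rejected_client("203.0.113.9", 993, "NL", "auth", throttle, bans, t0))
    # a CIDR ban covers the whole range, as CIDRBan does with 51.15.0.0/15
    bans.ban("51.15.0.0/15", "cidr", t0)
    out.append([bans.is_banned("51.14.200.1", t0), bans.is_banned("51.16.0.1", t0)])
    return out


if __name__ == "__main__":
    for step in demo_timeline():
        print(step)
```

The burst in `demo_timeline` is the situation from the log excerpt above: only the first connection produces a report, the four that are already in flight are disconnected and silently skipped by the throttle, and once the ban has expired a fresh offence is reported again.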
Re: Check incoming connections with AbuseIPDB
You're absolutely right.
I will reset everything according to your specs.
Re: Check incoming connections with AbuseIPDB
Quick question: First, I assume this means no IP with confidence score < 40 returns TRUE. Correct?
Also, I have no experience with this yet. Is > 40 a good number to work with? Should it be closer to 100 for rejection?
Re: Check incoming connections with AbuseIPDB
By the way, I got it working with powershell.
Not sure what I plan to use it for yet. Bases are pretty much covered with your thing in hMailServer.
Code:
$IP = "77.40.2.198"
$URICheck = "https://api.abuseipdb.com/api/v2/check"
$URIReport = "https://api.abuseipdb.com/api/v2/report"
$Header = @{
    'Key' = 'supersecretkey';
    'Accept' = 'application/json';
}
$BodyCheck = @{
    'ipAddress' = $IP;
    'maxAgeInDays' = '90';
    'verbose' = '';
}
$BodyReport = @{
    'ip' = $IP;
    'categories' = '18,20';
    'comment' = '.mari-el.ru Spam Factory';
} | ConvertTo-JSON
<# check #>
$AbuseIPDB = Invoke-RestMethod -Method GET $URICheck -Header $Header -Body $BodyCheck -ContentType 'application/json; charset=utf-8'
$AbuseIPDB.data.abuseConfidenceScore
<# report #>
$AbuseIPDB = Invoke-RestMethod -Method POST $URIReport -Header $Header -Body $BodyReport -ContentType 'application/json; charset=utf-8'
$AbuseIPDB.data.abuseConfidenceScore
Re: Check incoming connections with AbuseIPDB
palinka wrote: ↑2020-04-02 03:44
RvdH wrote: ↑2020-03-22 13:31
Code:
.SetMaxConfidenceScore(40)
Quick question: First, I assume this means no IP with confidence score < 40 returns TRUE. Correct?
Correct
Code:
public bool BlockEndpoint(string ipAddress)
{
    return GetConfidenceScore(ipAddress) >= _maxScore;
}
Me neither...but looks like 40 is a good starting point
Re: Check incoming connections with AbuseIPDB
palinka wrote: ↑2020-04-02 03:54
By the way, I got it working with powershell.
Not sure what I plan to use it for yet. Bases are pretty much covered with your thing in hMailServer.
Code:
$IP = "77.40.2.198"
$URICheck = "https://api.abuseipdb.com/api/v2/check"
$URIReport = "https://api.abuseipdb.com/api/v2/report"
$Header = @{
    'Key' = 'supersecretkey';
    'Accept' = 'application/json';
}
$BodyCheck = @{
    'ipAddress' = $IP;
    'maxAgeInDays' = '90';
    'verbose' = '';
}
$BodyReport = @{
    'ip' = $IP;
    'categories' = '18,20';
    'comment' = '.mari-el.ru Spam Factory';
} | ConvertTo-JSON
<# check #>
$AbuseIPDB = Invoke-RestMethod -Method GET $URICheck -Header $Header -Body $BodyCheck -ContentType 'application/json; charset=utf-8'
$AbuseIPDB.data.abuseConfidenceScore
<# report #>
$AbuseIPDB = Invoke-RestMethod -Method POST $URIReport -Header $Header -Body $BodyReport -ContentType 'application/json; charset=utf-8'
$AbuseIPDB.data.abuseConfidenceScore
Cool
I am now working on an AbuseIPDB-IIS-Module
Re: Check incoming connections with AbuseIPDB
Cleaned up the powershell.
GitHub: https://github.com/palinkas-jo-reggelt/ ... eck-Report
Code:
<#
.SYNOPSIS
    AbuseIPDBCheckOrReport.ps1: AbuseIPDB.com Check or Report IP
.DESCRIPTION
    AbuseIPDBCheckOrReport.ps1: Powershell script to check or report IP at AbuseIPDB.com
.FUNCTIONALITY
    1) Checks IP -> Returns status, abuseConfidenceScore
    2) Reports IP -> Returns status, abuseConfidenceScore
.PARAMETER IP
    Specifies the IP address to be checked or reported.
.PARAMETER Categories
    Specifies the categories of reported IPs. !REQUIRED FOR REPORT IP! See https://www.abuseipdb.com/categories for full list.
.PARAMETER Comment
    Specifies the comments to be included with reported IP. Parameter optional.
.NOTES
.EXAMPLE
    Check IP:
    $CheckIP = & C:\path\to\AbuseIPDBCheckOrReport.ps1 "77.40.61.210"
    $CheckIP.Status
    $CheckIP.Confidence
    Report IP:
    $CheckIP = & C:\path\to\AbuseIPDBCheckOrReport.ps1 "77.40.61.210" "11"
    $CheckIP.Status
    $CheckIP.Confidence
    $CheckIP = & C:\path\to\AbuseIPDBCheckOrReport.ps1 "77.40.61.210" "11" "spammer"
    $CheckIP.Status
    $CheckIP.Confidence
    Report IP with error:
    $CheckIP = & C:\path\to\AbuseIPDBCheckOrReport.ps1 "127.0.0.2" "11"
    $CheckIP.Status
    $CheckIP.Confidence
    $CheckIP = & C:\path\to\AbuseIPDBCheckOrReport.ps1 "127.0.0.2" "11" "spammer"
    $CheckIP.Status
    $CheckIP.Confidence
#>

Param(
    [Parameter(Mandatory=$True)]
    [ValidatePattern("((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))")]
    [String]$IP,
    [Parameter(Mandatory=$False)]
    [AllowEmptyString()]
    [String]$Categories,
    [Parameter(Mandatory=$False)]
    [AllowEmptyString()]
    [String]$Comment
)

$Error.Clear()

<### USER VARIABLES ###>
$APIKey = "supersecretkey"

$Header = @{
    'Key' = $APIKey;
}

# No categories given -> check the IP; categories given -> report it
If ([string]::IsNullOrEmpty($Categories)) {
    $URICheck = "https://api.abuseipdb.com/api/v2/check"
    $BodyCheck = @{
        'ipAddress' = $IP;
        'maxAgeInDays' = '90';
        'verbose' = '';
    }
    Try {
        $AbuseIPDB = Invoke-RestMethod -Method GET $URICheck -Header $Header -Body $BodyCheck -ContentType 'application/json; charset=utf-8'
        $StatusNum = "200"
        $ConfidenceScore = $AbuseIPDB.data.abuseConfidenceScore
    }
    Catch {
        # Pull the three-digit HTTP status out of the exception text
        $ErrorMessage = $_.Exception.Message
        [regex]$RegexErrorNum = "\d{3}"
        $StatusNum = ($RegexErrorNum.Matches($ErrorMessage)).Value
    }
} Else {
    $URIReport = "https://api.abuseipdb.com/api/v2/report"
    $BodyReport = @{
        'ip' = $IP;
        'categories' = $Categories;
        'comment' = $Comment;
    } | ConvertTo-JSON
    Try {
        $AbuseIPDB = Invoke-RestMethod -Method POST $URIReport -Header $Header -Body $BodyReport -ContentType 'application/json; charset=utf-8'
        $StatusNum = "200"
        $ConfidenceScore = $AbuseIPDB.data.abuseConfidenceScore
    }
    Catch {
        $ErrorMessage = $_.Exception.Message
        [regex]$RegexErrorNum = "\d{3}"
        $StatusNum = ($RegexErrorNum.Matches($ErrorMessage)).Value
    }
}

$Response = @{
    'Status' = $StatusNum;
    'Confidence' = $ConfidenceScore;
}

Return $Response
Re: Check incoming connections with AbuseIPDB
I've been doing AbuseIPDB checks for a while and it works great but I have a slight issue which relates to logging/diagnostics. When emails from someone aren't coming through it is very difficult to check if it is due to AbuseIPDB since the email domain is not tagged with the IP block.
I think it would be much better if the connection was "tagged" as abusive in OnClientConnect but allowed to continue the first time until the sending domain/email was identified so it could be added to the banned IP info. Thoughts on the best way to achieve this?
Re: Check incoming connections with AbuseIPDB
Not sure what you are trying to accomplish, is it relevant at all and additionally is there any reason to monitor the address it sends To/From if it's coming through a server tagged by abuseipdb?
You could always shift the ListedInAbuseIPDB(strIP) check down the events handled, for example to OnSMTPData(oClient, oMessage) if you like to access the FromAddress header
Or even later, in Sub OnAcceptMessage(oClient, oMessage) if you like to access the From/To fields
Personally I would always combine this with an Autoban, to stop hammering/retrying
Re: Check incoming connections with AbuseIPDB
Clearly had a brainfart...of course I can just do the check there instead of splitting it up.
It is relevant if you are trying to help someone diagnose why your email server isn't accepting emails from them. Sometimes the sending IP address changes, sometimes they use multiple services to send mail and it is difficult to pin down an IP address, etc. It's good information to have. If you aren't getting email from domain XYZ.com then you can just search your banned IP info for that domain to see if that's the cause.
Re: Check incoming connections with AbuseIPDB
mikernet wrote: ↑2020-04-03 18:56
Clearly had a brainfart...of course I can just do the check there instead of splitting it up.
It is relevant if you are trying to help someone diagnose why your email server isn't accepting emails from them. Sometimes the sending IP address changes, sometimes they use multiple services to send mail and it is difficult to pin down an IP address, etc. It's good information to have. If you aren't getting email from domain XYZ.com then you can just search your banned IP info for that domain to see if that's the cause.
Maybe you should LOG everything in a way that's easily searchable.
Re: Check incoming connections with AbuseIPDB
That's kind of the point. Can't log the email/domain if you cut off the connection before you get that info...
Re: Check incoming connections with AbuseIPDB
IP is better than nothing if there's a reason associated with it.
You could also increase the confidence score closer to 100 to be sure it's not rejecting false positives.
Re: Check incoming connections with AbuseIPDB
I already have the IP. What I was posting about was also getting the domain. As indicated above, we've already solved that issue so I'm not really sure where this is going.
Re: Check incoming connections with AbuseIPDB
Yes, I'm using RvdH's version of the script, and it is quite effective.
Re: Check incoming connections with AbuseIPDB
Well... Not an update of Po-in's script but just to show how it works. The v2 API is quite different both in web calling and how to interpret the JSON data. Also, it won't work pre Windows Server 2008 because TLS 1.0/SSL 3.0 are not supported anymore.
Code:
Option Explicit
Include("C:\hMailServer\Events\VbsJson.vbs")

' Loads and executes another VBScript file in the global scope (here: the VbsJson parser)
Function Include(sInstFile)
    Dim f, s, fso
    Set fso = CreateObject("Scripting.FileSystemObject")
    On Error Resume Next
    If fso.FileExists(sInstFile) Then
        Set f = fso.OpenTextFile(sInstFile)
        s = f.ReadAll
        f.Close
        ExecuteGlobal s
    End If
    On Error GoTo 0
    Set f = Nothing
    Set fso = Nothing
End Function

' Queries the APIv2 check endpoint and returns the decoded JSON; the HTTP status is passed back in ReturnCode
Function oAbuseIPDB(strIP, ByRef ReturnCode)
    Dim oXML, json
    Const SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS = 13056
    Const APIKEY = "v2 ApiKey"
    Const DAYS = 90
    Set json = New VbsJson
    ' On Error Resume Next
    Set oXML = CreateObject("Msxml2.ServerXMLHTTP.6.0")
    oXML.open "GET", "https://api.abuseipdb.com/api/v2/check?ipAddress=" & strIP & "&maxAgeInDays=" & DAYS & "&verbose", False
    oXML.setOption(2) = SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS
    oXML.setRequestHeader "Key", APIKEY
    oXML.setRequestHeader "Accept", "application/json"
    oXML.send
    Set oAbuseIPDB = json.Decode(oXML.responsetext)
    ReturnCode = oXML.Status
    ' On Error Goto 0
    If (ReturnCode <> 200 ) Then WScript.Echo( "<error> api.abuseipdb.com lookup failed, error code: " & ReturnCode & " on IP address " & strIP )
End Function

Dim oAbuseIP, oData, oReport, Category, ReturnCode
Set oAbuseIP = oAbuseIPDB("118.25.6.39", ReturnCode)
Set oData = oAbuseIP("data")
WScript.Echo "****"
WScript.Echo "IP address " & oData("ipAddress")
WScript.Echo "totalReports " & oData("totalReports")
WScript.Echo "abuseConfidenceScore " & oData("abuseConfidenceScore")
WScript.Echo "lastReportedAt " & oData("lastReportedAt")
WScript.Echo
For Each oReport In oData("reports")
    WScript.Echo "reportedAt " & oReport("reportedAt")
    For Each Category In oReport("categories")
        WScript.Echo "categories " & Category
    Next
    WScript.Echo
Next
WScript.Echo "****"
WScript.Quit 0
Code:
{
  "data": {
    "ipAddress": "118.25.6.39",
    "isPublic": true,
    "ipVersion": 4,
    "isWhitelisted": false,
    "abuseConfidenceScore": 100,
    "countryCode": "CN",
    "countryName": "China",
    "usageType": "Data Center/Web Hosting/Transit",
    "isp": "Tencent Cloud Computing (Beijing) Co. Ltd",
    "domain": "tencent.com",
    "hostnames": [],
    "totalReports": 1,
    "numDistinctUsers": 1,
    "lastReportedAt": "2018-12-20T20:55:14+00:00",
    "reports": [
      {
        "reportedAt": "2018-12-20T20:55:14+00:00",
        "comment": "Dec 20 20:55:14 srv206 sshd[13937]: Invalid user oracle from 118.25.6.39",
        "categories": [
          18,
          22
        ],
        "reporterId": 1,
        "reporterCountryCode": "US",
        "reporterCountryName": "United States"
      }
    ]
  }
}
SørenR.
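How the APIv2 check response above turns into a decision, using the ">= 40 means block" threshold RvdH confirmed earlier in the thread, as an added Python example that is not code from the thread, from hMailServer or from AbuseIPDB. It makes no network call: the request is only built (the query-parameter form and the `Key` header, which is where the v1-style scripts go wrong), and the sample bodies are constructed from SorenR's JSON and from the APIv1 sunset message quoted later in the thread. The API key is a placeholder.

```python
"""Added example (not from the thread): build an AbuseIPDB APIv2 check request
and turn the answer into a block/allow decision with the thread's threshold.
No network call is made; the sample bodies are constructed from the JSON in
the thread. The API key is a placeholder."""
import json
from urllib.parse import urlencode
from urllib.request import Request

CHECK_ENDPOINT = "https://api.abuseipdb.com/api/v2/check"
MAX_CONFIDENCE_SCORE = 40     # the .SetMaxConfidenceScore(40) starting point from the thread


def build_check_request(ip, api_key, max_age_days=90):
    """v2 takes the address as a query parameter (not a path segment) and the key in a 'Key' header."""
    query = urlencode({"ipAddress": ip, "maxAgeInDays": max_age_days, "verbose": ""})
    return Request(f"{CHECK_ENDPOINT}?{query}",
                   headers={"Key": api_key, "Accept": "application/json"}, method="GET")


def interpret_check(status, body):
    """Map HTTP status plus JSON body to a decision.

    block  : abuseConfidenceScore >= MAX_CONFIDENCE_SCORE (BlockEndpoint in the thread)
    allow  : below the threshold, or whitelisted by AbuseIPDB
    retry  : 429 Too Many Requests; a rate-limited lookup is not a verdict on the IP
    error  : anything else, carrying the API's detail text (e.g. the APIv1 sunset notice)
    """
    if status == 429:
        return {"action": "retry", "reason": "Too Many Requests"}
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return {"action": "error", "reason": f"HTTP {status}, non-JSON body"}
    if status != 200 or "data" not in doc:
        return {"action": "error", "reason": doc.get("detail") or f"HTTP {status}"}
    data = doc["data"]
    score = int(data["abuseConfidenceScore"])
    if data.get("isWhitelisted"):
        return {"action": "allow", "score": score, "reason": "whitelisted by AbuseIPDB"}
    return {"action": "block" if score >= MAX_CONFIDENCE_SCORE else "allow",
            "score": score, "reports": data.get("totalReports", 0),
            "country": data.get("countryCode")}


# constructed from the sample response in the thread (trimmed to the fields used)
SAMPLE_CHECK_OK = json.dumps({"data": {
    "ipAddress": "118.25.6.39", "isPublic": True, "isWhitelisted": False,
    "abuseConfidenceScore": 100, "countryCode": "CN", "totalReports": 1,
    "lastReportedAt": "2018-12-20T20:55:14+00:00"}})

# constructed from the body an APIv1 URL returns, as quoted in the thread
SAMPLE_V1_SUNSET = json.dumps({
    "detail": "The APIv1 check endpoint has sunset. Please migrate to the APIv2 "
              "version of this endpoint. You will need a new API key.",
    "links": {"related": "https://docs.abuseipdb.com/#check-endpoint"}, "status": 404})


def demo():
    """Run the decision logic over the constructed cases and return the outcomes."""
    low = json.loads(SAMPLE_CHECK_OK)
    low["data"]["abuseConfidenceScore"] = 10        # same host, below the threshold
    req = build_check_request("118.25.6.39", "API-KEY-PLACEHOLDER")
    return {
        "url": req.full_url,
        "key_header": req.get_header("Key"),
        "high": interpret_check(200, SAMPLE_CHECK_OK)["action"],
        "low": interpret_check(200, json.dumps(low))["action"],
        "limited": interpret_check(429, "")["action"],
        "sunset": interpret_check(404, SAMPLE_V1_SUNSET)["reason"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Treating 429 as "retry" rather than "allow" or "block" is the design choice worth noting: the "Too Many Requests" bursts shown earlier in the thread say nothing about the IP, so the autoban (or a cached earlier verdict) has to carry the decision until the limit clears.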
Re: Check incoming connections with AbuseIPDB
Cool json, bro.
Re: Check incoming connections with AbuseIPDB
Hey, I was just trying this out, got this message returned:
{"detail":"The APIv1 check endpoint has sunset. Please migrate to the APIv2 version of this endpoint. You will need a new API key.","links":{"related":"https:\/\/docs.abuseipdb.com\/#check-endpoint"},"status":404}
Any update to the original VBScript? I used the 2nd VBScript in this thread.
Re: Check incoming connections with AbuseIPDB
Did you read the whole thread?
scottkeen wrote: ↑2021-03-16 22:00
Hey, I was just trying this out, got this message returned:
{"detail":"The APIv1 check endpoint has sunset. Please migrate to the APIv2 version of this endpoint. You will need a new API key.","links":{"related":"https:\/\/docs.abuseipdb.com\/#check-endpoint"},"status":404}
Any update to the original VBScript? I used the 2nd VBScript in this thread.
Re: Check incoming connections with AbuseIPDB
I'm trying to make this work but it appears that I am not able to send the api key in the header. Can anyone check what might be wrong in my code:
This is the output from print that I get:
Code: Select all
Sub AbuseIPDB()
'Declare variables
Dim response As WinHttpRequest
Dim api As String
api = "insert api key here" 'paste your AbuseIPDB APIv2 key between the quotes
Set response = New WinHttpRequest
'Define URL Components
'APIv2 takes the IP as the ipAddress query parameter; appending it to the path only returns the "AbuseIPDB APIv2 Server." banner
base_url = "https://api.abuseipdb.com/api/v2/check?ipAddress="
param_ip_val = Sheet4.Range("A2").Value
api_url = base_url & param_ip_val
response.Open "GET", api_url
response.SetRequestHeader "Key", api
response.SetRequestHeader "Accept", "application/json"
response.Send
'Print the status code in case something went wrong
Debug.Print "The Request was " & CStr(response.Status)
'print raw response for checking
Debug.Print response.ResponseText
'Define a few object variables
Dim JsonResponse As Object
Dim data As Dictionary
'Parse the response
Set JsonResponse = JsonConverter.ParseJson(response.ResponseText)
'The fields live under the "data" object of the APIv2 response; without this Set, data is Nothing
Set data = JsonResponse("data")
'Grab the Abuse Score
Debug.Print data("abuseConfidenceScore")
'Grab the countryCode
Debug.Print data("countryCode")
'Grab the isp
Debug.Print data("isp")
'Grab the domain
Debug.Print data("domain")
'Grab the totalReports
Debug.Print data("totalReports")
End Sub
Code: Select all
The Request was 200
AbuseIPDB APIv2 Server.
Re: Check incoming connections with AbuseIPDB
Have a look at this post: viewtopic.php?p=219343#p219343
jcastillo725 wrote: ↑2022-01-19 05:36
I'm trying to make this work but it appears that I am not able to send the api key in the header. Can anyone check what might be wrong in my code:
- kimboslice
Re: Check incoming connections with AbuseIPDB
Which config should be used from this thread to check against AbuseIPDB? I appended this to the bottom of my eventhandler.vbs, but nothing seems to be written to the log. I'm a little confused on how this is supposed to work; I've re-read the thread 3 times... please advise
Function ListedInAbuseIPDB(strIP) : ListedInAbuseIPDB = false
With CreateObject("AbuseIPDBComponent.AbuseIPDBRestClient")
.SetApiKey("MYAPIKEY")
.SetMaxConfidenceScore(40)
.SetMaxAgeInDays(30)
On Error Resume Next
ListedInAbuseIPDB = .BlockEndpoint(strIP)
If (ListedInAbuseIPDB) then
EventLog.Write("AbuseIPDB Score:" & .GetConfidenceScore(strIP))
End If
If Err.Number <> 0 Then
EventLog.Write("AbuseIPDB Error: " & Err.Description)
End If
On Error Goto 0
End With
End Function
Re: Check incoming connections with AbuseIPDB
It is pretty much summed up here: https://www.hmailserver.com/forum/viewt ... 78#p219178
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
- kimboslice
Re: Check incoming connections with AbuseIPDB
I'm at a loss on what to actually do with those scripts; the second one looks like something that belongs in EventHandlers, but the first I don't understand what I am to do with?
RvdH wrote: ↑2022-03-13 11:23
It is pretty much summed up here: https://www.hmailserver.com/forum/viewt ... 78#p219178
Re: Check incoming connections with AbuseIPDB
They both go in eventhandlers: one is the function that checks AbuseIPDB, the other is the event trigger. Have you tried it yet?
kimboslice wrote: ↑2022-04-20 07:09
I'm at a loss on what to actually do with those scripts; the second one looks like something that belongs in EventHandlers, but the first I don't understand what I am to do with?
RvdH wrote: ↑2022-03-13 11:23
It is pretty much summed up here: https://www.hmailserver.com/forum/viewt ... 78#p219178
- kimboslice
Re: Check incoming connections with AbuseIPDB
Of course I've tried, otherwise I wouldn't be asking for help... nothing is ever written to the log... where exactly is the Function intended to go?
I have an API key and I've installed the component as well... not seeing anything written to the log.
Edit: scratch that, renewed the API key and it's working now, odd.
Re: Check incoming connections with AbuseIPDB
I played a little with this over the holidays (running 5.7).
First test. Just add bans to HMailServer.
- Two drawbacks. IP ranges created after the admin GUI will appear under IP ranges but cannot be opened until you restart the admin GUI
- At about 1500 rules MySQL consumed an entire CPU core and HMailServer took 60% of the next. Deleted the rules and down to sub 1% for both of them. Most likely something with my installation.
Second attempt. 2 Hour bans in HMailserver and longer bans using Windows Firewall.
Created a PowerShell script that reads all bans from hMailServer and creates block rules for them. Decided to be wild and crazy and created one rule per banned IP. The script runs once an hour. With a one-week block time I got about 3K block rules. The script also removes rules older than one week.
- Same issue about the rules in the GUI. Runs at sub 1% CPU.
Third attempt. Ban them in the Firewall direct from OnClientConnect.
Wrote a VBScript function to block the IP, Modified the Powershell script so that it only does cleanup.
If you do not run HmailServer as admin the account needs to be a member of Network Configuration Users to be allowed to add FW rules.
- Runs at sub 1% CPU.
I ban that IP for any protocol, any profile and any port.
The sub I use
Code: Select all
Sub BanIP(ipaddress)
EventLog.Write "Adding Firewall rule for " & ipaddress
' Create the FwPolicy2 object.
Dim fwPolicy2
Set fwPolicy2 = CreateObject("HNetCfg.FwPolicy2")
' Get the Rules object
Dim RulesObject
Set RulesObject = fwPolicy2.Rules
'Create a Rule Object.
Dim NewRule
Set NewRule = CreateObject("HNetCfg.FWRule")
NewRule.Name = ipaddress
NewRule.Description = "Created:" & now
NewRule.RemoteAddresses=ipaddress
NewRule.Direction = 1 ' 1 for in, 2 for out
NewRule.Enabled = TRUE
NewRule.Grouping = "MailBlacklist"
NewRule.Action = 0 '0 for block, 1 for allow
'Add a new rule
On Error Resume Next
RulesObject.Add NewRule
If (Err.Number = 0) Then
EventLog.Write "Added Firewall rule for " & ipaddress
Else
EventLog.Write "Error : " & Err.Number
EventLog.Write "ERROR: EventHandlers.vbs : Sub BanIP - Source : " & Err.Source
EventLog.Write "ERROR: EventHandlers.vbs : Sub BanIP - Description : " & Err.Description
Err.Clear
End If
On Error Goto 0
End Sub
The trick I'm using is the timestamp in the description. It allows my PowerShell script to decide which rules should be deleted.
Code: Select all
$ExpireMinutes=10080 # one week
# Delete Expired rules
$fwRules=Get-NetFirewallRule -DisplayGroup MailBlacklist
foreach($fwRule in $fwRules){
if((New-TimeSpan ($fwRule.Description.Substring(8))).TotalMinutes -gt $ExpireMinutes){
write-host "removing" $fwrule.name
Remove-NetFirewallRule -Name $fwRule.Name
}
}
Re: Check incoming connections with AbuseIPDB
Be careful with that. When you start to approach 10k firewall rules, Windows starts acting crazy. I know because I had a similar project. I solved that by grouping rules containing 400 IPs each. You will get a chance to find out one day when you get swarmed by bots.
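As an added example (not mats' or palinka's code) of how the two posts above fit together: the same MailBlacklist group and timestamp-in-description trick, but with up to 400 addresses packed into each rule, as palinka suggests, and the timestamp stored in ISO 8601 so the expiry parse does not depend on the server's locale. The function names and the one-day top-up window are my assumptions; the NetSecurity cmdlets are the ones already used in the thread.

```powershell
# Added example, not mats' or palinka's code. Same MailBlacklist group as the
# BanIP sub above, but each rule carries up to 400 remote addresses (palinka's
# workaround for the ~10k-rule slowdown) and the creation time is stored as
# ISO 8601 so the expiry check parses it regardless of the server's locale.
# Assumes an elevated session (or Network Configuration Users membership, as
# mats notes) and the NetSecurity module that ships with Windows.

$Group         = 'MailBlacklist'   # group name shared with mats' BanIP sub
$MaxPerRule    = 400               # addresses per rule, per palinka's note
$ExpireMinutes = 10080             # one week, as in mats' cleanup script
$AppendMinutes = 1440              # only top up rules younger than a day, so
                                   # every address stays blocked for >= 6 days
$Prefix        = 'Created:'        # description prefix, as in BanIP

function Get-RuleAddresses($Rule) {
    # RemoteAddress is a string for one entry and string[] for several; @()
    # normalises both. 'Any' means no address filter is set.
    $addr = ($Rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($addr -eq 'Any') { return @() }
    return @($addr)
}

function Get-RuleCreated($Rule) {
    # UTC creation time from the description, or $null for rules that were not
    # created by this tooling (so the cleanup never touches foreign rules).
    $desc = [string]$Rule.Description
    if (-not $desc.StartsWith($Prefix)) { return $null }
    return [datetime]::Parse($desc.Substring($Prefix.Length),
        [cultureinfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]::RoundtripKind)
}

function Add-BlockedAddress {
    param([Parameter(Mandatory)][string]$IpAddress)

    # Validate first: a malformed string would yield a rule that blocks nothing.
    if (-not [System.Net.IPAddress]::TryParse($IpAddress, [ref]$null)) {
        throw "Not an IP address: $IpAddress"
    }
    $rules = @(Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue)

    # Already listed? Then do nothing, so repeat bans do not bloat a filter.
    foreach ($rule in $rules) {
        if ((Get-RuleAddresses $rule) -contains $IpAddress) { return $rule.DisplayName }
    }

    # Top up a recent rule that still has room instead of creating one per IP.
    $cutoff = (Get-Date).ToUniversalTime().AddMinutes(-$AppendMinutes)
    $open = $rules | Where-Object {
        $created = Get-RuleCreated $_
        $created -and $created -gt $cutoff -and (Get-RuleAddresses $_).Count -lt $MaxPerRule
    } | Select-Object -First 1
    if ($open) {
        $open | Set-NetFirewallRule -RemoteAddress (@(Get-RuleAddresses $open) + $IpAddress)
        return $open.DisplayName
    }

    # Otherwise start a new rule; its timestamp drives expiry of the whole rule.
    $nowUtc = (Get-Date).ToUniversalTime()
    $name   = "$Group-" + $nowUtc.ToString('yyyyMMdd-HHmmss')
    New-NetFirewallRule -DisplayName $name -Group $Group -Direction Inbound `
        -Action Block -Enabled True -Profile Any -RemoteAddress $IpAddress `
        -Description ($Prefix + $nowUtc.ToString('o')) | Out-Null
    return $name
}

function Remove-ExpiredBlockRules {
    # Counterpart of mats' cleanup loop: drop a rule once its creation time is
    # older than $ExpireMinutes.
    $limit = (Get-Date).ToUniversalTime().AddMinutes(-$ExpireMinutes)
    foreach ($rule in @(Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue)) {
        $created = Get-RuleCreated $rule
        if ($created -and $created -lt $limit) {
            Write-Host "removing $($rule.DisplayName)"
            $rule | Remove-NetFirewallRule
        }
    }
}

# Usage from a scheduled task or an admin prompt (203.0.113.45 is a
# constructed TEST-NET-3 address):
#   Add-BlockedAddress -IpAddress '203.0.113.45'
#   Remove-ExpiredBlockRules
#   (Get-NetFirewallRule -Group $Group).Count   # same count mats shows above
```

An address topped up into an existing rule expires together with that rule, which is why only rules younger than a day are topped up.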
Re: Check incoming connections with AbuseIPDB
I didn't look at this last night. Very nice! I didn't know this existed. This could definitely be useful.
mats wrote: ↑2023-01-07 17:53
Code: Select all
' Create the FwPolicy2 object.
Dim fwPolicy2
Set fwPolicy2 = CreateObject("HNetCfg.FwPolicy2")
Re: Check incoming connections with AbuseIPDB
I just implemented this code. Thanks.
One thing I do to take it just a step further is utilize RvdH's disconnect.exe and autoban for 1 hour - could be 5 minutes - just something there to prevent new connections while the firewall rule is being created.
Re: Check incoming connections with AbuseIPDB
palinka wrote: ↑2023-01-08 11:53
I just implemented this code. Thanks.
One thing I do to take it just a step further is utilize RvdH's disconnect.exe and autoban for 1 hour - could be 5 minutes - just something there to prevent new connections while the firewall rule is being created.
Can you please test what is fastest for you. Creating autobans:
Code: Select all
a=timer
autobanip "10.0.0.255",2,"test"
autobanip "10.0.0.254",2,"test"
autobanip "10.0.0.253",2,"test"
autobanip "10.0.0.252",2,"test"
autobanip "10.0.0.251",2,"test"
autobanip "10.0.0.250",2,"test"
autobanip "10.0.0.249",2,"test"
autobanip "10.0.0.248",2,"test"
autobanip "10.0.0.247",2,"test"
autobanip "10.0.0.246",2,"test"
wscript.echo timer-a
Sub AutobanIP(IPAddress, NumberOfDays, ReasonForBan)
wscript.echo "about to ban: " & IPAddress & " for: " & NumberOfDays & " Hours. Reason: " & ReasonForBan
Dim oApp
Set oApp = CreateObject("hMailServer.Application")
Call oApp.Authenticate("Administrator","YourSecretPassword")
Dim i
For i = 0 To oApp.Settings.SecurityRanges.Count -1
If IPAddress = oApp.Settings.SecurityRanges.Item(i).LowerIP Then Exit sub
Next
oApp.Settings.SecurityRanges.Refresh
With oApp.Settings.SecurityRanges.Add()
.lowerip = ipaddress
.upperip = ipaddress
.priority = 101
.allowdeliveryfromlocaltolocal = False
.allowdeliveryfromlocaltoremote = False
.allowdeliveryfromremotetolocal = False
.allowdeliveryfromremotetoremote = False
.allowimapconnections = False
.allowsmtpconnections = False
.allowpop3connections = False
.expires = True
.ExpiresTime = DateAdd("h", NumberOfDays, Now())
.name = ReasonForBan & " - banned for " & NumberOfDays & " hours - " & ipaddress
On Error Resume Next
.save
If (Err.Number = 0) Then
wscript.echo "Autoban IP range saved for IP Address " & IPAddress & " with Reason-" & reasonforban
Else
wscript.echo "Error : " & Err.Number
wscript.echo "ERROR: EventHandlers.vbs : Sub AutobanIP - Source : " & Err.Source
wscript.echo "ERROR: EventHandlers.vbs : Sub AutobanIP - Description : " & Err.Description
Err.Clear
End If
On Error Goto 0
End With
End Sub
Code: Select all
option explicit
dim a,b
A=timer
banip "10.0.0.255"
banip "10.0.0.254"
banip "10.0.0.253"
banip "10.0.0.252"
banip "10.0.0.251"
banip "10.0.0.250"
banip "10.0.0.249"
banip "10.0.0.248"
banip "10.0.0.247"
banip "10.0.0.246"
wscript.echo timer -a
Sub BanIP(ipaddress)
' EventLog.Write "Adding Firewall rule for " & ipaddress
' Create the FwPolicy2 object.
Dim fwPolicy2
Set fwPolicy2 = CreateObject("HNetCfg.FwPolicy2")
' Get the Rules object
Dim RulesObject
Set RulesObject = fwPolicy2.Rules
'Create a Rule Object.
Dim NewRule
Set NewRule = CreateObject("HNetCfg.FWRule")
NewRule.Name = ipaddress
NewRule.Description = "Created:" & now
NewRule.RemoteAddresses=ipaddress
NewRule.Direction = 1 ' 1 for in, 2 for out
NewRule.Enabled = TRUE
NewRule.Grouping = "MailBlacklist"
NewRule.Action = 0 '0 for block, 1 for allow
'Add a new rule
On Error Resume Next
RulesObject.Add NewRule
If (Err.Number = 0) Then
wscript.echo "Added Firewall rule for " & ipaddress
Else
wscript.echo "Error : " & Err.Number
wscript.echo "ERROR: EventHandlers.vbs : Sub BanIP - Source : " & Err.Source
wscript.echo "ERROR: EventHandlers.vbs : Sub BanIP - Description : " & Err.Description
Err.Clear
End If
' On Error Goto 0
End Sub
I also use disconnect to get rid of simultaneous connections
Re: Check incoming connections with AbuseIPDB
I'm used to netsh which actually does take a second or more. I've never used your method before today. I don't need to test it. I'll take your word for it.
Still, disconnect.exe is useful. It kills the connection immediately.
Re: Check incoming connections with AbuseIPDB
It's been running for about 10 days now.
Seems stable and effective. I have about 33% fewer FW rules today, i.e. the number of attacks has gone down.
Re: Check incoming connections with AbuseIPDB
I used to have a firewall ban project. I collected a LOT of statistics by reading the firewall logs as part of the script. What I learned was that 60% of IPs are part of huge bot nets that never ever returned (almost 2 years of statistics/firewall banning). Of the rest only a very small percentage were "problem children". That thing grew into an overly complex thing that I eventually abandoned in favor of simply autobanning any "bad" IPs for one hour only.
But, being nostalgic I implemented your script for a couple of days. I had a couple of false positives and then deleted the whole thing.
It is stable. Nice coding, for sure. I will find a use for that vbs firewall banning. Much simpler than the netsh powershell I was using in my project. I just haven't decided how to select the "problem children" yet. Right now I'm working on a new logging project that should be helpful in determining who is a problem child and who isn't.
Re: Check incoming connections with AbuseIPDB
I find it strange myself.
At the worst point I had 3230 FW rules in my MailBlacklist group
Today it's down to 1654
By the way, how to count the rules:
Code: Select all
(Get-NetFirewallRule -DisplayGroup MailBlacklist).count
Re: Check incoming connections with AbuseIPDB
If you want to get an idea of the kind of statistics I was recording while my firewall ban project was active, have a look here (demo - feel free to press buttons and click links): https://firewallban.dynu.net/
mats wrote: ↑2023-01-17 20:11
I find it strange myself.
"Hits" are IPs that were firewall banned for some reason.
"Blocks" are those IPs that were banned - scraped from the firewall log - in order to count successive tries. This was able to tell me the number of IPs that never returned, returned once, twice, 10,000 times, etc. I found that to be very useful information.
Unfortunately, like I said, it became too cumbersome to maintain. The bugs added up as I continued to add features.
Re: Check incoming connections with AbuseIPDB
Code: Select all
hMailServer Firewall Ban Project
Block Count
Count repeat drops from firewall log
Run : 1/17/2023 1:59 PM
1,280 : Number of days data in database
53,503 : Total number of IPs banned
32,049 : 59.90 % : Number of banned IPs that never returned
No. of banned IPs Percent Returns Returned at least
21,454 40.10% 1 day
12,551 23.46% 2 days
9,322 17.42% 3 days
7,504 14.03% 4 days
6,328 11.83% 5 days
5,327 9.96% 6 days
4,413 8.25% 7 days
3,701 6.92% 8 days
3,112 5.82% 9 days
2,682 5.01% 10 days
2,374 4.44% 11 days
2,078 3.88% 12 days
1,852 3.46% 13 days
1,626 3.04% 14 days
1,454 2.72% 15 days
1,284 2.40% 16 days
1,148 2.15% 17 days
1,042 1.95% 18 days
942 1.76% 19 days
859 1.61% 20 days
783 1.46% 21 days
725 1.36% 22 days
670 1.25% 23 days
620 1.16% 24 days
557 1.04% 25 days
524 0.98% 26 days
488 0.91% 27 days
459 0.86% 28 days
429 0.80% 29 days
397 0.74% 30 days
376 0.70% 31 days
356 0.67% 32 days
335 0.63% 33 days
326 0.61% 34 days
309 0.58% 35 days
284 0.53% 36 days
273 0.51% 37 days
258 0.48% 38 days
243 0.45% 39 days
227 0.42% 40 days
209 0.39% 41 days
199 0.37% 42 days
192 0.36% 43 days
182 0.34% 44 days
176 0.33% 45 days
171 0.32% 46 days
164 0.31% 47 days
154 0.29% 48 days
147 0.27% 49 days
144 0.27% 50 days
140 0.26% 51 days
133 0.25% 52 days
128 0.24% 53 days
124 0.23% 54 days
119 0.22% 55 days
116 0.22% 56 days
113 0.21% 57 days
112 0.21% 58 days
112 0.21% 59 days
110 0.21% 60 days
110 0.21% 61 days
109 0.20% 62 days
106 0.20% 63 days
103 0.19% 64 days
102 0.19% 65 days
100 0.19% 66 days
99 0.19% 67 days
96 0.18% 68 days
94 0.18% 69 days
92 0.17% 70 days
90 0.17% 71 days
89 0.17% 72 days
87 0.16% 73 days
85 0.16% 74 days
83 0.16% 75 days
80 0.15% 76 days
80 0.15% 77 days
78 0.15% 78 days
78 0.15% 79 days
76 0.14% 80 days
76 0.14% 81 days
75 0.14% 82 days
72 0.13% 83 days
72 0.13% 84 days
72 0.13% 85 days
71 0.13% 86 days
71 0.13% 87 days
69 0.13% 88 days
68 0.13% 89 days
67 0.13% 90 days
67 0.13% 91 days
65 0.12% 92 days
65 0.12% 93 days
63 0.12% 94 days
59 0.11% 95 days
56 0.10% 96 days
53 0.10% 97 days
50 0.09% 98 days
48 0.09% 99 days
45 0.08% 100 days
41 0.08% 101 days
38 0.07% 102 days
33 0.06% 103 days
28 0.05% 104 days
23 0.04% 105 days
21 0.04% 106 days
19 0.04% 107 days
18 0.03% 108 days
18 0.03% 109 days
17 0.03% 110 days
16 0.03% 111 days
16 0.03% 112 days
16 0.03% 113 days
16 0.03% 114 days
16 0.03% 115 days
16 0.03% 116 days
16 0.03% 117 days
15 0.03% 118 days
15 0.03% 119 days
15 0.03% 120 days
15 0.03% 121 days
15 0.03% 122 days
15 0.03% 123 days
15 0.03% 124 days
15 0.03% 125 days
15 0.03% 126 days
15 0.03% 127 days
15 0.03% 128 days
15 0.03% 129 days
15 0.03% 130 days
15 0.03% 131 days
15 0.03% 132 days
15 0.03% 133 days
15 0.03% 134 days
15 0.03% 135 days
14 0.03% 136 days
14 0.03% 137 days
14 0.03% 138 days
14 0.03% 139 days
14 0.03% 140 days
14 0.03% 141 days
14 0.03% 142 days
14 0.03% 143 days
14 0.03% 144 days
14 0.03% 145 days
13 0.02% 146 days
13 0.02% 147 days
13 0.02% 148 days
12 0.02% 149 days
11 0.02% 150 days
11 0.02% 151 days
10 0.02% 152 days
10 0.02% 153 days
10 0.02% 154 days
10 0.02% 155 days
10 0.02% 156 days
10 0.02% 157 days
10 0.02% 158 days
10 0.02% 159 days
10 0.02% 160 days
10 0.02% 161 days
10 0.02% 162 days
10 0.02% 163 days
10 0.02% 164 days
10 0.02% 165 days
8 0.01% 166 days
8 0.01% 167 days
8 0.01% 168 days
8 0.01% 169 days
8 0.01% 170 days
8 0.01% 171 days
8 0.01% 172 days
8 0.01% 173 days
8 0.01% 174 days
8 0.01% 175 days
8 0.01% 176 days
8 0.01% 177 days
8 0.01% 178 days
7 0.01% 179 days
7 0.01% 180 days
7 0.01% 181 days
7 0.01% 182 days
7 0.01% 183 days
7 0.01% 184 days
7 0.01% 185 days
7 0.01% 186 days
7 0.01% 187 days
7 0.01% 188 days
7 0.01% 189 days
7 0.01% 190 days
6 0.01% 191 days
6 0.01% 192 days
6 0.01% 193 days
6 0.01% 194 days
6 0.01% 195 days
6 0.01% 196 days
6 0.01% 197 days
6 0.01% 198 days
6 0.01% 199 days
6 0.01% 200 days
6 0.01% 201 days
6 0.01% 202 days
6 0.01% 203 days
6 0.01% 204 days
6 0.01% 205 days
6 0.01% 206 days
6 0.01% 207 days
6 0.01% 208 days
6 0.01% 209 days
6 0.01% 210 days
6 0.01% 211 days
5 0.01% 212 days
5 0.01% 213 days
4 0.01% 214 days
4 0.01% 215 days
2 0.00% 216 days
2 0.00% 217 days
2 0.00% 218 days
2 0.00% 219 days
2 0.00% 220 days
2 0.00% 221 days
2 0.00% 222 days
2 0.00% 223 days
2 0.00% 224 days
2 0.00% 225 days
2 0.00% 226 days
2 0.00% 227 days
2 0.00% 228 days
2 0.00% 229 days
1 0.00% 230 days
1 0.00% 231 days
1 0.00% 232 days
1 0.00% 233 days
1 0.00% 234 days
1 0.00% 235 days
1 0.00% 236 days
Re: UPDATE: Check incoming connections with AbuseIPDB
Not working anymore, they changed the layout and use JavaScript in the page; switching to the API version.
Po-In wrote: ↑2018-05-24 13:46
Here's one that doesn't need registration (even though I think you should register anyway and show some support to AbuseIPDB).
The function 'CheckAbuseIPDBConfidence' returns the 'Confidence of Abuse' percentage for the given IP address, as calculated by AbuseIPDB.
It parses the page data until it finds the section that represents the value. This will work as long as AbuseIPDB doesn't change the design.
As shown below, I refuse connections from IP addresses that score higher than 40%, which works pretty well for me.
About 75% of the connecting IP addresses score 40 or above, so it helps a lot.
Code: Select all
Sub OnClientConnect(oClient)
    'Variables
    ClientIp = oClient.IpAddress 'Connecting remote IP address
    WhiteList = "#127.0.0.1#a.b.c.d#1.2.3.4#" 'Variable array for whitelisted IP addresses to exclude, localhost, maybe your servers IP address, your WebClient IP address whatever
    Percentage = "0" 'Default value
    'Check if connecting client isn't whitelisted
    If Instr(WhiteList, "#" & ClientIp & "#") = 0 Then
        Percentage = CheckAbuseIPDBConfidence(ClientIP)
        'Process reported percentage
        If Percentage > 40 then
            Result.Value = 1
            EventLog.Write ("AbuseIPDB: IP Address " & ClientIp & " rejected: Confidence of Abuse: " & Percentage & "%.")
        ElseIf Percentage > 10 then
            Result.Value = 0
            EventLog.Write ("AbuseIPDB: IP Address " & ClientIp & " warning: Confidence of Abuse: " & Percentage & "%.")
        ElseIf Percentage > 0 then
            Result.Value = 0
            EventLog.Write ("AbuseIPDB: IP Address " & ClientIp & " notification: Confidence of Abuse: " & Percentage & "%.")
        End If
    End If
End Sub

Public Function CheckAbuseIPDBConfidence(IPAddress)
    CheckAbuseIPDBConfidence = "0"
    Set objXMLHTTP = CreateObject("msxml2.xmlhttp.6.0")
    objXMLHTTP.Open "GET", "https://www.abuseipdb.com/check/" & IPAddress, False
    objXMLHTTP.Send ""
    ResponseText = objXMLHTTP.responseText
    ResponseArray = Split(ResponseText, VbLf)
    For Each ResponseLine in ResponseArray
        If Left(ResponseLine, 6) = "<span>" And Right(ResponseLine, 8) = "%</span>" Then
            CheckAbuseIPDBConfidence = Mid(ResponseLine, 7, Len(ResponseLine) - 14)
            Exit For
        End If
    Next
    Set objXMLHTTP = Nothing
End Function
Re: Check incoming connections with AbuseIPDB
Someone asked for a V2 script function
Code: Select all
Public Function CheckAbuseIPDBConfidence(IPAddress)
CheckAbuseIPDBConfidence = "0"
Set objXMLHTTP = CreateObject("msxml2.xmlhttp.6.0")
objXMLHTTP.Open "GET", "https://api.abuseipdb.com/api/v2/check?ipAddress="&ipAddress&"&maxAgeInDays=90&verbose", False
objXMLHTTP.setRequestHeader "Accept","application/json"
objXMLHTTP.setRequestHeader "Key","Your key here"
objXMLHTTP.Send ""
ResponseText = objXMLHTTP.responseText
if instr(responseText,"abuseConfidenceScore") then
CheckAbuseIPDBConfidence=mid(responseText,instr(responseText,"abuseConfidenceScore")+22)
CheckAbuseIPDBConfidence=left(CheckAbuseIPDBConfidence,instr(CheckAbuseIPDBConfidence,",")-1)
end if
Set objXMLHTTP = Nothing
End Function
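As an added example (not the thread's own code) that covers both the VBA attempt earlier in the thread and the V2 function just posted: the same APIv2 check from PowerShell, with the IP passed as the ipAddress query parameter and the JSON parsed by field name instead of by character offset, followed by Po-In's 40/10 reject/warn thresholds. It assumes the key is in the ABUSEIPDB_KEY environment variable; the function names are mine.

```powershell
# Added example (not the thread's own code): the APIv2 check from PowerShell
# with the JSON parsed rather than sliced. Assumes the key is in the
# ABUSEIPDB_KEY environment variable; 40 and 10 are Po-In's reject/warn
# thresholds from earlier in the thread. Function names are my own.

function Get-AbuseIPDBScore {
    param(
        [Parameter(Mandatory)][string]$IpAddress,
        [int]$MaxAgeInDays = 90
    )
    if (-not [System.Net.IPAddress]::TryParse($IpAddress, [ref]$null)) {
        throw "Not an IP address: $IpAddress"
    }
    if (-not $env:ABUSEIPDB_KEY) { throw 'ABUSEIPDB_KEY is not set' }
    $headers = @{ Key = $env:ABUSEIPDB_KEY; Accept = 'application/json' }

    # APIv2 wants the IP as the ipAddress query parameter. Appending it to the
    # path, as the VBA attempt above did, only yields the "AbuseIPDB APIv2
    # Server." banner with HTTP 200 and no data object.
    $uri = 'https://api.abuseipdb.com/api/v2/check?ipAddress=' +
           [uri]::EscapeDataString($IpAddress) + "&maxAgeInDays=$MaxAgeInDays"
    try {
        $resp = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers -TimeoutSec 5
    } catch {
        # 401 = bad or missing key, 429 = quota/rate limit, plus timeouts.
        # Return $null so the caller can fail open instead of rejecting every
        # client while the lookup is broken.
        $status = $_.Exception.Response.StatusCode.value__
        Write-Warning "AbuseIPDB lookup for $IpAddress failed (HTTP $status): $($_.Exception.Message)"
        return $null
    }
    # Invoke-RestMethod has already turned the JSON into objects, so the fields
    # are read by name instead of by offset as in the VBScript version.
    return [pscustomobject]@{
        IpAddress    = $resp.data.ipAddress
        Score        = [int]$resp.data.abuseConfidenceScore
        TotalReports = [int]$resp.data.totalReports
        LastReported = $resp.data.lastReportedAt
        Country      = $resp.data.countryCode
    }
}

function Get-ConnectVerdict($Lookup) {
    # Po-In's three outcomes; mapping 'reject' to Result.Value = 1 in
    # OnClientConnect is left to the caller.
    if ($null -eq $Lookup)    { return 'allow-unknown' }   # lookup failed: fail open
    if ($Lookup.Score -gt 40) { return 'reject' }
    if ($Lookup.Score -gt 10) { return 'warn' }
    return 'allow'
}

# Usage (198.51.100.7 is a constructed TEST-NET-2 address):
#   $r = Get-AbuseIPDBScore -IpAddress '198.51.100.7'
#   Get-ConnectVerdict $r
```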
Re: Check incoming connections with AbuseIPDB
Made a simple reporting script that reports the IPs that have been banned in hMailServer.
It checks the autobans in hMailServer (priority 100) and reports them to AbuseIPDB (thanks for the REST call, Palinka). Finally it sets the priority to 99 (to avoid double reporting). It will not report a repeat abuser again until the next time they get autobanned. Could be run once an hour as a scheduled task.
Code: Select all
$objhmail=New-Object -ComObject "hMailServer.Application"
$objhmail.Authenticate("username","Password")
$blacklist=$objhmail.Settings.SecurityRanges
$Header = @{
"Key" = "API-key"
"Accept" = "application/json"
}
for($I=0;$I -lt $blacklist.Count;$i++){
if($blacklist.Item($I).priority -eq 100){
$BodyReport = @{
"ip" = $blacklist.Item($I).lowerip
"comment" = "Mail login attempts"
"categories" = "18"
} | ConvertTo-JSON
$AbuseIPDB = Invoke-RestMethod -Method POST "https://api.abuseipdb.com/api/v2/report" -Header $Header -Body $BodyReport -ContentType 'application/json; charset=utf-8'
$blacklist.Item($I).priority = 99
$blacklist.Item($I).save()
}
}