"Authentication failed" Notification.

Use this forum if you want to suggest a new feature to hMailServer. Before posting, please search the forum to confirm that it has not already been suggested.
tohare
Normal user
Posts: 180
Joined: 2014-12-07 13:35
Location: Florida!

"Authentication failed" Notification.

Post by tohare » 2016-09-06 10:38

I would like an easy "Authentication failed" notification -- either whenever it fires or when the "max" amount is reached. We get an average of no less than ~10 per day (max out). 95+% are attempted break-ins. I want to be notified so I can quickly determine if it is legitimate or a break-in. Especially "who" is attempting to break in and what method (sometimes logs are flooded with connections). Tonight we had added > 50 IPs to either the outside firewall (assumed black listed countries) or the HMS IP restrictions (big 3 day weekend here so I assume they think we are lax and going for a major break-in).

Normally we go with a 3 strike rule and auto-ban them for an hour. If the IP is not a user we manually ban the IP for a week. If on the black list they are banned permanently.

We just want to know if it is a local user or an attempted break-in so we can react more quickly to try and improve security and help normal users.

A partial list of attempted break-ins banned for 1 week (screenshot attached: Clipboard01.jpg).
Thanks,
Thomas

tohare
Normal user
Posts: 180
Joined: 2014-12-07 13:35
Location: Florida!

Re: "Authentication failed" Notification.

Post by tohare » 2016-09-06 12:00

Oh yeah, also would like to "easily" customize the "Name" of the IP address list -- and if possible the services available (auto-deselect the email options for a "banned" IP/range).

As you can see from above we use "Temp-xxx.xxx.xxx.xxx" as the name. That gives us a quick look at what is listed as "banned" and how long. If we see a log that still contains numerous attempted connections (sometimes 100+) we look at the banned list and if there is a match we then go to the outside firewall and ban them from getting inside the local network. And of course we set the priority (we use 50 as it is "Temp" and only use 0-100) and HMS uses 20 which is too low for us.

We have flood protection but usually that never seems to fire so it appears it is just attempted logins that are dropped by HMS but the auto-retry.

Moral of the novel here is we would like more granular control over the logins (or attempted) so we can improve security by a big margin.
Thanks,
Thomas

SorenR
Senior user
Posts: 3169
Joined: 2006-08-21 15:38
Location: Denmark

Re: "Authentication failed" Notification.

Post by SorenR » 2016-09-06 14:38

tohare wrote: Oh yeah, also would like to "easily" customize the "Name" of the IP address list -- and if possible the services available (auto-deselect the email options for a "banned" IP/range).

As you can see from above we use "Temp-xxx.xxx.xxx.xxx" as the name. That gives us a quick look at what is listed as "banned" and how long. If we see a log that still contains numerous attempted connections (sometimes 100+) we look at the banned list and if a match we then go to the outside firewall and ban them from getting inside the local network. And of course we set the priority (we use 50 as it is "Temp" and only use 0-100) and HMS uses 20 which is too low for us.

We have flood protection but usually that never seems to fire so it appears it is just attempted logins that are dropped by HMS but the auto-retry.

Moral of the novel here is we would like more granular control over the logins (or attempted) so we can improve security by a big margin.

Once you ban an IP address you will NOT see the IP address in ANY log until the ban expires. The built-in Auto-Ban in HMS is not perfect and there are many cases I'd like to see it in action - and eventually I'll probably do something about it...

I get, from time to time, a ton of connects from various IPs and that's it, no more... Except perhaps 2-300 lines in my logs.
I have thought of writing some scriptlets using SQLite to capture date/time and IP address and if excessive connects occur in a short timespan, ban the IP...

I guess that is what you call flood protection ??

Anyways, I use 2 failed logons on the premise that username/password are configured in the client and should not change. Webmail is a completely different story, I had a plugin (Defense) for Roundcube but it has some issues with the latest 1.2.1 and you can't ban the IP address of the webmail server :roll:
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.

tohare
Normal user
Posts: 180
Joined: 2014-12-07 13:35
Location: Florida!

Re: "Authentication failed" Notification.

Post by tohare » 2016-09-07 11:10

Kool! But explain what this is please ;-)

"TCPIP" 7344 "2016-09-07 08:15:18.377" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"SMTPD" 7344 1092 "2016-09-07 08:15:18.377" "41.169.67.74" "SENT: 220 RedTile IT, Inc., Private EMail Server. Not For Public Use. All activity is monitored and logged."
"SMTPD" 6752 1092 "2016-09-07 08:15:18.689" "41.169.67.74" "RECEIVED: EHLO ylmf-pc"
"SMTPD" 6752 1092 "2016-09-07 08:15:18.689" "41.169.67.74" "SENT: 250-0.0.0.0[nl]250-SIZE 15360000[nl]250-AUTH LOGIN PLAIN[nl]250 HELP"
"SMTPD" 7736 1092 "2016-09-07 08:15:19.001" "41.169.67.74" "RECEIVED: AUTH LOGIN"
"SMTPD" 7736 1092 "2016-09-07 08:15:19.001" "41.169.67.74" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 7344 1092 "2016-09-07 08:15:19.297" "41.169.67.74" "RECEIVED: dG9t"
"SMTPD" 7344 1092 "2016-09-07 08:15:19.297" "41.169.67.74" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 7640 1092 "2016-09-07 08:15:19.656" "41.169.67.74" "RECEIVED: ***"
"SMTPD" 7640 1092 "2016-09-07 08:15:19.656" "41.169.67.74" "SENT: 535 Authentication failed. Restarting authentication process."
"TCPIP" 7344 "2016-09-07 08:15:20.343" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"SMTPD" 7344 1093 "2016-09-07 08:15:20.343" "41.169.67.74" "SENT: 220 RedTile IT, Inc., Private EMail Server. Not For Public Use. All activity is monitored and logged."
"SMTPD" 7736 1093 "2016-09-07 08:15:20.639" "41.169.67.74" "RECEIVED: EHLO ylmf-pc"
"SMTPD" 7736 1093 "2016-09-07 08:15:20.639" "41.169.67.74" "SENT: 250-0.0.0.0[nl]250-SIZE 15360000[nl]250-AUTH LOGIN PLAIN[nl]250 HELP"
"SMTPD" 7344 1093 "2016-09-07 08:15:20.967" "41.169.67.74" "RECEIVED: AUTH LOGIN"
"SMTPD" 7344 1093 "2016-09-07 08:15:20.967" "41.169.67.74" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 7640 1093 "2016-09-07 08:15:21.263" "41.169.67.74" "RECEIVED: dG9t"
"SMTPD" 7640 1093 "2016-09-07 08:15:21.263" "41.169.67.74" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 7344 1093 "2016-09-07 08:15:21.559" "41.169.67.74" "RECEIVED: ***"
"SMTPD" 7344 1093 "2016-09-07 08:15:21.559" "41.169.67.74" "SENT: 535 Authentication failed. Too many invalid logon attempts."
"TCPIP" 7344 "2016-09-07 08:15:22.792" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:23.416" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:24.040" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:24.648" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:25.257" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:25.881" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:26.505" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:27.144" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:30.795" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:31.419" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:32.058" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:32.667" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:33.275" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:33.883" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:34.507" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:35.100" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:35.709" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:36.333" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:36.972" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:37.643" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:39.390" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:39.999" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:40.654" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:42.276" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:42.916" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:43.540" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:44.133" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:44.725" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:45.365" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:45.958" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:46.551" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:47.175" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:47.783" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:48.469" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:49.109" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:49.873" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:50.529" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:54.132" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:54.725" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:55.318" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:55.911" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:56.800" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:57.408" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:58.063" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:58.750" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:59.389" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:15:59.998" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:00.622" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:01.199" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:01.792" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:02.400" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:03.009" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:03.648" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:04.257" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:04.849" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:05.458" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:06.051" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:06.643" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:07.221" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:07.813" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:08.453" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:12.057" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:12.634" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:13.242" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:13.835" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:14.428" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:15.036" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:15.613" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:16.206" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:16.815" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:17.392" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:18.125" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:18.749" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:19.373" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:19.966" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:20.590" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:21.198" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:21.807" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:22.384" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:22.977" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:23.569" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:24.178" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:24.786" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:25.379" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:25.972" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:26.799" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:27.469" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:28.171" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:28.795" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:29.404" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:30.012" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:30.589" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:31.198" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:31.806" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:32.415" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:33.007" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:33.616" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:34.209" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:34.801" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:35.457" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:36.049" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:36.673" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:37.266" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:37.859" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:38.795" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:39.419" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:40.043" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
"TCPIP" 7344 "2016-09-07 08:16:40.651" "TCP - 41.169.67.74 connected to 192.168.2.110:25."
Thanks,
Thomas
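As an added example (not code from this thread, from SorenR or from hMailServer), here is the log-side detector SorenR sketches above, run over lines in the format tohare posted: it applies the "3 strikes" rule to 535 responses and a connect-storm threshold to the TCPIP lines, which are all a banned bot still leaves behind once HMS stops answering it. The thresholds, the LAN exemption and the sample IPs and timestamps are assumptions chosen for the example.

```python
"""Flag client IPs that trip a failed-logon or connect-storm threshold in hMailServer logs."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "TCPIP" <pid> "<timestamp>" "TCP - <client ip> connected to <server ip>:<port>."
TCPIP_RE = re.compile(r'^"TCPIP"\s+\d+\s+"([^"]+)"\s+"TCP - ' + IPV4 + r" connected to ")
# "SMTPD" <pid> <session> "<timestamp>" "<client ip>" "SENT: 535 Authentication failed..."
AUTH_FAIL_RE = re.compile(r'^"SMTPD"\s+\d+\s+\d+\s+"([^"]+)"\s+"' + IPV4 + r'"\s+"SENT: 535 ')

# Assumption: the local LAN is exempt, as the scripts in this thread do for 192.168.x.x.
LOCAL_PREFIXES = ("192.168.",)
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"


def parse_event(line):
    """Return (kind, timestamp, client_ip) for connect / 535 lines, else None."""
    for kind, rx in (("CONNECT", TCPIP_RE), ("AUTHFAIL", AUTH_FAIL_RE)):
        m = rx.match(line)
        if m:
            return kind, datetime.strptime(m.group(1), TS_FMT), m.group(2)
    return None


def find_offenders(lines, auth_limit=3, auth_window=timedelta(hours=1),
                   connect_limit=20, connect_window=timedelta(seconds=60)):
    """Sliding-window counters per (ip, kind); returns {ip: (reason, tripped_at)}.

    auth_limit/auth_window is the "3 strikes, then ban for an hour" rule;
    connect_limit/connect_window catches the reconnect storm of an already
    banned bot, which only shows up as TCPIP lines once HMS stops answering.
    """
    limits = {"AUTHFAIL": (auth_limit, auth_window), "CONNECT": (connect_limit, connect_window)}
    recent = defaultdict(deque)  # (ip, kind) -> timestamps still inside the window
    offenders = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        kind, ts, ip = ev
        if ip.startswith(LOCAL_PREFIXES) or ip in offenders:
            continue
        limit, window = limits[kind]
        q = recent[(ip, kind)]
        q.append(ts)
        while ts - q[0] > window:  # expire events that fell out of the window
            q.popleft()
        if len(q) >= limit:
            offenders[ip] = (kind, ts)
    return offenders


def sample_log():
    """Constructed log lines in the thread's format; IPs are from RFC 5737 test ranges."""
    base = datetime(2016, 9, 7, 8, 15, 18)
    fmt = lambda dt: dt.strftime(TS_FMT)[:-3]  # hMailServer logs milliseconds
    con = lambda dt, ip: f'"TCPIP" 7344 "{fmt(dt)}" "TCP - {ip} connected to 192.168.2.110:25."'
    fail = lambda dt, ip: (f'"SMTPD" 7344 1092 "{fmt(dt)}" "{ip}" '
                           '"SENT: 535 Authentication failed. Restarting authentication process."')
    lines = [fail(base + timedelta(seconds=2 * i), "203.0.113.45") for i in range(3)]  # 3 strikes
    lines.append(fail(base + timedelta(seconds=7), "198.51.100.7"))  # one typo by a real user
    lines += [con(base + timedelta(seconds=10 + 0.6 * i), "198.51.100.200") for i in range(25)]  # storm
    lines += [con(base + timedelta(seconds=30 * i), "203.0.113.9") for i in range(19)]  # slow, benign
    lines += [con(base + timedelta(seconds=i), "192.168.2.50") for i in range(40)]  # LAN host, exempt
    return lines


if __name__ == "__main__":
    for ip, (reason, when) in find_offenders(sample_log()).items():
        print(f"{ip}: {reason} threshold reached at {when:%H:%M:%S}")
```

Feeding real hMailServer log files in line by line gives the list of IPs that a scheduled task could hand to the IP range (ban) list or the outside firewall.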

jimimaseye
Moderator
Posts: 8082
Joined: 2011-09-08 17:48

Re: "Authentication failed" Notification.

Post by jimimaseye » 2016-09-07 11:47

Yes they are TCP connections. They reach your HMS but HMS fails to respond to them due to them being on the autoban list. If you don't want those connections reaching HMS then you need to block them at firewall level. But even then, it doesn't stop the incoming connection from the source, it will just be blocked at the firewall instead of at HMS (and you won't see it unless you look at firewall logs if enabled). The benefit is, though, that it will not take up the sockets on the HMS server leaving your server free from the hassle of dealing with them within HMS.

Mainly, though, these connections usually drop within a few minutes (you notice it's a flood-attack) and usually don't happen (or at worst are rare) or pose a problem.
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

tohare
Normal user
Posts: 180
Joined: 2014-12-07 13:35
Location: Florida!

Re: "Authentication failed" Notification.

Post by tohare » 2016-09-07 11:55

Jimmy,

Yes, I know, and I do ban them at the firewall when I see this in a log. I could not help myself. I saw this line above from Soren and smiled "Once you ban an IP address you will NOT see the IP address in ANY log until the ban expire" ;-) OK, I am bad, but I got a smile out of it... :roll:
Thanks,
Thomas

jimimaseye
Moderator
Posts: 8082
Joined: 2011-09-08 17:48

Re: "Authentication failed" Notification.

Post by jimimaseye » 2016-09-07 11:56

:mrgreen:

Of course, the simplest answer is turn off TCPIP logging. :D

tohare
Normal user
Posts: 180
Joined: 2014-12-07 13:35
Location: Florida!

Re: "Authentication failed" Notification.

Post by tohare » 2016-09-07 11:59

And miss all the fun? No Way! :mrgreen:
Thanks,
Thomas

SorenR
Senior user
Posts: 3169
Joined: 2006-08-21 15:38
Location: Denmark

Re: "Authentication failed" Notification.

Post by SorenR » 2016-09-07 13:45

ylmf-pc is easy to deal with if you use my OnHelo...

Failed logon I block after 2 attempts (except webmail for obvious reasons), webmail IP address is higher priority than BAN...

The connect "storm" is the one I'm planning to deal with by using SQLite...

Other than that here are some of the stuff I do...


   Sub OnClientConnect(oClient)
      If (Left(oClient.IPAddress, 10) = "192.168.0.") Then Exit Sub   ' Local LAN should not wait
      If (Left(oClient.IPAddress, 10) = "80.160.77.") Then Exit Sub   ' Backup-MX should not wait
      If (oClient.Port = 25) Then Wait(20)                            ' Make everyone else wait - BOTs usually give up waiting
   End Sub


   Sub OnHELO(oClient)
      If (Left(oClient.IPAddress, 10) = "192.168.0.") Then Exit Sub
      If (Left(oClient.IPAddress, 10) = "80.160.77.") Then Exit Sub
      Dim oRegEx
      Set oRegEx = CreateObject("VBScript.RegExp")
      oRegEx.IgnoreCase = True
      oRegEx.Global = False

      oRegEx.Pattern = "^(User)$|^(ylmf-pc)$|^(Welcome-PC)$|^(THP-PC)$|^(Administrator)$|^(localhost\.localdomain)$|^(127\.0\.0\.1)$"
      If oRegEx.Test(oClient.HELO) Then Call AutoBan(oClient.IPAddress, oClient.HELO, 2, "d")

      Set oRegEx = Nothing
   End Sub


   Sub AutoBan(sIPAddress, sReason, iDuration, sType)

'      sType can be one of the following;
'
'      "yyyy" - Year
'         "q" - Quarter
'         "m" - Month
'         "y" - Day of year
'         "d" - Day
'         "w" - Weekday
'        "ww" - Week of year
'         "h" - Hour
'         "n" - Minute
'         "s" - Second

      Dim oApp
      Set oApp = CreateObject("hMailServer.Application")
      ' sAdminPassword holds the hMailServer Administrator password; assumed to be defined elsewhere in EventHandlers.vbs
      Call oApp.Authenticate ("Administrator", sAdminPassword)
      With LockFile("c:\hmailserver\temp\autoban.lck")
         On Error Resume Next
         oApp.Settings.SecurityRanges.Refresh
         If oApp.Settings.SecurityRanges.ItemByName("(" & sReason & ") " & sIPAddress) Is Nothing Then
            With oApp.Settings.SecurityRanges.Add
               .Name = "(" & sReason & ") " & sIPAddress   ' was the undeclared IPAddress: the name lost the address and ItemByName never matched
               .LowerIP = sIPAddress
               .UpperIP = sIPAddress
               .Priority = 20
               .Expires = True
               .ExpiresTime = DateAdd(sType, iDuration, Now())
               .Save
            End With
         End If
         oApp.Settings.SecurityRanges.Refresh
         On Error Goto 0
         .Close
      End With
   End Sub


   ' In the event of concurrent connects from the same source, make them wait FIFO for completion.
   Function LockFile(strPath)
      Const Append = 8
      Const Unicode = -1
      With CreateObject("Scripting.FileSystemObject")
         Dim oFile, i
         For i = 0 To 30
            On Error Resume Next
            Set oFile = .OpenTextFile(strPath, Append, True, Unicode)
            If (Not Err.Number = 70) Then
               Set LockFile = oFile
               On Error Goto 0
               Exit For
            End If
            On Error Goto 0
            Wait(1)
         Next
      End With
      Set oFile = Nothing
      If (Err.Number = 70) Then
         EventLog.Write("ERROR: EventHandlers.vbs")
         EventLog.Write("File " & strPath & " is locked and timeout was exceeded.")
         Err.Clear
      ElseIf (Err.Number <> 0) Then
         EventLog.Write("ERROR: EventHandlers.vbs : Function LockFile")
         EventLog.Write("Error       : " & Err.Number)
         EventLog.Write("Error (hex) : 0x" & Hex(Err.Number))
         EventLog.Write("Source      : " & Err.Source)
         EventLog.Write("Description : " & Err.Description)
         Err.Clear
      End If
   End Function


   'sleep.exe comes from Windows Server 2003 Toolkit
   Function Wait(sec)
      With CreateObject("WScript.Shell")
         .Run "sleep -m " & Int(sec * 1000), 0, True
      End With
   End Function

SorenR
Senior user
Posts: 3169
Joined: 2006-08-21 15:38
Location: Denmark

Re: "Authentication failed" Notification.

Post by SorenR » 2016-09-07 13:52

Er... If you use Roundcube this is the "thing" I use(d).. There are some new functionalities in 1.2.1 that sort of handle part of it (flooding), so I might just activate the plugin again.

https://github.com/stalks/roundcube-defense

tohare
Normal user
Posts: 180
Joined: 2014-12-07 13:35
Location: Florida!

Re: "Authentication failed" Notification.

Post by tohare » 2016-09-07 14:25

Love the massive amount of code for that one PIA user. Then again I have seen that user in the log more times than I care to admit. Seems that user name generates more spam than any other.
Thanks,
Thomas

SorenR
Senior user
Posts: 3169
Joined: 2006-08-21 15:38
Location: Denmark

Re: "Authentication failed" Notification.

Post by SorenR » 2016-09-07 14:33

tohare wrote: Love the massive amount of code for that one PIA user. Then again I have seen that user in the log more times than I care to admit. Seems that user name generates more spam than any other.

Well, you could do a manual BAN FOR LIFE (or sometime around 2025) on the single IP address. :mrgreen:

I generally make rules for automation as I don't really bother gazing at the logs all day 8)

I go through the system SPAM folder via webmail every day to catch FP's but that's generally it... Unless I get a brain fart and dissect last month's logfiles..

mattg
Moderator
Posts: 20007
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: "Authentication failed" Notification.

Post by mattg » 2016-09-07 14:58

There was an idea here to add a Windows firewall block for an errant IP address.
>> viewtopic.php?f=9&t=23496&p=141931#p141931

Unsure if it eventuated
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
