Automatically Add Hackers to Firewall Block Rule

Discussion for developers using MailEnable.
akeilox
Posts: 6
Joined: Sun Feb 26, 2017 8:44 am

Re: Automatically Add Hackers to Firewall Block Rule

Post by akeilox » Mon Sep 14, 2020 5:56 am

Hi @virmix, can you share the source for the IPBan.exe only? Like the first post in this thread, I was customizing Log type and reading for locating the failed login attempts, and wish to customize the logic if possible.

Would be much appreciated.

virmix
Posts: 53
Joined: Tue Nov 10, 2015 12:12 am

Re: Automatically Add Hackers to Firewall Block Rule

Post by virmix » Thu Sep 17, 2020 12:38 pm

akeilox wrote:
Mon Sep 14, 2020 5:56 am
Hi @virmix, can you share the source for the IPBan.exe only? Like the first post in this thread, I was customizing Log type and reading for locating the failed login attempts, and wish to customize the logic if possible.

Would be much appreciated.

Sorry, the code is not a copy of the original post; it uses another old source code.
If you need any change I can change it for you.

The new version has new log information, like rule name and customer failed before ban.

See the .config file, for example the MySQL group:

That rule blocks an IP if it fails more than 2 logins, and blocks it if one login fails and uses the username root or admin.

The new nodes are: Name, FailedBeforeBan, RegexUser

Code:

      <Group>
        <Name>MySQL</Name>
        <Keywords>0x80000000000000</Keywords>
        <Path>Application</Path>
        <!-- Per-group threshold; replaces the default FailedLoginAttemptsBeforeBan -->
        <FailedBeforeBan>2</FailedBeforeBan>
        <Expressions>
          <Expression>
            <XPath>//Provider[@Name='MySQL']</XPath>
            <Regex></Regex>
          </Expression>
          <Expression>
            <XPath>//Data</XPath>
            <Regex>
              <![CDATA[
                Access denied for user .*?'@'(?<ipaddress>.*?)'
              ]]>
            </Regex>
            <!-- Block on a single failed login for these usernames -->
            <RegexUser>'root','admin'</RegexUser>
          </Expression>
        </Expressions>
      </Group>

If FailedBeforeBan is not used in the group, the software takes the default settings:

Code:

 <add key="FailedLoginAttemptsBeforeBan" value="4" />

akeilox
Posts: 6
Joined: Sun Feb 26, 2017 8:44 am

Re: Automatically Add Hackers to Firewall Block Rule

Post by akeilox » Tue Nov 03, 2020 5:07 am

Thank you for the reply @virmix

I did modify a very old VB code to C# a long time ago, and added a Daily Email Summary at the end of the day to keep an eye on:
- List of IPs blocked today
- How many times each IP attempted to login

like 1.2.3.4 5 attempts

This would then give me an idea of attacks on the mailserver, whether it's targeted or pinging.

I did add the IPs to the MailEnable Deny tab file via the API and noticed that most of the time it returns Success as added but does not add the IP, which I had to go back and add manually.

Not sure what got changed since then, but if you can add such a feature or share the script I can make these changes.
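
An added example, not part of the thread and not the tool's own code: the MySQL rule from the config earlier in the thread (FailedBeforeBan of 2, immediate ban for root or admin) combined with the per-IP attempt summary described in the post above, run over constructed event messages. The `user` capture group, the function names and the "exceeds the threshold" comparison are assumptions.

```python
import re
from collections import Counter

# Page's pattern, adapted: Python spells named groups (?P<name>...), and a
# "user" group is added (assumption) so the RegexUser list can be checked.
ACCESS_DENIED = re.compile(r"Access denied for user '(?P<user>.*?)'@'(?P<ipaddress>.*?)'")

FAILED_BEFORE_BAN = 2                  # <FailedBeforeBan> from the MySQL group
INSTANT_BAN_USERS = {"root", "admin"}  # <RegexUser> from the MySQL group


def evaluate(messages, failed_before_ban=FAILED_BEFORE_BAN, instant_users=INSTANT_BAN_USERS):
    """Return (attempts, bans): failures per IP and {ip: reason} for banned IPs.

    Assumption: an IP is banned once its failures exceed failed_before_ban
    ("more than 2 logins" in the post), or on its first failure for a listed user.
    """
    attempts = Counter()
    bans = {}
    for message in messages:
        match = ACCESS_DENIED.search(message)
        if match is None:
            continue  # not a failed-login event
        ip, user = match["ipaddress"], match["user"]
        attempts[ip] += 1
        if ip in bans:
            continue  # already banned; keep counting for the summary
        if user.lower() in instant_users:
            bans[ip] = f"privileged user '{user}'"
        elif attempts[ip] > failed_before_ban:
            bans[ip] = f"{attempts[ip]} failed logins"
    return attempts, bans


def daily_summary(attempts, bans):
    """Lines in the 'IP N attempts' style for the banned IPs."""
    return [f"{ip} {attempts[ip]} attempts ({bans[ip]})" for ip in sorted(bans)]


# Constructed sample event messages (documentation address ranges).
SAMPLE = [
    "Access denied for user 'shop'@'198.51.100.7' (using password: YES)",
    "Access denied for user 'root'@'203.0.113.9' (using password: YES)",
    "Access denied for user 'shop'@'198.51.100.7' (using password: YES)",
    "Access denied for user 'backup'@'192.0.2.44' (using password: NO)",
    "Access denied for user 'shop'@'198.51.100.7' (using password: YES)",
    "Access denied for user 'root'@'203.0.113.9' (using password: YES)",
    "mysqld: ready for connections.",
]

if __name__ == "__main__":
    print("\n".join(daily_summary(*evaluate(SAMPLE))))
```

Comparing the summary against the actual firewall rule or deny list each day shows any IP that was reported as added but is missing.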

virmix
Posts: 53
Joined: Tue Nov 10, 2015 12:12 am

Re: Automatically Add Hackers to Firewall Block Rule

Post by virmix » Fri Nov 20, 2020 10:26 am

Change the param from 0 to 1 in the config file:
<add key="log" value="1"/>

See if the folder LOGS exists. Inside you can see all IPs blocked and the rule (every day):
<add key="logsubfolder" value="LOGS"/>

It is possible you can see the IP blocked in the firewall base; you can check the right rule. For example, the app creates a separate rule for any service (SMTP, IMAP, POP, FTP) and others for Country IP and Possible BOT.


<add key="enableSMTP-Port" value="25,993,587"/>
<add key="enableIMAP-Port" value="143,993"/>
<add key="enablePOP-Port" value="110,995"/>
<add key="enableFTP-Port" value="21"/>
<add key="black_list_country" value="CN,KZ,IN,RU"/>


Use the app Firewall Manager to easily check every rule and get the list of IPs (click on the column NIP).
