Automatically Add Hackers to Firewall Block Rule

Discussion for developers using MailEnable.
akeilox
Posts: 5
Joined: Sun Feb 26, 2017 8:44 am

Re: Automatically Add Hackers to Firewall Block Rule

Post by akeilox » Mon Sep 14, 2020 5:56 am

Hi @virmix can you share the source for the IPBan.exe only ? Like the first post in this thread I was customizing Log type and reading for locating the failed login attempts, and wish to customize the logic if possible.

Would be much appreciated.

virmix
Posts: 50
Joined: Tue Nov 10, 2015 12:12 am

Re: Automatically Add Hackers to Firewall Block Rule

Post by virmix » Thu Sep 17, 2020 12:38 pm

akeilox wrote:
Mon Sep 14, 2020 5:56 am
Hi @virmix can you share the source for the IPBan.exe only ? Like the first post in this thread I was customizing Log type and reading for locating the failed login attempts, and wish to customize the logic if possible.

Would be much appreciated.
Sorry , the code is not a copy of original post , use an other old source code.
If you need any change I can change it for you.

The new version have new log information, like rule name and customer failed before fan.

See file .config for example the Group MySql:

That rule block ip if fail more of 2 login and block if one login fail and use username root or admin.

The new node was : Name,FailedBeforeBan,RegexUser

Code: Select all

 <Group>
	<Name>MySQL</Name>
        <Keywords>0x80000000000000</Keywords>
        <Path>Application</Path>
	<FailedBeforeBan>2</FailedBeforeBan>
        <Expressions>
          <Expression>
            <XPath>//Provider[@Name='MySQL']</XPath>
            <Regex></Regex>
          </Expression>
          <Expression>
            <XPath>//Data</XPath>
            <Regex>
              <![CDATA[
                Access denied for user .*?'@'(?<ipaddress>.*?)'
              ]]>
            </Regex>
            <RegexUser>'root','admin'</RegexUser>
          </Expression>
        </Expressions>
      </Group>
If not use FailedBeforeBan into group, the software take the the default settings

Code: Select all

 <add key="FailedLoginAttemptsBeforeBan" value="4" />

Post Reply