Hi @virmix, can you share the source for IPBan.exe only? Like the first post in this thread, I was customizing the log type and reading for locating the failed login attempts, and wish to customize the logic if possible.
It would be much appreciated.
Automatically Add Hackers to Firewall Block Rule
Re: Automatically Add Hackers to Firewall Block Rule
Sorry, the code is not a copy of the original post; it uses another old source code.
If you need any change I can change it for you.
The new version has new log information, like rule name and custom failed before ban.
See the .config file, for example the group MySQL:
That rule blocks the IP if it fails more than 2 logins, and blocks if one login fails and uses the username root or admin.
The new nodes are: Name, FailedBeforeBan, RegexUser
Code:
<Group>
  <Name>MySQL</Name>
  <Keywords>0x80000000000000</Keywords>
  <Path>Application</Path>
  <FailedBeforeBan>2</FailedBeforeBan>
  <Expressions>
    <Expression>
      <XPath>//Provider[@Name='MySQL']</XPath>
      <Regex></Regex>
    </Expression>
    <Expression>
      <XPath>//Data</XPath>
      <Regex>
        <![CDATA[
          Access denied for user .*?'@'(?<ipaddress>.*?)'
        ]]>
      </Regex>
      <RegexUser>'root','admin'</RegexUser>
    </Expression>
  </Expressions>
</Group>
Code:
<add key="FailedLoginAttemptsBeforeBan" value="4" />
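Added example, not part of the original posts and not the tool's own code: a Python sketch of the decision the MySQL group above describes, run over constructed event messages. It assumes a ban triggers once failures exceed FailedBeforeBan, that RegexUser is a list of usernames that ban on the first failure, and it adds a "user" capture group and an IP validity check that are not in the posted config.

```python
import ipaddress
import re
from collections import Counter

# Python spelling of the group's <Regex>; .NET writes the group as (?<ipaddress>...).
# The "user" group is an addition for this sketch.
ACCESS_DENIED = re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<ipaddress>[^']*)'")

FAILED_BEFORE_BAN = 2                  # <FailedBeforeBan> in the MySQL group
INSTANT_BAN_USERS = {"root", "admin"}  # names listed in <RegexUser>


def ips_to_ban(messages, failed_before_ban=FAILED_BEFORE_BAN, instant_users=INSTANT_BAN_USERS):
    """Return {ip: reason} for the sources the rule would block."""
    failures = Counter()
    banned = {}
    for msg in messages:
        m = ACCESS_DENIED.search(msg)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group("ipaddress")))
        except ValueError:
            continue  # MySQL can log a hostname such as 'localhost'; never pass that to the firewall
        if ip in banned:
            continue
        failures[ip] += 1
        if m.group("user").lower() in instant_users:
            banned[ip] = "privileged username"      # one failure is enough
        elif failures[ip] > failed_before_ban:
            banned[ip] = "too many failures"
    return banned


# Constructed sample event messages (documentation address ranges).
SAMPLE = [
    "Access denied for user 'root'@'203.0.113.10' (using password: YES)",
    "Access denied for user 'shop'@'198.51.100.7' (using password: YES)",
    "Access denied for user 'shop'@'198.51.100.7' (using password: YES)",
    "Access denied for user 'shop'@'198.51.100.7' (using password: NO)",
    "Access denied for user 'web'@'192.0.2.44' (using password: YES)",
    "Access denied for user 'admin'@'localhost' (using password: YES)",
]

if __name__ == "__main__":
    for ip, reason in ips_to_ban(SAMPLE).items():
        print(ip, reason)
```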
Re: Automatically Add Hackers to Firewall Block Rule
Thank you for the reply @virmix
I did modify a very old VB code to C# a long time ago, and added a Daily Email Summary at the end of the day to keep an eye on:
- List of IPs blocked today
- How many times each IP attempted to login
like 1.2.3.4 5 attempts
This would then give me an idea of attacks on the mailserver, whether it's targeted or pinging.
I did add the IPs to the MailEnable Deny tab file via the API and noticed most of the time it returns Success as added but does not add the IP, which I had to go back and add manually.
Not sure what got changed since then, but if you can add such a feature or share the script I can make these changes.
Re: Automatically Add Hackers to Firewall Block Rule
Change the param from 0 to 1 in the config file
<add key="log" value="1"/>
See if the folder LOGS exists. Inside you can see all blocked IPs and the rule (every day)
<add key="logsubfolder" value="LOGS"/>
It is possible you can see the IP blocked in the firewall base; you can check the right rule. For example, the app creates a separate rule for any service (SMTP, IMAP, POP, FTP) and others for Country IP and Possible BOT.
<add key="enableSMTP-Port" value="25,993,587"/>
<add key="enableIMAP-Port" value="143,993"/>
<add key="enablePOP-Port" value="110,995"/>
<add key="enableFTP-Port" value="21"/>
<add key="black_list_country" value="CN,KZ,IN,RU"/>
Use the Firewall Manager app to easily check every rule and get the list of IPs (click on the column NIP)
Re: Automatically Add Hackers to Firewall Block Rule
Can you send us the link to your new software please
akeilox wrote: Mon Aug 19, 2019 8:55 am
Hi Consulteware
I have just stumbled on your post, are you adding the IPs to the DENY tab file or to Windows Firewall?
Can you share a bit more on how the application works, and will you be sharing the application with the community? I'm running the Standard version, and interested to give it a spin.
My ultimate goal was to check the IPs against AbuseIpDb and add them to Windows Firewall if they were listed there before, like in https://www.hmailserver.com/forum/viewtopic.php?t=32739
But I was not sure how to go about it. Your implementation looks good.
Consulteware wrote: Fri Aug 16, 2019 6:00 pm
Is this what everybody needs?
Soon the application will be available to work with.