Automatically Add Hackers to Firewall Block Rule

Discussion for developers using MailEnable.
akeilox
Posts: 6
Joined: Sun Feb 26, 2017 8:44 am

Re: Automatically Add Hackers to Firewall Block Rule

Post by akeilox » Mon Sep 14, 2020 5:56 am

Hi @virmix, can you share the source for the IPBan.exe only? Like the first post in this thread, I was customizing the log type and reading for locating the failed login attempts, and wish to customize the logic if possible.

Would be much appreciated.

virmix
Posts: 53
Joined: Tue Nov 10, 2015 12:12 am

Re: Automatically Add Hackers to Firewall Block Rule

Post by virmix » Thu Sep 17, 2020 12:38 pm

akeilox wrote:
Mon Sep 14, 2020 5:56 am
Hi @virmix, can you share the source for the IPBan.exe only? Like the first post in this thread, I was customizing the log type and reading for locating the failed login attempts, and wish to customize the logic if possible.

Would be much appreciated.
Sorry, the code is not a copy of the original post; it uses another old source code.
If you need any change, I can change it for you.

The new version has new log information, like the rule name and custom failed before ban.

See the .config file, for example the MySQL group:

That rule blocks the IP if more than 2 logins fail, and blocks if one login fails and uses the username root or admin.

The new nodes are: Name, FailedBeforeBan, RegexUser

<Group>
  <Name>MySQL</Name>
  <Keywords>0x80000000000000</Keywords>
  <Path>Application</Path>
  <!-- Per-group threshold; replaces the default FailedLoginAttemptsBeforeBan -->
  <FailedBeforeBan>2</FailedBeforeBan>
  <Expressions>
    <Expression>
      <XPath>//Provider[@Name='MySQL']</XPath>
      <Regex></Regex>
    </Expression>
    <Expression>
      <XPath>//Data</XPath>
      <Regex>
        <![CDATA[
          Access denied for user .*?'@'(?<ipaddress>.*?)'
        ]]>
      </Regex>
      <!-- One failed login with any of these usernames is enough to block -->
      <RegexUser>'root','admin'</RegexUser>
    </Expression>
  </Expressions>
</Group>
If FailedBeforeBan is not used in the group, the software takes the default settings:

 <add key="FailedLoginAttemptsBeforeBan" value="4" />
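
The MySQL group rule from the post above, worked through in Python as an added example (not IPBan's or virmix's code). It reads "more than 2" as banning on the third failure, rejects captured hosts that are not IP addresses, and skips loopback; the function names and the sample event messages are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# .NET writes named groups as (?<ipaddress>...); Python needs (?P<ipaddress>...).
# The user group is greedy so the host is taken from the last 'user'@'host'
# pair in the message: the user name is client-supplied text.
DENIED = re.compile(r"Access denied for user '(?P<user>.*)'@'(?P<ipaddress>[^']*)'")

FAILED_BEFORE_BAN = 2                  # <FailedBeforeBan> in the MySQL group
INSTANT_BAN_USERS = {"root", "admin"}  # <RegexUser> in the MySQL group

# Constructed sample event messages (documentation address ranges).
SAMPLE = [
    "Access denied for user 'app'@'203.0.113.10' (using password: YES)",
    "Access denied for user 'app'@'203.0.113.10' (using password: YES)",
    "Access denied for user 'root'@'198.51.100.7' (using password: YES)",
    "Access denied for user 'app'@'localhost' (using password: NO)",
    "Access denied for user 'app'@'203.0.113.10' (using password: YES)",
    "Access denied for user 'web'@'192.0.2.44' (using password: YES)",
]


def parse_failure(message):
    """Return (user, ip) for a failed login, or None if it must be ignored."""
    m = DENIED.search(message)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ipaddress"))
    except ValueError:
        return None  # a host name such as 'localhost', not an address
    if ip.is_loopback:
        return None  # assumption: never block the server itself
    return m.group("user"), str(ip)


def ips_to_ban(messages, threshold=FAILED_BEFORE_BAN):
    """Apply the rule from the post; return banned addresses in ban order."""
    failures = Counter()
    banned = []
    for message in messages:
        parsed = parse_failure(message)
        if parsed is None:
            continue
        user, ip = parsed
        failures[ip] += 1
        hit = user.lower() in INSTANT_BAN_USERS or failures[ip] > threshold
        if hit and ip not in banned:
            banned.append(ip)
    return banned
```

Validating the captured value matters because the original `.*?` capture accepts any text between the quotes, and only a real address belongs in a firewall rule.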

akeilox
Posts: 6
Joined: Sun Feb 26, 2017 8:44 am

Re: Automatically Add Hackers to Firewall Block Rule

Post by akeilox » Tue Nov 03, 2020 5:07 am

Thank you for the reply @virmix

I did modify a very old VB code to C# a long time ago, and added a Daily Email Summary at the end of the day to keep an eye on
- List of IPs blocked today
- How many times each IP attempted to login

like 1.2.3.4 5 attempts

This would then give me an idea of attacks on the mail server, whether it's targeted or pinging.

I did add the IPs to the MailEnable Deny tab file via the API and noticed that most of the time it returns Success as added but does not add the IP, which I had to go back and add manually.

Not sure what got changed since then, but if you can add such a feature or share the script I can make these changes.

virmix
Posts: 53
Joined: Tue Nov 10, 2015 12:12 am

Re: Automatically Add Hackers to Firewall Block Rule

Post by virmix » Fri Nov 20, 2020 10:26 am

Change the param from 0 to 1 in the config file:
<add key="log" value="1"/>

See if the folder LOGS exists. Inside you can see all the blocked IPs and the rule (every day):
<add key="logsubfolder" value="LOGS"/>

It is possible you can see the IP blocked in the firewall, where you can check the right rule. For example, the app creates a separate rule for each service (SMTP, IMAP, POP, FTP) and others for Country IP and Possible BOT.


<add key="enableSMTP-Port" value="25,993,587"/>
<add key="enableIMAP-Port" value="143,993"/>
<add key="enablePOP-Port" value="110,995"/>
<add key="enableFTP-Port" value="21"/>
<add key="black_list_country" value="CN,KZ,IN,RU"/>


Use the Firewall Manager app to easily check every rule and get the list of IPs (click on the column NIP).

jrecho1
Posts: 2
Joined: Tue Dec 15, 2020 12:49 am

Re: Automatically Add Hackers to Firewall Block Rule

Post by jrecho1 » Tue Dec 15, 2020 12:52 am

I downloaded IPBan and noticed that it only added 1 IP in 2 weeks, while in MailEnable I see many IPs blocked. Is there any way to have it add those to the Windows firewall? Or does someone have a solution, please?

jrecho1
Posts: 2
Joined: Tue Dec 15, 2020 12:49 am

Re: Automatically Add Hackers to Firewall Block Rule

Post by jrecho1 » Tue Dec 15, 2020 12:57 am

akeilox wrote:
Mon Aug 19, 2019 8:55 am
Hi Consulteware

I have just stumbled on your post, are you adding the IPs to the DENY tab file or to windows firewall?

Can you share a bit more on how application works, and will you be sharing the application with the community? I'm running Standard version, and interested to give it a spin.

My ultimate goal was to check the Ips against AbuseIpDb and add them to windows firewall if they were listed there before, like in https://www.hmailserver.com/forum/viewtopic.php?t=32739

But was not sure how to go about it. Your implementation looks good.

Consulteware wrote:
Fri Aug 16, 2019 6:00 pm
Is this what everybody needs?
Soon it Will be available the application to work with.
Can you send us the link to your new software, please?

adz
Posts: 18
Joined: Wed Jul 16, 2014 5:20 am

Re: Automatically Add Hackers to Firewall Block Rule

Post by adz » Thu Mar 04, 2021 3:37 am

For those with this problem, another option that might be worth investigating - https://itefix.net/win2ban or https://github.com/DigitalRuby/IPBan

I am yet to use/trial this and would appreciate any comments from those who know more than me. IPBan seems OK.

Update: IPBan is already configured for MailEnable SMTP logging - see ipban.config. Sorry about the duplicate.
