I am thinking that this should not be allowed

[DrmCa]

This spammer is essentially DDOSing my server. I only noticed because I tried to load this log file into a database and it failed due to the primary key violation. Good thing it did because otherwise I would not have known.

Code: Select all

"DEBUG"	7332	"2020-12-21 13:46:17.037"	"Client connection from 216.118.251.2 was not accepted. Blocked either by IP range or by connection limit."
"DEBUG"	7332	"2020-12-21 13:46:17.037"	"Ending session 38870"
"DEBUG"	7332	"2020-12-21 13:46:17.037"	"Creating session 38938"
"TCPIP"	7332	"2020-12-21 13:46:17.037"	"TCP - 216.118.251.2 connected to 192.168.1.3:110."
"DEBUG"	7332	"2020-12-21 13:46:17.037"	"Client connection from 216.118.251.2 was not accepted. Blocked either by IP range or by connection limit."
"DEBUG"	7332	"2020-12-21 13:46:17.037"	"Ending session 38937"

They managed to get another connection attempt within the same millisecond. If hMailServer knows to bounce them, it should not be instantaneous. There should be some cooling off period.

[SorenR]

This spammer is essentially DDOSing my server. I only noticed because I tried to load this log file into a database and it failed due to the primary key violation. Good thing it did because otherwise I would not have known.

Code: Select all

"DEBUG"	7332	"2020-12-21 13:46:17.037"	"Client connection from 216.118.251.2 was not accepted. Blocked either by IP range or by connection limit."
"DEBUG"	7332	"2020-12-21 13:46:17.037"	"Ending session 38870"
"DEBUG"	7332	"2020-12-21 13:46:17.037"	"Creating session 38938"
"TCPIP"	7332	"2020-12-21 13:46:17.037"	"TCP - 216.118.251.2 connected to 192.168.1.3:110."
"DEBUG"	7332	"2020-12-21 13:46:17.037"	"Client connection from 216.118.251.2 was not accepted. Blocked either by IP range or by connection limit."
"DEBUG"	7332	"2020-12-21 13:46:17.037"	"Ending session 38937"

They managed to get another connection attempt within the same millisecond. If hMailServer knows to bounce them, it should not be instantaneous. There should be some cooling off period.

Do some searching on the forum... I made an IDS scripting with a database and an external handler run by scheduler and Palinka wrapped his Firewall control around it. It's all there if you search

[RvdH]

This spammer is essentially DDOSing my server. I only noticed because I tried to load this log file into a database and it failed due to the primary key violation. Good thing it did because otherwise I would not have known.

Code: Select all

"DEBUG"	7332	"2020-12-21 13:46:17.037"	"Client connection from 216.118.251.2 was not accepted. Blocked either by IP range or by connection limit."
"DEBUG"	7332	"2020-12-21 13:46:17.037"	"Ending session 38870"
"DEBUG"	7332	"2020-12-21 13:46:17.037"	"Creating session 38938"
"TCPIP"	7332	"2020-12-21 13:46:17.037"	"TCP - 216.118.251.2 connected to 192.168.1.3:110."
"DEBUG"	7332	"2020-12-21 13:46:17.037"	"Client connection from 216.118.251.2 was not accepted. Blocked either by IP range or by connection limit."
"DEBUG"	7332	"2020-12-21 13:46:17.037"	"Ending session 38937"

They managed to get another connection attempt within the same millisecond. If hMailServer knows to bounce them, it should not be instantaneous. There should be some cooling off period.

Do some searching on the forum... I made an IDS scripting with a database and an external handler run by scheduler and Palinka wrapped his Firewall control around it. It's all there if you search

How does that help him with simultaneous connections like this?

@DrmCa
Force disconnect (all instances) of that IP after 1st ban
https://www.hmailserver.com/forum/viewt ... 67#p206167
https://www.hmailserver.com/forum/viewt ... 42#p206842

[SorenR]

IIRC one of the versions of IDS had my AutoBan "Disconnect" function that is using CPorts https://www.nirsoft.net/utils/cports.html to disconnect all connections fron one IP address in one go.

OTOH if using Palinka's edition the IP address is blocked in firewall... Should be pretty terminal for the bot

[RvdH]

OTOH if using Palinka's edition the IP address is blocked in firewall... Should be pretty terminal for the bot

Even then simultaneous connections are possible before they get banned on firewall level

@DrmCa

Be warned, disconnect.exe or CPorts, will kill all instances of that ip...also the ones connected to other services, use with caution

[SorenR]

OTOH if using Palinka's edition the IP address is blocked in firewall... Should be pretty terminal for the bot

Even then simultaneous connections are possible before they get banned on firewall level

@DrmCa

Be warned, disconnect.exe or CPorts, will kill all instances of that ip...also the ones connected to other services, use with caution

Well... On my server it's 3 strikes and you are out! I run a 180 minute moving window - any SMTP connect not sending an email count.

Actually, with all my "weird stuff" in Eventhandlers.vbs I have switched off the built in AutoBan. It was not flexible enough for my use.

My own AutoBan is now banning two servers simultaneously using a homebrew of a RESTful API and it works both ways between the two servers.

I have two Internet connections and this is a quick and dirty solution to be able to send and receiveon both without using an intermediate router - which I may end up installing anyways from a network perspective.

[jim.bus]

I don't know if this would work in this situation but my ASUS Router Firewall has a Denial Of Service (DOS) function built into the Router Firmware. If it would work then perhaps he should confirm if his Router has a similar DOS Function.

[SorenR]

Not sure Routers can do Layer 7 DDOS protection... Most common are Layer 3 and Layer 4 like TCP-SYN floods, UDP
floods, and ICMP attacks.

https://blog.radware.com/security/2016/ ... ive-apdos/

Actually, poking around the Interweb I came across this reply to a basic question about DDOS protection for SMTP ...
.

One of the difficulties in securing SMTP lies in the protocol itself, specifically the admonitions in RFC 5321 which give proscriptions on timing out a session. A faithful implementation provides no facility for timing a session out. Ideally one would want to ignore those recommendations, and set a session timeout for the mail session. This will prevent for example any attacks where long delays are used to send data character by character with large mail sizes. For example if you have a mail server with a 10MB mail size limit, it is fairly easy to write a script which delivers a fake mail to your server and writes a Lorem Ipsum message, one character at a time up to the 10MB limit, but delaying each character by 1 - 2 minutes. Theoretically without a session limit such a mail session could run around 10 million minutes. So now run a script that simply starts bots that do this from hundreds of places on the web, and pretty soon the bots will have all your connections tied up (assuming you have connection limits, or are using a connection pool).

Ideally, one would set up a timer from the time the DATA command was issued to the time that the "CRLF . CRLF" was issued. Something like 5 minutes or so for the whole data to transmit should be reasonable. And violate the RFC and simply drop the connection if it exceeds that timeout. Well behaved clients will never come close to that limit and even people using the command line terminal ought to be able to send data within that time frame presuming they know how to type.

A read-worthy document:
https://www.crysys.hu/publications/file ... R07cts.pdf

It turns out my server is reasonably safe. I do not allow sending or relaying mail without authentication. Authentication is limited to Danish realms via GEOIP. SMTP connections not resulting in emails are banned. Firewall ban would be preferred but server is W2K3 Server R2 and that firewall sux

So, I'll leave the Layer 3 and Layer 4 DDOS to the routers.

[SorenR]

Check out section 7...

https://resources.infosecinstitute.com/ ... ing-tools/

[jim.bus]

Not sure Routers can do Layer 7 DDOS protection... Most common are Layer 3 and Layer 4 like TCP-SYN floods, UDP
floods, and ICMP attacks.

To your point, my ASUS Router (RT-AC5300) specifies it protects for DoS not DDoS attacks.

[SorenR]

Not sure Routers can do Layer 7 DDOS protection... Most common are Layer 3 and Layer 4 like TCP-SYN floods, UDP
floods, and ICMP attacks.

To your point, my ASUS Router (RT-AC5300) specifies it protects for DoS not DDoS attacks.

DoS is Denial of Service, DDoS is Distributed Denial of Service AKA more than one mother f....

[palinka]

Be warned, disconnect.exe or CPorts, will kill all instances of that ip...also the ones connected to other services, use with caution

Yep. Bad idea to use it on localhost.

(Ask me how I know. Nah, don't ask! )

[palinka]

Do some searching on the forum... I made an IDS scripting with a database and an external handler run by scheduler

Can attest! This IDS is both simple and brilliant.

[DrmCa]

The algorithm should be very simple: if the server determines that there is a rule that bans this IP, do not return right away and wait for X number of milliseconds instead. This would slow down their hacking rate many times.

[SorenR]

The algorithm should be very simple: if the server determines that there is a rule that bans this IP, do not return right away and wait for X number of milliseconds instead. This would slow down their hacking rate many times.

hMailServer 5.6.8 ... hMailServer.ini
[Settings]
BlockedIPHoldSeconds=10
; Number of seconds to wait before dropping the connection of an IP range banned IP
; Default is 0 or disabled if not defined

[SorenR]

Ideally, one would set up a timer from the time the DATA command was issued to the time that the "CRLF . CRLF" was issued. Something like 5 minutes or so for the whole data to transmit should be reasonable. And violate the RFC and simply drop the connection if it exceeds that timeout. Well behaved clients will never come close to that limit and even people using the command line terminal ought to be able to send data within that time frame presuming they know how to type.

Poking around the 5.6.8 sourcecode I found this in the [settings] section of the hmailserver.ini:

;SMTPCMinTimeout=90
; 30 seconds is default

;SMTPCMaxTimeout=600
; 600 seconds is default

My server got

SMTPCMaxTimeout=120

That's 2 minutes ...

[DrmCa]

I did not know that .INI file was a thing and only ever used the Amin UI.
I guess they are creating multiple simultaneous connections from the same IP then. Can this be blocked too?

[jimimaseye]

Ideally, one would set up a timer from the time the DATA command was issued to the time that the "CRLF . CRLF" was issued. Something like 5 minutes or so for the whole data to transmit should be reasonable. And violate the RFC and simply drop the connection if it exceeds that timeout. Well behaved clients will never come close to that limit and even people using the command line terminal ought to be able to send data within that time frame presuming they know how to type.

Poking around the 5.6.8 sourcecode I found this in the [settings] section of the hmailserver.ini:

;SMTPCMinTimeout=90
; 30 seconds is default

;SMTPCMaxTimeout=600
; 600 seconds is default

My server got

SMTPCMaxTimeout=120

That's 2 minutes ...

As listed here: https://www.hmailserver.com/forum/viewt ... 10&t=30900

[Entered by mobile. Excuse my spelling.]

[SorenR]

Even then simultaneous connections are possible before they get banned on firewall level

@DrmCa

Be warned, disconnect.exe or CPorts, will kill all instances of that ip...also the ones connected to other services, use with caution

Well... On my server it's 3 strikes and you are out! I run a 180 minute moving window - any SMTP connect not sending an email count.

Actually, with all my "weird stuff" in Eventhandlers.vbs I have switched off the built in AutoBan. It was not flexible enough for my use.

Just remembered ... I modified my IDS to include ALL ports and ALL protocols ... SMTP not sending email x3 = BAN, POP3/IMAP not authenticating x3 = BAN.

Yeah I know ... Too much wine/glögg/moonshine

Yuletide begins at December 21'st and ends January 1'st and is in its simplicity an eating and drinking orxx... nah ... feast.

[jimimaseye]

*hic*

Yep.

*hic*

[palinka]

Just remembered ... I modified my IDS to include ALL ports and ALL protocols ... SMTP not sending email x3 = BAN, POP3/IMAP not authenticating x3 = BAN.

I noticed that its botnets that try guessing passwords and because I collect statistics on my firewall ban project, its a rare occasion indeed that a bot returns. These botnets are YUUUUGE.

[SorenR]

Just remembered ... I modified my IDS to include ALL ports and ALL protocols ... SMTP not sending email x3 = BAN, POP3/IMAP not authenticating x3 = BAN.

I noticed that its botnets that try guessing passwords and because I collect statistics on my firewall ban project, its a rare occasion indeed that a bot returns. These botnets are YUUUUGE.

Well, if a BOT tries to authenticate outside the Danish realm it is a guaranteed instant BAN on my system.

One of the reasons I modified "OnClientLogon" to show passwords was to trace BOT's based on the idea that IF the BOT is using a hacked password it would be the same every time... I am seeing a mix of BOT's pairing accounts with passwords and BOT's appearing to have a list a mile long.

I have found one or two accounts that had their password changed in the neck of time... https://haveibeenpwned.com/ is a useful source

They have a neat API https://haveibeenpwned.com/API/v3 that I just might find some use for as I do get to see every password on my system eventually
One use could be to let the account know when and if their password has become unsafe

[mattg]

One use could be to let the account know when and if their password has become unsafe

Google is doing this

In chrome, go to settings >> passwords and they will show you any username / password combos that are unsafe. I assume from the same list