Blocking IP's
Is it possible to programmatically add IP's to the list of IP's on the autoban list which hmailserver maintains of excessive logins?
Although I drop bad IP's on the OnEHLO event in VBScript, that does not stop them coming, and last week I had 8000+ attempts in one day, basically mailbombing my server.
It seems any response from the server encourages it to continue.
Re: Blocking IP's
jimwatt wrote: ↑2023-05-19 14:00
Is it possible to programmatically add IP's to the list of IP's on the autoban list which hmailserver maintains of excessive logins?
Although I drop bad IP's on the OnEHLO event in VBScript, that does not stop them coming, and last week I had 8000+ attempts in one day, basically mailbombing my server.
It seems any response from the server encourages it to continue.

take a look at this:
palinka wrote:
https://hmailserver.com/forum/viewtopic.php?f=9&t=34082
lets cheat darwin out of his legacy, find a cure for cancer...
Re: Blocking IP's
Interesting but not what I want to do.
The attraction of the hMailserver IP blocking is that it auto expires.
Re: Blocking IP's
Try this.
Code:
    Private Const hMSPASSWORD = "supersecretpassword"

    ' Opens (or creates) strPath for appending and returns the open file, which
    ' serves as a lock. Error 70 (permission denied) means another script holds
    ' the file, so the open is retried with Wait(1) between attempts.
    ' Wait() is not defined in this snippet and must exist elsewhere in
    ' EventHandlers.vbs.
    Function LockFile(strPath)
        Const Append = 8
        Const Unicode = -1
        Dim i
        On Error Resume Next
        With CreateObject("Scripting.FileSystemObject")
            For i = 0 To 30
                Err.Clear
                Set LockFile = .OpenTextFile(strPath, Append, True, Unicode)
                If (Not Err.Number = 70) Then Exit For
                Wait(1)
            Next
        End With
        If (Err.Number = 70) Then
            EventLog.Write( "ERROR: EventHandlers.vbs" )
            EventLog.Write( "File " & strPath & " is locked and timeout was exceeded." )
            Err.Clear
        ElseIf (Err.Number <> 0) Then
            EventLog.Write( "ERROR: EventHandlers.vbs : Function LockFile" )
            EventLog.Write( "Error       : " & Err.Number )
            EventLog.Write( "Error (hex) : 0x" & Hex(Err.Number) )
            EventLog.Write( "Source      : " & Err.Source )
            EventLog.Write( "Description : " & Err.Description )
            Err.Clear
        End If
        On Error Goto 0
    End Function

    Function AutoBan(sIPAddress, sReason, iDuration, sType) : AutoBan = False
        '
        ' sType can be one of the following;
        ' "yyyy" Year, "m" Month, "d" Day, "h" Hour, "n" Minute, "s" Second
        '
        ' TEMPDIR is not defined in this snippet; it must be set elsewhere in
        ' EventHandlers.vbs.
        '
        Dim oApp : Set oApp = CreateObject("hMailServer.Application")
        Call oApp.Authenticate("Administrator", hMSPASSWORD)
        ' Hold the lock file while the range list is checked and updated.
        With LockFile(TEMPDIR & "\autoban.lck")
            On Error Resume Next
            Dim oSecurityRange : Set oSecurityRange = oApp.Settings.SecurityRanges.ItemByName("(" & sReason & ") " & sIPAddress)
            ' Err.Number = 9 is treated as "no range with this name yet".
            If Err.Number = 9 Then
                With oApp.Settings.SecurityRanges.Add
                    .Name = "(" & sReason & ") " & sIPAddress
                    .LowerIP = sIPAddress
                    .UpperIP = sIPAddress
                    .Priority = 20
                    .Expires = True
                    .ExpiresTime = DateAdd(sType, iDuration, Now())
                    .Save
                End With
                AutoBan = True
            End If
            On Error Goto 0
            .Close
        End With
        Set oApp = Nothing
    End Function

    Sub WhateverYourReasoning(oMessage, oClient, whateverElse)
        '
        ' Your criteria for autobanning
        '
        Call AutoBan(oClient.IPAddress, "Your reason for autobanning - " & oClient.IPAddress, 1, "h")
    End Sub
Re: Blocking IP's
We have different approaches to the matter
SQL statement is compatible with MySQL and MariaDB.
This is an example of how I use it... (includes additional undocumented function calls)
Code:
    Function AutoBan(sIPAddress, sReason, iDuration, sType) : AutoBan = False
        '
        ' sType can be one of the following;
        ' "yyyy" Year, "m" Month, "d" Day, "h" Hour, "n" Minute, "s" Second
        '
        ' ADMIN and PASSWORD are constants defined elsewhere in the script.
        ' sIPAddress and sReason are concatenated straight into the SQL text,
        ' so both must come from the script itself, never from client-supplied
        ' strings. strDate takes the locale's date format and has to match the
        ' STR_TO_DATE pattern below (dd-mm-yyyy hh:mm:ss).
        '
        Dim oApp : Set oApp = CreateObject("hMailServer.Application")
        Call oApp.Authenticate(ADMIN, PASSWORD)
        Dim iUniqueID, strSQL, strDate, SQLDate, oDB : Set oDB = oApp.Database
        strDate = DateAdd(sType, iDuration, Now())
        strSQL = "INSERT INTO hm_securityranges (rangepriorityid, rangelowerip1, rangeupperip1, rangeoptions, rangename, rangeexpires, rangeexpirestime)" & _
                 " VALUES (20, INET_ATON('" & sIPAddress & "'), INET_ATON('" & sIPAddress & "'), 0, '(" & sReason & ") " & sIPAddress & "', 1, STR_TO_DATE('" & strDate & "', '%d-%m-%Y %H:%i:%s'))" & _
                 " ON DUPLICATE KEY UPDATE rangeexpirestime = STR_TO_DATE('" & strDate & "', '%d-%m-%Y %H:%i:%s');"
        iUniqueID = oDB.ExecuteSQLWithReturn(strSQL)
        If iUniqueID > 0 Then AutoBan = True
        ' Reload the security ranges so the new row takes effect.
        oApp.Settings.SecurityRanges.Refresh
        Set oApp = Nothing
        If Result.Value < 1 Then Result.Value = 1
    End Function

Code:
    If AutoBan(oClient.IPAddress, "GEO Blocked " & strGeo & " " & strPort, 48, "h") Then EventLog.Write( LPad("GEO Blocked", 15, " ") & vbTab & LPad(oClient.IPAddress, 16, " ") & vbTab & LPad(oClient.Port, 3, " ") & vbTab & strGeo )
SørenR.
To understand recursion, you must first understand recursion.
Re: Blocking IP's
If you are using IPV6 (INET6_ATON/INET6_NTOA) you will need to change the SQL statement. As it is now it is IPV4 only.
SørenR.
To understand recursion, you must first understand recursion.
Re: Blocking IP's
This is my current method.
jimwatt wrote: ↑2023-05-19 14:00
Is it possible to programmatically add IP's to the list of IP's on the autoban list which hmailserver maintains of excessive logins?
Although I drop bad IP's on the OnEHLO event in VBScript, that does not stop them coming, and last week I had 8000+ attempts in one day, basically mailbombing my server.
It seems any response from the server encourages it to continue.

This gets called multiple times through my eventhandlers.vbs, and it can also get called stand alone.
I think it works on IPv6 addresses, but I'm not certain.
I have around 1000 banned IP addresses at any one point in time, mostly for a week at a time
Code:
    Sub AutobanIP(IPAddress, NumberOfDays, ReasonForBan)
        'custom event
        'uses functions: CreateGUID (not included in this snippet)
        'uses globals: g_sAdminPassword
        EventLog.Write("Autoban IP Address started for IP = " & IPAddress & " For " & NumberofDays & " days for reason " & Reasonforban)
        Dim oApp
        Set oApp = CreateObject("hMailServer.Application")
        ' Give this script permission to access all
        ' hMailServer settings.
        Call oApp.Authenticate("Administrator", g_sAdminPassword)
        Dim i
        On Error Resume next
        ' Leave early if a range already starts at this address.
        For i = 0 To oApp.Settings.SecurityRanges.Count -1
            If IPAddress = oApp.Settings.SecurityRanges.Item(i).LowerIP Then Exit sub
        Next
        If (Err.Number <> 0) Then
            EventLog.Write("ERROR: EventHandlers.vbs : Function AutoBanIP")
            EventLog.Write("Error       : " & Err.Number)
            EventLog.Write("Source      : " & Err.Source)
            EventLog.Write("Description : " & Err.Description)
            Err.Clear
        End If
        On Error Goto 0
        EventLog.Write("Autoban IP range being set for IP Address " & IPAddress)
        oApp.Settings.SecurityRanges.Refresh
        ' Add a single-address range that denies all traffic and expires
        ' after NumberOfDays days.
        With oApp.Settings.SecurityRanges.Add()
            .lowerip = ipaddress
            .upperip = ipaddress
            .priority = 20
            .allowdeliveryfromlocaltolocal = False
            .allowdeliveryfromlocaltoremote = False
            .allowdeliveryfromremotetolocal = False
            .allowdeliveryfromremotetoremote = False
            .allowimapconnections = False
            .allowsmtpconnections = False
            .allowpop3connections = False
            .expires = True
            .ExpiresTime = DateAdd("d", NumberOfDays, Now())
            .name = ReasonForBan & " - banned for " & NumberOfDays & " days - " & ipaddress & "[" & CreateGUID & "]"
            On Error Resume Next
            .save
            If (Err.Number = 0) Then
                EventLog.Write("Autoban IP range saved for IP Address " & IPAddress)
            Else
                EventLog.Write("ERROR: EventHandlers.vbs : Function AutoBanIP - Saving")
                EventLog.Write("Error       : " & Err.Number)
                EventLog.Write("Source      : " & Err.Source)
                EventLog.Write("Description : " & Err.Description)
                Err.Clear
            End If
            On Error Goto 0
        End With
    End Sub
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
Re: Blocking IP's
Thanks, that's the sort of thing I was looking for;
I need to think about concurrency in processing as the attempts were coming in at 12/second.
Although I hold the last bad IP and reject if the same, my system log had 4000 entries like this and it kept on going.
SMTPD – 111 – 147.78.103.140 ?
2023-05-15 07:21:45.400
SENT: 220 myserver ESMTP
2023-05-15 07:21:45.448
RECEIVED: HELO win-clj1b0gq6jp.domain
2023-05-15 07:21:47.600
SENT: 554 Rejected due to listed as spam source, see: http://www.sorbs.net
SMTPD – 112 – 147.78.103.140 ?
2023-05-15 07:21:46.495
SENT: 220 myserver ESMTP
2023-05-15 07:21:46.543
RECEIVED: EHLO win-clj1b0gq6jp.domain
2023-05-15 07:21:47.669
SENT: 554 Rejected
SMTPD – 113 – 147.78.103.140 ?
2023-05-15 07:21:47.593
SENT: 220 myserver ESMTP
2023-05-15 07:21:47.641
RECEIVED: EHLO win-clj1b0gq6jp.domain
2023-05-15 07:21:47.712
SENT: 554 Rejected
Manually firewalling the IP range seems to have solved the problem for the moment.
Re: Blocking IP's
That's why I went from API to DB injection. Don't get me wrong, I did build session locking into my first "Function AutoBan()" using the API but updating the database is just so much safer.
To add to the story, I have two servers and if one server bans an IP address ... so does the other via a simple REST (representational state transfer) API using HTTP (IIS) and PHP.
SørenR.
To understand recursion, you must first understand recursion.
Re: Blocking IP's
Afraid that doesn't work for IPv6, as the values are stored differently, as (big)int values in rangelowerip1, rangelowerip2 and rangeupperip1, rangeupperip2 in the database; not completely sure how that is calculated.
IPv4 doesn't use rangelowerip2 and rangeupperip2.
IPv6 is a 128-bit number, which is too big to stuff into a single BIGINT type; it seems hmailserver splits up a v6 address at the 64-bit boundary and stuffs the two halves into dual BIGINT columns.
For example the IPv6 equivalent for localhost is Lower IP ::1 to Upper IP ::1, in hms database stored as:
rangelowerip1 0
rangelowerip2 1
rangeupperip1 0
rangeupperip2 1
The internet range is Lower IP :: to Upper IP ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
rangelowerip1 0
rangelowerip2 0
rangeupperip1 -1
rangeupperip2 -1
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
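The column layout described in the post above, worked through as an added example (not hMailServer code and not from the original posts). It assumes the split into signed 64-bit halves that the two stored examples imply, and that an IPv4 row leaves the second columns unset, as the INSERT earlier in the thread does; `security_range_columns` is a hypothetical helper name. It goes one step beyond the post by also accepting CIDR ranges, and it rejects anything that is not an address before the value can reach a concatenated SQL string.

```python
import ipaddress

MASK64 = (1 << 64) - 1


def _signed64(value):
    """Reinterpret an unsigned 64-bit value as a signed BIGINT (two's complement)."""
    return value - (1 << 64) if value >= (1 << 63) else value


def _columns(addr):
    """Return (ip1, ip2) for one address, following the layout described above."""
    if addr.version == 4:
        # IPv4: the 32-bit value (what INET_ATON returns) goes in ip1.
        # Assumption: ip2 is left unset, as in the INSERT shown in the thread.
        return int(addr), None
    n = int(addr)
    # IPv6: upper 64 bits in ip1, lower 64 bits in ip2, both stored signed.
    return _signed64(n >> 64), _signed64(n & MASK64)


def security_range_columns(text):
    """Map 'addr' or 'addr/prefix' to the four hm_securityranges IP columns.

    Raises ValueError for anything that is not a valid address or network,
    so untrusted text never gets as far as an SQL statement.
    """
    net = ipaddress.ip_network(text.strip(), strict=False)
    lo1, lo2 = _columns(net.network_address)
    hi1, hi2 = _columns(net.broadcast_address)
    return {
        "rangelowerip1": lo1,
        "rangelowerip2": lo2,
        "rangeupperip1": hi1,
        "rangeupperip2": hi2,
    }


if __name__ == "__main__":
    # "::1" and "::/0" are the two cases from the post; the others are
    # constructed samples from the documentation address ranges.
    for sample in ("::1", "::/0", "192.0.2.1", "2001:db8::/32"):
        print(sample, security_range_columns(sample))
```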
- jimimaseye
- Moderator
- Posts: 9956
- Joined: 2011-09-08 17:48
Re: Blocking IP's
I suspect it should be doing as it implies but maybe mattg has missed a bit of code out of his posting. You can read about the function here: https://www.hmailserver.com/documentati ... _utilities
[Entered by mobile. Excuse my spelling.]
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829
Re: Blocking IP's
I have used it here...
Perhaps your version is based on a function/sub in the script?
Code:
    If oMessage.HeaderValue("Message-Id") = "" Then
        With CreateObject("hMailServer.Utilities")
            oMessage.HeaderValue("Message-Id") = "<" & Mid(.GenerateGUID, 2, 36) & "@" & Split(oMessage.FromAddress,"@")(1) & ">"
        End With
        oMessage.Save
    End If
SørenR.
To understand recursion, you must first understand recursion.
Re: Blocking IP's
It adds a random unique string to the end of the IP range name, to stop errors where multiple ranges for the same IP were trying to be written at once
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
- jimimaseye
- Moderator
- Posts: 9956
- Joined: 2011-09-08 17:48
Re: Blocking IP's
I think he is saying that it is a function that is not working (nothing is produced). Likely because it's a function you have created called 'CreateGUID' but haven't included in your snippet of code.
[Entered by mobile. Excuse my spelling.]
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829
Re: Blocking IP's
Oh, you mean like this
I can't even remember stealing that code, and I didn't record where I stole it from...
Code:
    Function CreateGUID
        Dim TypeLib
        Set TypeLib = CreateObject("Scriptlet.TypeLib")
        CreateGUID = Mid(TypeLib.Guid, 2, 36)
    End Function
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
Re: Blocking IP's
Hey guys,
I've been getting hammered by Chinese IP addresses... mostly trying to find an actual username on the server.
So I get a LOT of these in the logs.
"SENT: 550 Unknown user"
How can I autoban these IP addresses in HmailServer after several attempts that return that error?
I've started putting them in the firewall to block at FW. But that's getting tiresome.
Does the Beta Version have that capability builtin to the IP autoban or will I need to do some scripting?
Re: Blocking IP's
Built in autoban should work fine.
lonance wrote: ↑2023-10-02 01:23
Hey guys,
I've been getting hammered by Chinese IP addresses... mostly trying to find an actual username on the server.
So I get a LOT of these in the logs.
"SENT: 550 Unknown user"
How can I autoban these IP addresses in HmailServer after several attempts that return that error?
I've started putting them in the firewall to block at FW. But that's getting tiresome.
Does the Beta Version have that capability builtin to the IP autoban or will I need to do some scripting?

https://www.hmailserver.com/documentati ... ce_autoban
Or you could try this script: https://hmailserver.com/forum/viewtopic ... 20&t=38573
Re: Blocking IP's
Unfortunately, autoban doesn't come into play here since it's not trying passcodes. It's sending a RCPT TO - to random usernames@domain.com trying to find a real user.
I'll check out the script you reference and see if that may help.
thanks.
Re: Blocking IP's
I see. Yes, the script works well. But it will only work when it's an IP that actually returns. Many bot nets are so big that you'll never see the same IP twice. If these connections are all coming from the same group of servers (repeated connections), then it should work very well for you.
lonance wrote: ↑2023-10-02 19:53
Unfortunately, autoban doesn't come into play here since it's not trying passcodes. It's sending a RCPT TO - to random usernames@domain.com trying to find a real user.
I'll check out the script you reference and see if that may help.
thanks.
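The per-IP threshold idea discussed in the posts above, run offline over a log excerpt, as an added example that is not part of the original posts or of the linked script. The log layout follows the excerpt quoted earlier in the thread; the sample lines, the addresses, the threshold of 3 and the 10-minute window are constructed, and `harvest_candidates` is a hypothetical name.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the layout of the log excerpt quoted in this thread:
# a session header, then timestamp / message line pairs. The addresses are
# from the documentation ranges, not real hosts.
SAMPLE_LOG = """\
SMTPD – 201 – 203.0.113.7 ?
2023-10-02 01:20:01.100
SENT: 550 Unknown user
2023-10-02 01:20:01.900
SENT: 550 Unknown user
SMTPD – 202 – 198.51.100.9 ?
2023-10-02 01:20:02.000
SENT: 250 OK
SMTPD – 203 – 203.0.113.7 ?
2023-10-02 01:20:03.500
SENT: 550 Unknown user
SMTPD – 204 – 198.51.100.9 ?
2023-10-02 01:25:00.000
SENT: 550 Unknown user
"""

# "SMTPD <dash> <session id> <dash> <client IP> ..."
HEADER = re.compile(r"^SMTPD\s+\S\s+\d+\s+\S\s+(\S+)")
STAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}$")


def harvest_candidates(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return {ip: time the threshold was reached} for every IP that drew at
    least `threshold` "550 Unknown user" replies inside a sliding `window`."""
    hits = defaultdict(deque)   # ip -> timestamps of recent 550 replies
    flagged = {}
    ip = stamp = None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            ip, stamp = header.group(1), None      # new session, new client
        elif STAMP.match(line):
            stamp = datetime.strptime(line, "%Y-%m-%d %H:%M:%S.%f")
        elif line.startswith("SENT: 550 Unknown user") and ip and stamp:
            recent = hits[ip]
            recent.append(stamp)
            # Drop replies that have fallen out of the window.
            while stamp - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and ip not in flagged:
                flagged[ip] = stamp
    return flagged


if __name__ == "__main__":
    for addr, when in harvest_candidates(SAMPLE_LOG).items():
        print(f"{addr} reached the threshold at {when}")
```

An address that probes once and never returns stays below any per-IP threshold, which is the limitation described in the reply above.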
Re: Blocking IP's
I've got the script partially working. It is collecting IP addresses but not pushing them into the hMailServer Autoban list. I also was trying to setup your IDS Viewer code. I can logon and then it shows a blank page. No header or foot, nothing. Could be related to the same issues as the autoban push.
palinka wrote: ↑2023-10-02 22:12
I see. Yes, the script works well. But it will only work when it's an IP that actually returns. Many bot nets are so big that you'll never see the same IP twice. If these connections are all coming from the same group of servers (repeated connections), then it should work very well for you.
lonance wrote: ↑2023-10-02 19:53
Unfortunately, autoban doesn't come into play here since it's not trying passcodes. It's sending a RCPT TO - to random usernames@domain.com trying to find a real user.
I'll check out the script you reference and see if that may help.
thanks.

I'm using MYSQL separate from the hMailServer... I downloaded an MYSQL ODBC connector for Windows, but I think it's 64 bit and I may need 32 bit. But the script is writing data to the IDS table using that connector.... hmmm.
Re: Blocking IP's
So, you got the handler set up in Windows Scheduler?
lonance wrote: ↑2023-10-03 01:05
I've got the script partially working. It is collecting IP addresses but not pushing them into the hMailServer Autoban list. I also was trying to setup your IDS Viewer code. I can logon and then it shows a blank page. No header or foot, nothing. Could be related to the same issues as the autoban push.
palinka wrote: ↑2023-10-02 22:12
I see. Yes, the script works well. But it will only work when it's an IP that actually returns. Many bot nets are so big that you'll never see the same IP twice. If these connections are all coming from the same group of servers (repeated connections), then it should work very well for you.
lonance wrote: ↑2023-10-02 19:53
Unfortunately, autoban doesn't come into play here since it's not trying passcodes. It's sending a RCPT TO - to random usernames@domain.com trying to find a real user.
I'll check out the script you reference and see if that may help.
thanks.
I'm using MYSQL separate from the hMailServer... I downloaded an MYSQL ODBC connector for Windows, but I think it's 64 bit and I may need 32 bit. But the script is writing data to the IDS table using that connector.... hmmm.
SørenR.
To understand recursion, you must first understand recursion.
Re: Blocking IP's
Actually, I found that it does work. No, I don't have it in Scheduler yet. I was manually running the script from the desktop, but I wasn't seeing anything since I didn't have any IP addresses over 2 times in the DB until my cell phone email checked email several times and then it got blocked!
SorenR wrote: ↑2023-10-03 01:49
So, you got the handler set up in Windows Scheduler?
lonance wrote: ↑2023-10-03 01:05
I've got the script partially working. It is collecting IP addresses but not pushing them into the hMailServer Autoban list. I also was trying to setup your IDS Viewer code. I can logon and then it shows a blank page. No header or foot, nothing. Could be related to the same issues as the autoban push.
palinka wrote: ↑2023-10-02 22:12
I see. Yes, the script works well. But it will only work when it's an IP that actually returns. Many bot nets are so big that you'll never see the same IP twice. If these connections are all coming from the same group of servers (repeated connections), then it should work very well for you.
I'm using MYSQL separate from the hMailServer... I downloaded an MYSQL ODBC connector for Windows, but I think it's 64 bit and I may need 32 bit. But the script is writing data to the IDS table using that connector.... hmmm.

I've been looking over many of your scripts and others so that I can add GeoIP blocking. I want it to automagically put those CN and RU IPs in the autoban list.
I like the idea of logging all those IP addresses as well and was trying to do the PHP code that Palinka has to view them... not having any luck with that.
Re: Blocking IP's
You need to add the part that deletes IDS entries for successful logons. You need a custom hmailserver build or version 5.7 for that, which has the event Sub OnClientLogon(oClient).
lonance wrote: ↑2023-10-03 20:08
Actually, I found that it does work. No, I don't have it in Scheduler yet. I was manually running the script from the desktop, but I wasn't seeing anything since I didn't have any IP addresses over 2 times in the DB until my cell phone email checked email several times and then it got blocked!