Automatically Add Hackers to Firewall Block Rule
Re: Automatically Add Hackers to Firewall Block Rule
Hi @virmix, can you share the source for the IPBan.exe only? Like the first post in this thread, I was customizing the log type and reading for locating the failed login attempts, and wish to customize the logic if possible.
Would be much appreciated.
Re: Automatically Add Hackers to Firewall Block Rule
Sorry, the code is not a copy of the original post; it uses another old source code.
If you need any change I can change it for you.
The new version has new log information, like the rule name and a custom failed-before-ban count.
See the .config file, for example the MySQL group:
That rule blocks the IP if more than 2 logins fail, and blocks if one login fails and uses the username root or admin.
The new nodes are: Name, FailedBeforeBan, RegexUser
Code:
<Group>
  <Name>MySQL</Name>
  <Keywords>0x80000000000000</Keywords>
  <Path>Application</Path>
  <FailedBeforeBan>2</FailedBeforeBan>
  <Expressions>
    <Expression>
      <XPath>//Provider[@Name='MySQL']</XPath>
      <Regex></Regex>
    </Expression>
    <Expression>
      <XPath>//Data</XPath>
      <Regex>
        <![CDATA[
          Access denied for user .*?'@'(?<ipaddress>.*?)'
        ]]>
      </Regex>
      <RegexUser>'root','admin'</RegexUser>
    </Expression>
  </Expressions>
</Group>
Code:
<add key="FailedLoginAttemptsBeforeBan" value="4" />
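The ban decision described in the post above, as an added example that is not part of the original post and is not IPBan's own code. It assumes "more than 2" means a strict greater-than comparison; the `user` capture group, the allowlist parameter and the sample messages are additions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# The config's .NET pattern uses (?<ipaddress>...); Python spells it (?P<ipaddress>...).
# The "user" group is an addition so the RegexUser list can be applied.
DENIED = re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<ipaddress>[^']*)'")

FAILED_BEFORE_BAN = 2                  # <FailedBeforeBan> in the MySQL group
INSTANT_BAN_USERS = {"root", "admin"}  # <RegexUser> in the MySQL group


def evaluate(messages, allowlist=frozenset()):
    """Return (banned, counts): banned maps IP -> reason, counts maps IP -> failures."""
    counts = Counter()
    banned = {}
    for msg in messages:
        m = DENIED.search(msg)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group("ipaddress")))
        except ValueError:
            continue  # host part is not an IP literal (e.g. 'localhost'), nothing to block
        if ip in allowlist:
            continue  # assumption: admin/monitoring addresses are never banned
        counts[ip] += 1
        if ip in banned:
            continue
        user = m.group("user").lower()
        if user in INSTANT_BAN_USERS:
            banned[ip] = "user:" + user            # one failure is enough
        elif counts[ip] > FAILED_BEFORE_BAN:
            banned[ip] = "failures:%d" % counts[ip]
    return banned, dict(counts)


# Constructed sample event messages (documentation address ranges).
SAMPLE = (
    ["Access denied for user 'webapp'@'203.0.113.7' (using password: YES)"] * 3
    + ["Access denied for user 'root'@'198.51.100.23' (using password: YES)",
       "Access denied for user 'backup'@'localhost' (using password: YES)",
       "Access denied for user 'admin'@'192.0.2.10' (using password: NO)"]
    + ["Access denied for user 'report'@'192.0.2.44' (using password: YES)"] * 2
)

if __name__ == "__main__":
    banned, counts = evaluate(SAMPLE, allowlist={"192.0.2.10"})
    for ip, n in sorted(counts.items()):
        print(ip, n, "attempts", banned.get(ip, "not banned"))
```

The per-IP counts it returns are the same figures a daily summary of blocked addresses and attempt counts would report.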
Re: Automatically Add Hackers to Firewall Block Rule
Thank you for the reply @virmix
I did modify a very old VB code to C# a long time ago, and added a Daily Email Summary at the end of the day to keep an eye on
- List of IPs blocked today
- How many times each IP attempted to login
like 1.2.3.4 5 attempts
This would then give me an idea of attacks on the mailserver, whether it's targeted or pinging.
I did add the IPs to the MailEnable Deny tab file via the API and noticed most of the time it returns Success as added but does not add the IP, which I had to go back and add manually.
Not sure what got changed since then, but if you can add such a feature or share the script I can make these changes.
Re: Automatically Add Hackers to Firewall Block Rule
Change the param from 0 to 1 in the config file:
<add key="log" value="1"/>
See if the folder LOGS exists. Inside you can see every blocked IP and the rule (every day).
<add key="logsubfolder" value="LOGS"/>
It is possible you can see the IP blocked in the firewall base; you can check the right rule. For example, the app creates a separate rule for each service (SMTP, IMAP, POP, FTP) and others for Country IP and Possible BOT.
<add key="enableSMTP-Port" value="25,993,587"/>
<add key="enableIMAP-Port" value="143,993"/>
<add key="enablePOP-Port" value="110,995"/>
<add key="enableFTP-Port" value="21"/>
<add key="black_list_country" value="CN,KZ,IN,RU"/>
Use the app Firewall Manager to easily check every rule and get the list of IPs (click on the column NIP).
Re: Automatically Add Hackers to Firewall Block Rule
I downloaded IPBan and noticed that it only added 1 IP in 2 weeks, while in MailEnable I see many IPs blocked. Is there any way to have it add those to the Windows Firewall? Or does someone have a solution, please?
Re: Automatically Add Hackers to Firewall Block Rule
Can you send us the link to your new software please
akeilox wrote: Mon Aug 19, 2019 8:55 am
Hi Consulteware
I have just stumbled on your post, are you adding the IPs to the DENY tab file or to Windows Firewall?
Can you share a bit more on how the application works, and will you be sharing the application with the community? I'm running the Standard version, and am interested to give it a spin.
My ultimate goal was to check the IPs against AbuseIPDB and add them to Windows Firewall if they were listed there before, like in https://www.hmailserver.com/forum/viewtopic.php?t=32739
But I was not sure how to go about it. Your implementation looks good.
Consulteware wrote: Fri Aug 16, 2019 6:00 pm
Is this what everybody needs?
Soon the application will be available to work with.
Re: Automatically Add Hackers to Firewall Block Rule
For those with this problem, another option that might be worth investigating - https://itefix.net/win2ban or https://github.com/DigitalRuby/IPBan
I am yet to use/trial this and would appreciate any comments from those who know more than me. IPBan seems OK.
Update: IPBan is already configured for MailEnable SMTP logging - see ipban.config. Sorry about the duplicate.
Re: Automatically Add Hackers to Firewall Block Rule
I created a new extension for Plesk.
More info: https://www.mailenable.com/forum/viewtopic.php?f=5&t=44704
- Manage Windows Firewall (Auto Prevention SMTP, POP, IMAP, FTP, MySql, MariaDb, RDP....)
- Can Block Country IP range
- Can Block Country Company by ASN
- Plugin to use Windows Defender in MailEnable as Antivirus
- Plugin Advanced AntiSpam in MailEnable
- Manage CloudFlare Firewall Rules and Settings
- Manage CloudFlare DNS from Plesk
- Manage MailEnable SMTP, POP blocked list
- Advanced MailEnable Settings for each version Edition