Using IPBan with AMS

Using IPBan with AMS

Postby EKjellquist » Tue Oct 13, 2020 3:18 pm

Folks,

Just wanted to pass on my experience with DigitalRuby's IPBan. IPBan pro is expected to be available soon (which allows a single interface across a range of machines), but you can still use the free version which is fairly simple to set up for an individual Windows PC / server. It uses the built-in Windows firewall across a range of services to auto-block IPs (which plenty of fancier firewall software does, certainly), but there's a lot this can do for no cost, especially great for smaller shops, testbeds, personal servers, etc. Originally I was using this purely for blocking NTLM login failures, but it can be adapted for any service that has a log file.

https://github.com/DigitalRuby/IPBan/releases/ version 1.5.8 as of this writing.

After installing, the local policy needs to be able to audit logon events, which can be done with an elevated cmd prompt:

auditpol /set /category:”Logon/Logoff” /success:enable /failure:enable

Then, to set up IPBan as a service, another elevated prompt (where c:\path\to\service is wherever you installed IPBan):

sc create IPBAN type= own start= auto binPath= c:\path\to\service\DigitalRuby.IPBan.exe DisplayName= IPBAN

You can check out the parameters / HowTos at https://github.com/DigitalRuby/IPBan/wiki/Configuration. The main reason I list this on this forum is in monitoring AMS' logs as well, which can be added to the config. I have SMTP with anti-hammering enabled, which blocks connection attempts after X failures for a reasonably short time (1 hour). However, those attempts will still come through and choke up your logs (and why not block those IPs from everything, not just AMS?). So adding in the following makes IPBan pick up both SMTP login failures as well as any SMTP transactions from IPs that have triggered anti-hammering. By default, IPBan will auto-block those IPs after 5 bad attempts for 24 hours (though you can adjust that to your own thresholds). Thanks to Jeff Johnson for his help!

<!-- Ability Mail Server SMTP Login / Anti-hammering failures, Windows -->
<LogFile>
<Source>AbilityMailServer4</Source>
<PathAndMask>
C:/Code Crafters/Ability Mail Server 4/config/logs/smtp_*.txt
</PathAndMask>
<FailedLoginRegex>
<![CDATA[
^(?<timestamp>.+?)\s->\s(?<ipaddress>.+?)\s->\sFailed:\sAction=\[Login\],\sDetails=\[(?<username>[^\\]]+)\]|^(?<timestamp>.+?)\s->\s(?<ipaddress>.+?)\s->\sFailed:\sAction=\[Accept Connection\].*?IP\sBlocked\s\(Anti-Hammering\)
]]>
</FailedLoginRegex>
<PlatformRegex>Windows</PlatformRegex>
<PingInterval>10000</PingInterval>
<MaxFileSize>0</MaxFileSize>
</LogFile>
EKjellquist
 
Posts: 95
Joined: Tue Sep 09, 2014 10:40 pm

Return to General

Who is online

Users browsing this forum: Google [Bot] and 3 guests

cron