Interop w/IPBAN or something similar

[EKjellquist]

One thing that would be helpful in automating the ban of bad IPs might be either to have support for IPBAN directly (https://github.com/DigitalRuby/IPBan/wiki) or possibly to write a custom log .txt that could use IPBAN's existing utility.

I've used the built-in AMS antispam tools from the get-go, many of which have been critical to help control and eliminate spam, but of course it only goes so far. I haven't yet written any scripts to do so (though that's a future project), but I'm basically taking IPs from the SMTP logs that fail due to anti-hammering (or one of the other filters) and manually put them in a ban.txt file that IPBAN looks at and automatically adds to its blacklist. All it needs is basically a plaintext file in a specific directory to either ban or unban IPs, and if there was an option in AMS / AFS to choose to write IPs to a file when they trigger specific filtering rulesets (ban), and then write them to a different file if enough time expires (unban).

I already use anti-hammering to block IPs for a day on unsuccessful logins, etc; what I'm looking for is more of a '2nd tier' ban, where, say, if an IP triggers an anti-hammer block, then that block gets released and that same IP gets blocked again over some period, to write that IP to a file to have IPBAN permanently block it until I manually unblock. It would be helpful for AMS to have a separate log file showing which IPs were blocked in this way with a timestamp.

I'm thinking I could get pretty close to the above using content filtering rules alone, but there doesn't seem to be a trigger rule variable for when an IP triggers a block from Anti-hammering (or similarly, when an IP block 'falls off' after enough time). I can certainly put in an action to write the IP to a file though.

For example, I have anti-hammering set so upon 5 fails w/i a 6 hour period, an IP gets blocked for 24 hours. in the SMTP log, for a repeated attempt after an IP is blocked, looks something like this:

Mon, 22 Jun 2020 00:20:14 -> 1.2.3.4 -> Failed: Action=[Accept Connection], Details=[Port 587: IP Blocked (Anti-Hammering).]

If there was a custom event for this, something like ####IP BLOCKED AH#### that could trigger writing that IP to a file to ban it, that's all I need. if an IP later falls off the hammering threshold, something like ####IP UNBLOCKED AH####, write that IP to a different file. Even better, if there was a file that could keep statistics of how many times an IP triggered a block rule that I could then use, say like 5 blocks w/i the past week/month or something, to perma-block that IP until I manually released it. Putting that IP right in AMS manual blacklist would be fine, as well as writing to a file, with a trigger like ####IP REPEAT OFFENDER####.

If I can achieve the above with existing content rules, I wouldn't mind doing that too - my goal here is ultimately to take advantage of AMS' IP block info to put into IPBAN so other machines can block those worst offending IPs that have no traffic other than malicious...

[sjoram]

Different solutions will be more or less appropriate for different scenarios, but whilst AMS doesn't have this functionality, I found a more effective solution was to use 'dynamic' blacklists at the firewall level. Whilst this won't prevent a targeted attack, it does seem to prevent at least 95% of the 'noise' I'd been seeing previously.

The advantage of doing it at the firewall level means that other internet facing services (web server etc) are also able to benefit.

I'm using RouterOS here (Mikrotik) and I have a Powershell script running on my Windows server to allow the router to fetch a script to update its firewall blacklists on whatever interval you configure. Whilst you could build a script to run on the device itself, fetching the lists from the internet, I find it more secure to host the script internally, so that I can block the router/firewall itself from making direct connections out to the internet (to limit another attack surface). I'm sure similar scripts could be crafted to suit other vendors.

I'm sourcing from the following lists:
http://iplists.firehol.org/?ipset=firehol_level1
http://iplists.firehol.org/?ipset=firehol_level2
http://iplists.firehol.org/?ipset=firehol_level3
http://iplists.firehol.org/?ipset=firehol_webclient

Code: Select all

# Delete old blacklist files
Remove-Item "C:\inetpub\wwwroot\blacklists\firehol_L1.txt"
Remove-Item "C:\inetpub\wwwroot\blacklists\firehol_L2.txt"
Remove-Item "C:\inetpub\wwwroot\blacklists\firehol_L3.txt"
Remove-Item "C:\inetpub\wwwroot\blacklists\firehol_client.txt"
# Set TLS1.2 (created where TLS1.0 default)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Download latest blacklist files
$WebClient = New-Object System.Net.WebClient
$WebClient.DownloadFile("https://iplists.firehol.org/files/firehol_level1.netset","C:\inetpub\wwwroot\blacklists\firehol_L1.txt")
$WebClient.DownloadFile("https://iplists.firehol.org/files/firehol_level2.netset","C:\inetpub\wwwroot\blacklists\firehol_L2.txt")
$WebClient.DownloadFile("https://iplists.firehol.org/files/firehol_level3.netset","C:\inetpub\wwwroot\blacklists\firehol_L3.txt")
$WebClient.DownloadFile("https://iplists.firehol.org/files/firehol_webclient.netset","C:\inetpub\wwwroot\blacklists\firehol_webclient.txt")
# Delete old import scripts
Remove-Item "C:\inetpub\wwwroot\blacklists\firehol1.rsc"
Remove-Item "C:\inetpub\wwwroot\blacklists\firehol2.rsc"
Remove-Item "C:\inetpub\wwwroot\blacklists\firehol3.rsc"
Remove-Item "C:\inetpub\wwwroot\blacklists\fireholwebclient.rsc"
# Create Firehol L1 import script
$script= "C:\inetpub\wwwroot\blacklists\firehol1.rsc"
"/ip firewall address-list remove [/ip firewall address-list find list=firehol_L1]" | Add-Content $script
$blacklist= Get-Content "C:\inetpub\wwwroot\blacklists\firehol_L1.txt" | Where-Object {$_ -notmatch "^#|0.0.0.0|10.0.0.0|192.168.0.0|224.0.0.0"}
ForEach ($address in $blacklist){
"/ip firewall address-list add addres=$address list=firehol_L1 timeout=2d" | Add-Content $script
}
# Create Firehol L2 import script
$script= "C:\inetpub\wwwroot\blacklists\firehol2.rsc"
"ip firewall address-list remove [/ip firewall address-list find list=firehol_L2]" | Add-Content $script
$blacklist= Get-Content "C:\inetpub\wwwroot\blacklists\firehol_L2.txt" | Where-Object {$_ -notmatch "^#|0.0.0.0|10.0.0.0|192.168.0.0|224.0.0.0"}
ForEach ($address in $blacklist){
"/ip firewall address-list add addres=$address list=firehol_L2 timeout=2d" | Add-Content $script
}
# Create Firehol L3 import script
$script= "C:\inetpub\wwwroot\blacklists\firehol3.rsc"
"ip firewall address-list remove [/ip firewall address-list find list=firehol_L3]" | Add-Content $script
$blacklist= Get-Content "C:\inetpub\wwwroot\blacklists\firehol_L3.txt" | Where-Object {$_ -notmatch "^#|0.0.0.0|10.0.0.0|192.168.0.0|224.0.0.0"}
ForEach ($address in $blacklist){
"/ip firewall address-list add addres=$address list=firehol_L3 timeout=2d" | Add-Content $script
}
# Create Firehol WebClient import script
$script= "C:\inetpub\wwwroot\blacklists\fireholwebclient.rsc"
"ip firewall address-list remove [/ip firewall address-list find list=firehol_webclient]" | Add-Content $script
$blacklist= Get-Content "C:\inetpub\wwwroot\blacklists\firehol_webclient.txt" | Where-Object {$_ -notmatch "^#|0.0.0.0|10.0.0.0|192.168.0.0|224.0.0.0"}
ForEach ($address in $blacklist){
"/ip firewall address-list add addres=$address list=firehol_webclient timeout=2d" | Add-Content $script
}


[EKjellquist]

This is what we came up with to add to IPBan's config for picking up both failed logins and anti-hammering from the SMTP logs:

<!-- Ability Mail Server SMTP Login / Anti-hammering failures, Windows -->
<LogFile>

<Source>AbilityMailServer4</Source>
<PathAndMask>
C:/Code Crafters/Ability Mail Server 4/config/logs/smtp_*.txt
</PathAndMask>
<FailedLoginRegex>
<![CDATA[
^(?<timestamp>.+?)\s->\s(?<ipaddress>.+?)\s->\sFailed:\sAction=\[Login\],\sDetails=\[(?<username>[^\\]]+)\]|^(?<timestamp>.+?)\s->\s(?<ipaddress>.+?)\s->\sFailed:\sAction=\[Accept Connection\].*?IP\sBlocked\s\(Anti-Hammering\)
]]>
</FailedLoginRegex>
<PlatformRegex>Windows</PlatformRegex>
<PingInterval>10000</PingInterval>
<MaxFileSize>0</MaxFileSize>
<FailedLoginThreshold>0</FailedLoginThreshold>

</LogFile>