Mailing List CGatePro@mail.stalker.com Message #105724
From: Brian Turnbow <b.turnbow@twt.it>
Subject: RE: IP blocking
Date: Fri, 17 Jul 2015 09:01:00 +0200
To: 'CommuniGate Pro Discussions' <CGatePro@mail.stalker.com>
X-Mailer: E-box Connector 4.2.66-171
Hi Shaun,

I don't think there is a temporary denied IP list, only a temporary blacklist.
When CGP blocks an IP temporarily, it will place it in the temporary blacklist.
You can check in Network - Blacklisted IPs using "test address".
Blacklisted IPs can connect to the server, but can't send mail, use SIP, etc.
Denied IPs can't even open a TCP/UDP session.
If you want to deny the IPs, you could change the script to set denied IPs, as there is a setdeniedip CLI command.

Brian


Brian Turnbow
Network Manager
TWT S.p.A.

> -----Original Message-----
> From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com] On
> Behalf Of Shaun Gamble
> Sent: venerdì 17 luglio 2015 07:12
> To: CommuniGate Pro Discussions
> Subject: Re: IP blocking
>
> Thanks Brian. I'm now utilising Niversoft's script. Unfortunately, it appears this
> script only adds the IP to the BlackListed IP list. Adding it to the temporary
> denied list is what I am after. This is getting me closer, so thank you.
>
> On 16/07/2015 10:22 PM, Brian Turnbow wrote:
> > Hi Shaun,
> >
> > Null-routed addresses do not constitute an error (AFAIK), so they are not
> > counted. You can set up a route record to spamtrap:
> > <littleannie@mydomain> = spamtrap
> >
> > That will make it trigger
> >
> > There is also a script from Niversoft that sorts logs and blacklists
> > dictionary-attack IPs that could help.
> >
> > Regards
> >
> > Brian
> >
> >
> > Brian Turnbow
> > Network Manager
> > TWT S.p.A.
> >
> >> -----Original Message-----
> >> From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com]
> >> On Behalf Of Shaun Gamble
> >> Sent: giovedì 16 luglio 2015 04:04
> >> To: CommuniGate Pro Discussions
> >> Subject: IP blocking
> >>
> >> CGP 6.1.2 x64  Windows 2012
> >>
> >> Block after 5 failed logins in 5 minutes
> >>                       5 protocol errors in 10 minutes
> >>
> >> Blocking time 2 hours
> >> Blocked Address Limits 30000
> >>
> >> Why is this IP not being blocked? I have had dictionary attacks
> >> through SMTP, POP and SIP for the last week. Either I have a setting
> >> incorrect somewhere or CGP is not doing its job. This IP kept up this
> >> attack for
> >> 10 minutes. The originator was switching IPs it was using every 10
> >> minutes. So entering the IP manually into the denied IP address is
> >> too late and a waste of time. It needs to occur when the attack is
> >> occurring. The blocking time can be increased if they use the same IP again.
> >>
> >> Below is a very small sample from the log.
> >>
> >> 20:24:00.938 1 POP-232729([122.155.16.155]:53698) failed to open
> >> ACCOUNT(littleannie) for [122.155.16.155]:53698->[myip]:110. Error
> >> Code=account is routed to NULL
> >> 20:24:01.605 1 POP-232730([122.155.16.155]:54214) failed to open
> >> ACCOUNT(littleannie) for [122.155.16.155]:54214->[myip]:110. Error
> >> Code=account is routed to NULL
> >> 20:24:02.280 1 POP-232731([122.155.16.155]:54307) failed to open
> >> ACCOUNT(littleannie) for [122.155.16.155]:54307->[myip]:110. Error
> >> Code=account is routed to NULL
> >> 20:24:02.965 1 POP-232732([122.155.16.155]:54409) failed to open
> >> ACCOUNT(littleannie) for [122.155.16.155]:54409->[myip]:110. Error
> >> Code=account is routed to NULL
> >> 20:24:03.685 1 POP-232733([122.155.16.155]:54499) failed to open
> >> ACCOUNT(littleannie) for [122.155.16.155]:54499->[myip]:110. Error
> >> Code=account is routed to NULL
> >> 20:24:04.448 1 POP-232734([122.155.16.155]:54604) failed to open
> >> ACCOUNT(littleannie) for [122.155.16.155]:54604->[myip]:110. Error
> >> Code=account is routed to NULL
> >> 20:24:05.206 1 POP-232735([122.155.16.155]:54720) failed to open
> >> ACCOUNT(littleannie) for [122.155.16.155]:54720->[myip]:110. Error
> >> Code=account is routed to NULL
> >> 20:24:05.917 1 POP-232736([122.155.16.155]:54844) failed to open
> >> ACCOUNT(liu) for [122.155.16.155]:54844->[myip]:110. Error
> >> Code=account is routed to NULL
> >> 20:24:06.639 1 POP-232737([122.155.16.155]:54960) failed to open
> >> ACCOUNT(liu) for [122.155.16.155]:54960->[myip]:110. Error
> >> Code=account is routed to NULL
> >> 20:24:07.366 1 POP-232738([122.155.16.155]:55058) failed to open
> >> ACCOUNT(liu) for [122.155.16.155]:55058->[myip]:110. Error
> >> Code=account is routed to NULL
> >> 20:24:08.087 1 POP-232739([122.155.16.155]:55160) failed to open
> >> ACCOUNT(liu) for [122.155.16.155]:55160->[myip]:110. Error
> >> Code=account is routed to NULL
> >> 20:24:08.824 1 POP-232740([122.155.16.155]:55276) failed to open
> >> ACCOUNT(liu) for [122.155.16.155]:55276->[myip]:110. Error
> >> Code=account is routed to NULL
> >> 20:24:09.502 1 POP-232741([122.155.16.155]:55375) failed to open
> >> ACCOUNT(liu) for [122.155.16.155]:55375->[myip]:110. Error
> >> Code=account is routed to NULL
> >>
> >> The above IP does not ever get blocked.
> >>
> >> When the attack finds a legit email address and tries to use the
> >> password to authenticate, then the IP blocking occurs (different IP
> >> address as it had switched, very small portion of the log which occurs for
> >> about 10 minutes):
> >>
> >> 23:30:12.656 1 POP-238481([159.226.89.27]:40626) failed to open
> >> ACCOUNT(mail) for [159.226.89.27]:40626->[myip]:110. Error
> >> Code=account is routed to NULL
> >> 23:30:13.985 1 ACCOUNT(legituser) login(POP) from
> >> [159.226.89.27]:41212 failed. Error Code=incorrect password
> >> 23:30:22.695 1 ACCOUNT(legituser) login(POP) from
> >> [159.226.89.27]:42318 failed. Error Code=incorrect password
> >> 23:30:31.377 1 ACCOUNT(legituser) login(POP) from
> >> [159.226.89.27]:43885 failed. Error Code=incorrect password
> >> 23:30:40.054 1 ACCOUNT(legituser) login(POP) from
> >> [159.226.89.27]:45466 failed. Error Code=incorrect password
> >> 23:30:43.519 1 ACCOUNT(legituser) login(POP) from
> >> [159.226.89.27]:46196 failed. Error Code=incorrect password
> >> 23:30:48.860 1 POP-238539([159.226.89.27]:46196) [159.226.89.27]
> >> temporarily blocked on login failure
> >>
> >> Yay but 10 minutes too late and the attacker now knows a legit email
> >> address to try. It shouldn't be able to get to this stage. What am I missing??
> >>
> >> Another question, which may be a better solution: I do not require POP
> >> access from IPs other than client IPs. So how do I block POP
> >> connections from non-client IPs?
> >>
> >> --
> >>
> >> Shaun
> >> Fitzroy Island <http://www.fitzroyisland.com> Destination Darwin NT
> >> <http://www.destinationnt.com> MOM Backpackers
> >> <http://www.momdarwin.com> Value Inn Hotel
> >> <http://www.valueinn.com.au> Please do not send any unsolicited
> >> email. It is not wanted.
> >>
> >>
> >> #############################################################
> >> This message is sent to you because you are subscribed to
> >>    the mailing list <CGatePro@mail.stalker.com>.
> >> To unsubscribe, E-mail to: <CGatePro-off@mail.stalker.com> To switch
> >> to the DIGEST mode, E-mail to <CGatePro-digest@mail.stalker.com>
> >> To switch to the INDEX mode, E-mail to
> >> <CGatePro-index@mail.stalker.com> Send administrative queries to
> >> <CGatePro-request@mail.stalker.com>
>
> --
>
> Shaun
> Fitzroy Island <http://www.fitzroyisland.com> Destination Darwin NT
> <http://www.destinationnt.com> MOM Backpackers
> <http://www.momdarwin.com> Value Inn Hotel
> <http://www.valueinn.com.au> Please do not send any unsolicited email. It is
> not wanted.
>
>
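The thread turns on one detail: CGP's built-in blocker counts login failures and protocol errors, but (as Brian notes) not "account is routed to NULL" failures, so an address probing non-existent accounts never reaches the 5-in-5-minutes threshold Shaun configured. The following is an added example, not part of the thread, not Niversoft's script and not CGP's own code: a small Python detector that reads log lines in the format Shaun posted, counts every failure per source IP inside a sliding window with that same threshold, and reports the IPs an operator could then hand to the denied-IP list (the thread mentions a setdeniedip CLI command; its syntax is not on the page, so the example only produces the list and does not invoke it). The sample log lines are constructed from the excerpt's format, with source addresses replaced by documentation ranges.

```python
"""Sliding-window per-IP failure detector for CommuniGate Pro style log lines.

Added example for the mailing-list thread; it is not CGP code and not the
Niversoft script. Unlike CGP's own counter (per the thread), it also counts
"account is routed to NULL" failures, which is what the probing in Shaun's
log produces.
"""
import re
from collections import defaultdict, deque

# Log lines carry only a time of day, e.g. "20:24:00.938 1 POP-232729(...) ..."
TS_RE = re.compile(r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.(?P<ms>\d{3}) ")

# Shape 1 (null-routed / unknown account):
#   ... failed to open ACCOUNT(name) for [ip]:port->[myip]:110. Error Code=account is routed to NULL
OPEN_FAIL_RE = re.compile(
    r"failed to open ACCOUNT\((?P<acct>[^)]+)\) for \[(?P<ip>[^\]]+)\]:\d+->"
    r".*?Error Code=(?P<err>.+)$"
)
# Shape 2 (real account, wrong password):
#   ... ACCOUNT(name) login(POP) from [ip]:port failed. Error Code=incorrect password
LOGIN_FAIL_RE = re.compile(
    r"ACCOUNT\((?P<acct>[^)]+)\) login\((?P<proto>\w+)\) from \[(?P<ip>[^\]]+)\]:\d+ failed\."
    r" Error Code=(?P<err>.+)$"
)


def parse_failure(line):
    """Return (seconds_since_midnight, ip, account, error) for a failure line, else None."""
    m = TS_RE.match(line)
    if not m:
        return None
    secs = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]) + int(m["ms"]) / 1000.0
    for rx in (OPEN_FAIL_RE, LOGIN_FAIL_RE):
        f = rx.search(line)
        if f:
            return secs, f["ip"], f["acct"], f["err"].strip()
    return None


def find_offenders(lines, threshold=5, window=300):
    """Return {ip: (trigger_time, failures_in_window, sorted accounts tried)}.

    An IP is reported the first time it accumulates `threshold` failures within
    `window` seconds; the defaults mirror the "5 failed logins in 5 minutes"
    setting quoted in the thread. Lines are assumed to be in time order.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    accounts = defaultdict(set)   # ip -> account names it tried (useful for the incident note)
    offenders = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip, acct, _err = parsed
        q = recent[ip]
        q.append(ts)
        accounts[ip].add(acct)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = (ts, len(q), sorted(accounts[ip]))
    return offenders


# Constructed sample in the format of the thread's excerpt (documentation IPs, not the real ones).
SAMPLE_LOG = [
    "20:24:00.938 1 POP-232729([203.0.113.5]:53698) failed to open ACCOUNT(littleannie) for [203.0.113.5]:53698->[myip]:110. Error Code=account is routed to NULL",
    "20:24:01.605 1 POP-232730([203.0.113.5]:54214) failed to open ACCOUNT(littleannie) for [203.0.113.5]:54214->[myip]:110. Error Code=account is routed to NULL",
    "20:24:02.280 1 POP-232731([203.0.113.5]:54307) failed to open ACCOUNT(littleannie) for [203.0.113.5]:54307->[myip]:110. Error Code=account is routed to NULL",
    "20:24:02.965 1 POP-232732([203.0.113.5]:54409) failed to open ACCOUNT(liu) for [203.0.113.5]:54409->[myip]:110. Error Code=account is routed to NULL",
    "20:24:03.685 1 POP-232733([203.0.113.5]:54499) failed to open ACCOUNT(liu) for [203.0.113.5]:54499->[myip]:110. Error Code=account is routed to NULL",
    "20:24:04.448 1 POP-232734([203.0.113.5]:54604) failed to open ACCOUNT(liu) for [203.0.113.5]:54604->[myip]:110. Error Code=account is routed to NULL",
    # A user who mistyped a password twice stays below the threshold.
    "20:25:10.001 1 ACCOUNT(legituser) login(POP) from [198.51.100.7]:41212 failed. Error Code=incorrect password",
    "20:25:19.400 1 ACCOUNT(legituser) login(POP) from [198.51.100.7]:42318 failed. Error Code=incorrect password",
    # Not a failure line; the parser skips it.
    "20:25:20.000 1 POP-232740([198.51.100.7]:42400) closed",
]


if __name__ == "__main__":
    for ip, (ts, count, accts) in find_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {count} failures within the window at t={ts:.3f}s, accounts tried: {accts}")
```

In the sample, 203.0.113.5 is reported on its fifth null-routed failure (20:24:03.685), well before the attacker moves on to a real account, while the legitimate user with two wrong passwords is not reported. Adjust `threshold` and `window` to match the server's configured limits, and treat the returned IPs as candidates for the denied list rather than blocking them unreviewed.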