[Beta] IDS blocks continue even after being removed
Problem reported by echoDreamz - 4/13/2020 at 12:37 PM
Submitted
I removed all IDS blocks globally, 0 listed across all cards, but Smartermail was still reporting in logs that the IP was being blocked for X rule. I had to restart the service for it to release the IDS block. This was across numerous IPs, not just 1.

4 Replies

Employee Replied
Employee Post
Thank you for reporting this. I have added it to our bugs list.
Employee Replied
Employee Post
I created a simple SMTP brute password, attempted logging in until I was blocked, reattempted but failed (as expected), unblocked the IP and was able to successfully log in. You're not getting this? What specific IDS blocks do you have configured and which ones were persisting?

[2020.04.13] 15:29:35.355 [192.168.0.21][62055155] rsp: 220 MSI06.st.local
[2020.04.13] 15:29:35.355 [192.168.0.21][62055155] connected at 4/13/2020 3:29:35 PM
[2020.04.13] 15:29:39.928 [192.168.0.21][62055155] Country code: Unknown
[2020.04.13] 15:29:39.928 [192.168.0.21][62055155] cmd: ehlo mac
[2020.04.13] 15:29:39.929 [192.168.0.21][62055155] rsp: 250-MSI06.st.local Hello [192.168.0.21]250-SIZE250-AUTH LOGIN CRAM-MD5 NTLM250-8BITMIME250-DSN250 OK
[2020.04.13] 15:29:43.767 [192.168.0.21][62055155] cmd: auth login
[2020.04.13] 15:29:43.767 [192.168.0.21][62055155] rsp: 334 VXNlcm5hbWU6
[2020.04.13] 15:29:45.391 [192.168.0.21][62055155] Authenticating as remmett@smartermail.io
[2020.04.13] 15:29:45.391 [192.168.0.21][62055155] rsp: 334 UGFzc3dvcmQ6
[2020.04.13] 15:29:47.139 [192.168.0.21][62055155] Authentication failed - login failed 
[2020.04.13] 15:29:47.139 [192.168.0.21][62055155] rsp: 535 Authentication failed
[2020.04.13] 15:29:50.663 [192.168.0.21][62055155] cmd: auth login
[2020.04.13] 15:29:50.663 [192.168.0.21][62055155] rsp: 334 VXNlcm5hbWU6
[2020.04.13] 15:29:52.118 [192.168.0.21][62055155] Authenticating as remmett@smartermail.io
[2020.04.13] 15:29:52.118 [192.168.0.21][62055155] rsp: 334 UGFzc3dvcmQ6
[2020.04.13] 15:29:54.791 [192.168.0.21][62055155] Authentication failed - login failed 
[2020.04.13] 15:29:54.791 [192.168.0.21][62055155] Authentication failed - blacklisted ip
[2020.04.13] 15:29:54.791 [192.168.0.21][62055155] rsp: 421 Too many authentication failures by this IP, closing transmission channel
[2020.04.13] 15:30:00.477 [192.168.0.21][62055155] cmd: auth login
[2020.04.13] 15:30:00.478 [192.168.0.21][62055155] rsp: 334 VXNlcm5hbWU6
[2020.04.13] 15:30:00.478 [192.168.0.21][62055155] disconnected at 4/13/2020 3:30:00 PM
[2020.04.13] 15:30:05.226 [192.168.0.21][59984550] connected at 4/13/2020 3:30:05 PM
[2020.04.13] 15:30:05.226 [192.168.0.21][59984550] "421 Server is busy, try again later." response returned.
[2020.04.13] 15:30:05.226 [192.168.0.21][59984550] IP blocked by brute force abuse detection rule
[2020.04.13] 15:30:05.226 [192.168.0.21][59984550] disconnected at 4/13/2020 3:30:05 PM
[2020.04.13] 15:36:36.641 [192.168.0.21][1000883] connected at 4/13/2020 3:36:36 PM
[2020.04.13] 15:36:36.641 [192.168.0.21][1000883] "421 Server is busy, try again later." response returned.
[2020.04.13] 15:36:36.641 [192.168.0.21][1000883] IP blocked by brute force abuse detection rule
[2020.04.13] 15:36:36.641 [192.168.0.21][1000883] disconnected at 4/13/2020 3:36:36 PM
[2020.04.13] 15:39:52.301 [192.168.0.21][56271421] rsp: 220 MSI06.st.local
[2020.04.13] 15:39:52.301 [192.168.0.21][56271421] connected at 4/13/2020 3:39:52 PM
[2020.04.13] 15:39:57.904 [192.168.0.21][56271421] Country code: Unknown
[2020.04.13] 15:39:57.904 [192.168.0.21][56271421] cmd: ehlo mac
[2020.04.13] 15:39:57.905 [192.168.0.21][56271421] rsp: 250-MSI06.st.local Hello [192.168.0.21]250-SIZE250-AUTH LOGIN CRAM-MD5 NTLM250-8BITMIME250-DSN250 OK
[2020.04.13] 15:40:01.684 [192.168.0.21][56271421] cmd: auth login
[2020.04.13] 15:40:01.684 [192.168.0.21][56271421] rsp: 334 VXNlcm5hbWU6
[2020.04.13] 15:40:03.536 [192.168.0.21][56271421] Authenticating as remmett@smartermail.io
[2020.04.13] 15:40:03.536 [192.168.0.21][56271421] rsp: 334 UGFzc3dvcmQ6
[2020.04.13] 15:40:11.163 [192.168.0.21][56271421] rsp: 235 Authentication successful
[2020.04.13] 15:40:11.165 [192.168.0.21][56271421] Authenticated as remmett@smartermail.io

echoDreamz Replied
[2020.04.13] 12:27:42.221 [REMOVED][31390751] "421 Server is busy, try again later." response returned.
[2020.04.13] 12:27:42.221 [REMOVED][31390751] IP blocked by brute force abuse detection rule
However, no blocks existed at the time, I had removed all of them nearly 10 minutes before this.
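One way to confirm the behaviour described in this thread from the SMTP log alone: the Python helper below is an added example (not SmarterMail code and not part of the thread) that parses lines in the format quoted above and lists brute-force block events logged after a given unblock time. The sample lines and the 15:33:00 unblock time are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample in the SmarterMail SMTP log format quoted in the thread:
# a block at 15:30:05, a second block at 15:36:36, then a successful login.
SAMPLE_LOG = """\
[2020.04.13] 15:29:54.791 [192.168.0.21][62055155] Authentication failed - blacklisted ip
[2020.04.13] 15:30:05.226 [192.168.0.21][59984550] IP blocked by brute force abuse detection rule
[2020.04.13] 15:36:36.641 [192.168.0.21][1000883] IP blocked by brute force abuse detection rule
[2020.04.13] 15:40:11.163 [192.168.0.21][56271421] rsp: 235 Authentication successful
"""

# Line layout: [date] time [ip][session-id] message
LINE_RE = re.compile(
    r"^\[(\d{4}\.\d{2}\.\d{2})\] (\d{2}:\d{2}:\d{2}\.\d{3}) \[([^\]]+)\]\[(\d+)\] (.*)$"
)
BLOCK_MARKER = "IP blocked by brute force abuse detection rule"


def parse_line(line):
    """Return (timestamp, ip, session_id, message), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%Y.%m.%d %H:%M:%S.%f")
    return ts, m.group(3), m.group(4), m.group(5)


def stale_blocks(log_text, unblocked_at):
    """Map ip -> list of block-event timestamps logged strictly after unblocked_at.

    A non-empty result means the brute-force block was still being enforced
    after the operator cleared it, which is the behaviour the thread reports.
    """
    result = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _session, msg = parsed
        if msg == BLOCK_MARKER and ts > unblocked_at:
            result.setdefault(ip, []).append(ts)
    return result


if __name__ == "__main__":
    cleared = datetime(2020, 4, 13, 15, 33, 0)  # assumed time the IDS blocks were removed
    for ip, times in stale_blocks(SAMPLE_LOG, cleared).items():
        print(ip, "still blocked at", ", ".join(t.strftime("%H:%M:%S") for t in times))
```

Run it against a real SMTP log and the time you cleared the blocks; any IP it prints was still being rejected by the rule after removal.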
Employee Replied
Employee Post
Chris, can you add debug log ids: 72333 and 72334?  The latter is the verbose version of the logging.  With these enabled, can you send me the logs if you encounter this issue again? Thanks.
