IDS and Incoming Gateway as a Honeypot
Idea shared by Douglas Foster - 2/20/2021 at 3:05 PM
Under Consideration
I had noticed that my incoming gateway was deflecting SMTP login attempts. Since it is only an incoming gateway, there are no valid logins. I changed my IDS settings to block for 9999 minutes after 1 SMTP login failure. In the last 24 hours, I have collected 751 blocked IP addresses from Iran, Brazil, and other countries.
Using an incoming gateway allows for better security than operating without an incoming gateway. Thought this information was worth sharing.

10 Replies

As an update: I lost some of my blocks when the IDS timer expired. Support helped me realize that I could make them permanent by selecting any or all and choosing "blacklist".

Now I am back to collecting attacker addresses. Currently adding at least 100 attack addresses per day to the blacklist. Now my only concern is managing performance as the list grows.
It would be great if we could export these in a CSV or something. We also copy these (and copying them is a pain!) and add them to a block list at the firewall level.
I'd like to see the IDS blocks put in a log or database; then, after they expire, if the IP shows up again a 2nd time in a 30-day period it adds them to the blacklist. It shouldn't be too hard since SM does this with greylisting. It would also be nice if it would send an email when it added a blacklist entry.
Kendra Support http://www.kendra.com support@kendra.com 425-397-7911 Junk Email filtered ISP
A very good idea, Matthew. And we would like to permanently see what IPs were blocked in the past and how many times.
Kyle Kerst Replied
Employee Post
@Matthew I think your suggestion of adding the IP to the blacklist automatically when detected by the IDS twice in a 30 day period makes sense, but I believe this would require some longer term storage of the IDS list contents and may or may not be something we can implement. Only one way to find out though! I'll get a feature request submitted on this for you and we can go from there. Have a good one!
Kyle Kerst System/Network Administrator SmarterTools Inc. www.smartertools.com
>@Matthew I think your suggestion of adding the IP to the blacklist automatically when detected by the IDS twice in a 30 day period...

It's a great idea. Seriously, not trying to be a PITA, via this august forum I recommended introducing this kind of logic to the IDS years ago... Went nowhere but hope springs eternal!
Kyle Kerst Replied
Employee Post
Matthew I agree and one member of development actually came by earlier this week to express support for a feature request as well. That being said, we believe this would likely take the form of a report which details IDS blocks, repeat offenders, etc. A neat addition to this would be if the report allowed for something like Actions>Blacklist IP from the report itself. Just some stuff we've been discussing and I'll make sure this all gets noted with development. Have a good one!
Kyle Kerst System/Network Administrator SmarterTools Inc. www.smartertools.com
Just to reinforce the concept, we all know that our own customers can sometimes trigger an IDS event by accident by sending the wrong password in an email client. But dedicated spam engines wait for the IDS blocks to expire and then revisit the services that they are attempting to penetrate. I would think that some logic expressed as X strikes and you're out for good makes sense, rather than the X minutes or hours before releasing the block. Anyway, thanks to the dev team for considering it. Run it up the pole and see who salutes.
This can be done through the API.

I don't do it on our office implementation, but I have a program set up on my home implementation that monitors the logs daily. It looks for failed access attempts and when exceeding a certain threshold it automatically adds those IPs into the Blacklist. I see no reason it couldn't be scaled up to handle multiple domains and all. Just my $.02

Most days I see 1 or 2 IPs... when kids are out of school and on holidays that can grow to 20 to 50 IPs per day... and this is on a home server... single domain, 10 mailboxes. So... on a larger system, this could block a LOT of IPs, so you would probably want to log WHEN they entered the blacklist somewhere so after X number of days you could remove them from the blacklist as well.
Kendra Support http://www.kendra.com support@kendra.com 425-397-7911 Junk Email filtered ISP
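The log-monitoring logic the thread describes (count failed SMTP logins per IP, blacklist an IP that comes back after its IDS block expires, and record when it was added so stale entries can be dropped), as an added Python example that is not code from the thread or from SmarterMail. The log line layout, the "SMTP authentication failed" event text and the sample addresses are constructed assumptions; pushing the result into the SmarterMail blacklist through its API is left out because the API calls are not shown on this page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "<date> <time> <ip> <event>" layout.
# The page does not show SmarterMail's real log format; adjust LINE_RE to match it.
SAMPLE_LOG = """\
2021-02-01 03:11:09 203.0.113.10 SMTP authentication failed
2021-02-01 03:11:12 203.0.113.10 SMTP authentication failed
2021-02-03 22:40:01 198.51.100.7 SMTP authentication failed
2021-02-19 08:05:44 203.0.113.10 SMTP authentication failed
2021-02-19 09:00:00 192.0.2.55 SMTP authentication failed
2021-02-19 09:30:00 192.0.2.55 message accepted
"""
LINE_RE = re.compile(r"^(\S+ \S+) (\d{1,3}(?:\.\d{1,3}){3}) SMTP authentication failed$")
FMT = "%Y-%m-%d %H:%M:%S"

def parse_failures(text):
    """Return (timestamp, ip) for every failed SMTP login line in the log text."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits.append((datetime.strptime(m.group(1), FMT), m.group(2)))
    return hits

def repeat_offenders(failures, now, window_days=30, strikes=2):
    """IPs that failed on at least `strikes` distinct days inside the window.
    Counting distinct days rather than raw lines means a burst from one
    misconfigured mail client is one strike, while a bot that returns after
    the IDS block expires earns a second (the "X strikes and you're out" idea)."""
    cutoff = datetime.strptime(now, FMT) - timedelta(days=window_days)
    days_seen = defaultdict(set)
    for ts, ip in failures:
        if ts >= cutoff:
            days_seen[ip].add(ts.date())
    return sorted(ip for ip, days in days_seen.items() if len(days) >= strikes)

def expire_blacklist(blacklist, now, max_age_days=90):
    """blacklist maps ip -> "YYYY-MM-DD" date it was added; drop stale entries
    so the list does not grow without bound, as the thread worries it will."""
    cutoff = datetime.strptime(now, FMT) - timedelta(days=max_age_days)
    return {ip: added for ip, added in blacklist.items()
            if datetime.strptime(added, "%Y-%m-%d") >= cutoff}

if __name__ == "__main__":
    now = "2021-02-20 00:00:00"
    print("blacklist candidates:", repeat_offenders(parse_failures(SAMPLE_LOG), now))
    # prints: blacklist candidates: ['203.0.113.10']
```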
