Hello,
I am happy with the use of https://www.sans.org/blog/windows-firewall-script-to-block-ip-addresses-and-country-network-ranges/
PowerShell.exe -ExecutionPolicy Bypass
.\Import-Firewall-Blocklist.ps1 -inputfile ip.txt
PowerShell.exe -ExecutionPolicy Restricted
Where ip.txt can be the IDS block list or the http://www.ipdeny.com/ipblocks/ country lists.
The process was easy and the result great.
Now, I am thinking about some proposals. We received several errors / bad commands. Those errors are from attacks.
I think they are not covered by the IDS, and should be easy to add. We can build the list of cases using the error codes:
rsp: 535 Authentication failed = covered by IDS
rsp: 500 command unrecognized
rsp: 504 Unrecognized authentication type.
rsp: 554 Sending address not accepted due to spam filter
rsp: 554 Security failure
Maybe others: rsp: 4xx or rsp: 5xx
Why this? We suffered an exponential increase in blocked connections over inbound SMTP. This is closed. There is no open external SMTP. Nobody can connect using this, only by EWS or Webmail with 2-step security. Then, I don't want to see them attacking us. I am thinking about a way to block them altogether.
1) New IDS rule for "504 Unrecognized authentication type."
[2021.04.02] 15:58:55.703 [115.207.19.98][4951420] Country code: CN
[2021.04.02] 15:58:55.953 [115.207.19.98][4951420] cmd: EHLO ylmf-pc
[2021.04.02] 15:58:55.953 [115.207.19.98][4951420] rsp: 250-mail.frimont.com Hello [115.207.19.98]250-SIZE 31457280250-AUTH CRAM-MD5250-STARTTLS250-8BITMIME250-DSN250 OK
[2021.04.02] 15:58:56.187 [115.207.19.98][4951420] cmd: AUTH LOGIN
[2021.04.02] 15:58:56.187 [115.207.19.98][4951420] rsp: 504 Unrecognized authentication type.
This ylmf-pc attack comes from China, Vietnam, etc. He always uses the same method, with different IPs.
I can block him by EHLO, but his records in the log are huge. And he is a cracker or hacker.
There is no rule to auto-catch the IP for "504 Unrecognized authentication type", like the other IDS rules.
This possible new rule would be able to detect him and block him automatically.
2) New IDS rule for "rsp: 500 command unrecognized"
14:02:01.978 [119.61.22.82][23963396] cmd: EHLO localhost
14:02:01.978 [119.61.22.82][23963396] rsp: 250-mail.frimont.com Hello [119.61.22.82]250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-8BITMIME250-DSN250 OK
14:02:01.978 [119.61.22.82][23963396] The domain given in the EHLO command violates an EHLO SMTP blocking rule. Any authentication attempts or RCPT commands will be rejected.
14:02:02.416 [119.61.22.82][23963396] cmd: AUTH LOGIN
14:02:02.416 [119.61.22.82][23963396] rsp: 334 VXNlcm5hbWU6
14:02:03.306 [119.61.22.82][23963396] Authenticating as sistemas@frimont.com
14:02:03.306 [119.61.22.82][23963396] rsp: 334 UGFzc3dvcmQ6
14:02:03.760 [119.61.22.82][23963396] rsp: 535 Authentication failed
14:02:04.213 [119.61.22.82][23963396] cmd: *
14:02:04.213 [119.61.22.82][23963396] rsp: 500 command unrecognized
14:02:04.666 [119.61.22.82][23963396] cmd: QUIT
This example is good. We are blocking the EHLO "localhost".
He is a hacker/cracker. He tries to authenticate. He sent a bad command. But I must dig into the log to put this IP into the blacklist.
3) New IDS rule using the event: "The domain given in the EHLO command violates an EHLO SMTP blocking rule"
We have some EHLO SMTP blocking rules, like "localhost", "admin", "administrator", etc.
03:53:26.874 [36.129.204.202][2368085] Country code: CN
03:53:34.812 [36.129.204.202][2368085] cmd: EHLO localhost
03:53:34.812 [36.129.204.202][2368085] rsp: 250-mail.frimont.com Hello [36.129.204.202]250-SIZE 31457280250-AUTH CRAM-MD5250-STARTTLS250-8BITMIME250-DSN250 OK
03:53:34.812 [36.129.204.202][2368085] The domain given in the EHLO command violates an EHLO SMTP blocking rule. Any authentication attempts or RCPT commands will be rejected.
03:53:35.187 [36.129.204.202][2368085] disconnected at 3/25/2021 3:53:35 AM
We block several attacks with it. But, again, they fill thousands of log lines.
If there is an IDS rule to get the IP used for these EHLO SMTP cases, we can add them to the blacklists.
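As an added example (not from the original post, and not a feature of the mail server or the SANS script), a small Python script doing what proposals 1 to 3 describe: it parses log lines in the layout quoted above, counts the 504, 500 and EHLO-blocking-rule events per client IP, and emits the addresses that cross a threshold, one per line, in the shape that ip.txt takes. The sample log lines (TEST-NET addresses) and the per-rule thresholds are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the layout the post quotes (TEST-NET addresses, not real clients).
SAMPLE_LOG = """\
[2021.04.02] 15:58:55.953 [203.0.113.10][4951420] cmd: EHLO ylmf-pc
[2021.04.02] 15:58:56.187 [203.0.113.10][4951420] rsp: 504 Unrecognized authentication type.
14:02:01.978 [198.51.100.7][23963396] cmd: EHLO localhost
14:02:01.978 [198.51.100.7][23963396] The domain given in the EHLO command violates an EHLO SMTP blocking rule. Any authentication attempts or RCPT commands will be rejected.
14:02:05.100 [192.0.2.44][111] rsp: 500 command unrecognized
14:02:06.000 [192.0.2.44][111] rsp: 250 OK
""".splitlines()

# Optional "[YYYY.MM.DD] ", then time, then [client ip][session id], then the message.
LINE_RE = re.compile(
    r"^(?:\[\d{4}\.\d{2}\.\d{2}\]\s+)?\d{2}:\d{2}:\d{2}\.\d{3}\s+"
    r"\[(?P<ip>[^\]]+)\]\[(?P<session>\d+)\]\s+(?P<msg>.*)$"
)

# The three events the post proposes as rules; the per-IP thresholds are assumed values,
# chosen so that a single stray 500 from an otherwise normal client is not enough to block it.
RULES = {
    "ehlo-blocked": (re.compile(r"violates an EHLO SMTP blocking rule"), 1),
    "auth-type-504": (re.compile(r"^rsp: 504 Unrecognized authentication type"), 1),
    "bad-cmd-500": (re.compile(r"^rsp: 500 command unrecognized"), 2),
}

def parse_line(line):
    """Return (ip, session, message) for a log line, or None if the layout differs."""
    m = LINE_RE.match(line.strip())
    return (m.group("ip"), m.group("session"), m.group("msg")) if m else None

def count_hits(lines):
    """Map each client IP to a Counter of the rule names it triggered."""
    hits = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, _session, msg = parsed
        for name, (pattern, _threshold) in RULES.items():
            if pattern.search(msg):
                hits[ip][name] += 1
    return hits

def ips_to_block(lines):
    """IPs that reached the threshold of any rule, sorted so ip.txt is stable between runs."""
    hits = count_hits(lines)
    return sorted(ip for ip, c in hits.items()
                  if any(c[n] >= t for n, (_p, t) in RULES.items()))
```

Writing `"\n".join(ips_to_block(lines))` to ip.txt gives one address per line; the 192.0.2.44 client in the sample stays off the list because a single 500 is below its threshold.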