Adding more info from IDS Blocks
Idea shared by Montague WebWorks - 4/6/2022 at 12:52 PM
Proposed
Back when I was first dealing with the onslaught of hacking attempts at the beginning of covid, I was pretty methodical in giving each blacklist entry a good description, so I could tell later where they came from and what the date was. Lately I've been lazy and just click the Block button. The result of which, of course, is a long list of IP numbers with the description "IDS Block."

My suggestion is to add the country and the date the block was added automatically to the description so we don't have to edit each one after we add them (which requires a trip to another section of the admin site, and a good memory). We could then sort the description column and see which countries are hitting us hardest. Maybe even add a DateAdded column so we can sort on that as well.
Thanks

Mik Muller, Montague WebWorks

13 Replies

0
Nice idea. 
1
I would add that all the info that is presented on the IDS page should be saved as discrete data, which can be sorted and searched on, including the date.
Mik Muller, Montague WebWorks
5
Additionally, for extra credit, if ST decides to start crowd-pooling spam data (see other suggestions), to crowd-pool this data as well so other SM admins can benefit. I mean, if Russia is attacking, which we know they are and will be doing more so, I think we could all benefit from a shared pool of such activity.
Mik Muller, Montague WebWorks
0
I like the idea but let's face it, all these hack attacks are coming from either compromised servers or bot farms and the IPs are changed every few attempts to try to foil the spam blocking/brute-force hacking on our servers. You can bet most of those attacks are not coming from the countries listed but are simply spoofed IPs or compromised devices being used by the real hackers from elsewhere.
Just to add, the amount of hacking attempts has been insane for quite a while.
3
True, but if a hacker were trying to spoof their IP, they would likely not use an IP registered in Russia or North Korea, which shows up in my IDS quite a lot.

In either case, I was simply noting that the IDS page shows a lot of info (country, type of attack, etc), all of which is lost when we add them to the blacklist. I think it should all be saved.
Mik Muller, Montague WebWorks
0
Quote: "True, but if a hacker were trying to spoof their IP, they would likely not use an IP registered in Russia or North Korea, which shows up in my IDS quite a lot."

Unless of course the hackers were from the US trying to make it look like those other countries were the ones hacking.... just my 2 cents... ;-)
1
lol
Mik Muller, Montague WebWorks
3
Specifically all this info should be added to the black list page.

Mik Muller, Montague WebWorks
1
Zach Sylvester replied (Employee Post)
Hello,

Thanks for posting to the community. I like this idea but I personally think this is kinda out of scope for SmarterMail. These rules should be implemented on your firewall in front of your server. SmarterMail should be your last line of defense when it comes to IDS/firewall functionality. A really good firewall solution is SonicWall Firewall, or a Palo Alto firewall. While SmarterMail is very versatile I don't really think it should be intended to be a complete all-in-one security tool. Currently in SmarterMail, if you really want to do this, say for instance you want to block Russia, you could just blacklist the CIDR blocks for Russia. If you go to this website it will let you generate a list of CIDR blocks for a particular region or country. https://www.countryipblocks.net/acl.php

Please let me know if you have any questions or any comments or addons for consideration.

Kind Regards,
Zach Sylvester
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
2
True, but they'll never get everything, and as someone else said, anyone could tunnel their way to anywhere else using a VPN.

No matter what, the IDS will trap something, and it would be helpful to store the info it gleaned to trap the IP. Throwing that info away when you add it to the blacklist seems like a missed opportunity to learn what to add to any other firewalls or blocks that may be employed.
Mik Muller, Montague WebWorks
1
Yes, +10! I do the same exact thing BTW! I would like to have a way to automatically block /24 range or get the actual range from WHOIS.

Further, I would like to have an end user editable format string to generate the comment like: "\c from \ip(\ty)on \date:\time\tz". This would translate to "Russia from 127.0.0.1(Default SMTP) on 20220420:1315ET".

Thus, you have \c = country, \ip = IP Address, \ty = IDS Description, and the remainder is self-explanatory. I'm sure other folks may have additional escape replacement string values that they would like to add.
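The editable format string described in the reply above, worked through as an added Python example (not code from SmarterMail or from the poster): the escape tokens follow the post, while the event fields, the sample values and the token table layout are this example's own assumptions, and the template includes the space before "on" that the post's sample output shows.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of what the IDS page shows for one blocked address
# (made-up values for illustration, not taken from any real server).
SAMPLE_EVENT = {
    "country": "Russia",
    "ip": "127.0.0.1",
    "ids_description": "Default SMTP",
    "when": datetime(2022, 4, 20, 13, 15,
                     tzinfo=timezone(timedelta(hours=-4), "ET")),
}

# Escape tokens from the suggestion; the field names are assumed here.
TOKENS = {
    r"\c":    lambda e: e["country"],
    r"\ip":   lambda e: e["ip"],
    r"\ty":   lambda e: e["ids_description"],
    r"\date": lambda e: e["when"].strftime("%Y%m%d"),
    r"\time": lambda e: e["when"].strftime("%H%M"),
    r"\tz":   lambda e: e["when"].tzname() or "",
}

# Longest tokens first, so a short token that is a prefix of a longer one
# (a future "\t", say) can never shadow "\time" or "\tz"; "\\" is a literal
# backslash so admins can write one without it being read as an escape.
_TOKEN_RE = re.compile(
    "|".join(re.escape(t) for t in sorted(TOKENS, key=len, reverse=True))
    + r"|\\\\"
)

# Default template: country, IP, IDS rule, date and time, as suggested above.
DEFAULT_FORMAT = r"\c from \ip(\ty) on \date:\time\tz"


def render_description(fmt: str, event: dict) -> str:
    """Expand an admin-editable format string into a blacklist description.

    Unknown escapes are left untouched so a typo in the template stays
    visible in the resulting description instead of vanishing silently.
    """
    def expand(match: re.Match) -> str:
        token = match.group(0)
        if token == "\\\\":
            return "\\"
        return TOKENS[token](event)

    return _TOKEN_RE.sub(expand, fmt)
```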
