IDS rule to kill /24 CIDR block?
Question asked by Mark Thornton - 4/26/2024 at 11:54 AM
I vaguely remember some discussion about IDS rules and the possibility of installing a /24 network block when a defined number of authentication failures occur within that block. Does that exist, or is the only option to occasionally scan the SMTP log and look for the abusers?

4 Replies

You right-click the offender's IDS Blocks entry and block the /24 subnet.
Kyle Kerst Replied
Employee Post
This was suggested once, but it has not been implemented as of yet. You can, however, blacklist the CIDR block right from the IDS Blocks page now, as Brian pointed out :-) I wait for a number of IPs to show up in my block list and, when I spot a common CIDR block, I blacklist the whole CIDR and remove the rest of the IDS blocks. I hope that helps!
Kyle Kerst System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
Mark Thornton Replied
When I observed the abuse it was not triggering the IP blocklist. I was in the SMTP log for another reason and noticed the same /24 subnet kept attempting logins, but only one or two attempts before moving to a new IP in the subnet. I hadn't seen that behavior before.
AWRData Replied
For habitual and repetitive abusers, I use the Windows firewall to block IPs. In theory, it should reduce load on the SmarterMail service. I do this with iptables on my Solaris machines as well, to take the load off tcpd, as well as full blocks in my border firewalls.

Just keep track of what you block, when you block it, and where you block it, as this will help save headaches later on when or if IP block ownership changes and you suddenly start blocking legitimate sources.
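The pattern Mark describes (one or two failures per IP, spread across a /24, so no single IP ever trips a per-IP threshold) is exactly what a per-IP IDS rule misses and what a per-subnet aggregation catches. The script below is an added example, not SmarterMail code or anything from the thread's participants: it aggregates SMTP authentication failures per /24, flags a block when both the total failure count and the number of distinct source hosts exceed hypothetical thresholds, and emits the bookkeeping record AWRData recommends (what was blocked, when, where, and why). The log format is a constructed, simplified one; the real SmarterMail SMTP log layout differs, so the regex must be adapted to it.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample lines in a simplified "<date> <time> <ip> <event>" layout.
# This is NOT the real SmarterMail SMTP log format; adjust LINE_RE for yours.
# Note that no single 203.0.113.x host fails more than twice, yet the /24 as a
# whole produces six failures from five different hosts.
SAMPLE_LOG = """\
2024-04-26 11:40:01 203.0.113.14 AUTH LOGIN failed for user alice
2024-04-26 11:40:09 203.0.113.27 AUTH LOGIN failed for user bob
2024-04-26 11:40:15 203.0.113.27 AUTH LOGIN failed for user carol
2024-04-26 11:40:31 203.0.113.88 AUTH LOGIN failed for user alice
2024-04-26 11:40:44 203.0.113.91 AUTH LOGIN failed for user dave
2024-04-26 11:41:02 203.0.113.140 AUTH LOGIN failed for user alice
2024-04-26 11:41:10 198.51.100.7 AUTH LOGIN failed for user erin
2024-04-26 11:41:12 198.51.100.7 AUTH LOGIN succeeded for user erin
2024-04-26 11:41:30 192.0.2.5 AUTH LOGIN failed for user frank
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<ip>\S+) AUTH LOGIN failed\b")


def failures_by_block(log_text, prefix_len=24):
    """Return {network: Counter{ip: failures}} for every auth failure in the log."""
    per_block_ips = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # successes and unrelated lines are ignored
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address field; skip rather than crash
        if ip.version != 4:
            continue  # this example only aggregates IPv4 into /24s
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        per_block_ips[net][ip] += 1
    return per_block_ips


def blocks_to_flag(per_block_ips, min_failures=5, min_distinct_ips=3):
    """Flag a block when total failures AND distinct source hosts both meet thresholds.

    Requiring several distinct hosts avoids flagging a whole /24 because of a
    single misconfigured client; the threshold values here are hypothetical.
    """
    flagged = []
    for net, ips in per_block_ips.items():
        total = sum(ips.values())
        if total >= min_failures and len(ips) >= min_distinct_ips:
            flagged.append((str(net), total, len(ips)))
    return sorted(flagged)


def max_failures_per_ip(per_block_ips, net):
    """Largest per-IP failure count inside one block (shows why per-IP rules miss it)."""
    return max(per_block_ips[ipaddress.ip_network(net)].values())


def block_record(net, total, distinct, where, when=None):
    """Build the tracking record to keep alongside any firewall or IDS block."""
    when = when or datetime.now(timezone.utc)
    return {
        "cidr": net,
        "blocked_at": when.isoformat(timespec="seconds"),
        "blocked_where": where,  # e.g. "windows-firewall", "border-firewall", "smartermail-ids"
        "reason": f"{total} SMTP auth failures from {distinct} hosts",
    }


if __name__ == "__main__":
    blocks = failures_by_block(SAMPLE_LOG)
    for net, total, distinct in blocks_to_flag(blocks):
        print(block_record(net, total, distinct, "windows-firewall"))
```

The per-IP maximum in the sample is 2, so a per-IP rule with any reasonable threshold stays silent, while the /24 aggregate (6 failures, 5 hosts) is flagged. Run it periodically over a rolling window of the SMTP log rather than the whole file, so old failures age out and a block that has since changed ownership is not re-flagged on stale data.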
