OVH Community, your new community space.

Block ip ranges on firewall


Andy
05-08-2014, 16:16
No problem, glad it helped. It's a tutorial I wrote many years ago so it's good to see it was of some use. I no longer use h-mail myself but when I did it was a nice little server.

csc2ya
29-07-2014, 15:47
This started again earlier, but I do now appear to have it resolved, and can also get the IPs of the losers that are doing it. It also shows they did not know my password. To do this, I've enabled auto ban, set it to ban after 1 failed login attempt, reset the counter after one minute, and remove the ban after a week.

I then added an IP range that only includes the server itself with a priority higher than 20, which means the webmail system won't be affected by any bans.

Doing it this way has the nice effect that I can see which accounts they are trying to use (mostly accounts that don't exist), and also their IPs.

I then untick "expires" on the bans, and change the IP range from x.x.x.x - x.x.x.x to x.x.x.0 - x.x.x.255, to ensure they won't be able to reconnect at a later date.
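The auto-ban policy described in the post above (ban after one failed login inside a one-minute window, keep the ban for a week, exempt the server's own address so webmail keeps working, then widen the banned host to its x.x.x.0 - x.x.x.255 block) can be replayed offline against the mail server's log to see which networks would end up banned. The Python below is an added example, not code from this thread or from hMailServer. It assumes hMailServer's tab-separated log layout (quoted session type, thread id, session id, quoted timestamp, quoted remote IP, quoted message) and that a failed SMTP AUTH appears as a "SENT: 535 ..." reply; the log lines are constructed samples and the addresses are made up.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, laid out like hMailServer's tab-separated log
# (assumed layout: "session type", thread id, session id, "timestamp",
# "remote IP", "message"). Addresses and times are made up for the example.
SAMPLE_LOG = "\n".join([
    '"SMTPD"\t3648\t101\t"2014-07-29 14:02:10.001"\t"82.57.200.15"\t"RECEIVED: AUTH LOGIN"',
    '"SMTPD"\t3648\t101\t"2014-07-29 14:02:11.120"\t"82.57.200.15"\t"SENT: 535 Authentication failed. Restarting authentication process."',
    '"SMTPD"\t3648\t102\t"2014-07-29 14:02:30.400"\t"82.57.200.77"\t"SENT: 535 Authentication failed. Restarting authentication process."',
    '"SMTPD"\t3650\t103\t"2014-07-29 14:03:00.000"\t"127.0.0.1"\t"SENT: 535 Authentication failed. Restarting authentication process."',
    '"SMTPD"\t3648\t104\t"2014-07-29 14:05:00.000"\t"198.51.100.5"\t"SENT: 535 Authentication failed. Restarting authentication process."',
    '"SMTPD"\t3648\t105\t"2014-07-29 14:05:20.000"\t"198.51.100.5"\t"SENT: 535 Authentication failed. Restarting authentication process."',
    '"SMTPD"\t3648\t106\t"2014-07-29 14:10:05.900"\t"203.0.113.9"\t"SENT: 235 authenticated."',
])

LINE_RE = re.compile(
    r'^"(?P<proto>\w+)"\t(?P<thread>\d+)\t(?P<session>\d+)\t'
    r'"(?P<ts>[^"]+)"\t"(?P<ip>[^"]+)"\t"(?P<msg>.*)"$'
)
# A 535 reply from SMTPD is the server telling the client its AUTH failed.
FAILED_AUTH = re.compile(r"^SENT: 535 ")


def parse_failures(log_text):
    """Yield (timestamp, remote address) for every failed SMTP AUTH in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "SMTPD" or not FAILED_AUTH.match(m["msg"]):
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        yield ts, ipaddress.ip_address(m["ip"])


def plan_bans(log_text, allow, attempts=1, within=timedelta(minutes=1),
              ban_for=timedelta(days=7), widen=24):
    """Replay the auto-ban policy over a log and return {banned network: ban expiry}.

    attempts/within/ban_for mirror the 'ban after N failures within M minutes,
    remove after D' settings; `allow` lists ranges that are never banned (the
    server's own address, so webmail keeps working); `widen` turns a single
    offending host into its /24 so a neighbouring address cannot simply retry.
    Failures are counted per source IP, as a login-failure counter would.
    """
    allowed = [ipaddress.ip_network(a) for a in allow]
    recent = defaultdict(list)   # ip -> timestamps of failures inside the window
    bans = {}                    # network -> datetime the ban expires
    for ts, ip in sorted(parse_failures(log_text)):
        if any(ip in net for net in allowed):
            continue
        net = ipaddress.ip_network(f"{ip}/{widen}", strict=False)
        if net in bans and ts < bans[net]:
            continue             # already banned; nothing more to count
        window = [t for t in recent[ip] if ts - t < within] + [ts]
        recent[ip] = window
        if len(window) >= attempts:
            bans[net] = ts + ban_for
            recent[ip] = []      # counter is reset once the ban is applied
    return bans


if __name__ == "__main__":
    for net, until in sorted(plan_bans(SAMPLE_LOG, allow=["127.0.0.1/32"]).items()):
        print(f"ban {net} until {until:%Y-%m-%d %H:%M}")
```

With the post's settings (one attempt, widen to /24) the sample log yields two banned networks, 82.57.200.0/24 and 198.51.100.0/24, and the 127.0.0.1 failure is ignored because of the allow list; raising `attempts` to 2 leaves only 198.51.100.0/24, since that is the only host with two failures inside one minute. The output is the list to feed into the firewall; the widening to /24 is the same trade-off the post makes: fewer retries from the same block, at the cost of also blocking neighbours on that ISP.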

csc2ya
27-07-2014, 02:20
Thanks for that Andy. I've double checked my config using that tutorial, and the only thing that was different was the 'my computer' range, which was set to all IPs... I've now set that range to 127.0.0.1 only.

I'm pretty confident that my settings are correct anyway. A friend (who runs hMailServer on his server) configured it for me, and he's run his own servers for years, so I'm confident he knows what he's doing. He's helped me out plenty of times in the past when I've broken things on my servers.

All the checks I did previously indicate that the server is not an open relay anyway.

It may have just been the local IP ranges that were set incorrectly and allowing the spam to be sent. None has been sent since as far as I can tell (I've had no bouncebacks anyway), and from looking at my hMailServer installation, there have been no open SMTP connections, whereas there was a constant open SMTP connection while the spam was being sent.

So as I say, I'm fairly confident it's solved now.

Again, thanks for the help. I do appreciate it. I'll keep a close eye on the server over the next few days to see whether the changes worked.

Andy
27-07-2014, 01:44
If you haven't resolved this yet, have a look on this tutorial I wrote many years ago. It outlines the settings needed to prevent the server being used as a relay.

Tutorial: http://www.abyssunderground.co.uk/in...mailserver.php

csc2ya
25-07-2014, 23:48
Quote, originally posted by heise:
    Well, use the obvious solution and switch to Linux

I know that was said tongue in cheek, but switching to Linux isn't an option, as I run several bits of software that only run on Windows (they don't run on WINE either, before you suggest that):

IRCXPro (only runs on Windows)
mIRC (only runs on Windows)
SAM Broadcaster (only runs on Windows)

I have a Kimsufi box that I use for anything that needs Linux.

heise
25-07-2014, 23:22
Well, use the obvious solution and switch to Linux.

csc2ya
25-07-2014, 22:08
I guess i'll have to deal with it as and when it happens then.

What I do know, is that someone wants to wreck my domain's reputation for e-mail, although, who it is, and why they want to do this completely eludes me.

This whole issue has actually been happening for years, and whereas some things I've tried have stopped it for a while, others have been completely ineffective.

In an ideal world, I would simply fire off a complaint to the owner of the IP block that's accessing it, but I'm well aware that some ISPs will ignore such e-mails (even though they shouldn't).

I've considered involving the police in the past, but I doubt they would care about someone attempting to illegally use my server to send a few spam e-mails.

I also know that on occasions they've done it purely to get at me for whatever reason. I know this because in the past I've had e-mails spoofed to appear to come from my domain that have been sent to domains that couldn't possibly exist (user@domain, in that format, note the lack of extension), meaning I get my mailbox filled with bouncebacks.

They do seem to have stopped for now, but I'll have to keep an eye on it obviously.

Thanks for trying to help anyway guys.

Neil
25-07-2014, 14:28
You cannot block whole ranges, only individual IPs, and as Razakel says, find the source of the issue.

Razakel
25-07-2014, 14:26
Quote, originally posted by heise:
    Instead of changing passwords and blocking IP, investigate why this is happening in the first place. Looks to me, that your software is having some vulnerability that is being exploited.

This. Fixing it with a firewall is basically a band-aid. If your server continues to send spam, the IP will be blocked from sending email until you actually solve the problem.

heise
25-07-2014, 13:56
Instead of changing passwords and blocking IPs, investigate why this is happening in the first place. Looks to me like your software has some vulnerability that is being exploited.

csc2ya
25-07-2014, 11:26
Hi Neil

It's an OVH server (a Mini SP)

That's what i'm using to implement the block.

What I can't figure out, is how to block whole ranges.

I've uploaded a screenshot, which I'll link below, to show what I'm trying to do:

http://winserv.csc2ya.co.uk/ovhfirewall.png

I'm well aware doing it that way won't work as evidenced by the error message.

What I need to know, is what to enter to block that entire range.

So far I've had no more spam sent since adding the IP as an IPv4 deny entry, but I can guess it won't be long before they figure out that it's a single IP that's blocked and simply change their IP to get around it, hence me wanting to block the entire range.

Edit: I may have just figured it out.

I used an online calculator to find the subnet mask for the IP range, which came back as:

Subnet mask for IP address:
    Subnet mask: 255.255.255.128 (/25)
    IP address: 82.57.200.0
    Net block size: 128 (2^7) addresses

I've entered 82.57.200.0/25 as an IPv4 block.

Would that be correct to block that entire range, or would it be 82.57.200.0/128?
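To settle the /25-versus-/128 question raised above: the number after the slash is the count of network bits, so 82.57.200.0/25 leaves 32 - 25 = 7 host bits and covers 82.57.200.0 through 82.57.200.127 (128 addresses, matching the calculator's "2^7"), while /128 is not a valid IPv4 prefix at all, since an IPv4 address has only 32 bits (/128 exists only for IPv6). The Python below is an added example, not code from this thread or from OVH's firewall; it uses only the standard library and also shows the reverse direction, turning a first-to-last range of the kind the original question tried (x.x.x.0 - x.x.x.255) into the CIDR blocks a firewall rule needs, which matters because a range that is not aligned to a power of two takes several blocks rather than one.

```python
import ipaddress


def describe(cidr):
    """Return (first address, last address, number of addresses) for a CIDR block.

    The prefix length counts network bits: /25 on IPv4 leaves 32 - 25 = 7 host
    bits, i.e. 2**7 = 128 addresses. strict=False lets a host address such as
    82.57.200.15/25 stand in for its block.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def valid_ipv4_cidr(cidr):
    """True only for a well-formed IPv4 block; /128 is rejected because IPv4 has 32 bits."""
    try:
        return ipaddress.ip_network(cidr, strict=False).version == 4
    except ValueError:
        return False


def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks that covers exactly first..last.

    A range aligned to a power of two collapses to one block; an arbitrary
    first-last range needs several, which is why a firewall that only accepts
    CIDR notation may need more than one rule for it.
    """
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo.version != hi.version or lo > hi:
        raise ValueError(f"not a valid range: {first}-{last}")
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


def covers(cidr, ip):
    """Would a deny rule for `cidr` catch a connection from `ip`?"""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


if __name__ == "__main__":
    print(describe("82.57.200.0/25"))                      # ('82.57.200.0', '82.57.200.127', 128)
    print(valid_ipv4_cidr("82.57.200.0/128"))              # False
    print(range_to_cidrs("82.57.200.0", "82.57.200.255"))  # ['82.57.200.0/24']
    print(range_to_cidrs("82.57.200.10", "82.57.200.20"))  # four blocks, not one
    print(covers("82.57.200.0/25", "82.57.200.200"))       # False: .128-.255 is the other /25
```

Two practical checks fall out of this. First, /25 blocks only half of 82.57.200.x; if the whole x.x.x.0 - x.x.x.255 block is meant, the rule is /24. Second, the 1.1.1.1-1.1.2.255 range in the iptables example further down this thread is not CIDR-aligned and expands to nine separate blocks, which is exactly why the iptables `iprange` match is convenient there and why a firewall panel that takes only CIDR entries needs one rule per block.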

Neil
25-07-2014, 10:40
Quote, originally posted by csc2ya:
    It's a Windows box. I'm looking for a way to block the ranges using the OVH firewall.

Hi

If it's a VPS or OVH Server you can use the Network Level Firewall in the new Control Panel to block IP Addresses; you can find it under the IP section.

csc2ya
24-07-2014, 20:04
hMailServer on Server 2008.
It's a Windows box. I'm looking for a way to block the ranges using the OVH firewall.

K.Kode
24-07-2014, 19:23
# iprange matches a first-to-last range that need not line up with a CIDR block;
# -I INPUT puts the rule at the top of the chain so it is checked before any accept rule.
iptables -I INPUT -m iprange --src-range 1.1.1.1-1.1.2.255 -j DROP
# iptables-save only prints the running rule set; redirect it to the file your
# distribution restores at boot if the rule should survive a reboot.
iptables-save

csc2ya
24-07-2014, 13:20
I'm having an issue with spam being sent via my mailserver (hMailServer on Server 2008).

This started yesterday. Upon noticing the bouncebacks, I cleared the mail queue and blocked the IP that was connecting in the firewall, followed by changing the password for my e-mail account.

It appears to have started again, this time from a different IP. I have once again changed my password and added the IP to the firewall as a deny entry, which seems to have stopped it again for now.

What I ideally wanted to do was to block all POP and SMTP connections except for my webmail system (Roundcube), which only connects from one IP on my server.

On looking into this, it does not seem possible to do (it caused issues with sending and receiving legitimate e-mail when I tried).

The IP that has been sending spam appears to be located in Oman. On looking into it a bit deeper, they are somehow relaying spam through my mailserver (I'm unsure how, as relaying is not allowed by my hMailServer installation).

What I want to do is block all the IPs from that particular ISP from connecting to my server at all.

Can someone tell me how I can add a range of IPs to the firewall so that they are all blocked?

I've tried (this is only an example) 0.0.0.0 - 0.0.0.255, and also variations of 0.0/0 to block ranges, but these do not work.

Is it possible to block entire ranges using one rule?

It's getting to the point where I'm thinking about shutting off my mailserver altogether and hosting my e-mail elsewhere, but that's a hassle that I don't want to deal with right now.