SMTP Server -> IDS/IPS

The IDS/IPS tab lets you set logging and automatic blocking parameters for the IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) component of the SMTP server.

SMTP servers are regularly attacked, both by incoming mail attacks (spam, viruses, etc.) and by relay attacks (spammers and other malware distributors trying to send mail through them). Because of this, VPOP3 tracks attack attempts on the SMTP service and can automatically block IP addresses which misbehave.

IDS Logging

The IDS Logging section lets you tell VPOP3 to write details of suspicious events to a specified log file. This can then be read by a third-party system (e.g. Snort) to feed updates to a firewall or security alert system.

IDS logging is disabled by default, and VPOP3 does not use the log itself; the IPS component of VPOP3 uses its own internal log. If you turn on IDS logging, you must have some process in place for rotating or truncating the log file. Check the documentation of the third-party software you are using to see how the file can be acceptably rotated or truncated. VPOP3 will not rotate or truncate the log file itself; it simply appends entries to the file (one text line per event), so the file will grow indefinitely unless another process handles it.

The IDS Log Filename should be in a location which the VPOP3 process has permission to write to. Usually this means it cannot be on a shared drive or remote server, because the account the VPOP3 service runs under does not normally have access to network shares. If you wish, you can use a Lua script to create the filename dynamically.

The IDS Log Line Format tells VPOP3 what data to write on each line of the log file. The following replacement tokens are expanded for each event:

  1. %T = UTC timestamp in ISO8601 format
  2. %I = the SMTP client's IP address (as seen by VPOP3)
  3. %E = the IDS event text description
  4. %D = extra event data

You can use a Lua script to customise the line format further, e.g. if the timestamp needs to be in a different format.
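As an added example (not part of the VPOP3 documentation or product), here is a Python consumer for an IDS log written with a tab-separated line format of %T, %I, %E and %D, of the kind a third-party alerting or firewall script would need. It turns the configured format string into a parser and tallies events per client address. The regex shapes for each field, the "Z"-suffixed timestamp form, the event descriptions and the log lines themselves are constructed assumptions; VPOP3's real event descriptions are those shown on its settings page.

```python
import re
from datetime import datetime
from typing import Dict, List

# VPOP3 replacement tokens (from the page) mapped to regex fragments. The fragment
# shapes are assumptions: an ISO 8601 timestamp without spaces, an IPv4/IPv6 literal,
# free text for the event description and for the extra event data.
TOKEN_PATTERNS = {
    "%T": r"(?P<timestamp>\S+)",
    "%I": r"(?P<client_ip>[0-9A-Fa-f:.]+)",
    "%E": r"(?P<event>.*?)",
    "%D": r"(?P<data>.*)",
}


def compile_line_format(line_format: str) -> "re.Pattern[str]":
    """Build a regex matching one log line written with the given IDS Log Line Format."""
    parts: List[str] = []
    i = 0
    while i < len(line_format):
        token = line_format[i:i + 2]
        if token in TOKEN_PATTERNS:
            parts.append(TOKEN_PATTERNS[token])
            i += 2
        else:
            parts.append(re.escape(line_format[i]))   # literal separator text
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def parse_ids_log(text: str, line_format: str) -> List[Dict[str, object]]:
    """Parse log text into records; lines that do not match the format are skipped.

    Skipping matters because VPOP3 appends to the file while you read it, so the
    last line may still be incomplete."""
    pattern = compile_line_format(line_format)
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = pattern.match(line)
        if not m:
            continue
        rec: Dict[str, object] = dict(m.groupdict())
        if "timestamp" in rec:
            # fromisoformat() before Python 3.11 does not accept a trailing "Z"
            ts = str(rec["timestamp"]).replace("Z", "+00:00")
            rec["timestamp"] = datetime.fromisoformat(ts)
        records.append(rec)
    return records


def events_per_ip(records: List[Dict[str, object]]) -> Dict[str, int]:
    """Count logged events per client IP, the figure an alerting or blocking consumer keys on."""
    counts: Dict[str, int] = {}
    for rec in records:
        ip = str(rec.get("client_ip", "?"))
        counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample: a format an administrator might configure, plus lines written in it.
# The event descriptions are placeholders, not VPOP3's actual event names.
SAMPLE_FORMAT = "%T\t%I\t%E\t%D"
SAMPLE_LOG = (
    "2018-11-14T10:45:01Z\t203.0.113.7\tRelay attempt\tRCPT TO:<victim@example.net>\n"
    "2018-11-14T10:45:03Z\t203.0.113.7\tRelay attempt\tRCPT TO:<other@example.org>\n"
    "2018-11-14T10:46:10Z\t198.51.100.22\tAuthentication failure\tuser=admin\n"
    "2018-11-14T10:47:00Z\t198.51.100.2"    # partial last line, still being written
)

if __name__ == "__main__":
    recs = parse_ids_log(SAMPLE_LOG, SAMPLE_FORMAT)
    for rec in recs:
        print(rec["timestamp"], rec["client_ip"], rec["event"], "|", rec["data"])
    print(events_per_ip(recs))
```

Because %E is matched lazily and %D greedily, the parser only stays unambiguous if the configured format puts a separator between them and %D is the last token; put any free-text field last in your own format for the same reason.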

Intrusion Prevention

The Intrusion Prevention section tells VPOP3 how to react to suspicious events when they occur.

When an SMTP connection is initiated, the order of events is:

  • VPOP3 looks at the client IP address.
  • VPOP3 checks the Never Block List. If the IP address is there, the connection is allowed and no further IPS checks are made.
  • VPOP3 checks the Block List. If the IP address is there (and the entry has not expired), the connection is blocked.
  • If the IP address was in the Block List, but that entry expired within the past Client Error Monitor Period, then the IP address's score is seeded with the Client Error Re-Block value instead of starting at zero. This means that a badly behaved client is more likely to be blocked again if it continues to misbehave.
  • VPOP3 adds up the values of the previous entries in the IPS event log for that IP address over the past Client Error Monitor Period. If the total equals or exceeds the Client Error Block Threshold, the IP address is added to the Block List with an expiry set to the Client Error Block Time in the future, and the connection is blocked.

If the connection is allowed, then VPOP3 will add entries to the IPS event log as suspicious events occur during the session. These will not cause the IP address to be added to the block list immediately; they are only checked at the next connection from the same IP address. This reduces computational load on the server, and means that isolated events from an IP address will not create a block list entry which then expires before it is used.

The various events which are logged are shown on this settings page, each with a 'multiplier'.

Every event logged for an IP address within the Client Error Monitor Period adds that event's 'multiplier' to the IP address's “score”; at the next connection the score is compared with the Client Error Block Threshold.

Notes:

  1. changing an event's “multiplier” takes effect retrospectively, because the score is recalculated from the stored events each time an IP address connects.
  2. the Client Error Monitor Period should not be set for longer than 30 days, as events are purged from VPOP3's internal log after 30 days.
  3. you cannot turn off the internal intrusion detection/prevention component of VPOP3 (as opposed to IDS logging to an external file, which is off by default). You can achieve the same effect as turning off blocking by setting all the 'multipliers' to zero, or by decreasing the Monitor Period to 1 minute and increasing the Block Threshold to an unreachable value. Note that this does not stop the Security settings from blocking addresses after repeated bad logins (see Manage Block List below).
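The connection-time procedure above, the Re-Block seeding and the notes on retrospective multipliers are easier to reason about as code. The following Python model is an added example, not VPOP3's own implementation: it replays the documented steps over a constructed timeline so you can see when an address is blocked and with what score. The event names, multiplier values, threshold, periods and IP addresses are all assumptions chosen for the walkthrough; VPOP3's real event list is on its settings page.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed event names and multipliers; VPOP3's real list lives on its settings page.
DEFAULT_MULTIPLIERS = {"relay_attempt": 4, "auth_failure": 3, "bad_command": 1}


@dataclass
class IpsConfig:
    monitor_period: timedelta    # Client Error Monitor Period
    block_threshold: int         # Client Error Block Threshold
    block_time: timedelta        # Client Error Block Time
    reblock_seed: int            # Client Error Re-Block value
    multipliers: Dict[str, int] = field(default_factory=lambda: dict(DEFAULT_MULTIPLIERS))


@dataclass
class BlockEntry:
    network: Network
    added: datetime
    expires: datetime
    reason: str                  # what the "why was this address blocked" view would show


class IpsModel:
    """Model of the page's connection-time decision; it is not VPOP3's own code."""

    def __init__(self, cfg: IpsConfig) -> None:
        self.cfg = cfg
        self.never_block: List[Network] = []
        self.block_list: List[BlockEntry] = []   # expired entries are kept for the re-block check
        self.events: List[Tuple[datetime, str, str]] = []   # (when, client ip, event name)

    def add_never_block(self, cidr: str) -> None:
        net = ipaddress.ip_network(cidr, strict=False)
        self.never_block.append(net)
        # adding to Never Block removes any current block covering those addresses
        self.block_list = [e for e in self.block_list if not e.network.overlaps(net)]

    def record_event(self, ip: str, event: str, when: datetime) -> None:
        """Events logged during a session only count at that IP's next connection."""
        self.events.append((when, ip, event))

    def on_connect(self, ip: str, now: datetime) -> Tuple[bool, int]:
        """Decide a new connection from ip: returns (allowed, score used for the decision)."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.never_block):
            return True, 0                                   # Never Block wins outright
        if any(addr in e.network and e.expires > now for e in self.block_list):
            return False, 0                                  # currently on the Block List
        score = 0
        if any(addr in e.network and now - e.expires <= self.cfg.monitor_period
               for e in self.block_list):
            score = self.cfg.reblock_seed                    # a block expired within the window
        for when, event_ip, event in self.events:            # add multipliers of events in window
            if event_ip == ip and now - when <= self.cfg.monitor_period:
                score += self.cfg.multipliers.get(event, 0)
        if score >= self.cfg.block_threshold:
            self.block_list.append(BlockEntry(ipaddress.ip_network(ip), now, now + self.cfg.block_time,
                                              f"score {score} >= threshold {self.cfg.block_threshold}"))
            return False, score
        return True, score


def demo() -> List[Tuple[str, bool, int]]:
    """Walk a relay attacker, a fresh client and an internal host through the model."""
    cfg = IpsConfig(monitor_period=timedelta(minutes=10), block_threshold=10,
                    block_time=timedelta(minutes=5), reblock_seed=6)
    ips = IpsModel(cfg)
    ips.add_never_block("192.168.0.0/16")
    t0 = datetime(2018, 11, 14, 10, 45, tzinfo=timezone.utc)
    at = lambda minutes: t0 + timedelta(minutes=minutes)
    out: List[Tuple[str, bool, int]] = []
    out.append(("attacker first connect", *ips.on_connect("203.0.113.7", at(0))))
    for _ in range(3):                                       # 3 x 4 = 12, but no block yet
        ips.record_event("203.0.113.7", "relay_attempt", at(0))
    out.append(("attacker reconnect", *ips.on_connect("203.0.113.7", at(1))))     # blocked until 10:51
    out.append(("attacker while blocked", *ips.on_connect("203.0.113.7", at(3))))
    # At 10:57 the 10:45 events are outside the window, but the block expired 6 minutes ago,
    # so the score starts at the Re-Block seed (6) instead of 0: allowed, but one strike away.
    out.append(("attacker after expiry", *ips.on_connect("203.0.113.7", at(12))))
    ips.record_event("203.0.113.7", "relay_attempt", at(12))                       # 6 + 4 = 10
    out.append(("attacker again", *ips.on_connect("203.0.113.7", at(13))))
    ips.record_event("198.51.100.22", "relay_attempt", at(12))                     # same event, no history
    out.append(("fresh client", *ips.on_connect("198.51.100.22", at(13))))
    ips.events += [(at(13), "192.168.1.5", "auth_failure")] * 10                  # inside Never Block range
    out.append(("internal host", *ips.on_connect("192.168.1.5", at(14))))
    cfg.multipliers["relay_attempt"] = 10      # note 1: re-weights the event already stored
    out.append(("fresh client after multiplier change", *ips.on_connect("198.51.100.22", at(14))))
    return out


if __name__ == "__main__":
    for label, allowed, score in demo():
        print(f"{label:40} {'allowed' if allowed else 'BLOCKED':8} score={score}")
```

Two consequences of the documented steps fall out of the model: events that already caused a block still count while they are inside the Monitor Period, so with a Monitor Period longer than the Block Time a client can be re-blocked on its first reconnection without any new misbehaviour, and the Re-Block seed lowers the bar further. Replaying your intended settings through a model like this before changing them on a live server is cheaper than discovering the effect from a blocked partner.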

Manage Block List

When an IP address connects and the events already logged for it total the Block Threshold or more, it is added to the Block List. Addresses can also be added to the Block List manually.

Note that the Block List affects ALL VPOP3 services, not just SMTP. It is also updated by the Security settings in VPOP3 if someone repeatedly attempts to log in with incorrect credentials.

The Block List can be viewed to see which IP addresses are already in the block list, when they were added, and when they will expire. If you double-click on an entry, VPOP3 will show you why that address was added to the block list. You can delete entries from the block list.

You can manually add entries to the block list by entering the address and the period for which it should be blocked, and pressing the Add button. The maximum time you can block an address for is 999,999,999 minutes (approximately 1900 years). The address you specify can be an individual address, or a network range specified in CIDR format (e.g. 1.2.3.0/24).

Manage Never Block List

The Never Block list is used to tell VPOP3 never to block connections from the specified addresses. This can be useful for internal IP address ranges, or the IP addresses of partners or mail forwarding services.

Note that the Never Block List affects ALL VPOP3 services, and will also prevent the Security options from blocking IP addresses after repeated bad logins, so keep its entries as narrow as possible.

The Never Block List can be viewed to see which IP addresses are already in the list and when they were added. You can delete entries from the Never Block List by selecting them and pressing the Delete button.

You can manually add entries to the never block list by entering the address and pressing the Add button. If you add an entry to the Never Block list, then it will automatically be removed from the Block List if the address is currently blocked.

The address you specify can be an individual address, or a network range specified in CIDR format (e.g. 192.168.0.0/16).

View Event Log

This lets you see the recent events added to the IDS event log. Events are displayed here even if they have a zero 'multiplier', so an event appearing here does not necessarily contribute to blocking access to VPOP3.

reference/smtp_ids_ips.txt · Last modified: 2018/11/14 10:45 by 127.0.0.1