[BlueOnyx:17691] Re: IP Deny Management in BX

Michael Stauber mstauber at blueonyx.it
Wed May 27 01:25:26 -05 2015


Hi Ernie,

> Is there any equivalent to the cPanel IP Deny Manager for 
> blocking unwanted referral spam to websites?

I haven't used cPanel in many years, so I had to look up that feature
here: https://www.siteground.com/tutorials/cpanel/ip_deny_manager.htm

Generally the APF-Firewall will do that trick as well, but (as is) that
requires shell access to configure and such blocks then affect the
entire server and everything on it. I have started work on a GUI for it,
though. But still: I am not sure if I want to allow siteAdmins to
blacklist IPs or IP address ranges via the firewall. That's just too
risky and I doubt cPanel does it that way. They probably just throw in a
.htaccess that does the blocking on a per Vsite basis.

Which is the more sensible approach if you let siteAdmins mess with it.
I can certainly hack something like that together for BlueOnyx. I'll put
it on my list as it'll make a really nice add-on.

As I'm also getting more and more into protecting services on BlueOnyx
with GeoIP I might as well throw in GeoIP support in the per-Vsite HTTP
access restrictions. So you can then not only block by IP or network
addresses, but also by countries.

Somewhat earlier tonight I updated base-alpine for 5209R with a UIFC
class GeoIP which provides a GUI element for black- and whitelisting
countries. 5207R and 5208R will get it as well.

The AV-SPAM v6.1.0 (currently in development) uses it alongside a
"Milter-GeoIP" for Sendmail that I wrote.

See: http://d2.smd.net/GeoIP/Milter-GeoIP.png

This new "Milter-GeoIP" has three functions:

1.) Protect SMTP-Auth
=======================

If a user logs in via SMTP-Auth with username and password, the IP can
be checked with GeoIP. If the originating country is blacklisted, then
this login will be marked as suspicious. The transaction can either be
"just reported" (email to server admin), can be blocked (and warned
about in an email) and (optionally) the account in question can be
suspended automatically. A suspend transaction will also trigger a
warning email to the server admin and the comment field of the suspended
user account will be updated with date and reason for the suspension.

2.) Daily limits for email-sending:
====================================

The age old problem: An account gets hacked and the server starts to
send SPAM. And you usually only notice once you get blacklisted.

No more of that. Milter-GeoIP can keep accurate track of how many emails
each user and each Vsite sends per day. This includes emails sent by
scripts as well.

If a system user, a vsite (or its users) or an individual user account
sends more emails than allowed per day, then further sending of emails
on that day by this user (and/or all users of the Vsite) will be
prevented with a descriptive error message that states why.

This can be configured on per user and vsite level.

3.) Blocking of *all* SMTP connections via GeoIP:
==================================================

This is both controversial and optional: If enabled, all SMTP connections
from blacklisted countries are rejected at the MTA level. This is done
either by failing all commands from a client that connects from a
blacklisted country, or by dynamically generating a firewall rule via
APF (if it is installed).

Like I said: That is pretty drastic. But you wouldn't believe how much the
SPAM flow drops if you block continental Asia, Russia and the former
Soviet republics. :p

-- 
With best regards

Michael Stauber
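As an added example (not BlueOnyx code, and not something the post itself provides), this is the kind of per-Vsite .htaccess that the reply describes for the cPanel-style approach: blocking by client address plus blocking the referrer spam Ernie asked about. It assumes Apache 2.4 syntax with mod_authz_core, mod_authz_host and mod_setenvif loaded; the addresses and the referrer domain are constructed placeholders.

```apache
# Per-Vsite deny list (added example; Apache 2.4 syntax assumed).
# Requests are allowed unless they match one of the "Require not" rules.

# Mark requests whose Referer header contains a known referrer-spam
# domain (constructed placeholder name).
SetEnvIfNoCase Referer "spam-referrer\.example" bad_referer

<RequireAll>
    Require all granted
    # single host and a whole network (RFC 5737 documentation ranges)
    Require not ip 198.51.100.7
    Require not ip 203.0.113.0/24
    # anything flagged by the SetEnvIfNoCase line above
    Require not env bad_referer
</RequireAll>
```

Because the file lives in the Vsite's own document root, a mistake here only breaks that site, which is the point the reply makes about not handing siteAdmins the server-wide firewall. Referrer checks are advisory only: the Referer header is client-supplied and easily omitted or forged, so this removes log noise rather than stopping a determined client.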



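The three Milter-GeoIP functions described above (SMTP-Auth country check with report/block/suspend, per-user and per-Vsite daily sending limits, and rejecting all SMTP connections from blacklisted countries) modelled as a small stand-alone Python policy engine. This is an added example, not the Milter-GeoIP code (which is not shown on the page) and not part of the original post. The GeoIP lookup uses a constructed table of RFC 5737 documentation ranges instead of a real GeoIP database, and the SMTP reply codes and texts are assumptions.

```python
"""Model of the three Milter-GeoIP policy functions (added example; not the
real milter, whose code is not on this page). GeoIP data is a constructed
table; SMTP reply texts are assumptions."""

from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed GeoIP table (network -> ISO country code). A real milter would
# query a GeoIP database here; these are RFC 5737 documentation ranges.
GEOIP_TABLE = {
    ip_network("192.0.2.0/24"): "DE",
    ip_network("198.51.100.0/24"): "RU",
    ip_network("203.0.113.0/24"): "CN",
}


def lookup_country(ip):
    """Return the ISO country code for an address, or '??' if unknown."""
    addr = ip_address(ip)
    for net, country in GEOIP_TABLE.items():
        if addr in net:
            return country
    return "??"  # an unknown origin is never treated as blacklisted


@dataclass
class Policy:
    blacklist: set                      # blacklisted country codes
    auth_action: str = "report"         # "report", "block" or "suspend"
    block_all_smtp: bool = False        # function 3: reject at connect time
    default_user_limit: int = 200       # mails/day unless overridden
    user_limit: dict = field(default_factory=dict)   # user -> mails/day
    vsite_limit: dict = field(default_factory=dict)  # vsite -> mails/day


@dataclass
class GeoIPMilter:
    policy: Policy
    counters: dict = field(default_factory=lambda: defaultdict(int))
    suspended: dict = field(default_factory=dict)   # user -> reason text
    admin_notices: list = field(default_factory=list)  # mails to the admin

    # 3.) Blocking of all SMTP connections via GeoIP
    def on_connect(self, client_ip):
        country = lookup_country(client_ip)
        if self.policy.block_all_smtp and country in self.policy.blacklist:
            return "554 5.7.1 SMTP connections from %s are not accepted" % country
        return "220 OK"

    # 1.) Protect SMTP-Auth
    def on_auth(self, user, client_ip, day):
        if user in self.suspended:
            return "535 5.7.8 Account suspended: %s" % self.suspended[user]
        country = lookup_country(client_ip)
        if country not in self.policy.blacklist:
            return "235 2.7.0 Authentication successful"
        note = "%s: SMTP-Auth for %s from %s (%s)" % (day, user, client_ip, country)
        self.admin_notices.append(note)              # admin is always warned
        if self.policy.auth_action == "report":
            return "235 2.7.0 Authentication successful"  # reported only
        if self.policy.auth_action == "suspend":
            self.suspended[user] = note              # goes into the comment field
        return "535 5.7.8 Authentication from blacklisted country rejected"

    # 2.) Daily limits for email-sending, per user and per Vsite
    def on_mail(self, user, day):
        if user in self.suspended:
            return "550 5.7.1 Account suspended"
        vsite = user.split("@", 1)[1]
        user_key, vsite_key = (day, "user", user), (day, "vsite", vsite)
        user_max = self.policy.user_limit.get(user, self.policy.default_user_limit)
        vsite_max = self.policy.vsite_limit.get(vsite)
        if self.counters[user_key] >= user_max:
            return "550 5.7.1 Daily limit of %d messages for %s reached" % (user_max, user)
        if vsite_max is not None and self.counters[vsite_key] >= vsite_max:
            return "550 5.7.1 Daily limit of %d messages for %s reached" % (vsite_max, vsite)
        self.counters[user_key] += 1
        self.counters[vsite_key] += 1
        return "250 2.0.0 Message accepted"


if __name__ == "__main__":
    policy = Policy(blacklist={"RU", "CN"}, auth_action="suspend",
                    block_all_smtp=True, user_limit={"bob@example.com": 2},
                    vsite_limit={"example.com": 3})
    milter = GeoIPMilter(policy)
    print(milter.on_connect("198.51.100.5"))
    print(milter.on_auth("alice@example.com", "203.0.113.9", "2015-05-27"))
    for _ in range(3):
        print(milter.on_mail("bob@example.com", "2015-05-27"))
```

Counters are keyed by day so a limit resets automatically at the next date, and the Vsite counter is incremented for every accepted message from any of its users, which is what lets a single compromised account exhaust the site's quota before it exhausts the server's reputation.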