Here’s a picture of a heart shaped potato :)

Well, if you got here, I don’t have to explain the issue, do I? :)

Basically, if you have a spammer on your Smartermail email server, changing the password will not kill the currently active sessions, so the spammer can keep sending emails. In that case, only a restart of Smartermail would solve the issue (active sessions would get dropped :) ).

 

Let me describe what the script does and why.

1. Checks if it needs to run. Remember, the script needs to run on the “Password change” event, but not on all of them!

Let’s break it down:

- We don’t want to run the script, and block the client’s IP, when a legitimate client changes his own password through some control panel or webmail.

- We only need to start the script if we (the sysadmin) change the password.

- We only need to start the script when there was a spammer on the server, not when the admin does a regular password change on user request.

In order to solve that, we use a “specially crafted” password, and the only requirement is that it has to end with the letters “spm”. Of course you can change it to something else if you wish, by changing the password pattern in the script.

2. Parses the current Smartermail’s SMTP log file and extracts all IP addresses that were used to log in with the email account for whom you’ve just changed the password.

3. Matches the extracted IP addresses with countries. This is useful if your clients are from a specific region, so you can whitelist those countries ( I’m sure you’ll find a use case for this :) )

4. Takes the last 10 unique IP addresses and adds them to the Windows firewall block list. It will block incoming and outgoing connections only on ports 25, 465 and 587 for all “offensive” IP addresses.

5. Sleeps for 5 minutes and removes the IP addresses from the block list (you’d want to remove “unnecessary” firewall rules when they’re not needed).

So, in order to get this puppy going, you need to do this:

1. Create a new event in Smartermail ( Settings – Events )

2.  Event Category : User, Event type “User changed password”

3.  Click on “Actions”, click on “Add action” and set it like in the picture ( was lazy to type :D )

[Picture: smartermailevent]

Of course, you can save the files in some other folder, just be sure to set the arguments right.

Bat file :

 

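REM -File with quoted arguments passes the address and password as data; they are never parsed as PowerShell code
PowerShell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\work\spmblock.ps1" "%~1" "%~2"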

 

Powershell script ( I suggest that you download the .zip file with the script, instead of copying it from the post ) :

 

# Arguments passed by the bat file: the e-mail address and the new password
$email = $args[0]
$password = $args[1]
Function BlockSpammers{
    #Check if we need to run
    $pwd_regex = "spm\z" #you can change the trigger letters (leave the "\z") or pattern here.
    if($password -match $pwd_regex){
        $date = get-date -Format yyyy.MM.dd
        $blockedips = $null

        $ports = "25,465,587"
        $countries = "(US|IE|DE|AU)" # you can add countries to the whitelist here
        $match_regex = "\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b"
        $web = New-Object Net.WebClient
        # Remove leftovers from a previous run; ignore the error if they don't exist
        del c:\work\ips.txt -ErrorAction SilentlyContinue
        del c:\work\tmp.txt -ErrorAction SilentlyContinue
        # -SimpleMatch: treat the address as literal text, not as a regular expression
        gc C:\Smartermail\Logs\$date-smtpLog.log | select-string -SimpleMatch "Authenticated as $email" | out-file c:\work\tmp.txt
        Select-string -path c:\work\tmp.txt -Pattern $match_regex -AllMatches | % { $_.Matches } | % { $_.Value } > c:\work\ips.txt
        $ips = gc c:\work\ips.txt
        $ips = $ips | select-object -Unique | Select-Object -last 10
        #check if we need to block the IP
        foreach($ip in $ips){
            $data = $web.DownloadString("http://toic.org/network/geoip/search/?query=$ip")
            # whitelisted country: skip this IP
            if ($data -match "Country code</td><td>$countries</td>"){continue}
            else{

                netsh advfirewall firewall add rule name="$ip" dir=in remoteip=$ip protocol=TCP localport=$ports action=block | out-null
                netsh advfirewall firewall add rule name="$ip" dir=out remoteip=$ip protocol=TCP localport=$ports action=block | out-null
                $blockedips = $blockedips + $ip+"`n"
            }
        }
        # keep the block in place for 5 minutes, then remove the rules again
        Start-Sleep 300
        foreach($ip in $ips){
            netsh advfirewall firewall delete rule name="$ip" | out-null
        }
    }
}
BlockSpammers

 

You can download all files in a zip archive from HERE
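
Steps 2 and 4 above (log parsing and firewall rules) in a stricter form, as an added example that is not part of the original script: it matches the address literally, keeps only canonical IPv4 addresses, and gives the rules a prefixed name so the cleanup can only delete rules this job created. The function names, the `spmblock-` prefix and the sample log lines are assumptions made for illustration (the real SmarterMail log layout may differ); the country whitelist step is left out and the netsh commands are returned as text instead of being executed.

```powershell
# Constructed sample lines; the real SmarterMail SMTP log layout may differ.
# In production, pass (Get-Content <path to today's SMTP log>) instead.
$sampleLog = @(
    '10:01:12 [203.0.113.45][1001] Authenticated as user@example.com',
    '10:01:13 [198.51.100.7][1002] Authenticated as other@example.com',
    '10:02:40 [203.0.113.45][1003] Authenticated as user@example.com',
    '10:03:05 [192.0.2.200][1004] Authenticated as user@example.com',
    '10:03:09 [999.1.1.1][1005] Authenticated as user@example.com'
)

# Hypothetical helper: last N unique, valid IPv4 addresses that logged in as $Email.
function Get-LoginIp {
    param([string[]]$Lines, [string]$Email, [int]$Last = 10)
    $ipRegex = '\b\d{1,3}(?:\.\d{1,3}){3}\b'
    $needle  = "Authenticated as $Email"
    $found = foreach ($line in $Lines) {
        # Literal, case-insensitive search: dots in the address are not wildcards.
        if ($line.IndexOf($needle, [System.StringComparison]::OrdinalIgnoreCase) -lt 0) { continue }
        foreach ($m in [regex]::Matches($line, $ipRegex)) {
            $parsed = $null
            # Keep only canonical dotted quads: rejects 999.1.1.1 and zero-padded forms.
            if ([System.Net.IPAddress]::TryParse($m.Value, [ref]$parsed) -and
                $parsed.ToString() -eq $m.Value) { $m.Value }
        }
    }
    if (-not $found) { return @() }
    @($found | Select-Object -Unique | Select-Object -Last $Last)
}

# Hypothetical helper: builds the netsh commands without running them.
# The name prefix keeps these rules apart from any rule an admin created by hand.
function Get-RuleCommand {
    param([string[]]$Ips, [ValidateSet('add', 'delete')][string]$Action,
          [string]$Ports = '25,465,587', [string]$Prefix = 'spmblock-')
    foreach ($ip in $Ips) {
        $name = "name=`"$Prefix$ip`""
        if ($Action -eq 'delete') { "netsh advfirewall firewall delete rule $name"; continue }
        foreach ($dir in 'in', 'out') {
            "netsh advfirewall firewall add rule $name dir=$dir remoteip=$ip protocol=TCP localport=$Ports action=block"
        }
    }
}

$ips = Get-LoginIp -Lines $sampleLog -Email 'user@example.com'
Get-RuleCommand -Ips $ips -Action add      # run these, sleep, then run:
Get-RuleCommand -Ips $ips -Action delete
```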

 

Please note that you will have to allow Powershell to run unsigned scripts  ( Set-ExecutionPolicy Unrestricted ) .

Hope it helps some of you.

Bye, Alesandro.

I have been administering Windows hosting servers for over 7 years now and one thing that really made me angry is the lack of BASIC security features in Microsoft’s FTP server.

Blocking IP addresses based on the number of failed logins is an ESSENTIAL feature for any FTP server, but it seems Microsoft doesn’t care about that ( until IIS 8 :) )

I swear, when I come to power, I will make that feature obligatory to every FTP server on the market, so…when it comes to that, vote for me! :D

Since I am seeing increasing numbers of brute force attacks in general ( FTP, email servers, application logins, etc… ) we had to come up with some solution that would harden our FTP servers.

I wrote a Powershell script that processes the FTP log file and if it detects over 50 failed logins from a particular IP address, it adds a “Deny” entry in “FTP IPv4 Address and Domain Restrictions” . (Read More »)
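
The detection rule described above (more than 50 failed logins from one IP address), as an added example that is not the author's script: it reads the column order from the log's own `#Fields:` header and counts failed logins per client address. The function name, the constructed sample lines and the assumption that a failed login is a PASS command answered with status 530 belong to this example; adding the “Deny” entry is left to the linked post.

```powershell
# Hypothetical helper: counts failed logins per client IP in IIS FTP W3C log lines.
# Assumption: a failed login is a PASS command answered with status 530.
function Get-FtpBruteForceIp {
    param([string[]]$Lines, [int]$Threshold = 50)
    $fields = @()
    $failed = @{}
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            # Column order comes from the log's own header, not from fixed positions.
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or -not $line.Trim() -or $fields.Count -eq 0) { continue }
        $cols = $line.Trim() -split '\s+'
        if ($cols.Count -lt $fields.Count) { continue }   # skip truncated lines
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        if ($row['cs-method'] -eq 'PASS' -and $row['sc-status'] -eq '530') {
            $failed[$row['c-ip']] = 1 + [int]$failed[$row['c-ip']]
        }
    }
    # "Over 50" in the post means strictly greater than the threshold.
    $failed.GetEnumerator() | Where-Object { $_.Value -gt $Threshold } |
        Sort-Object Value -Descending |
        ForEach-Object { New-Object PSObject -Property @{ IP = $_.Key; FailedLogins = $_.Value } }
}

# Constructed sample: 51 failures from one address, 3 failures and 1 success from another.
$header = '#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath'
$sample = @($header)
$sample += 1..51 | ForEach-Object { '2013-05-01 00:00:01 203.0.113.9 - 192.0.2.10 21 PASS *** 530 1326 41 s1 -' }
$sample += 1..3  | ForEach-Object { '2013-05-01 00:05:00 198.51.100.7 - 192.0.2.10 21 PASS *** 530 1326 41 s2 -' }
$sample += '2013-05-01 00:05:09 198.51.100.7 bob 192.0.2.10 21 PASS *** 230 0 0 s2 /'

Get-FtpBruteForceIp -Lines $sample
```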

First of all, you need to know that this project will be described in two or three posts, since there is a lot of stuff to cover.

In this first, introductory post, I will only give you rough details of the modifications we did, and most importantly, why we did them in the first place.

 

WHY???

Since the new version of Websitepanel 2.0 has been crippled ( specifying the number of domain aliases and the drop of support for Windows Server 2003 /IIS6/SQL 2005 ) we have decided to implement the support for Windows 2012 and SQL 2012 into the currently available 1.2.1 version.

I am aware that this change puts us out of WebsitePanel’s update roadmap, but since I honestly don’t like where the project is going, I don’t see it as a big problem, since we are using it only for our shared hosting customers, who only use IIS, SQL, FTP and email services. We have no need for OCS, Dynamics, Sharepoint, etc…

This modification is something we just had to do in order to give our customers the features they are already used to having, while at the same time giving us and our customers access to the newest features of IIS8 and MSSQL 2012, and still maintaining a single control point, aka a central management system for all of your Windows 2003/R2, Windows 2008/R2 and Windows 2012 servers.

To get the idea of what exactly I am talking about, have a look at these posts:

http://www.websitepanel.net/global-forums/topic/domain-alias/

http://www.websitepanel.net/global-forums/topic/alias-domain/

http://www.websitepanel.net/search-results/?q=domain+alias

So, what did we need to do?

The first layer was the code modification itself.

This is a rough list of modifications we had to do:

1. Modify the operating system provider

2. Modify the web server provider

3. Modify the FTP server provider

4. Modify the MSSQL server provider

The second layer is adding the new providers to the Websitepanel database.

The third and the most complicated layer ( at least for me :) ) is the modification of the Websitepanel Portal in order to have SQL server 2012 listed. Please note that we didn’t ADD the new entries for SQL Server 2012, but we have just modified the SQL server 2000 entries. We could do that because we were not using SQL server 2000. If you are using it, you will need to add new entries to the Websitepanel Portal code.

Since we were adding new entries to the database manually, through SQL Server Management Studio, I don’t have the “magic” query you could just run on your database and have everything installed. Sorry for that :/

Please note that we have our modified version of Websitepanel 1.2.1 already in production and it is being used by our shared hosting users.( Plus hosting – www.plus.hr )

Bye bye for now, see you again in a couple of days with the post nr.2 :)

If you need the modified DLL files right now, feel free to drop me an email using the contact form on the top left corner of the website.

Ciao, Alesandro.

 

 

Here you can download the files for fixing mysql issues ( deleting database ) on WSP 1.0.1.0, 1.0.2 , 1.1.0, 1.1.2, 1.2.0 AND 1.2.1

INSTRUCTIONS :

Replace the “websitepanel.providers.database.mysql.dll” file in the “server\bin” folder with the one you downloaded. These fixes fixed my problem on all servers EXCEPT the one running mysql version 5.0.27… the ones running 5.1 and 5.0.77 work fine. I will update if I get this solved too…

Currently I am getting this error on 5.0.27 server: ERROR: ‘MySQL Server 5.0′ DeleteDatabase System.Data.EvaluateException: Cannot perform ‘=’ operation on System.Byte[] and System.String.

FIX for 1.0.1.0 version can be found HERE

FIX for the 1.0.2 version can be found HERE

FIX for the 1.1.0 version can be found HERE

FIX for the 1.1.2 version can be found HERE

FIX for the 1.2.0 version can be found HERE – UPDATED!!

FIX for the 1.2.1 version can be found HERE – UPDATED!!

FIX for the 1.2.1.6 version can be found HERE – UPDATED!!

Hope it will be helpful.

If you have any questions, just let me know.

Of course, these fixes are provided AS-IS. I don’t guarantee they will work on your machine, and I cannot take responsibility for any damages caused by them.