palinkas-jo-reggelt / hMailServer-Firewall-Ban

Windows Defender Firewall Ban for hMailServer
GNU General Public License v3.0

Wrong includes, some other #15

Open EmEiBee opened 2 years ago

EmEiBee commented 2 years ago

Hello again, I'm sure I've got the old files again... Downloaded yesterday from this place... Am I wrong?

1st: many include_once statements point to files like "(unknown)data.php", but they don't exist. The same files without the "...data" at the end are present, so I think that is just an "ohhh, forgot to edit" thing.

2nd: PHP Notice: Undefined variable: redTo in .\dialtodayhits.php on line 27

3rd: PHP Fatal error: Cannot redeclare ip_country() (previously declared in .\functions.php:204) in .\functions.php on line 204

OT-BTW: GeoLite2SQL is now running, except that the data in "network_start" and "network_end" are hieroglyphs. [screenshot: Bild_2022-08-24_073241609]

palinkas-jo-reggelt commented 2 years ago

I stopped using this about a year ago after it became apparent that it was only useful for a tiny fraction of repeat offenders. It's just too cumbersome to maintain. The statistics were more useful than the actual banning. But you don't need to collect your own statistics because I can simply tell you: 60% of firewall banned IPs never ever returned to try again and only 1 or 2 percent returned more than a few times. My advice is to simply use autoban.

With respect to your GeoLite2SQL issue, it appears that your table structure is probably wrong - could be based on the old version? If you're using the latest version, it includes queries for dropping old tables and recreating them new. It should just work IF you're using the current code.

Are you getting any errors?

```powershell
<#  Drop and add database tables  #>
# Debug, Email, EmailResults and MySQLQuery are helper functions defined elsewhere in the
# GeoLite2SQL script; $Type selects the Country or City edition of the GeoLite2 database.
Debug "----------------------------"
Debug "Drop and recreate database tables"
Try {
    If ($Type -match "country") {
        $GCQuery = "
            DROP TABLE IF EXISTS geocountry;
            CREATE TABLE geocountry (
                network_start VARBINARY(16) NOT NULL,
                network_end VARBINARY(16) NOT NULL,
                geoname_id INT NOT NULL,
                registered_country_geoname_id INT,
                represented_country_geoname_id INT,
                is_anonymous_proxy TINYINT,
                is_satellite_provider TINYINT,
                KEY geoname_id (geoname_id),
                KEY network_start (network_start),
                PRIMARY KEY network_end (network_end)
            ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
        "
    } Else {
        $GCQuery = "
            DROP TABLE IF EXISTS geocity;
            CREATE TABLE geocity (
                network_start VARBINARY(16) NOT NULL,
                network_end VARBINARY(16) NOT NULL,
                geoname_id INT NOT NULL,
                registered_country_geoname_id INT,
                represented_country_geoname_id INT,
                is_anonymous_proxy TINYINT,
                is_satellite_provider TINYINT,
                postal_code TINYINT,
                latitude DECIMAL(7,4),
                longitude DECIMAL(7,4),
                accuracy_radius TINYINT,
                KEY geoname_id (geoname_id),
                KEY network_start (network_start),
                PRIMARY KEY network_end (network_end)
            ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
        "
    }
    MySQLQuery $GCQuery

    If ($Type -match "country") {
        $GLQuery = "
            DROP TABLE IF EXISTS countrylocations;
            CREATE TABLE countrylocations (
                geoname_id INT NOT NULL,
                locale_code TINYTEXT,
                continent_code TINYTEXT,
                continent_name TINYTEXT,
                country_code TINYTEXT,
                country_name TINYTEXT,
                is_in_european_union TINYINT,
                KEY geoname_id (geoname_id)
            ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
        "
    } Else {
        $GLQuery = "
            DROP TABLE IF EXISTS citylocations;
            CREATE TABLE citylocations (
                geoname_id INT NOT NULL,
                locale_code TINYTEXT,
                continent_code TINYTEXT,
                continent_name TINYTEXT,
                country_code TINYTEXT,
                country_name TINYTEXT,
                subdivision_1_iso_code TINYTEXT,
                subdivision_1_name TINYTEXT,
                subdivision_2_iso_code TINYTEXT,
                subdivision_2_name TINYTEXT,
                city_name TINYTEXT,
                metro_code TINYINT,
                time_zone TINYTEXT,
                is_in_european_union TINYINT,
                KEY geoname_id (geoname_id)
            ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
        "
    }
    MySQLQuery $GLQuery
    Debug "Database tables successfully dropped and created"
    Email "[OK] Database tables dropped & recreated"
}
Catch {
    # Any failure aborts the run; the error log and the result e-mail carry the details.
    Debug "[ERROR] : Unable to drop/create database tables : $($Error[0])"
    Debug "[ERROR] : Quitting Script"
    Email "[ERROR] Failed to drop/create database tables. See error log."
    EmailResults
    Exit
}
```

EmEiBee commented 2 years ago

FireBan: Yes, that can be. What I have seen is that the same IP does not come back often, but an IP out of the same CIDR does. AutoBan is on after a single fault, but without the Windows FW in front, where I block whole CIDR blocks on the side, the number of entries grows very fast and will be between 3000 and 7000 (30 days hold time). I think it's better not to let the bad boys touch the MX... But I don't have the right idea...

GeoLite: I downloaded it again yesterday after our exchange, emptied the folder except for the config, deleted the tables by hand and also deleted the folder "Script-Created-Files". Then I let it run. I have done that a few times the same way, but the result is the same every time. I'll compare again tonight; now I have to continue welding my car... I'm a bit short on time with that...

palinkas-jo-reggelt commented 2 years ago

> FireBan: Yes, that can be. What I have seen is that the same IP does not come back often, but an IP out of the same CIDR does. AutoBan is on after a single fault, but without the Windows FW in front, where I block whole CIDR blocks on the side, the number of entries grows very fast and will be between 3000 and 7000 (30 days hold time). I think it's better not to let the bad boys touch the MX... But I don't have the right idea...

I only autoban for one hour.

If it's just a couple of networks that are bothering you, you can simply add them manually to Windows Firewall.

> GeoLite: I downloaded it again yesterday after our exchange, emptied the folder except for the config, deleted the tables by hand and also deleted the folder "Script-Created-Files". Then I let it run. I have done that a few times the same way, but the result is the same every time. I'll compare again tonight; now I have to continue welding my car... I'm a bit short on time with that...

Some config may have changed as well. Try the new one. There might be new variables. I forgot because a lot changed with adding IPv6.

EmEiBee commented 2 years ago

FireBan: OK, an hour is short; no problems with that? Sadly there are many more than a couple of networks. Sometimes, if a day is quiet, there are around 100, more or less. Hot days come up with more than 1000... If I'm here I have it running on the side and enter many into the FW, but that sucks...

GeoLite: I copied & pasted your code into the script, but on comparison it's the same as what I have... So nothing has changed: hieroglyphs to the horizon ;o) What I have seen is the following (before, it ran too fast for me to notice it):

```
24.08.2022 18:43:02 : Import converted CSVs to database
24.08.2022 18:43:03 : [ERROR] DATABASE ERROR : Unable to run query : LOAD DATA INFILE 'C:\Program Files (x86)\hMailServer\Events\geoip\Script-Created-Files\GeoLite2-Country-CSV\GeoCountryIPv4.csv' INTO TABLE geocountry FIELDS TERMINATED BY ',' OPTIONALLY ENCLOSED BY '"' LINES TERMINATED BY '\n' IGNORE 1 ROWS (@network_start_hex, @network_last_hex, @geoname_id, @registered_country_geoname_id, @represented_country_geoname_id, @is_anonymous_proxy, @is_satellite_provider) SET network_start = UNHEX(@network_start_hex), network_end = UNHEX(@network_last_hex), geoname_id = NULLIF(@geoname_id, ''), registered_country_geoname_id = NULLIF(@registered_country_geoname_id, ''), represented_country_geoname_id = NULLIF(@represented_country_geoname_id, ''), is_anonymous_proxy = NULLIF(@is_anonymous_proxy, ''), is_satellite_provider = NULLIF(@is_satellite_provider, '');

Ausnahme beim Aufrufen von "Fill" mit 2 Argument(en): "Column 'geoname_id' cannot be null"
```

Funny that he complains about the third column but shreds columns 1 and 2... ;o)

palinkas-jo-reggelt commented 2 years ago

No problems with 1 hour. If you start "collecting" autoban entries and holding on to them the list will grow beyond the capabilities of administering them - meaning if you click on advanced settings in hmailserver admin, it will be verrrrrrry slow. I know. I tried.

Also, remember - in order to automate firewall banning, SOMETHING - some filter - has to decide whether it's bannable or not. Therefore, your lists are only as good as your filters.

Believe me - I developed this thing. It's just not worth it. Maybe I'm not a good enough developer, but it became too cumbersome and just didn't stop the flow of bots trying to access my system. Like I said before, 60% never returned. Therefore, banning those 60% of IPs was effectively useless. The vast majority of the rest only came back once or twice. That's almost useless, as far as I'm concerned. Less than 1% were real problem children. But again - if they were being firewall banned, they were also being autobanned.

The hope at the beginning of the project was that it would slow down the flow of attack, but that didn't work out as expected.

As to the GeoLite2SQL issue - have you checked the actual data files to see if there is a blank 'geoname_id'? You should be able to find it by regex like this: `^.+,.+,,`
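To make the failing LOAD DATA and the "hieroglyphs" concrete, here is an added Python pre-flight check (not part of the GeoLite2SQL project or either commenter's code): it converts constructed GeoLite2-Country rows to the hex start/end layout the statement above UNHEXes into VARBINARY(16), separates out rows whose geoname_id is empty (NULLIF turns those into NULL, which the INT NOT NULL column refuses with exactly the error quoted above), and decodes stored bytes back to readable addresses the way HEX()/INET6_NTOA() would in MySQL. Assumptions: the sample rows are constructed, and IPv4 blocks are stored as 4 raw bytes and IPv6 blocks as 16.

```python
"""Pre-flight check for GeoLite2-Country rows before LOAD DATA INFILE (added example)."""
import csv
import io
import ipaddress

# Constructed rows in the raw GeoLite2-Country-Blocks layout (not MaxMind data).
# Two rows have an empty geoname_id: NULLIF(@geoname_id, '') makes them NULL and
# the geocountry table rejects them because geoname_id is INT NOT NULL.
SAMPLE_CSV = """\
network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
1.0.0.0/24,2077456,2077456,,0,0
2.6.190.56/29,,3017382,,0,0
2001:200::/32,1861060,1861060,,0,0
2001:db8::/32,,,,0,0
"""

def cidr_to_hex_range(cidr):
    """First and last address of a block as hex, the form UNHEX() expects.
    Assumption: IPv4 stored as 4 raw bytes, IPv6 as 16 (VARBINARY(16) holds both)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net[0].packed.hex(), net[-1].packed.hex()

def hex_to_ip(hex_bytes):
    """Reverse mapping: the readable address behind a stored network_start/network_end
    value, which a SQL client otherwise renders as raw bytes ("hieroglyphs")."""
    return str(ipaddress.ip_address(bytes.fromhex(hex_bytes)))

def preflight(csv_text):
    """Split rows into those LOAD DATA will accept and the networks it will refuse.
    Accepted rows come back in the converted layout (hex start, hex end, ...)."""
    accepted, rejected = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["geoname_id"] == "":  # check the field itself, not a line pattern
            rejected.append(row["network"])
            continue
        start, end = cidr_to_hex_range(row["network"])
        accepted.append((start, end, int(row["geoname_id"]),
                         row["registered_country_geoname_id"] or None,
                         row["represented_country_geoname_id"] or None,
                         int(row["is_anonymous_proxy"]),
                         int(row["is_satellite_provider"])))
    return accepted, rejected

if __name__ == "__main__":
    ok, bad = preflight(SAMPLE_CSV)
    for start, end, *_ in ok:
        print(f"{hex_to_ip(start)} - {hex_to_ip(end)}  stored as {start}")
    print("networks LOAD DATA would reject (blank geoname_id):", bad)
```

Running the check on the real converted CSVs before the import tells you which networks cause the "cannot be null" abort, and `hex_to_ip` (or `SELECT HEX(network_start), INET6_NTOA(network_start)` in MySQL) shows that the binary columns hold valid addresses rather than corrupted data.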

EmEiBee commented 2 years ago

OK, I will switch AutoBan to 3 hours... Let's see what happens... (have set it to 1/120/180 right now)

I believe you; no questions about that. If you say that it doesn't help as expected, I have no reason to doubt it. So I won't deal with it anymore... The only thing that might help a little is to GeoBlock and only exclude known MXes like the Microsoft, Google, ... MXes. But I have tried that more than twice and every time run into the wall with PowerShell; I hate PS! A PS script that runs on one machine often doesn't run on another similar one. PHP, available on every webserver, is the much better engine from my point of view...

I have taken a look into both files, GeoCountryIPv4.csv and GeoCountryIPv6.csv.

IPv4: What I see is that "represented_country_geoname_id" is always NULL.

IPv6: In the 1st and 2nd lines geoname_id, registered_country_geoname_id and represented_country_geoname_id are NULL. Then for the next 1000 or so only represented_country_geoname_id is NULL (always, all of them), same as IPv4. Then at lines 4696 to 4699 the same as lines 1 & 2, next at lines 5362, 5369, 5310, and so on. But that doesn't explain the hieroglyphs in columns 1 & 2 either...

EDIT says: How can I delete the settings from...

```
netsh advfirewall set allprofiles logging filename "C:\scripts\hmailserver\fwban\pfirewall.log"
netsh advfirewall set allprofiles logging droppedconnections enable
```

???

palinkas-jo-reggelt commented 2 years ago

> EDIT says: How can I delete the settings from...
>
> ```
> netsh advfirewall set allprofiles logging filename "C:\scripts\hmailserver\fwban\pfirewall.log"
> netsh advfirewall set allprofiles logging droppedconnections enable
> ```
>
> ???

https://www.hmailserver.com/forum/viewtopic.php?t=32829
https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior

I don't know specifically and it doesn't say in these links, but I can guess it's something like this:

```
netsh advfirewall set allprofiles logging disabled
```