
Block login attacks with abuseIPDB

VPOP3 will automatically block IP addresses which repeatedly try to log in with an incorrect username or password. However, to avoid locking out users who accidentally enter the wrong details for too long, this block usually lasts only a few minutes (the default is 30 minutes).

There is an online database at https://www.abuseipdb.com/ which is used by many organisations to report abusive IP addresses. This database has an API which is free for low usage (1000 or 3000 calls a day). The data from multiple users is amalgamated to give a confidence of abuse from a particular IP address. That means that if just one or two services report problems, it could be accidental failed logins or similar, so we can ignore it, but if many report problems it is more likely to be deliberate attacks, so we can take action.

This article is about using the abuseIPDB database to identify failed login attempts to VPOP3 and then blocking those IP addresses for longer periods. We will use some Lua scripting to report failed logins to abuseIPDB then utilise the ‘GeoIP’ facility in VPOP3 to block those IP addresses that are rated at ‘100%’ by abuseIPDB.

This script requires VPOP3 Enterprise v8.1 or later.

Sign up to abuseIPDB

The first step is to sign up for an abuseIPDB account. For most VPOP3 users, the free account will suffice. You can increase the free account’s limit of 1000 API calls a day to 3000 API calls a day if you have your own website and change the account to a ‘webmaster’ account.

To sign up for an abuseIPDB account, go to https://www.abuseipdb.com/pricing

Once you have the account, you can go to your account settings and sign up as a ‘webmaster’ user if you wish – just follow the instructions (it involves uploading a small file to a special location on your web server).

You will now need to generate an API key so that our script can report and check data on IP addresses. To do this, in your abuseIPDB account, go to the ‘API’ tab, and click on ‘Create Key’. The key is a long alphanumeric string.

Create new database tables in VPOP3

We want to create a new database table in VPOP3 so that we can track when we have blocked IP addresses, so that the blocks can be automatically removed after a certain amount of time.

To do this, on your VPOP3 server, go to a command prompt and navigate to the VPOP3 directory, then type ‘psql’.

In the psql prompt, type:

create table geoipv4_autoblocks (addr inet, dateadded timestamp with time zone default now());
create table abuseipdb (addr inet, dateadded timestamp with time zone default now());

This creates two database tables for the script to use.

geoipv4_autoblocks contains the IP address and when it was added to the block list. This will be used to automatically remove blocks after a specified time.

abuseipdb contains IP addresses and when they were reported to abuseIPDB, so that VPOP3 will only report addresses a maximum of once per day.

Create Lua Script

In the VPOP3 settings, go to Settings -> Scripts and choose the ‘Scheduler.lua’ script from the drop-down box. For this article we will assume that there is nothing in that script. If you already have functions in this script, you may need to modify them to incorporate the script given here, rather than replacing them or simply adding it alongside.

The Scheduler.lua script can contain functions which VPOP3 will periodically run in the background. We will use this to have VPOP3 check the failed logins log database table every five minutes and act accordingly.

In this script, copy and paste the function as below (again, if you already have a ‘Sched5Min’ function, you will need to modify it accordingly):

Script

You can change the first few lines of this function to meet your requirements. You MUST set the abuseIPDB API key and your email address as appropriate.

If you don’t want to receive notification emails, change the ‘notificationEmail’ line to:
notificationEmail = nil;

The ‘triggerCount’ value is the number of different failed usernames attempted over the past day which will trigger notification. The ‘purgeDays’ value is how long IP addresses will be blocked for if blocked by this script.
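
The decision logic this section describes (count distinct failed usernames per address over the past day, report at most once a day, block only at a 100% rating, purge after ‘purgeDays’), modelled in Python as an added example; it is not the Lua function for Scheduler.lua and not VPOP3's own code. The threshold values, the `run_cycle` and `demo` names, the case-insensitive username comparison, the use of ">=" for the trigger and the sample addresses and ratings are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

TRIGGER_COUNT = 5   # assumed value: distinct failed usernames per IP in the past day
PURGE_DAYS = 30     # assumed value: days a block stays in place
BLOCK_SCORE = 100   # the article blocks only addresses rated 100%

def run_cycle(now, failed_logins, reported, blocks, get_score):
    """One scheduler pass over the failed-login log.
    failed_logins: (ip, username, when) tuples
    reported: ip -> last report time (stands in for the abuseipdb table)
    blocks:   ip -> time added (stands in for geoipv4_autoblocks)
    get_score: ip -> abuse confidence 0-100 (stands in for the abuseIPDB lookup)
    Returns (to_report, newly_blocked, purged) as sorted lists of addresses.
    """
    day_ago = now - timedelta(days=1)
    # Expire blocks older than PURGE_DAYS so stale entries do not accumulate.
    purged = sorted(ip for ip, t in blocks.items() if t < now - timedelta(days=PURGE_DAYS))
    for ip in purged:
        del blocks[ip]
    # Distinct usernames per address: one user mistyping a password counts once.
    names = {}
    for ip, user, when in failed_logins:
        if when >= day_ago:
            names.setdefault(ip, set()).add(user.lower())
    to_report, newly_blocked = [], []
    for ip in sorted(names):
        if len(names[ip]) < TRIGGER_COUNT:
            continue
        # Report at most once per day per address.
        if ip not in reported or reported[ip] < day_ago:
            reported[ip] = now
            to_report.append(ip)
        # Spend an API lookup only on addresses that are not already blocked.
        if ip not in blocks and get_score(ip) >= BLOCK_SCORE:
            blocks[ip] = now
            newly_blocked.append(ip)
    return to_report, newly_blocked, purged

def demo():
    """Run two passes five minutes apart over constructed sample data."""
    now = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
    log = [("203.0.113.7", f"user{i}", now - timedelta(minutes=i)) for i in range(6)]
    log += [("198.51.100.9", f"admin{i}", now - timedelta(hours=i)) for i in range(5)]
    log += [("192.0.2.50", "alice", now - timedelta(minutes=m)) for m in (1, 2, 3)]
    scores = {"203.0.113.7": 100, "198.51.100.9": 40}   # constructed ratings
    reported, blocks = {}, {"192.0.2.99": now - timedelta(days=31)}
    first = run_cycle(now, log, reported, blocks, lambda ip: scores.get(ip, 0))
    second = run_cycle(now + timedelta(minutes=5), log, reported, blocks, lambda ip: scores.get(ip, 0))
    return first, second, blocks
```

In the sample run, the address with a 40% rating is reported but not blocked, the single user who mistyped a password three times is ignored, and the second pass makes no repeat reports or lookups for the blocked address.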

Block IP addresses

The Lua script above will create ‘GeoIP’ entries in VPOP3 with the identifier of ‘block’ if it sees repeated failed login attempts and the IP address has a 100% rating on abuseIPDB.

To use these to actually block IP addresses from trying to log into VPOP3, we need to go to the appropriate Services in the VPOP3 settings, go to the ‘IP Access Restrictions’ tab and add a new restriction to ‘block’ addresses using GeoIP lookup where the search result is ‘block’.

You can add this IP Access Restriction to multiple services as you wish – e.g. the POP3, SMTP and IMAP4 services.
