OPNsense Forum

English Forums => General Discussion => Topic started by: TheLatestWire on March 22, 2016, 08:37:48 pm

Title: [SOLVED] - Intrusion Detection GeoIP Blocking Success?
Post by: TheLatestWire on March 22, 2016, 08:37:48 pm
Hi - I'm wondering if I don't have the IDS/GeoIP blocking setup quite right, or if maybe it's not completely 100% successful at blocking all traffic?

I blocked a lot of countries, including Iran, but later that day I received a SPAM email on a server behind OPNsense that came from Iran.  A geoiplookup utility identifies it as Iran, as does its whois info.  The IP address was 2.180.53.127

(7) -->  geoiplookup 2.180.53.127
GeoIP Country Edition: IR, Iran, Islamic Republic of
GeoIP City Edition, Rev 1: IR, 16, Kordestan, N/A, N/A, 35.713100, 47.265598, 0, 0
GeoIP ASNum Edition: AS48159 Telecommunication Infrastructure Company

(5) -->  whois 157.55.234.250
inetnum:        2.180.16.0 - 2.180.63.255
netname:        tckhr-DSL
descr:          Telecommunication Company of Khorasan Razavi for ADSL users
country:        IR
person:         Jamil Sabaghi
address:        Khomeini ST Mashhad Iran

Here's a snippet from my mail server:
Mar 22 10:15:53 myhostname postfix/smtpd[2629]: connect from unknown[2.180.53.127]
Mar 22 10:15:56 myhostname postfix/smtpd[2629]: CEAD023BA027: client=unknown[2.180.53.127]
Mar 22 10:15:57 myhostname postfix/cleanup[2639]: CEAD023BA027: message-id=<9059532066.SIM_0099577ADC51@myhostname.com>
Mar 22 10:15:57 myhostname postfix/qmgr[3927]: CEAD023BA027: from=<tarrantNikki09@biurex.pl>, size=5807, nrcpt=1 (queue active)
Mar 22 10:15:57 myhostname postfix/smtpd[2629]: disconnect from unknown[2.180.53.127] ehlo=1 mail=1 rcpt=1 data=1 quit=1 command$
Mar 22 10:16:02 myhostname postfix/local[2640]: CEAD023BA027: to=<user@myhostname.com>, relay=local, delay=9, delays=3.7/0.01/0/$

Here's how I have IDS/GeoIP setup on OPNsense:
http://imgur.com/a/iVRJx

Is there a log that would show me drops due to IDS/GeoIP matches?  Any insight would be greatly appreciated.

Thanks.
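One way to check, from the mail server's side, whether connections the GeoIP rule should have dropped are still reaching Postfix: take the netblocks from the whois output (the inetnum range quoted above), convert them to CIDR networks, and match them against the source IPs in smtpd "connect from" lines. This is an added example for the thread, not OPNsense, Suricata or Postfix code; the log lines below are constructed for the demo (one reuses the 2.180.53.127 address from the post, the other uses a documentation-range address), and the single-range list and 15-character timestamp slice are assumptions about the log format.

```python
"""Report Postfix smtpd connections whose source falls inside netblocks that an
IDS/GeoIP drop rule was expected to cover.

Added example for this forum thread (not OPNsense or Postfix code).  The
netblock is the whois inetnum quoted in the post; the log lines are constructed.
"""
import ipaddress
import re

# whois-style "first - last" ranges for countries you block (one range here, from the post)
BLOCKED_RANGES = [
    "2.180.16.0 - 2.180.63.255",  # tckhr-DSL, country IR, per the whois output above
]

# Constructed sample log: one connection from the blocked range, one from an unrelated address.
SAMPLE_LOG = [
    "Mar 22 10:15:53 myhostname postfix/smtpd[2629]: connect from unknown[2.180.53.127]",
    "Mar 22 10:15:56 myhostname postfix/smtpd[2629]: CEAD023BA027: client=unknown[2.180.53.127]",
    "Mar 22 10:15:57 myhostname postfix/smtpd[2629]: disconnect from unknown[2.180.53.127] ehlo=1 mail=1 rcpt=1 data=1 quit=1",
    "Mar 22 10:31:10 myhostname postfix/smtpd[2701]: connect from mail.example.net[198.51.100.7]",
]

# Matches only the initial "connect from <name>[<ip>]" line, not "disconnect from".
CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from \S+?\[([0-9a-fA-F.:]+)\]")


def ranges_to_networks(ranges):
    """Turn whois 'first - last' ranges into the minimal list of CIDR networks."""
    nets = []
    for r in ranges:
        first, last = (ipaddress.ip_address(p.strip()) for p in r.split("-"))
        nets.extend(ipaddress.summarize_address_range(first, last))
    return nets


def is_blocked(ip, nets):
    """True if the address lies inside any of the blocked networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def leaked_connections(log_lines, ranges):
    """Return (timestamp, ip) pairs for smtpd connections from blocked ranges.

    Any hit means the connection reached the mail server despite the GeoIP rule,
    so either the rule or the GeoIP database did not cover that netblock.
    """
    nets = ranges_to_networks(ranges)
    leaks = []
    for line in log_lines:
        m = CONNECT_RE.search(line)
        if m and is_blocked(m.group(1), nets):
            leaks.append((line[:15], m.group(1)))  # syslog timestamp is the first 15 chars
    return leaks


if __name__ == "__main__":
    for net in ranges_to_networks(BLOCKED_RANGES):
        print("blocked network:", net)
    for ts, ip in leaked_connections(SAMPLE_LOG, BLOCKED_RANGES):
        print(f"{ts} connection from {ip} should have been dropped by GeoIP")
```

In practice you would feed it `grep 'connect from' /var/log/mail.log` and the inetnum ranges returned by whois for the addresses you see slip through; a hit tells you which netblock to compare against the GeoIP database the IDS rule is built from.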

Title: Re: Intrusion Detection GeoIP Blocking Success?
Post by: cdburgess75 on March 23, 2016, 03:20:15 am
The alerts tab shows the log. I set this up a few days ago to stop India from sending me cryptolocker .js

It works great and super easy to set up.
Title: Re: Intrusion Detection GeoIP Blocking Success?
Post by: TheLatestWire on March 23, 2016, 03:40:34 am
Did you have to set up a separate rule for the Alert?  I have mine set to Drop and it looks like you can't choose both on the same rule.  It took me forever to pick all the countries I wanted to block.  I dread having to repeat that process just to enable an Alert rule.

Thanks.
Title: Re: Intrusion Detection GeoIP Blocking Success?
Post by: cdburgess75 on March 23, 2016, 03:52:41 pm
No, I just made 1 rule for each country and chose block for action; you will also see the block logs in the alert tab, along with any alerts.
Title: Re: Intrusion Detection GeoIP Blocking Success?
Post by: TheLatestWire on March 23, 2016, 04:05:55 pm
Excellent news about the alerts when the rule is set to block, thanks.

I'm still curious about the success rate though.  Just this morning a connection from China came through and delivered SPAM to my server despite the fact that I have China listed in the IDS/GeoIP blocking and that a whois and geoiplookup on the source IP both indicate it is an IP in China.
Title: Re: Intrusion Detection GeoIP Blocking Success?
Post by: franco on March 23, 2016, 04:24:33 pm
It kind of depends on the database completeness. If it's an incomplete database it's unfortunate; for publishers of those lists this is a revenue stream. The websites will have better databases that you can query, but their databases are not exportable for that reason so you go through their website for each one.