General Discussion / [SOLVED] - Intrusion Detection GeoIP Blocking Success?
« on: March 22, 2016, 08:37:48 pm »
Hi - I'm wondering if I don't have the IDS/GeoIP blocking setup quite right, or if maybe it's not completely 100% successful at blocking all traffic?
I blocked a lot of countries, including Iran, but later that day I received a SPAM email on a server behind OPNsense that came from Iran. A geoiplookup utility identifies it as Iran, as does its whois info. The IP address was 2.180.53.127
(7) --> geoiplookup 2.180.53.127
GeoIP Country Edition: IR, Iran, Islamic Republic of
GeoIP City Edition, Rev 1: IR, 16, Kordestan, N/A, N/A, 35.713100, 47.265598, 0, 0
GeoIP ASNum Edition: AS48159 Telecommunication Infrastructure Company
(5) --> whois 157.55.234.250
inetnum: 2.180.16.0 - 2.180.63.255
netname: tckhr-DSL
descr: Telecommunication Company of Khorasan Razavi for ADSL users
country: IR
person: Jamil Sabaghi
address: Khomeini ST Mashhad Iran
Here's a snippet from my mail server:
Mar 22 10:15:53 myhostname postfix/smtpd[2629]: connect from unknown[2.180.53.127]
Mar 22 10:15:56 myhostname postfix/smtpd[2629]: CEAD023BA027: client=unknown[2.180.53.127]
Mar 22 10:15:57 myhostname postfix/cleanup[2639]: CEAD023BA027: message-id=<9059532066.SIM_0099577ADC51@myhostname.com>
Mar 22 10:15:57 myhostname postfix/qmgr[3927]: CEAD023BA027: from=<tarrantNikki09@biurex.pl>, size=5807, nrcpt=1 (queue active)
Mar 22 10:15:57 myhostname postfix/smtpd[2629]: disconnect from unknown[2.180.53.127] ehlo=1 mail=1 rcpt=1 data=1 quit=1 command$
Mar 22 10:16:02 myhostname postfix/local[2640]: CEAD023BA027: to=<user@myhostname.com>, relay=local, delay=9, delays=3.7/0.01/0/$
Here's how I have IDS/GeoIP setup on OPNsense:
http://imgur.com/a/iVRJx
Is there a log that would show me drops due to IDS/GeoIP matches? Any insight would be greatly appreciated.
Thanks.
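A quick way to check whether a connecting client actually falls inside the whois range you expect a GeoIP block to cover is to convert the whois "inetnum" range into CIDR blocks and test the addresses pulled from the Postfix "connect from" lines against them. The script below is an added example, not part of the original post or of OPNsense; it uses the whois range and the smtpd lines quoted above as constructed sample input, plus one extra connect line from the TEST-NET-1 documentation range (192.0.2.10, assumed here for contrast). It only tells you whether the address is inside the range and which CIDR an alias would need to contain; it says nothing about what the firewall or IDS did with the packet.

```python
import ipaddress
import re

# Constructed sample input: the whois "inetnum" line and the Postfix smtpd
# lines from the post, plus one extra "connect from" line using a
# documentation address (192.0.2.10, TEST-NET-1) added here for contrast.
WHOIS_INETNUM = "2.180.16.0 - 2.180.63.255"

POSTFIX_LOG = """\
Mar 22 10:15:53 myhostname postfix/smtpd[2629]: connect from unknown[2.180.53.127]
Mar 22 10:15:56 myhostname postfix/smtpd[2629]: CEAD023BA027: client=unknown[2.180.53.127]
Mar 22 10:15:57 myhostname postfix/smtpd[2629]: disconnect from unknown[2.180.53.127] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Mar 22 10:20:01 myhostname postfix/smtpd[2702]: connect from mail.example.net[192.0.2.10]
"""

# Matches the "connect from host[ip]" line smtpd writes for every inbound session.
# Only "connect from" is matched, so "disconnect from" and "client=" lines are skipped.
CONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: connect from (?P<host>\S+)\[(?P<ip>[0-9A-Fa-f.:]+)\]"
)


def inetnum_to_cidrs(inetnum: str) -> list:
    """Turn a whois 'first - last' range into the minimal list of CIDR blocks."""
    first, last = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-", 1))
    return list(ipaddress.summarize_address_range(first, last))


def client_ips(log_text: str) -> list:
    """Return the client address of every smtpd 'connect from' line, in log order."""
    return [ipaddress.ip_address(m.group("ip")) for m in CONNECT_RE.finditer(log_text)]


def match_clients(log_text: str, inetnum: str) -> dict:
    """Map each connecting client IP to the CIDR of the range that contains it, or None."""
    nets = inetnum_to_cidrs(inetnum)
    result = {}
    for ip in client_ips(log_text):
        hit = next((n for n in nets if ip in n), None)
        result[str(ip)] = str(hit) if hit is not None else None
    return result


if __name__ == "__main__":
    for cidr in inetnum_to_cidrs(WHOIS_INETNUM):
        print("whois range covers", cidr)
    for ip, net in match_clients(POSTFIX_LOG, WHOIS_INETNUM).items():
        print(ip, "->", net or "not in the whois range")
```

Running it shows the whois range splits into 2.180.16.0/20 and 2.180.32.0/19, and that 2.180.53.127 sits in the second block, so a rule keyed on that range should have matched the session; the 192.0.2.10 line falls outside and is reported as such.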