I'm sure that there are many opinions around here, but I don't think that servers should be the place where you enforce security with a software firewall. Although you might like some of what it tells you, I would think that a firewall and AV software would do the trick perfectly fine. Of course you can tune your firewall to your heart's content, and do things like limit outgoing ports, run IDS, etc. If you have enough servers, you might also want to set up off-site vulnerability scanning on a scheduled basis. If you are worried about what's inside your network, you should set up VLANs.

As we saw a couple of years ago with Blackice, and then again last year with Symantec Corporate, software that intercepts packets from the network is itself vulnerable to exploitation, and this is a good reason to use a hardware firewall as at least a first level of defense, and only allow in what is necessary.

Matt



Howard Smith (N.O.R.A.D.) wrote:
To replace Blackice's functions: to load on a server and monitor and block what applications send out on individual ports. I have an offending app or task that is trying to send out on random ports; I am trying to find it and block it.

Howard Smith
N.O.R.A.D. Inc.
P.O. Box 680116
Miami, Florida 33168 www.norad.com www.securetrek.com
www.siteshuttle.com
www.audiovideotrek.com
[EMAIL PROTECTED]
Office - (305) NETWORK (638-9675)
Sales - (786) 206-0045
Fax 1 - (305) 359-5144
Confidentiality Notice: This email message, including any Attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact  [EMAIL PROTECTED] by email and destroy all copies of the original
message.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Friday, January 04, 2008 2:25 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Blackice Server Settings

In relation to spam or in relation to security?

My answers would be Alligate (on a separate server) and a firewall, respectively.

Matt



Howard Smith (N.O.R.A.D.) wrote:
ISS no longer supports Blackice and it is no longer in production. What are users replacing it with?

Howard Smith

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Wednesday, September 27, 2006 5:58 PM
To: declude.junkmail@declude.com
Cc: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Blackice Server Settings

I've gotten some requests to post the information on how to use Blackice
Server to block email harvesting attacks.  So here it is!


Before you install Blackice Server you must turn Data Execution Prevention OFF on your server. Blackice and DEP will not coexist. On your server right click on "MY COMPUTER", then go to properties and then go to advanced. Under performance, select the SETTINGS button and then click on the Data Execution Prevention tab. If DEP is listed as enabled for anything, remove it for the listed services.

Next, you can install Blackice.

When you install Blackice Server you should install it with the trusting mode enabled to allow all inbound traffic. I believe it asks you what you want when you install Blackice. I don't recall for sure if it does or not because it has been several years since I installed it. If it doesn't ask you the protection level that you want, after you install Blackice you can go into the GUI, go to the firewall tab, and under protection level select "trusting: allow all inbound traffic".

Blackice should run without causing you any trouble, so you should have time to complete the other configuration items. The whole install and configuration only took me about 15 minutes. I installed it on a dedicated email server. I don't have any experience with Blackice on a server running other stuff besides email and webmail.

Also, you can always stop the Blackice service if you hit a problem. Blackice does its thing by watching traffic across the network card. If you stop Blackice then it's effectively as if Blackice isn't installed on the server. When the service is stopped Blackice is gone and all is back as it was before.
Attached is the issuelist.csv file which comes with Blackice Server. Blackice uses this file as a database of different types of attacks. Line 227 had to be modified to indicate an action of IP|RST. The IP|RST tells Blackice to block the IP of the attacker as the action to take. Ignore the comments to the far right of line 227. The comments say to block the attacker if they attempt to send email to 10 non-existent email addresses within 120 seconds. The QTY/Timeframe is actually specified elsewhere. All you need to change in this file is to add IP|RST to line 227. The attached file already has the change. It is from the most current version of Blackice, so if you just bought Blackice you can move the attached file into the Blackice directory and you're good to go.

Next, in the Blackice GUI you'll want to go to the firewall tab and put a checkmark in front of "Enable Auto Blocking". The GUI updates the firewall.ini file to tell Blackice that auto-blocking is enabled. The line in my firewall.ini is the following:

auto-blocking = enabled, 2000, BIgui

Next, go to the blackice.ini file and manually edit it to add the following 4 lines:

smtp.error.count=6
smtp.error.interval=30
pam.smtp.error.count=6
pam.error.interval=30


The above settings in blackice.ini tell Blackice that if it detects an attempt to send to 6 non-existent email addresses within 30 seconds then it should activate the Email_Error action in line 227 of issuelist.csv. We set the action to be IP|RST (in issuelist.csv) which specifies that the IP should be blocked. So if the QTY/Timeframe is met, the IP is blocked. The block of the IP will automatically go away after a specified time. This is good because an IP is never permanently blocked forever. I believe the IP is removed from the blocklist after 24 hours. I have to find where you specify the length of time that the IP should remain blocked. I'll post that when I find it.

Also, on those 4 config lines above you can obviously choose how aggressive you want to be at blocking email harvesting by setting a different error.count and error.interval. I figured 6 attempts at bad addresses in 30 seconds was most certainly someone trying to guess email addresses on our servers.


Another thing that you will want to do is go into the Blackice GUI and go to the intrusion detection tab. Here you will want to add your internal and external IP addresses as ranges of IP addresses that you want to trust. If Blackice ever blocks an IP that shouldn't be blocked (say some customer who isn't well-behaved but who is still a customer), through the GUI you can right click on your customer's info in the EVENTS tab and then select the option to trust and accept them. This will prevent them from ever being automatically blocked by Blackice.

I know the above is a bit to digest, but don't let it scare you. Blackice is a simple install and you can literally have it installed and running and blocking email harvesting in about 15 minutes.

Some other advantages are that Blackice has a directory where it places a text file with the IP of the attacker as part of the filename. Over time, you will see patterns of IPs by just looking at the filenames. If there is a range of IPs that seem to be attacking your servers you can then go block them at your firewall. Blackice will also show you in its online GUI all of the attackers and errors they generated. If I see that someone has port scanned us a couple hundred times I may go block them at the firewall to stop them from profiling our servers. If you look at the issuelist.csv, you can see that you can also use Blackice to handle a vast number of other types of attacks. I only use it for the email address harvesting, but it could be used to do a whole lot more.

At $300 it's a cheap solution. I very seldom ever look at Blackice. It just does its thing and I forget it's even there most of the time!

I wrote most of this from memory and I don't believe I missed anything. If you're going to install Blackice, feel free to email me and tell me the time and date you plan to install it. I'll email you my phone number and if you should hit a problem you can give me a call and I'll walk you through it.

Good luck.

Dave




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
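The auto-block policy Dave describes (a client that gets N "no such user" results within T seconds is blocked for a while, blocks expire on their own, and trusted address ranges are exempt) is easy to reason about once written down as code. The following is an added example, not part of the original post and not Blackice's own code: it replays a constructed RCPT log through that policy with Dave's defaults of 6 errors in 30 seconds, and also shows how a longer interval catches a slow harvester that the 30-second window misses. The log line format, the 24-hour default block length, the trusted range 10.0.0.0/8 and every IP address in the sample are assumptions made up for the example.

```python
# Added example (not Blackice code, not from the original post): a rate-based
# auto-block modelling smtp.error.count / smtp.error.interval, a temporary block
# and a trusted-address list. Log format, 24h default and sample data are assumed.
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample RCPT log: "<timestamp> <client ip> RCPT TO:<addr> <code> <text>".
SAMPLE_LOG = """\
2008-01-04 14:00:00 10.9.8.7 RCPT TO:<alice@example.com> 250 OK
2008-01-04 14:00:01 10.9.8.7 RCPT TO:<u1@example.com> 550 No such user
2008-01-04 14:00:02 10.9.8.7 RCPT TO:<u2@example.com> 550 No such user
2008-01-04 14:00:03 10.9.8.7 RCPT TO:<u3@example.com> 550 No such user
2008-01-04 14:00:04 10.9.8.7 RCPT TO:<u4@example.com> 550 No such user
2008-01-04 14:00:05 10.9.8.7 RCPT TO:<u5@example.com> 550 No such user
2008-01-04 14:00:06 10.9.8.7 RCPT TO:<u6@example.com> 550 No such user
2008-01-04 14:00:20 203.0.113.4 RCPT TO:<aaron@example.com> 550 No such user
2008-01-04 14:00:21 203.0.113.4 RCPT TO:<abby@example.com> 550 No such user
2008-01-04 14:00:22 203.0.113.4 RCPT TO:<adam@example.com> 550 No such user
2008-01-04 14:00:23 203.0.113.4 RCPT TO:<adele@example.com> 550 No such user
2008-01-04 14:00:24 203.0.113.4 RCPT TO:<aiden@example.com> 550 No such user
2008-01-04 14:00:25 203.0.113.4 RCPT TO:<alan@example.com> 550 No such user
2008-01-04 14:00:26 203.0.113.4 RCPT TO:<alex@example.com> 550 No such user
2008-01-04 14:00:40 192.0.2.5 RCPT TO:<x1@example.com> 550 No such user
2008-01-04 14:01:20 192.0.2.5 RCPT TO:<x2@example.com> 550 No such user
2008-01-04 14:02:00 192.0.2.5 RCPT TO:<x3@example.com> 550 No such user
2008-01-04 14:02:40 192.0.2.5 RCPT TO:<x4@example.com> 550 No such user
2008-01-04 14:03:20 192.0.2.5 RCPT TO:<x5@example.com> 550 No such user
2008-01-04 14:04:00 192.0.2.5 RCPT TO:<x6@example.com> 550 No such user
2008-01-05 14:00:25 203.0.113.4 RCPT TO:<bob@example.com> 250 OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<ip>\S+) RCPT TO:<[^>]*> (?P<code>\d{3})")


def parse_line(line):
    """Return (timestamp, ip, smtp_code) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, ipaddress.ip_address(m["ip"]), int(m["code"])


class AutoBlocker:
    """Block a client after `error_count` 5xx RCPT results within `error_interval` seconds."""

    def __init__(self, error_count=6, error_interval=30, block_seconds=24 * 3600, trusted=()):
        self.error_count = error_count
        self.window = timedelta(seconds=error_interval)
        self.block_for = timedelta(seconds=block_seconds)
        self.trusted = [ipaddress.ip_network(n) for n in trusted]
        self.errors = defaultdict(deque)  # ip -> timestamps of recent 5xx results
        self.blocked_until = {}           # ip -> expiry time of the block
        self.events = []                  # (time, ip, "block"/"unblock") audit trail

    def is_trusted(self, ip):
        return any(ip in net for net in self.trusted)

    def is_blocked(self, ip, now):
        """True while a block is active; expires the block and records the lift when due."""
        expiry = self.blocked_until.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked_until[ip]
            self.events.append((now, ip, "unblock"))
            return False
        return True

    def observe(self, ts, ip, code):
        """Feed one RCPT result; return "block" when this result triggers a block."""
        if self.is_blocked(ip, ts) or self.is_trusted(ip) or code < 500:
            return None
        recent = self.errors[ip]
        recent.append(ts)
        while ts - recent[0] > self.window:  # drop errors older than the interval
            recent.popleft()
        if len(recent) >= self.error_count:
            self.blocked_until[ip] = ts + self.block_for
            recent.clear()
            self.events.append((ts, ip, "block"))
            return "block"
        return None


def run(log_text, **policy):
    """Replay a log through an AutoBlocker built with `policy` and return it."""
    blocker = AutoBlocker(**policy)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            blocker.observe(*parsed)
    return blocker


if __name__ == "__main__":
    for when, ip, action in run(SAMPLE_LOG, trusted=["10.0.0.0/8"]).events:
        print(when, ip, action)
```

With the defaults and 10.0.0.0/8 trusted, only 203.0.113.4 is blocked (six bad recipients in six seconds), its seventh attempt is ignored while the block is active, and the block lifts a day later. The sender 192.0.2.5 spaces its guesses 40 seconds apart and never trips the 30-second window; raising error_interval to 300 catches it, which is the trade-off Dave points at when he says you can tune how aggressive the blocking is. Running without a trusted list shows why the trust step matters: the internal host 10.9.8.7 would be blocked for the same pattern.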



