Wow, I posted those instructions a long time ago. I didn't know so many people ended up running blackice!

I have no plans to replace blackice until a server upgrade means it won't run any more. Hopefully that won't be for several years.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Howard Smith (N.O.R.A.D.)
> Sent: Friday, January 04, 2008 12:59 PM
> To: [email protected]
> Cc: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] Blackice Server Settings
>
> ISS no longer supports blackice and it is no longer in production. What are users replacing it with?
>
> Howard Smith
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
> Sent: Wednesday, September 27, 2006 5:58 PM
> To: [email protected]
> Cc: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] Blackice Server Settings
>
> I've gotten some requests to post the information on how to use Blackice Server to block email harvesting attacks. So here it is!
>
> Before you install Blackice Server you must turn Data Execution Prevention OFF on your server. Blackice and DEP will not coexist. On your server right click on "MY COMPUTER", then go to properties and then go to advanced. Under performance, select the SETTINGS button and then click on the Data Execution Prevention tab. If DEP is listed as enabled for anything, remove it for the listed services.
>
> Next, you can install Blackice.
>
> When you install Blackice server you should install it with the trusting mode enabled to allow all inbound traffic. I believe it asks you what you want when you install Blackice. I don't recall for sure if it does or not because it has been several years since I installed it. If it doesn't ask you the protection level that you want, after you install blackice you can go into the GUI and go to the firewall tab and under protection level you can select "trusting: allow all inbound traffic".
>
> Blackice should run without causing you any trouble so you should have time to complete the other configuration items. The whole install and configuration only took me about 15 minutes. I installed it on a dedicated email server. I don't have any experience with Blackice on a server running other stuff besides email and webmail.
>
> Also, you can always stop the Blackice service if you hit a problem. Blackice does its thing by watching traffic across the network card. If you stop Blackice then it's effectively as if Blackice isn't installed on the server. When the service is stopped Blackice is gone and all is back as it was before.
>
> Attached is the issuelist.csv file which comes with Blackice server. Blackice uses this file as a database of different types of attacks. Line 227 had to be modified to indicate an action of IP|RST. The IP|RST tells Blackice to block the IP of the attacker as the action to take. Ignore the comments to the far right of line 227. The comments say to block the attacker if they attempt to send email to 10 non-existent email addresses within 120 seconds. The QTY/Timeframe is actually specified elsewhere. All you need to change in this file is to add IP|RST to line 227. The attached file already has the change. It is from the most current version of Blackice, so if you just bought Blackice you can move the attached file into the Blackice directory and you're good to go.
>
> Next, in the Blackice GUI you'll want to go to the firewall tab and put a checkmark in front of "Enable Auto Blocking". The GUI updates the firewall.ini file to tell Blackice that auto-blocking is enabled. The line in my firewall.ini is the following:
>
> auto-blocking = enabled, 2000, BIgui
>
> Next, go to the blackice.ini file and manually edit it to add the following 4 lines:
>
> smtp.error.count=6
> smtp.error.interval=30
> pam.smtp.error.count=6
> pam.error.interval=30
>
> The above settings in blackice.ini tell Blackice that if it detects an attempt to send to 6 non-existent email addresses within 30 seconds then it should activate the Email_Error action in line 227 of issuelist.csv. We set the action to be IP|RST (in issuelist.csv) which specifies that the IP should be blocked. So if the QTY/Timeframe is met, the IP is blocked. The block of the IP will automatically go away after a specified time. This is good because an IP is never permanently blocked forever.
>
> I believe the IP is removed from the blocklist after 24 hours. I have to find where you specify the length of time that the IP should remain blocked. I'll post that when I find it.
>
> Also, on those 4 config lines above you can obviously choose how aggressive you want to be at blocking email harvesting by setting a different error.count and error.interval. I figured 6 attempts at bad addresses in 30 seconds was most certainly someone trying to guess email addresses on our servers.
>
> Another thing that you will want to do is go into the Blackice GUI and go to the intrusion detection tab. Here you will want to add your internal and external IP addresses as ranges of IP addresses that you want to trust.
>
> If Blackice ever blocks an IP that shouldn't be blocked (say some customer who isn't well-behaved but who is still a customer), through the GUI you can right click on your customer's info in the EVENTS tab and then select the option to trust and accept them. This will prevent them from ever being automatically blocked by Blackice.
>
> I know the above is a bit to digest but don't let it scare you. Blackice is a simple install and you can literally have it installed and running and blocking email harvesting in about 15 minutes.
>
> Some other advantages are that Blackice has a directory where it places a text file with the IP of the attacker as part of the filename. Over time, you will see patterns of IPs by just looking at the filenames. If there is a range of IPs that seem to be attacking your servers you can then go block them at your firewall. Blackice will also show you in its online GUI all of the attackers and errors they generated. If I see that someone has port scanned us a couple hundred times I may go block them at the firewall to stop them from profiling our servers. If you look at the issuelist.csv, you can see that you can also use Blackice to handle a vast number of other types of attacks. I only use it for the email address harvesting, but it could be used to do a whole lot more.
>
> At $300 it's a cheap solution. I very seldom ever look at Blackice. It just does its thing and I forget it's even there most of the time!
>
> I wrote most of this from memory and I don't believe I missed anything. If you're going to install Blackice, feel free to email me and tell me the time and date you plan to install it. I'll email you my phone number and if you should hit a problem you can give me a call and I'll walk you through it.
>
> Good luck.
>
> Dave
>
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
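The rate-based rule Dave's quoted post configures (block a sending IP once it has been refused smtp.error.count non-existent recipients within smtp.error.interval seconds, let the block lapse after a set time, and never block trusted address ranges) is easy to get wrong at the window edges, so here is the same logic as a stand-alone detector run over constructed SMTP log lines. This is an added illustration, not code from the original post and not BlackICE's own implementation; the log format, the sample lines, the addresses, the `HarvestDetector` class and the 24-hour expiry (which the post only states as a belief) are all assumptions made for the example.

```python
"""Sliding-window detector for directory-harvest (recipient-guessing) attacks.

Mirrors the policy described in the mailing-list post: N recipient rejections
from one client IP inside a T-second window trigger a temporary block; trusted
ranges are exempt; blocks expire on their own. All names and data here are
constructed for the example and are not from BlackICE or any real server.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log (not from a real server). One event per line:
# "<ISO timestamp> <client IP> <SMTP reply code> <recipient>".
# 550 = recipient rejected (user unknown); 250 = accepted.
# 203.0.113.7 guesses six addresses in 14 seconds, keeps going, then returns
# the next day. 198.51.100.20 makes scattered typos that never fit the window.
# 192.0.2.15 is inside a trusted range and must never be blocked.
SAMPLE_LOG = """\
2006-09-27T17:58:00 203.0.113.7 550 aaron@example.com
2006-09-27T17:58:03 203.0.113.7 550 abby@example.com
2006-09-27T17:58:05 198.51.100.20 250 sales@example.com
2006-09-27T17:58:06 203.0.113.7 550 adam@example.com
2006-09-27T17:58:09 203.0.113.7 550 adrian@example.com
2006-09-27T17:58:12 203.0.113.7 550 alan@example.com
2006-09-27T17:58:14 203.0.113.7 550 albert@example.com
2006-09-27T17:58:16 203.0.113.7 550 alex@example.com
2006-09-27T17:59:00 198.51.100.20 550 typo1@example.com
2006-09-27T17:59:10 198.51.100.20 550 typo2@example.com
2006-09-27T17:59:20 198.51.100.20 550 typo3@example.com
2006-09-27T17:59:35 198.51.100.20 550 typo4@example.com
2006-09-27T17:59:45 198.51.100.20 550 typo5@example.com
2006-09-27T17:59:55 198.51.100.20 550 typo6@example.com
2006-09-27T18:10:00 192.0.2.15 550 x1@example.com
2006-09-27T18:10:01 192.0.2.15 550 x2@example.com
2006-09-27T18:10:02 192.0.2.15 550 x3@example.com
2006-09-27T18:10:03 192.0.2.15 550 x4@example.com
2006-09-27T18:10:04 192.0.2.15 550 x5@example.com
2006-09-27T18:10:05 192.0.2.15 550 x6@example.com
2006-09-28T18:30:00 203.0.113.7 550 zoe@example.com
"""


class HarvestDetector:
    """Block an IP after `error_count` rejections within `error_interval`
    seconds; the block lasts `block_seconds` (assumed 24h, as in the post)."""

    def __init__(self, error_count=6, error_interval=30,
                 block_seconds=24 * 3600, trusted_ranges=()):
        self.error_count = error_count
        self.window = timedelta(seconds=error_interval)
        self.block_for = timedelta(seconds=block_seconds)
        self.trusted = [ip_network(r) for r in trusted_ranges]
        self.errors = defaultdict(deque)   # ip -> timestamps of recent 550s
        self.blocked_until = {}            # ip -> datetime the block expires

    def is_trusted(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.trusted)

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                   # block lapses automatically
            del self.blocked_until[ip]
            return False
        return True

    def observe(self, now, ip, code):
        """Process one event; return 'trusted', 'blocked', 'block' or None."""
        if self.is_trusted(ip):
            return "trusted"
        if self.is_blocked(ip, now):
            return "blocked"
        if code != 550:                    # only rejected recipients count
            return None
        recent = self.errors[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()               # drop rejections older than the window
        if len(recent) >= self.error_count:
            self.blocked_until[ip] = now + self.block_for
            recent.clear()
            return "block"
        return None


def parse_line(line):
    ts, ip, code, rcpt = line.split()
    return datetime.fromisoformat(ts), ip, int(code), rcpt


def run(log_text, **detector_args):
    """Feed every log line through a detector; return (detector, {ip: decisions})."""
    det = HarvestDetector(**detector_args)
    decisions = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, code, _ = parse_line(line)
        verdict = det.observe(ts, ip, code)
        if verdict:
            decisions[ip].append((ts.isoformat(), verdict))
    return det, dict(decisions)


if __name__ == "__main__":
    _, result = run(SAMPLE_LOG, trusted_ranges=["192.0.2.0/24"])
    for ip, events in result.items():
        for when, verdict in events:
            print(f"{when} {ip:15} {verdict}")
```

Two details matter in practice: the window is evaluated on every rejection, so six bad recipients spread over a minute (198.51.100.20 above) never trip it, and an expired block does not carry the old count forward, so a returning host starts from zero. Pair the block action with a review of the generated events, as the post suggests, before tightening the count or interval.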
