Re[6]: [Declude.JunkMail] Blackice Server EndOfLife - need replacement

2008-01-05 Thread Sanford Whiteman
> I placed on a test machine and then trial on a production IMail server. I
> really want this thing to work, but as I train and set-up, found that the
> SMTP service stops and will not restart and getting a cannot find DLL and
> SMTP. Sandy - have you experienced anything along this line?

Nothing like that exactly, no. But you must make sure that
anti-virus/anti-malware software is off during the install, and that
you exempt the eEye folders and apps from heuristic scanning +
detection after restart. NOD32 and AVG will both be hypersensitive to
Blink; Blink's EXEs and DLLs may end up in quarantine unless they are
excluded. Also -- the usual concept of no more than one
memory-resident AV at once -- you should make sure Blink's anti-virus
module is off.

Off-list, let's work together to get it up.

--Sandy




Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
  http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
  http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
  http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



RE: Re[4]: [Declude.JunkMail] Blackice Server EndOfLife - need replacement

2008-01-05 Thread Don Schreiner
I placed on a test machine and then trial on a production IMail server. I
really want this thing to work, but as I train and set-up, found that the
SMTP service stops and will not restart and getting a cannot find DLL and
SMTP. Sandy - have you experienced anything along this line?

-Don

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sanford
Whiteman
Sent: Saturday, January 05, 2008 2:46 PM
To: Craig Edmonds
Subject: Re[4]: [Declude.JunkMail] Blackice Server EndOfLife - need
replacement

> Can you use eEye's Blink on a mail server?

O'course.

--Sandy






Re[4]: [Declude.JunkMail] Blackice Server EndOfLife - need replacement

2008-01-05 Thread Sanford Whiteman
> Can you use eEye's Blink on a mail server?

O'course.

--Sandy






RE: Re[2]: [Declude.JunkMail] Blackice Server EndOfLife - need replacement

2008-01-05 Thread Craig Edmonds
Can you use eEye's Blink on a mail server?

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sanford
Whiteman
Sent: 04 January 2008 21:37
To: Howard Smith (N.O.R.A.D.)
Subject: Re[2]: [Declude.JunkMail] Blackice Server EndOfLife - need
replacement

> To replace blackice functions as to load on a server and monitor and
> block what applications sends out on individual ports. I have an
> offending app or task that trying to send out on random ports , I am
> trying to find it and block it

Yep, a HIPS like BlackIce can't be replaced by a separate firewall. I
have kind of been holding in reserve my newfound love for eEye's
Blink, but there it is -- pls contact me off-list for more info if you
want. I'm currently rolling it out to 125 stations and find it more
than able. I have no relationship to the vendor.

--Sandy






Re[2]: [Declude.JunkMail] Blackice Server EndOfLife - need replacement

2008-01-04 Thread Sanford Whiteman
> We too use Black Ice with great success (except Windows 2003R2 will not
> install and run).  The replacement is IMP Proventia and very expensive at
> about $700 per server.  We are also looking for a more cost-effective
> replacement.

Blink again -- cost is insanely reasonable.

--Sandy






RE: [Declude.JunkMail] Blackice Server EndOfLife - need replacement

2008-01-04 Thread Don Schreiner
We too use Black Ice with great success (except Windows 2003R2 will not
install and run).  The replacement is IMP Proventia and very expensive at
about $700 per server.  We are also looking for a more cost-effective
replacement.

 

-Don

 


RE: [Declude.JunkMail] Blackice Server EndOfLife - need replacement

2008-01-04 Thread Jon
The best part of Black Ice is its easy-to-read interface to see what's
hitting the server.  I will continue to use it just for that purpose,
with an ACL in the router ahead of the server to do the heavy lifting of
access control.  It is an effective blocker for UDP port probes, when
used in conjunction with an ACL which blocks the TCP and IP port probes,
so an outsider cannot execute anything.  On the other side, I would
never use a software application on the server as the primary
defense...been there, done that years ago when the Witty.A virus struck.
 


Re[2]: [Declude.JunkMail] Blackice Server EndOfLife - need replacement

2008-01-04 Thread Sanford Whiteman
> To replace blackice functions as to load on a server and monitor and
> block what applications sends out on individual ports. I have an
> offending app or task that trying to send out on random ports , I am
> trying to find it and block it

Yep, a HIPS like BlackIce can't be replaced by a separate firewall. I
have kind of been holding in reserve my newfound love for eEye's
Blink, but there it is -- pls contact me off-list for more info if you
want. I'm currently rolling it out to 125 stations and find it more
than able. I have no relationship to the vendor.

--Sandy






Re: [Declude.JunkMail] Blackice Server EndOfLife - need replacement

2008-01-04 Thread Matt
I'm sure that there are many opinions around here, but I don't think 
that servers should be the place where you enforce security with a 
software firewall.  Although you might like some of what it tells you, I 
would think that a firewall and AV software would do the trick perfectly 
fine.  Of course you can tune your firewall to your heart's content, and 
do things like limit outgoing ports, run IDS, etc.  If you have enough 
servers, you might also want to set up off-site vulnerability scanning 
on a scheduled basis.  If you are worried about inside your network you 
should set up VLANs.


As we saw a couple of years ago with Blackice, and then again last year
with Symantec Corporate, software that intercepts packets from the
network is itself vulnerable to exploitation, and this is a good
reason to use a hardware firewall as at least a first level of defense,
and only allow in what is necessary.


Matt



Howard Smith (N.O.R.A.D.) wrote:

To replace blackice functions as to load on a server  and monitor and block
what applications sends out on individual ports . I have an offending app or
task that trying to send out on random ports , I am trying to find it and
block it 

 

RE: [Declude.JunkMail] Blackice Server EndOfLife - need replacement

2008-01-04 Thread Colbeck, Andrew
If it is going on all the time, use the command line and issue:

netstat -b

which will show you the executable name and the connection.

If you need to narrow down the TCP connection over a longer period of
time, use the free TCPView from Sysinternals dot com (now a Microsoft
Technet site).

Perhaps someone else will have an opinion on a good host based firewall
for an email server.


Andrew.



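The `netstat -b` suggestion in the message above can be turned into a repeatable check for an application that sends out on many different ports. The following is an added example, not code from the thread: the sample output is constructed in the layout of `netstat -abn`, the executable names `mailsvc.exe` and `oddtask.exe` are made up, and treating "local port is not a listening port" as "outbound" is a heuristic assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of `netstat -abn` on Windows. Not a real
# capture: executable names are made up, addresses are documentation ranges.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1480
  [mailsvc.exe]

  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  RpcSs
  [svchost.exe]

  TCP    192.0.2.10:25          198.51.100.7:41822     ESTABLISHED     1480
  [mailsvc.exe]

  TCP    192.0.2.10:1187        203.0.113.20:6667      ESTABLISHED     3312
  [oddtask.exe]

  TCP    192.0.2.10:1188        203.0.113.21:31337     SYN_SENT        3312
  [oddtask.exe]

  TCP    192.0.2.10:1190        203.0.113.22:8081      ESTABLISHED     3312
  [oddtask.exe]

  TCP    192.0.2.10:1201        198.51.100.9:25        ESTABLISHED     1480
  [mailsvc.exe]

  TCP    192.0.2.10:1300        198.51.100.40:80       TIME_WAIT       0
  Can not obtain ownership information
"""

CONN_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z][A-Z_0-9]*))?(?:\s+(\d+))?\s*$")
OWNER_RE = re.compile(r"^\s*\[(.+)\]\s*$")


def _port(addr):
    """Port number from 'host:port'; '*:*' and similar give None."""
    port = addr.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def parse_netstat_b(text):
    """Return one dict per connection line, with the owning executable."""
    conns, current = [], None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            current = {"proto": proto, "local_port": _port(local),
                       "remote": remote, "remote_port": _port(remote),
                       "state": state, "pid": pid, "exe": "(unknown)"}
            conns.append(current)
            continue
        m = OWNER_RE.match(line)
        if m and current is not None:
            current["exe"] = m.group(1)  # "[name.exe]" closes the entry
            current = None
        # Component lines ("RpcSs") and "Can not obtain ownership
        # information" fall through; the entry stays "(unknown)" unless a
        # bracketed executable name follows.
    return conns


def outbound_ports_by_exe(conns):
    """Map executable -> set of remote TCP ports it connected out to."""
    # Heuristic (assumption): a TCP connection whose local port is not one
    # of the host's listening ports was initiated by this host.
    listening = {c["local_port"] for c in conns if c["state"] == "LISTENING"}
    out = defaultdict(set)
    for c in conns:
        if (c["proto"] == "TCP" and c["state"] not in (None, "LISTENING")
                and c["local_port"] not in listening
                and c["remote_port"] is not None):
            out[c["exe"]].add(c["remote_port"])
    return dict(out)


def flag_port_scatter(text, min_distinct_ports=3):
    """Executables with outbound connections to many distinct remote ports."""
    by_exe = outbound_ports_by_exe(parse_netstat_b(text))
    return sorted((exe, sorted(ports)) for exe, ports in by_exe.items()
                  if len(ports) >= min_distinct_ports)
```

Several snapshots taken over time can be concatenated into one text and passed to `flag_port_scatter`, which helps when the offending task only connects intermittently.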

RE: [Declude.JunkMail] Blackice Server EndOfLife - need replacement

2008-01-04 Thread Howard Smith (N.O.R.A.D.)
To replace blackice functions as to load on a server and monitor and block
what applications send out on individual ports. I have an offending app or
task that is trying to send out on random ports; I am trying to find it and
block it.

 
Howard Smith
N.O.R.A.D. Inc.
P.O. Box 680116
Miami, Florida 33168  
www.norad.com 
www.securetrek.com
www.siteshuttle.com
www.audiovideotrek.com
[EMAIL PROTECTED]
Office - (305) NETWORK (638-9675)
Sales - (786) 206-0045
Fax 1 - (305) 359-5144
 

Confidentiality Notice: This email message, including any Attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact  [EMAIL PROTECTED] by email and destroy all copies of the original
message. 
 
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Friday, January 04, 2008 2:25 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Blackice Server Settings

In relation to spam or in relation to security?

My answers would be Alligate (on a separate server) and a firewall, 
respectively.

Matt



Howard Smith (N.O.R.A.D.) wrote:
> ISS  no longer supports blackice  and it is no longer in production , what
> are users  replacing it with ?
>
>  
> Howard Smith
> . 
>  
>  
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
> Beckstrom
> Sent: Wednesday, September 27, 2006 5:58 PM
> To: declude.junkmail@declude.com
> Cc: [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] Blackice Server Settings
>
> I've gotten some requests to post the information on how to use Blackice
> Server to block email harvesting attacks.  So here it is!
>
> Before you install Blackice Server you must turn Data Execution Prevention
> OFF on your server.  Blackice and DEP will not coexist.  On your server
> right click on "MY COMPUTER" then go to properties and then go to advanced.
> Under performance, select the SETTINGS button and then click on the Data
> Execution Prevention tab.  If DEP is listed as enabled for anything, remove
> it for the listed services.
>
> Next, you can install Blackice.
>
> When you install Blackice server you should install it with the trusting
> mode enabled to allow all inbound traffic.  I believe it asks you what you
> want when you install Blackice.  I don't recall for sure if it does or not
> because it has been several years since I installed it.  If it doesn't ask
> you the protection level that you want, after you install blackice you can
> go into the GUI and go to the firewall tab and under protection level you
> can select "trusting: allow all inbound traffic"
>
> Blackice should run without causing you any trouble so you should have time
> to complete the other configuration items.  The whole install and
> configuration only took me about 15 minutes.  I installed it on a dedicated
> email server.  I don't have any experience with Blackice on a server running
> other stuff besides email and webmail.
>
> Also, you can always stop the Blackice service if you hit a problem.
> Blackice does its thing by watching traffic across the network card.  If you
> stop Blackice then it's effectively as if Blackice isn't installed on the
> server.  When the service is stopped Blackice is gone and all is back as it
> was before.
>
> Attached is the issuelist.csv file which comes with Blackice server.
> Blackice uses this file as a database of different types of attacks.  Line
> 227 had to be modified to indicate an action of IP|RST.  The IP|RST tells
> Blackice to block the IP of the attacker as the action to take.  Ignore the
> comments to the far right of line 227.  The comments say to block the
> attacker if they attempt to send email to 10 non-existent email addresses
> within 120 seconds.  The QTY/Timeframe is actually specified elsewhere.  All
> you need to change in this file is to add IP|RST to line 227.  The attached
> file already has the change.  It is from the most current version of
> Blackice so if you just bought Blackice you can move the attached file into
> the Blackice directory and you're good to go.
>
> Next, in the Blackice GUI you'll want to go to the firewall tab and put a
> checkmark in front of "Enable Auto Blocking".  The GUI updates the
> firewall.ini file to tell Blackice that auto-blocking is enabled.  The line
> in my firewall.ini is the following:
>
> auto-blocking = enabled, 2000, BIgui
>
> Next, go to the blackice.ini file and manually edit it to add the following
> 4 lines:
>
> smtp.error.count=6
> smtp.error.interval=30
> pam.smtp.error.count=6
> pam.error.interval=30
>
> The above settings in blackice.ini tell Blackice that if it detects an
> attempt to send to 6 non-existent email addresses within 30 seconds then it
> should activate the Email_Error action in line 227 of issue
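
The threshold described in the quoted post (6 attempts to send to non-existent addresses within 30 seconds, after which the source IP is blocked) behaves like a per-IP sliding-window counter. The following is an added example, not Blackice's implementation and not code from the thread: the log line format, the function name `find_harvesters` and all sample lines are assumptions constructed for illustration, with SMTP reply code 550 standing for a rejected recipient.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

ERROR_COUNT = 6      # smtp.error.count from the post
ERROR_INTERVAL = 30  # smtp.error.interval from the post, in seconds

# Assumed log format, constructed for this example (not IMail's or Blackice's):
#   <ISO timestamp> <client IP> RCPT <recipient> <SMTP reply code>
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+RCPT\s+(\S+)\s+(\d{3})$")

# Constructed sample: a fast harvester, a slow guesser and a normal sender.
SAMPLE_LOG = sorted(
    [f"2008-01-04T12:00:{s:02d} 203.0.113.50 RCPT user{s}@example.com 550"
     for s in range(0, 14, 2)]                     # 7 rejects in 12 s
    + [f"2008-01-04T12:01:{s:02d} 203.0.113.77 RCPT guess{s}@example.com 550"
       for s in range(0, 60, 10)]                  # 6 rejects spread over 50 s
    + ["2008-01-04T12:00:05 198.51.100.8 RCPT sales@example.com 250",
       "2008-01-04T12:00:07 198.51.100.8 RCPT slaes@example.com 550",
       "2008-01-04T12:03:00 198.51.100.8 RCPT info@example.com 250",
       "malformed line that the parser must skip"]
)


def find_harvesters(lines, count=ERROR_COUNT, interval=ERROR_INTERVAL):
    """Return {ip: datetime} for each IP that reaches `count` rejected
    recipients within `interval` seconds; the value is the moment the
    threshold was crossed (when a block would start)."""
    recent = defaultdict(deque)   # ip -> timestamps of rejects still in window
    blocked = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # ignore lines that are not RCPT records
        ts, ip, _rcpt, code = m.groups()
        if code != "550" or ip in blocked:
            continue              # accepted recipient, or IP already blocked
        now = datetime.fromisoformat(ts)
        window = recent[ip]
        window.append(now)
        # Drop rejects that have aged out of the interval.
        while (now - window[0]).total_seconds() > interval:
            window.popleft()
        if len(window) >= count:
            blocked[ip] = now
    return blocked


if __name__ == "__main__":
    for ip, when in find_harvesters(SAMPLE_LOG).items():
        print(f"block {ip} at {when.isoformat()}")
```

The slow guesser in the sample produces six rejects but never six inside one 30-second window, so it stays under the threshold; a lower count or a longer interval would be needed to catch it.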