Friday, 12 September 2008

Goodbye China!

If using a "biscuit tin as a firewall" was the answer - then the question had to be "How the hell do I stop China over-running my mail server?"

This is dedicated to anyone who runs their own mail server. Whether you're a business user supporting an enterprise deployment or a pokey home user just looking to get a little bit of IMAP love in your life - the day you find where the mail logs reside is the beginning of a vengeful game of strike and counter strike.

Perhaps some people are happy with it - but for me, reading the mail logs is an irritation. From time to time you expect the occasional prod from some random point in the country attempting to relay off your mail server but the constant drip drip offensive from one international region in particular is quite literally like Chinese water torture.

Almost 95% of relay attempts against my mail server, when processed through whois on dnsstuff.com, turned out to be from China. Perhaps they thought there was a gold medal in the offing?!!

The alliteration of attempts was impressive and it showed that although the majority of engagements failed trying to handshake my mail server (HERRO instead of EHLO perhaps?) - some were far less bot driven and much more sneaky in their attempts to trick my MTA into relaying fun time Pr0n mail to the masses. Eventually it drove the fear of God into me. Who knows what they get up to in the labs over there? The xenophobe in me kicked in. Visions of faithful party members - miniaturised and deployed inside ethernet frames - raiding my mail server with all manner of technoexploit know how meant that I could not rely on my MTA alone to deal with it. They had to be stopped at the perimeter!!!

Don't get me wrong here. I had hardened my Postfix implementation after a lengthy (5 minute) trawl through the first page of Google search results on the issue. I had also burnt the midnight oil on more than one occasion, taking the time to deploy my own domain local blacklist and also real-time blacklisting (RBL). But the joy in rejecting mail from specific domains with my own custom FU 550 reject message was fleeting and the logs still showed the presence of chinanet users enjoying all night exploitathons on my IP address. I felt that it was only a matter of time before they partied hard enough to break on through to the other side.

That was why I decided to retract the hospitality that was generally afforded on port 25 to the rest of the world. A bit drastic? Not really - the last time I looked, Hu Jintao wasn't in my Facebook so what do I care.

So I traded up and got myself a nice Netgear firewall router from the Prosafe range. The FVG318 fitted the bill perfectly. It had some great features and also included the explicit ability to block either individual IP addresses or supernet IP blocks. Perfect! The spam relay attempts came in - left their dirty finger prints all over my logs - and the associated IP ranges were looked up and then entered into the 'no no' list. Moohahahahahaha!

Imagine my disappointment when I discovered that a so say professional device (that is where the pro in prosafe comes from --- right?) rejected my 21st attempt at entering a firewall rule.

Netgear and the art of WTF??!!!!
When the FVG318 says those three little words, it's hard to hide the rejection when you read "Too Many Entries"! Tear my heart out why don't you!!!

Firmware Version: v2.1.2-67R - you're a dirty love rat!

Frankly - I don't know if it's unacceptable or not to have such a limitation in an off the shelf product. I could cry all I liked and Netgear were unlikely to fix my issue for me. As a result, it was time for Linux. Specifically - Smoothwall.

How and why I came to this decision - and how I built the damn thing have been blogged HERE

So how could Smoothwall be of benefit? Quite simple really. Give me the power to block the extensive range of IP addresses I needed in order to exact my vengeful nature upon the far east! At the same time, it would allow me to do it in a manner that meant I didn't have to enter the IP blocks one at a sodding time. Lucky for me, Smoothwall is the mutts nuts (or the dogs danglies if you prefer - choices choices eh! That's western living for yah).

Ok, if I was pedestrian about it - Smoothwall would allow me to plod through my hate list one item at a time, adding them via GUI interface. If I wanted to step up a gear then there was always the direct route. By enabling SSH access and having a quick prod about, it didn't take long to find the config file for the ipblock function under /var/smoothwall/ipblock

PuTTY and the art of TFFT!
As any responsible citizen should, all material of a sensitive nature has been removed to protect the innocent.

Smoothwall supports vi if you fancy your elite text based editor skills. Alternatively, you could always use WinSCP to provide you with graphical access to the directory structure and locate the ipblock config file for editing. You may want to make a backup before you balls it up though.

Smoothwall allows for IP blocks to be specified by CIDR notation. The ipblock file takes a comma-separated list of parameters in this apparent order: (ip details) address/CIDR range, (logging) on/off, (punishment) drop/reject, (enable) on/off, and, as the example below shows, a trailing field holding a label.

e.g. 220.152.128.0/17,off,DROP,on, China

That's great - but where the hell am I going to find a list of Chinese IP blocks? The internet being the community it is, you can guarantee that this issue has been pissing people off for long enough to ensure that someone has already done the leg work for you. Enter the OKEAN web site. If I were a small dog, I would be humping this guy's leg right now. Both Chinese and Korean IP blocks in contiguous / CIDR and dnsbl zone format. It's this kind of selflessness that makes the web a better place (rather than a virtual high street).


If I were a little dog!
Okean ... where are yooooou?

With the IP booty in the swag bag (thanks Okean) all it needs now is for a quick cut and paste of the data into the /var/smoothwall/ipblock/config file and bob is your aunty. The list appears immediately in the Smoothwall ipblock list via the browser. A quick reload of the firewall to be on the safe side and there we go. China begone.
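Rather than pasting a downloaded list in blind, the conversion can be scripted and sanity-checked first. The following is an added example, not part of the original post and not Smoothwall's own tooling: it validates each CIDR block, collapses overlapping or adjacent ranges, refuses over-broad prefixes, and aborts if a block would cover an address you still need to reach the box from. The input layout (one CIDR per line with optional trailing text), the function names and the `min_prefix` guard are assumptions; the output field order follows the example line shown above.

```python
import ipaddress

# Constructed sample input: one CIDR per line, '#' comments, optional trailing
# text. The real layout of a downloaded list is an assumption; adjust to suit.
SAMPLE_LIST = """\
# constructed sample, not real list data
220.152.128.0/17 CN
220.152.0.0/17 CN
198.51.100.0/24 test-net
198.51.100.128/25 duplicate-inside-previous
203.0.113.77/24 host-bits-set
not-an-ip
0.0.0.0/1 far-too-broad
"""

def parse_blocks(text, min_prefix=8):
    """Return (networks, rejected): validated IPv4 networks and the bad lines."""
    networks, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=True rejects entries with host bits set (likely typos)
            net = ipaddress.IPv4Network(line.split()[0], strict=True)
        except ValueError:
            rejected.append(raw)
            continue
        if net.prefixlen < min_prefix:  # guard against blocking half the internet
            rejected.append(raw)
            continue
        networks.append(net)
    # Merge adjacent and nested ranges so the config stays as short as possible
    return list(ipaddress.collapse_addresses(networks)), rejected

def build_config(networks, keep_reachable=(), label="China", log="off", action="DROP"):
    """Render ipblock lines; refuse if a block would cover an address we need."""
    for addr in map(ipaddress.IPv4Address, keep_reachable):
        hit = [n for n in networks if addr in n]
        if hit:
            raise ValueError(f"{addr} is inside {hit[0]}; refusing to write config")
    # Field order as in the post's example: range, logging, action, enabled, label
    return [f"{net},{log},{action},on,{label}" for net in networks]

if __name__ == "__main__":
    nets, bad = parse_blocks(SAMPLE_LIST)
    print("\n".join(build_config(nets, keep_reachable=["192.0.2.10"])))
    print(f"rejected {len(bad)} line(s): {bad}")
```

Review the rejected lines by hand before appending the output to a backed-up copy of the config file.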

The sad reality is that a small percentage of people are either willingly or unwittingly helping their country gain an unsavoury reputation. A quick browse on the net shows that plenty of people are considering similar actions in order to protect their infrastructure from abuse. It could make the internet a very hit and miss affair for China over the next decade.
