Country Block
-
I run my own postfix mail server. Probably 80% of the spam comes from russia, china, korea or japan. I get no legitimate mail from anyone in those countries. So, I will be installing this ASAP :)
-
Thank you.
You are right. Unfortunately, I don't feel bad. A country constantly scanning me or sending SPAM needs to be blocked on my network. I don't want them looking at my website, searching for vulnerabilities, or constantly trying to brute force my SSH server. I made it easy for me and those who get frustrated with trying to minimize the damage caused by these countries. Blocking the entire country could affect them, but I don't see how. If you did business with that country then you wouldn't block them but if you have no business then no harm done.
Maybe more tools like this will cause countries to enforce laws more in the future. Who knows…Where feasible, it's sensible security policy regardless of where you are in the world - if you don't have to allow something, don't allow it. Many companies do no business outside of their own country or a select few countries, so why allow the entire Internet? As useful as it is for those in this thread, who look to be largely in the US, it's just as useful to those in countries some US companies may want to block. Abuse isn't limited to any particular country, it comes from all over. A Russian company that does no business in the US could drop off their spam and hack attempts considerably by blocking the US, where it's sensible for some US companies to do the opposite. The same way those of us in the US see all these attacks from Russia, China, India, Nigeria, and elsewhere, people in those countries see just as much abuse from hosts in the US and see it the same way in the same circumstances - unnecessary traffic that can be blocked entirely. This isn't limited to any country, and isn't that much about enforcing sensible policies on Internet users. That's largely done in the US, but a large portion of the spam and hack attempts we see come from the US.
Keep in mind this can help a lot, but if you're being specifically targeted, may not provide the level of assurance you think it does. Every country has plenty of compromised hosts, or hosts that can be compromised, to use to launch attacks. It's a good measure to drop off things you know have no place being on your network, but still leaves plenty of exposure.
-
to th enewbie guy, country block in the 1.23 packages not installed (if you're using 1.2.3 pfsense release).
-
I'm having trouble with this package. After I click save, it says "Current status = Running". But a few minutes later it will stop running. Any ideas on how to debug this?
FYI, I only have the "Top Spammers" checked.
-
I'm having trouble with this package. After I click save, it says "Current status = Running". But a few minutes later it will stop running. Any ideas on how to debug this?
FYI, I only have the "Top Spammers" checked.
Are you making changes to firewall settings? Please read the FAQ on the first post.
-
No, this happens without making any firewall changes.
-
No, this happens without making any firewall changes.
To help you better I need more info.
Version of pfsense:
packages installed:
How you applying the package:
After it's running, when do you notice it's not: -
I'm using pfsense 1.2.3.
I installed the package with the web interface. When configuring it, I click enable, commit, and save. However, usually after clicking commit, it disables the Enable checkbox. So it's more like enable, commit, enable, save.
I notice it's not running after waiting a few minutes then going back to the Country Block configuration page.
# pkg_info arc-5.21o_1 Create & extract files from DOS .ARC files arj-3.10.22_1 Open-source ARJ arj-3.10.22_3 Open-source ARJ bandwidthd-2.0.1_1 Tracks bandwidth usage by IP address clamav-0.96.1 Command line virus scanner written entirely in C cyrus-sasl-2.1.22_1 RFC 2222 SASL (Simple Authentication and Security Layer) cyrus-sasl-2.1.23 RFC 2222 SASL (Simple Authentication and Security Layer) denyhosts-2.5 Script to thwart ssh attacks gd-2.0.35,1 A graphics library for fast creation of images gdbm-1.8.3_3 The GNU database manager havp-0.91_1 HTTP Antivirus Proxy jpeg-6b_4 IJG's jpeg compression utilities lha-1.14i_6 Archive files using LZSS and Huffman compression (.lzh file libiconv-1.11_1 A character set conversion library lightsquid-1.7.1_1 A light and fast web based squid proxy traffic analyser mysql-client-5.1.44_1 Multithreaded SQL database (client) ntop-3.3.8 Network monitoring tool with command line and web interface openldap-client-2.4.10 Open source LDAP client implementation openldap-client-2.4.11 Open source LDAP client implementation openldap-client-2.4.22 Open source LDAP client implementation p5-GD-2.39 A perl5 interface to Gd Graphics Library version2 pcre-7.9 Perl Compatible Regular Expressions library pcre-8.00 Perl Compatible Regular Expressions library pcre-8.02 Perl Compatible Regular Expressions library perl-5.10.1 Practical Extraction and Report Language perl-5.10.1_1 Practical Extraction and Report Language perl-5.8.8_1 Practical Extraction and Report Language perl-5.8.9_3 Practical Extraction and Report Language python24-2.4.3_3 An interpreted object-oriented programming language snort-2.8.6_1 Lightweight network intrusion detection system squid-2.7.9 HTTP Caching Proxy squid_radius_auth-1.10 RADIUS authenticator for squid proxy 2.5 and later stunnel-4.25 SSL encryption wrapper for standard network daemons unzoo-4.4_2 A zoo archive extractorFrom the web interface: Country Block Dashboard Dashboard Widget: Antivirus Status Dashboard Widget: HAVP Dashboard Widget: Snort HAVP antivirus Lightsquid OpenVPN Status bandwidthd ntop snort squid stunnelAll the latest versions except squid, which looks like it was updated today.
-
Something is regenerating your firewall settings I think. Every time rules.debug is run your country block package stops running. I have been running country block for a month now without errors or interruption.
Start to eliminate variables. Disable packages and services and start to narrow it down. If you want to help me get to the bottom of this now email me your config and I can probably give you an answer within the hour.
-
Ok I'll start disabling packages and see what happens. If I can't figure it out I'll send you my config.
-
I disabled everything I could and no luck. What sections of the config should I send you?
Thanks for offering to look at it for me.
-
If you don't mind just send me the entire config.
-
That's fine. Just got to edit the config. I'll send it to you in a sec.
Edit: Sent. Thanks!
-
No probs here either. :)
-
I get file system errors trying to write.
I can look further into this, I usually don't support nanobsd because of special exceptions I make.
The script is getting hung up on creating two files, countries.txt and lists/countries.txt. Perhaps you can make these files and modify the permissions so they cannot be removed.Were you able to look further into this - or can you provide a little more detail on how to fix? I have the same issue (pfSense 1.2.3 on Alix). Thanks.
-
I must be doing something wrong, or am finding the wrong IP of spammed emails. First, I have nearly every country checked, including the Dominican Republic. I've still received a few emails and my mail server separates them and lists their IP in the subject line for me. Recently I found one with an IP of 200.42.239.139 which as stated here:
http://ip-address-lookup-v4.com/lookup.php?ip=200.42.239.139
Points to the Dominican Republic. Am I finding a fake IP from the sender? Thanks.
-
Depending on what the spammer uses as relay….
-
Look at the last ip address before your own email server in the received headers, that's the IP address checked by country block.
-
Version 1.4 released.
Added logging option.
Added missing country. (India is in the top 10 list)
Fixed misspellings.
Changed installation process. -
Version 1.4 released.
Added logging option.
Added missing country. (India is in the top 10 list)
Fixed misspellings.
Changed installation process.After some looking around…is the logging feature located under status --> system logs --> Firewall?