Which software to use for bot detection over Lan
-
@Rico i do not have a mail server..Wondering....why my network is getting blacklisted over spam flow..Does the spam originated from the clients mails or where is it originating and destined and i really appreciate the help
-
Yes, probably something with malware on your LAN sending spam. That rule will block it log what clients are trying to send it.
Steve
-
@OpenWifi said in Which software to use for bot detection over Lan:
Wondering
Why should you wonder ??
You administer a firewall/router so you have all the whistles and bells to determine what goes in and out.I have a rule like this
in place on a LAN network that I do not trust - my captive portal network.
"Not trust" because I do not control the connected devices.With such a rule in place you can see in the firewall log what happens => who could be blamed - who is using the outgoing port 25. It's a real "click and done" solution.
The counter in front of the rule states that some devices wanted to connect to the outside world using port "25".
In my network, that is a no go. It means often that a mail client isn't setup the right way.
These days : for retrieving mail, a client should use POP or IMAP, using port 110 / 995 or 143 / 993.
Sending mails is done over 487 or port 465. Sending must be done the authenticated way, anonymous send (== 25 port) should never be allowed.edit => LOL => if you run a @OpenWifi it's pure madness NOT to block outgoing SMTP connection. From your Wi-Fi access unknown people could : try to steal those nuclear launch codes, break into the NSA etc etc and all this will happen with you being responsible for this IP.
-
@Gertjan but the first rule on my lan is allowing port 433 and 80 and the anti-lock out rule.I fear getting locked out of the webgui when i change that rule to block SMTP.So how do i go about it.Thank you
-
-
Rules are read from the top down.
You cant place a rule above the anti lockout rule.
-
@NogBadTheBad
.Will this work,just changed it now -
The order is ok.
This isn't :
Ditch that WAN_DHCP reference.
-
@OpenWifi said in Which software to use for bot detection over Lan:
@NogBadTheBad
.Will this work,just changed it nowOk - now, wait until this one :
starts counting.
You will find the notices in the firewall log - and know who - you will have his LAN IP - was trying to use the "25 port". -
Thank you everyone for your help.Already configured the rule to block smtp port 25.I believe this means clients on the lan would not be able to send mail!!
-
@OpenWifi said in Which software to use for bot detection over Lan:
I believe this means clients on the lan would not be able to send mail!!
Again, you admin a firewall. There is no such thing as "Wondering" and "Believing". Things happens because you let them happen. And things that you do not want, you stop. You are the boss.
A boss doesn't "trust" or "believe".Maybe this is new to you :
Mail clients like Outlook Express, Outlook (Office) or Thunderbird should not use port 25 to send mail.
They are set up to use (as stated) above : port 587 or port 465. These two port permit some one to send mails, if they can authenticity themselves first == have an account at that mail server.Like : you can not send mail using mail.gmail.com on port 25 : gmail does not allow this. gmail is not an open relay. You should use 587, no, better : port 465.
For historical reasons, ISP's allow that you use their mail servers so you can send your (not your unkown visitors !!) send mail to some one. This is an exception. Do understand that the ISP knows who you are : you are using their "land line" to connect to their services.
