Need Best Solution to Allow IP Addresses to Bypass Custom Rule to Block SMTP 25



  • Hello,

    I have many attempts from the outside world to log in to mydomain user accounts, which I've noticed on my anti-spam proxy filter logs. I found an article where someone created a custom rule to block any brute force attempts.
    alert tcp $EXTERNAL_NET any -> any 25 (msg:"SMTP AUTH LOGON brute force attempt"; content:"AUTH LOGIN"; nocase; classtype:suspicious-login; sid:1000001; rev:2;)

    My issue is that the rule blocks all attempts, including my attempt to send out mail using my mobile provider's network. What is the best solution for allowing my mobile network to bypass the rule: Pass Lists, IP List or IP Rep? I created an Alias with IPs of 24.114.0.0/17 and 72.136.0.0/13. Any help would be much appreciated.

    Karl


  • Banned

    Yeah, that shouldn't be too difficult to accomplish.

    You can create your alias for Suricata at /usr/local/pkg/suricata/suricata_yaml_template.inc under the "vars:" section.
    Once you've created your alias, change your custom rule to the following.
    This just sets the rule to alert on any source IP not included in your alias, instead of any source included in the built-in $EXTERNAL_NET alias.

    alert tcp !$MY_NET any -> any 25 (msg:"SMTP AUTH LOGON brute force attempt"; content:"AUTH LOGIN"; nocase; classtype:suspicious-login; sid:1000001; rev:2;)
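An added example (not from this thread or from pfSense/Snort) that models how the two rule variants behave: the original `$EXTERNAL_NET` source matches anything outside $HOME_NET, while the rewritten `!$MY_NET` source exempts the poster's mobile ranges. The $HOME_NET value and the test IPs are assumed/constructed; the MY_NET ranges are the two CIDRs from the first post.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed from the thread: the poster's mobile-provider ranges ($MY_NET).
MY_NET = ["24.114.0.0/17", "72.136.0.0/13"]
# Assumed $HOME_NET value; Snort's default $EXTERNAL_NET is !$HOME_NET.
HOME_NET = ["192.168.1.0/24"]


def in_any(ip: str, cidrs: Iterable[str]) -> bool:
    """True if ip falls inside any of the given CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def rule_fires(src_ip: str, payload: bytes,
               exclude_net: Optional[Iterable[str]] = None) -> bool:
    """Model the thread's rule: content "AUTH LOGIN" (nocase) towards port 25.

    exclude_net=None models the original `$EXTERNAL_NET` source (any address
    not in $HOME_NET). A list models the rewritten `!$MY_NET` source: traffic
    from the alias is exempt even though it is external.
    """
    # content:"AUTH LOGIN"; nocase; -> case-insensitive substring match
    if b"auth login" not in payload.lower():
        return False
    if exclude_net is None:
        return not in_any(src_ip, HOME_NET)
    return not in_any(src_ip, exclude_net)
```

With the original rule the phone's address still alerts; with the negated alias it does not, while an unrelated external source alerts under both.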


  • Thanks for your response,

    I should've been more clear. I'm using Snort. I'm currently using a Pass List, which works fine now, but I am concerned that if I leave the country and use my cell phone it will once again get blocked based on the IP address I will have, which won't be on the alias Pass List.


  • Banned

    Oh ok, you can just set up a VPN server on your pfSense box and export the client to your cell phone. The VPN won't be on port 25, and once you are connected you'll be on an IP you can set an alias for.



  • I do have a VPN set up on my server and also the client on my phone. I will need to give this a test.

    Thanks,