Many sites see SMTP servers attempting to gain unauthorized entry to their system. Denial of Service (DoS) attacks and attempts to guess system passwords are the most common ways hackers try to cause trouble.
You can control unwanted outside connections using these options:
• permanently block suspicious IP addresses by adding them to your filter documents in the Filters folder
• temporarily block IP addresses that register strikes against your server by appearing to guess your passwords
• temporarily suspend unwanted connections
• monitor system abuse and configure Internet Services to trigger warnings from unwanted connections using the settings on the Abuse subtab on the UCE/SPAM tab.



Temporarily block unwanted IP addresses
If your FirstClass site connects to the Internet, you will inevitably experience unwanted connections from IP addresses that repeatedly try to log into your system with incorrect user IDs or passwords.
Internet Services has a "strike out" option that temporarily blocks unwanted IP connections using this entry in the rules.MailRules file (located in the Filters folder on the administrator's Desktop)
.: IF ($spamlevel > $HighSpamMax && $XtremeCausesNDN) STRIKE # this action must come before the NDN action
and the parameter settings on the Junk subtab on the UCE/Spam tab.
Note
To enable the STRIKE rule in the rules.MailRules file, you must select "Extreme causes NDN" on the Mail Rules subtab on the UCE/Spam tab.
If your site receives a certain number of strikes (bad connection attempts) from an IP address within a certain period of time, Internet Services adds that address to a temporary block list for a certain period of time, which you set on the Junk subtab on the UCE/Spam tab. You can log the temporary list to a permanent file and clear entries from the Control tab on the Internet Services Monitor form.
For example, say you have this setup on your system:

Internet Services will allow an offending IP address to attempt to connect to your site three times with less than one minute between attempts, before blocking it for five minutes. So, if the first connection happens at 58 seconds, the next connection at 57 seconds, and the third connection at 59 seconds, Internet Services knows that all three connections are from the same troublesome address and will block it for the prescribed amount of time.
If the IP address tries to connect to your site in intervals greater than one minute (for example, every 64 seconds between attempts) Internet Services resets the counter after each attempt and begins the process over. Since the offending address waited longer than the one minute between each attempt to try to connect to your site, Internet Services does not consider it the same offending address and will not strike it out. Therefore, it is not blocked for the amount of time you've set on "Amount of time to block struck out IPs".
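The strike counter described above can be modelled in a few lines, which makes it easy to see which attempt timelines a given set of values will and will not catch. This is an added example, not FirstClass code: the class, function and parameter names are hypothetical, the timelines are constructed, and treating a gap of exactly one minute as a reset is an assumption.

```python
# Added illustration: a model of the strike-out behaviour described above.
# Parameter names are hypothetical; they are not FirstClass setting names.
from dataclasses import dataclass, field


@dataclass
class StrikeTracker:
    max_strikes: int = 3        # strikes before a block (the page's example)
    window_s: float = 60.0      # longest gap between strikes that still counts
    block_s: float = 300.0      # how long a struck-out address stays blocked
    _state: dict = field(default_factory=dict)    # ip -> (count, last strike)
    _blocked: dict = field(default_factory=dict)  # ip -> block expiry time

    def is_blocked(self, ip: str, now: float) -> bool:
        # An address with no entry is treated as if its block expired long ago.
        return now < self._blocked.get(ip, float("-inf"))

    def strike(self, ip: str, now: float) -> bool:
        """Record a bad connection attempt; return True if ip is now blocked."""
        if self.is_blocked(ip, now):
            return True
        count, last = self._state.get(ip, (0, None))
        if last is not None and now - last >= self.window_s:
            count = 0           # gap too long: the counter starts over
        count += 1
        if count >= self.max_strikes:
            self._blocked[ip] = now + self.block_s
            self._state.pop(ip, None)
            return True
        self._state[ip] = (count, now)
        return False


def replay(times, ip="192.0.2.10", **settings):
    """Feed constructed strike timestamps (seconds); return block decisions."""
    tracker = StrikeTracker(**settings)
    return [tracker.strike(ip, t) for t in times]


# Constructed timelines (seconds): gaps under a minute vs. one every 64 s.
FAST = [0, 58, 115]
SLOW = [0, 64, 128, 192, 256]

if __name__ == "__main__":
    print("fast:", replay(FAST))
    print("slow:", replay(SLOW))
    print("slow, two-minute window:", replay(SLOW, window_s=120.0))
```

Replaying timestamps taken from your own connection logs against candidate values shows whether the strike window is wide enough for the attempt rate you actually see.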
Tip
If you can establish that the offending IP address belongs to a particular user or organization, you can add it to your filter list so you can block it permanently. However, most hackers use IP addresses that cannot be traced back to the correct origin.



Temporarily suspend unwanted IP addresses
Along with temporarily blocking unwanted IP addresses, you can temporarily tie up their resources in a virtual "blackhole". Using this approach, you can dissuade attackers from trying to access your system. When an offending IP address tries to connect, Internet Services discards any data sent while producing a slow, timed stream of characters to keep the connection alive. This way you tie up their resources and slow their ability to hit your site and other sites.
Note
Some RBL services request that you implement this feature in order to use their service.
To blackhole unwanted connections, you must select "Reject connections based on Filters" on the Connections tab on the Basic Internet Setup form and have the IP address listed in your filter documents in the Filters folder. You then set the parameters in the Connection black hole section on the Connections tab.
You can flush suspended connections on the Control tab on the Internet Services Monitor form.


