Does this sound familiar:
Hackers! They are trying to penetrate your system, and you want to block them, preferably in the firewall, so that Domino doesn't even notice them.
SMTP Server: Authentication failed for user firstname.lastname@example.org ; connecting host 22.214.171.124
Can we do something about it? Definitely. Below I present to you (1) a simple agent that sends IP-addresses to Ubuntu's firewall, and (2) some configuration settings in the events4.nsf database.
The idea is to add an Event handler per server, in the Monitoring Configuration database, that triggers an agent in yet another database. Separate, so the design of the events4.nsf database isn't changed. I called mine dds.nsf, Domino Domain Security. It's based on the StdR5StatReport template, just like the Monitoring Results database you can find on your server.
Maybe it's better to show you the agent:
    %REM
        Agent Block Intruder
        Created Feb 14, 2021 by Sjef Bosman/TCM
        Description: Block IP addresses on an Ubuntu server
    %END REM
    Option Public
    Option Declare

    Class IPBlocker
        Private blocked List As Boolean    ' IP addresses already handled in this run
        Private n As Integer               ' number of new rules added
        Private cmd As String              ' first half of the firewall-cmd command line

        Sub New
            cmd= |/bin/sudo firewall-cmd --add-rich-rule='rule family=ipv4 source address=|
        End Sub

        ' Add a permanent reject rule for one address (only once per run).
        Sub block(ip As String)
            Dim r As Integer
            If Not IsElement(blocked(ip)) Then
                Print "Blocking IP " ip
                r= Shell(cmd + ip + | reject' --permanent|)
                blocked(ip)= True
                n= n + 1
            End If
        End Sub

        ' Permanent rules only take effect after a reload; do that once at the end.
        Sub flush
            Dim r As Integer
            If n>0 Then
                r= Shell(|/bin/sudo firewall-cmd --reload|)
                Print "IP addresses blocked: " n
            End If
        End Sub
    End Class

    Sub Initialize
        Dim ns As New NotesSession
        Dim db As NotesDatabase
        Dim dc As NotesDocumentCollection
        Dim doc As NotesDocument
        Dim doc2 As NotesDocument
        Dim v As Variant
        Dim blocker As New IPBlocker

        Set db= ns.Currentdatabase
        Set dc= db.Unprocesseddocuments    ' event documents not yet seen by this agent
        Set doc= dc.Getfirstdocument()
        Do Until doc Is Nothing
            Select Case doc.ErrorCode(0)
            Case "SMTP Server0x336E":      ' SMTP authentication failure
                v= Split(doc.EventText(0), " ")    ' last element is the ip-address
                Call blocker.block(CStr(v(UBound(v))))
            End Select
            Set doc2= dc.Getnextdocument(doc)
            Call ns.Updateprocesseddoc(doc)    ' mark as processed so it is not handled twice
            Set doc= doc2
        Loop
        Call blocker.flush()
    End Sub
The Event document is to be created in the Monitoring Configuration database, as follows:
Important: the Domino user ("notes") must have sudo rights without a password. Of course the agents should be signed by a user with sufficient rights to execute agents on the server.
And the result:
27/04/2021 18:33:49 SMTP Server: Authentication failed for user email@example.com ; connecting host 126.96.36.199
27/04/2021 18:33:50 SMTP Server: Authentication failed for user firstname.lastname@example.org ; connecting host 188.8.131.52
27/04/2021 18:36:10 AMgr: Agent ('Block Intruder' in 'dds.nsf') printing: Blocking IP 184.108.40.206
27/04/2021 18:36:12 AMgr: Agent ('Block Intruder' in 'dds.nsf') printing: IP addresses blocked: 1
It seems sensible to block complete IP-ranges, with some additional code in the IP-blocker class. The shell command is the following:
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='220.127.116.11/8' reject"
Do try it!
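The agent above takes the last word of the event text and hands it straight to Shell(), and the range rule just shown is typed by hand. The script below is an added example, not code from the post or from Domino: it runs the same logic from the command line over Domino console lines, but validates that the "connecting host" field really is an IPv4 address or CIDR range before it gets anywhere near firewall-cmd, deduplicates addresses as the IPBlocker class does, and reloads once at the end. The function names (is_ipv4, extract_ips, rich_rule, block_target, block_from_log) and the sample console lines are mine; the rich-rule syntax is the one from the post. With DRY_RUN=1 (the default) it only prints the firewall-cmd commands it would run.

```shell
#!/bin/sh
# Added example, not part of the original post: block SMTP brute-forcers
# seen in Domino console lines via firewalld, with input validation.
# DRY_RUN=1 (default) prints the commands instead of running them.

# Constructed sample console lines (not real log data). One duplicate IP,
# one impossible address and one line carrying shell syntax are included
# on purpose to show what the validation rejects.
SAMPLE_LOG='27/04/2021 18:33:49 SMTP Server: Authentication failed for user a@example.com ; connecting host 198.51.100.23
27/04/2021 18:33:50 SMTP Server: Authentication failed for user b@example.com ; connecting host 203.0.113.9
27/04/2021 18:33:51 SMTP Server: Authentication failed for user c@example.com ; connecting host 198.51.100.23
27/04/2021 18:33:52 SMTP Server: Authentication failed for user d@example.com ; connecting host 999.1.1.1
27/04/2021 18:33:53 SMTP Server: Authentication failed for user e@example.com ; connecting host $(id)
27/04/2021 18:34:00 Router: Message 001A2B3C delivered to Some User/Org'

# is_ipv4 TARGET: accept a dotted quad, optionally with /1../32.
# Anything else (including text that looks like shell syntax) is rejected,
# so only well-formed addresses ever reach the firewall-cmd command line.
is_ipv4() {
    addr=${1%%/*}
    prefix=${1#*/}
    case "$1" in
        */*)
            case "$prefix" in
                *[!0-9]*|'') return 1 ;;
            esac
            # /0 would reject every source address, so it is not allowed here
            [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ] || return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# extract_ips: read console lines on stdin, print each distinct valid
# offending address once, in first-seen order; report the rest on stderr.
extract_ips() {
    sed -n 's/^.*SMTP Server: Authentication failed for user .* ; connecting host \([^ ]*\) *$/\1/p' |
    awk '!seen[$0]++' |
    while IFS= read -r ip; do
        if is_ipv4 "$ip"; then
            printf '%s\n' "$ip"
        else
            printf 'skipping malformed host field: %s\n' "$ip" >&2
        fi
    done
}

# rich_rule TARGET: the rule text from the post; TARGET may be a single
# address or a CIDR range such as 203.0.113.0/24.
rich_rule() {
    printf "rule family='ipv4' source address='%s' reject" "$1"
}

# block_target TARGET: add the permanent rule (or print it in dry-run mode).
block_target() {
    is_ipv4 "$1" || { printf 'refusing to block invalid target: %s\n' "$1" >&2; return 1; }
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'firewall-cmd --permanent --add-rich-rule="%s"\n' "$(rich_rule "$1")"
    else
        sudo firewall-cmd --permanent --add-rich-rule="$(rich_rule "$1")"
    fi
}

# block_from_log: the agent's Initialize/flush flow over console lines on
# stdin: one rule per new address, then a single reload at the end.
block_from_log() {
    count=0
    for ip in $(extract_ips); do
        block_target "$ip" && count=$((count + 1))
    done
    if [ "$count" -gt 0 ]; then
        if [ "${DRY_RUN:-1}" = 1 ]; then echo 'firewall-cmd --reload'; else sudo firewall-cmd --reload; fi
    fi
    echo "IP addresses blocked: $count"
}

# Stand-alone run over the constructed sample: two rules, one reload.
printf '%s\n' "$SAMPLE_LOG" | block_from_log
```

If you port the is_ipv4 check back into the LotusScript block() method, the agent no longer depends on the event text having exactly the expected shape. Two further points for the sudo setup the post requires: the passwordless sudo entry for the "notes" user can be limited to the one binary (a sudoers line of the form `notes ALL=(root) NOPASSWD: /usr/bin/firewall-cmd`, adjust the path to your system) rather than granting it for every command, and a /8 rule covers roughly 16.7 million addresses, so check who owns a range before rejecting all of it.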