Topic: Xt GeoIP - BadCountries

[gieres]

Hi,
SME 10 - Server and gateway
Xt GeoIP installed
BadCountries :

Code: [Select]

config show masq
masq=service
    BadCountries=SG,CN,IN,VN,BR,TW,KR,ID,RU,FI,HK,UA,NG,AR
    DenylogTarget=drop
    GeoIP=enabled
    Logging=most
    Stealth=no
    Trace=disabled
    XTGeoipOther=disabled
    XTGeoipRev=disabled
    XtServices=ftp,imap,imaps,pop3,pop3s,qpsmtpd,sqpsmtpd,sshd,pptpd
    pptp=yes
    status=enabled

In server-manager, in GeoIP panel, in statistics, it's wroten :

Administration XTABLES-ADDONS
GeoIP
Statistiques générées [ ipt ] 2023/09/08 02:05

  Smeserver daily statistics for Xtables - GEOIP
           from kooz2.albe.ovh - 2023-09-07

  Numbers of IPs banned (xt_geoip) by country during LAST DAY
       ( XX means 'country not found' )

--------------------
CN | 5752 | 44.6%
IN | 1515 | 11.8%
RU | 1154 | 9.0%
KR | 1246 | 9.7%
XX | 843 | 6.5%
BR | 453 | 3.5%
VN | 360 | 2.8%
TW | 293 | 2.3%
US | 174 | 1.4%
SG | 125 | 1.0%
NL | 135 | 1.0%
HK | 203 | 1.6%
UA | 71 | 0.6%
SE | 4 | 0.0%
PL | 107 | 0.8%
PA | 1 | 0.0%
NG | 13 | 0.1%
LU | 4 | 0.0%
KH | 1 | 0.0%
JP | 76 | 0.6%
IL | 4 | 0.0%
ID | 107 | 0.8%
GB | 32 | 0.2%
FR | 17 | 0.1%
FI | 18 | 0.1%
DE | 24 | 0.2%
CY | 4 | 0.0%
CR | 3 | 0.0%
CO | 26 | 0.2%
CA | 6 | 0.0%
BO | 2 | 0.0%
AU | 2 | 0.0%
AT | 4 | 0.0%
AR | 106 | 0.8%
--------------------
   | 12885 | 100%
--------------------

Why so many IPs (and SPECIALLY so many countries) banned by Xt GeoIP while BadCountries contains only 14 countries ?

Thanks in advance.

[ReetP]

Have you got any 'per service' filters set?

eg you may have generic ones in

Code: [Select]

config show masq

But others in:

Code: [Select]

config show qpsmtpd
Check all your services for 'BadCountries'

Code: [Select]

config show |grep BadCountries

[Jean-Philippe Pialasse]

Code: [Select]

config getprop sshd BadCountries

[gieres]

Have you got any 'per service' filters set?

No.

Code: [Select]

config show |grep BadCountries
    BadCountries=SG,CN,IN,VN,BR,TW,KR,ID,RU,FI,HK,UA,NG,AR

Code: [Select]

config getprop sshd BadCountries

[root@sme ~]#config getprop sshd BadCountries
[root@sme ~]#
Nothing.

[ReetP]

Why so many IPs (and SPECIALLY so many countries) banned by Xt GeoIP while BadCountries contains only 14 countries

As a thought - this may be down to the mailstats reporting contrib by Brian?

Might need a bug.

[brianr]

As a thought - this may be down to the mailstats reporting contrib by Brian?

Might need a bug.

That table of percentage versus Country code is not from mailstats, the mailstats table shows the country for each of ALL emails for the interval and shows an asterisk if that country appears in the banned list:

Code: [Select]

Geoip results: (cutoff at 0.5%)
---------------------------------------------
Country Percent Count Rejected?
---------------------------------------------
US 88.8% 1129
DE 3.5% 44
GB 2.8% 35
NL 2.4% 31
CH 1.6% 20 *
---------------------------------------------
TOTALS 100.0% 1272
---------------------------------------------


[ReetP]

Ok thanks Brian.

I'll try and take a peek at how this is calculated.

The person who really knows is mab. I'll try & ping them too.

May need a bug.

[ReetP]

So the answers will lie buried in the smeserver-xt_geoip contrib.

First check what the crontab does

Code: [Select]

cat /etc/crontab |grep geoip
Something like this:

Code: [Select]

#       saturday at 06:00 update xtables geoip base
00 06 * * 6 root /usr/share/xt_geoip/update_base >/dev/null
45 1 * * * root /usr/share/xt_geoip/geoip_stats f2b >/dev/null
50 1 * * * root /usr/share/xt_geoip/geoip_stats ssh >/dev/null
55 1 * * * root /usr/share/xt_geoip/geoip_stats ipt >/dev/null
05 2 * * * root /usr/share/xt_geoip/geoip_listat >/dev/null
That wil llead you to

/usr/share/xt_geoip/geoip_stats

Note that it will count entries from Fail2Ban if you have it enabled.

You can also look at generateStats in

Code: [Select]

/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/xt_geoip.pm
That shows you how it reads the generated files for display.

Beyond that we need mab to advise!

[gieres]

Code: [Select]

# cat /etc/crontab |grep geoip

Code: [Select]

#       saturday at 06:00 update xtables geoip base
00 06 * * 6 root /usr/share/xt_geoip/update_base >/dev/null
45 1 * * * root /usr/share/xt_geoip/geoip_stats f2b >/dev/null
50 1 * * * root /usr/share/xt_geoip/geoip_stats ssh >/dev/null
55 1 * * * root /usr/share/xt_geoip/geoip_stats ipt >/dev/null
05 2 * * * root /usr/share/xt_geoip/geoip_listat >/dev/null

As you.

[ReetP]

That is just to help you undestand how it works

Do you have fail2ban installed as well?

[gieres]

Hi,
Thanks for details but it's too hard for me.
Yes, fail2ban is installed :

Code: [Select]

# config show fail2ban
fail2ban=service
    BanTime=2592000
    FindTime=300
    Mail=enabled
    status=enabled


[ReetP]

Yes, fail2ban is installed :

See my comment above:

Note that it will count entries from Fail2Ban if you have it enabled.

Thanks for details but it's too hard for me.

What makes you think it is easy for me?

I just sit patiently and read things. After 40 years i understand a little more.

You just have to roll up your sleeves and start learning.