Koozali.org: home of the SME Server
Contribs.org Forums => Koozali SME Server 10.x Contribs => Topic started by: gieres on September 08, 2023, 03:33:24 PM
-
Hi,
SME 10 - Server and gateway
Xt GeoIP installed
BadCountries:
config show masq
masq=service
BadCountries=SG,CN,IN,VN,BR,TW,KR,ID,RU,FI,HK,UA,NG,AR
DenylogTarget=drop
GeoIP=enabled
Logging=most
Stealth=no
Trace=disabled
XTGeoipOther=disabled
XTGeoipRev=disabled
XtServices=ftp,imap,imaps,pop3,pop3s,qpsmtpd,sqpsmtpd,sshd,pptpd
pptp=yes
status=enabled
In server-manager, in the GeoIP panel, under statistics, it is written:
Administration XTABLES-ADDONS
GeoIP
Statistics generated [ ipt ] 2023/09/08 02:05
Smeserver daily statistics for Xtables - GEOIP
from kooz2.albe.ovh - 2023-09-07
Numbers of IPs banned (xt_geoip) by country during LAST DAY
( XX means 'country not found' )
--------------------
CN | 5752 | 44.6%
IN | 1515 | 11.8%
RU | 1154 | 9.0%
KR | 1246 | 9.7%
XX | 843 | 6.5%
BR | 453 | 3.5%
VN | 360 | 2.8%
TW | 293 | 2.3%
US | 174 | 1.4%
SG | 125 | 1.0%
NL | 135 | 1.0%
HK | 203 | 1.6%
UA | 71 | 0.6%
SE | 4 | 0.0%
PL | 107 | 0.8%
PA | 1 | 0.0%
NG | 13 | 0.1%
LU | 4 | 0.0%
KH | 1 | 0.0%
JP | 76 | 0.6%
IL | 4 | 0.0%
ID | 107 | 0.8%
GB | 32 | 0.2%
FR | 17 | 0.1%
FI | 18 | 0.1%
DE | 24 | 0.2%
CY | 4 | 0.0%
CR | 3 | 0.0%
CO | 26 | 0.2%
CA | 6 | 0.0%
BO | 2 | 0.0%
AU | 2 | 0.0%
AT | 4 | 0.0%
AR | 106 | 0.8%
--------------------
| 12885 | 100%
--------------------
Why are so many IPs (and ESPECIALLY so many countries) banned by Xt GeoIP while BadCountries contains only 14 countries?
Thanks in advance.
-
Have you got any 'per service' filters set?
eg you may have generic ones in
config show masq
But others in:
config show qpsmtpd
Check all your services for 'BadCountries'
config show |grep BadCountries
-
config getprop sshd BadCountries
-
Have you got any 'per service' filters set?
No.
config show |grep BadCountries
BadCountries=SG,CN,IN,VN,BR,TW,KR,ID,RU,FI,HK,UA,NG,AR
config getprop sshd BadCountries
[root@sme ~]#config getprop sshd BadCountries
[root@sme ~]#
Nothing.
-
Why are so many IPs (and ESPECIALLY so many countries) banned by Xt GeoIP while BadCountries contains only 14 countries?
As a thought - this may be down to the mailstats reporting contrib by Brian?
Might need a bug.
-
As a thought - this may be down to the mailstats reporting contrib by Brian?
Might need a bug.
That table of percentage versus Country code is not from mailstats, the mailstats table shows the country for each of ALL emails for the interval and shows an asterisk if that country appears in the banned list:
Geoip results: (cutoff at 0.5%)
---------------------------------------------
Country Percent Count Rejected?
---------------------------------------------
US 88.8% 1129
DE 3.5% 44
GB 2.8% 35
NL 2.4% 31
CH 1.6% 20 *
---------------------------------------------
TOTALS 100.0% 1272
---------------------------------------------
-
Ok thanks Brian.
I'll try and take a peek at how this is calculated.
The person who really knows is mab. I'll try & ping them too.
May need a bug.
-
So the answers will lie buried in the smeserver-xt_geoip contrib.
First check what the crontab does
cat /etc/crontab |grep geoip
Something like this:
# saturday at 06:00 update xtables geoip base
00 06 * * 6 root /usr/share/xt_geoip/update_base >/dev/null
45 1 * * * root /usr/share/xt_geoip/geoip_stats f2b >/dev/null
50 1 * * * root /usr/share/xt_geoip/geoip_stats ssh >/dev/null
55 1 * * * root /usr/share/xt_geoip/geoip_stats ipt >/dev/null
05 2 * * * root /usr/share/xt_geoip/geoip_listat >/dev/null
That will lead you to
/usr/share/xt_geoip/geoip_stats
Note that it will count entries from Fail2Ban if you have it enabled.
You can also look at generateStats in
/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/xt_geoip.pm
That shows you how it reads the generated files for display.
Beyond that we need mab to advise!
-
# cat /etc/crontab |grep geoip
# saturday at 06:00 update xtables geoip base
00 06 * * 6 root /usr/share/xt_geoip/update_base >/dev/null
45 1 * * * root /usr/share/xt_geoip/geoip_stats f2b >/dev/null
50 1 * * * root /usr/share/xt_geoip/geoip_stats ssh >/dev/null
55 1 * * * root /usr/share/xt_geoip/geoip_stats ipt >/dev/null
05 2 * * * root /usr/share/xt_geoip/geoip_listat >/dev/null
Same as yours.
-
That is just to help you understand how it works :-)
Do you have fail2ban installed as well?
-
Hi,
Thanks for details but it's too hard for me.
Yes, fail2ban is installed:
# config show fail2ban
fail2ban=service
BanTime=2592000
FindTime=300
Mail=enabled
status=enabled
-
Yes, fail2ban is installed:
See my comment above:
Note that it will count entries from Fail2Ban if you have it enabled.
Thanks for details but it's too hard for me.
What makes you think it is easy for me?
I just sit patiently and read things. After 40 years I understand a little more.
You just have to roll up your sleeves and start learning.
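The point made above (the daily geoip_stats run counts fail2ban bans alongside the xt_geoip firewall drops, so the panel lists countries that are not in BadCountries) as an added worked example. This is illustrative code written for this page; it is not the smeserver-xt_geoip contrib's geoip_stats script, and the log line layouts, the "denylog:" prefix, the address-to-country table and the sample bans are all constructed assumptions so that it runs offline. The geoip rule only ever drops traffic from BadCountries (or XX when the database has no match), while fail2ban bans individual addresses for behaviour, so a combined count picks up any country at all:

```python
"""Added example: why the GeoIP statistics panel can list more countries than
BadCountries when the daily geoip_stats run also counts fail2ban bans.

Illustrative code, not the smeserver-xt_geoip contrib's geoip_stats script.
The log formats and the IP-to-country table are constructed assumptions."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# The masq BadCountries value from the thread.
BAD_COUNTRIES = "SG,CN,IN,VN,BR,TW,KR,ID,RU,FI,HK,UA,NG,AR".split(",")

# Constructed lookup table standing in for the xt_geoip database (assumption:
# the real contrib resolves addresses against /usr/share/xt_geoip data;
# RFC 5737 documentation prefixes are used here purely as examples).
COUNTRY_TABLE = [
    (ip_network("192.0.2.0/25"), "CN"),
    (ip_network("192.0.2.128/25"), "IN"),
    (ip_network("198.51.100.0/24"), "US"),
    (ip_network("203.0.113.0/24"), "NL"),
]

# Constructed log lines. The "denylog:" kernel prefix and the fail2ban
# "Ban <ip>" layout are assumptions about the two log sources.
IPT_LOG = """\
Sep  7 02:05:01 kooz2 kernel: denylog:IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.1 PROTO=TCP DPT=22
Sep  7 02:05:03 kooz2 kernel: denylog:IN=eth0 OUT= SRC=192.0.2.11 DST=10.0.0.1 PROTO=TCP DPT=25
Sep  7 02:06:10 kooz2 kernel: denylog:IN=eth0 OUT= SRC=192.0.2.200 DST=10.0.0.1 PROTO=TCP DPT=22
Sep  7 02:07:44 kooz2 kernel: denylog:IN=eth0 OUT= SRC=192.0.2.201 DST=10.0.0.1 PROTO=TCP DPT=993
"""
F2B_LOG = """\
2023-09-07 03:10:00,123 fail2ban.actions [1234]: NOTICE [sshd] Ban 198.51.100.7
2023-09-07 03:12:30,456 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.9
2023-09-07 03:15:02,789 fail2ban.actions [1234]: NOTICE [qpsmtpd] Ban 192.0.2.42
2023-09-07 03:20:00,000 fail2ban.actions [1234]: NOTICE [sshd] Ban 10.9.8.7
"""

IPT_RE = re.compile(r"denylog:.*?\bSRC=(\S+)")
F2B_RE = re.compile(r"fail2ban\.actions.*?\bBan (\S+)$")


def lookup_country(ip: str) -> str:
    """ISO code for ip, or XX when the table has no entry ('country not found')."""
    addr = ip_address(ip)
    for net, cc in COUNTRY_TABLE:
        if addr in net:
            return cc
    return "XX"


def banned_ips(log: str, pattern: "re.Pattern") -> list:
    """Extract the source addresses from every line the pattern matches."""
    return [m.group(1) for line in log.splitlines() if (m := pattern.search(line))]


def count_by_country(ips) -> Counter:
    return Counter(lookup_country(ip) for ip in ips)


def daily_report(ipt_log: str = IPT_LOG, f2b_log: str = F2B_LOG,
                 bad_countries=BAD_COUNTRIES) -> dict:
    """Count bans per country per source and flag countries outside BadCountries.

    Geoip-rule drops should only ever be BadCountries (or XX if the database
    is stale); fail2ban bans are per-address and can land in any country.
    """
    ipt = count_by_country(banned_ips(ipt_log, IPT_RE))
    f2b = count_by_country(banned_ips(f2b_log, F2B_RE))
    return {
        "ipt": dict(ipt),
        "f2b": dict(f2b),
        "combined": dict(ipt + f2b),
        "ipt_outside_badcountries": sorted(c for c in ipt if c not in bad_countries),
        "f2b_outside_badcountries": sorted(c for c in f2b if c not in bad_countries),
    }


def format_table(counts: dict) -> str:
    """Render the same shape of table the GeoIP panel shows."""
    total = sum(counts.values())
    if total == 0:
        return "| 0 | 100%"
    rows = [f"{cc} | {n} | {100.0 * n / total:.1f}%"
            for cc, n in sorted(counts.items(), key=lambda kv: -kv[1])]
    return "\n".join(rows + ["-" * 20, f"| {total} | 100%"])


if __name__ == "__main__":
    rep = daily_report()
    print("geoip rule only:")
    print(format_table(rep["ipt"]))
    print("geoip rule + fail2ban (what the panel shows):")
    print(format_table(rep["combined"]))
    print("fail2ban countries outside BadCountries:", rep["f2b_outside_badcountries"])
```

If a country that is not in BadCountries ever shows up in the geoip-rule count on its own (the "ipt" side here), that points at the rule or the database rather than at fail2ban: check that the weekly update_base job is running and that no per-service BadCountries property overrides the masq one.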