$EW_GLOBAL usage...

Junior Member
Posts: 37
Joined: Sat Sep 01, 2007 2:13 pm

Postby Johan » Wed May 14, 2014 4:28 pm

This is not working as expected. Can one of you PHP gurus help me with my little problem? :-)

    if ($EW_SESSION['reply'] == '554 Authentication failed') {
        $sid = (string)$EW_SESSION['sid'];
        if (in_array($sid, $EW_GLOBAL)) {
            $EW_GLOBAL[$sid] += 1;
            ew_log($sid . ' Count:' . $EW_GLOBAL[$sid], EW_LOG_LOW);
        } else {
            $EW_GLOBAL[$sid] = 1;
            ew_log($sid . ' Created Global counter!', EW_LOG_LOW);
        }
    }

Also I assume that unset($EW_GLOBAL[$sid]) will remove the array value?

Thanks - Johan

Developer
Posts: 4431
Joined: Tue Apr 20, 2004 3:43 pm

Re: $EW_GLOBAL usage...

Postby Alexander Telegin » Thu May 15, 2014 12:30 pm

You have to use array_key_exists instead of in_array because you store the value by key.

"Also I assume that unset($EW_GLOBAL[$sid]) will remove the array value?"

Yes, it does.

What are you trying to achieve? It's a bad idea to store all session IDs in memory. You may run out of memory in a few days (depending on traffic).

Re: $EW_GLOBAL usage...

Postby Johan » Fri May 23, 2014 4:01 pm

Alex,

I am using it to track DoS and Harvester attacks on my MX servers. I have been testing this since I posted the original message because of your concern about memory usage. I have not seen any significant memory increase to date. I add the SID to $EW_GLOBAL on the OnReply where I detect an authentication failure and track in the array the number of login failures associated with that SID. In the OnDisconnect event I check the login failure count on the SID and if it exceeds my limit I blacklist the IP address. I remove the SID from $EW_GLOBAL with the unset function there as well. Seems to be working really well. This avoids having to track this in a database and the overhead associated with it.

Here is what it looks like in the log...

2014-05-23 08:44:23 3205 0 ------ Requested connection from 222.124.166.253, Country: Indonesia, SID:1405230844230200
2014-05-23 08:44:23 3205 15 OnConnect: Checking DNSBL [253.166.124.222.dnsbl.webequipped.com]
2014-05-23 08:44:25 3205 2168 Connected to xxx.xxx.xxx.xxx
2014-05-23 08:44:26 3205 3198 <-- 220 Hello
2014-05-23 08:44:27 3205 3494 --> EHLO [192.168.2.33]
2014-05-23 08:44:27 3205 3510 <-- 250-Welcome xxx.xxx.xxx.xxx, nice to meet you...
2014-05-23 08:44:27 3205 3510 <-- 250-AUTH=PLAIN LOGIN
2014-05-23 08:44:27 3205 3510 <-- 250-AUTH PLAIN LOGIN
2014-05-23 08:44:27 3205 3510 <-- 250-SIZE 10485760
2014-05-23 08:44:27 3205 3510 <-- 250-VRFY
2014-05-23 08:44:27 3205 3510 <-- 250 HELP
2014-05-23 08:44:27 3205 3869 --> AUTH LOGIN d2F5bmU=
2014-05-23 08:44:27 3205 3884 <-- 334 UGFzc3dvcmQ6
2014-05-23 08:44:27 3205 4259 --> d2F5bmU=
2014-05-23 08:44:27 3205 4274 1405230844230200 Created Global counter!
2014-05-23 08:44:27 3205 4274 <-- 554 Authentication failed
2014-05-23 08:44:28 3205 4617 --> AUTH LOGIN d2F5bmU=
2014-05-23 08:44:28 3205 4633 <-- 334 UGFzc3dvcmQ6
2014-05-23 08:44:28 3205 5023 --> d2F5bmUx
2014-05-23 08:44:28 3205 5039 1405230844230200 Count:2
2014-05-23 08:44:28 3205 5039 <-- 554 Authentication failed
2014-05-23 08:44:29 3205 5413 --> AUTH LOGIN d2F5bmU=
2014-05-23 08:44:29 3205 5429 <-- 334 UGFzc3dvcmQ6
2014-05-23 08:44:29 3205 5803 --> d2F5bmUxMjM=
2014-05-23 08:44:29 3205 5819 1405230844230200 Count:3
2014-05-23 08:44:29 3205 5819 <-- 554 Authentication failed
2014-05-23 08:44:29 3205 6193 --> AUTH LOGIN d2F5bmU=
2014-05-23 08:44:29 3205 6209 <-- 334 UGFzc3dvcmQ6
2014-05-23 08:44:30 3205 6505 --> cGFzc3dvcmQ=
2014-05-23 08:44:30 3205 6521 1405230844230200 Count:4
2014-05-23 08:44:30 3205 6521 <-- 554 Authentication failed
2014-05-23 08:44:30 3205 6911 --> AUTH LOGIN d2F5bmU=
2014-05-23 08:44:30 3205 6926 <-- 334 UGFzc3dvcmQ6
2014-05-23 08:44:30 3205 7223 --> MTIzNDU2
2014-05-23 08:44:30 3205 7238 1405230844230200 Count:5
2014-05-23 08:44:30 3205 7238 <-- 554 Authentication failed
2014-05-23 08:44:31 3205 7550 --> AUTH LOGIN d2F5bmU=
2014-05-23 08:44:31 3205 7566 <-- 334 UGFzc3dvcmQ6
2014-05-23 08:44:31 3205 7878 --> cXdlcnR5
2014-05-23 08:44:31 3205 7893 1405230844230200 Count:6
2014-05-23 08:44:31 3205 7893 <-- 554 Authentication failed
2014-05-23 08:44:31 3205 8221 --> QUIT
2014-05-23 08:44:31 3205 8237 <-- 221 Goodbye
2014-05-23 08:44:31 3205 8252 !Counter = 6
2014-05-23 08:44:31 3205 8252 !Removed the global counter
2014-05-23 08:44:32 3205 8689 !OnDisconnect:Bot_Attack_Detected

Re: $EW_GLOBAL usage...

Postby Alexander Telegin » Sat May 24, 2014 12:57 am

Ah I see. Great idea!
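
The per-session counter described in this thread, with the array_key_exists fix applied, as an added example that is not code from either poster or from eWall. The handler names, both limits and the boolean blacklist decision are assumptions, and ew_log() is replaced by a local stand-in so the script runs on its own.

```php
<?php
// Stand-ins so the sketch runs outside eWall; in a real filter script eWall
// provides $EW_GLOBAL, $EW_SESSION and ew_log(). Everything else is hypothetical.
const MAX_FAILURES = 5;      // assumed limit; the thread does not state Johan's
const MAX_TRACKED  = 10000;  // assumed cap on tracked SIDs to bound memory use

$EW_GLOBAL = [];

function log_line(string $msg): void { echo $msg, PHP_EOL; }  // stands in for ew_log()

// Called for every server reply (the OnReply event in the thread).
function on_reply(array &$global, array $session): void
{
    if ($session['reply'] !== '554 Authentication failed') {
        return;
    }
    $sid = (string)$session['sid'];
    // array_key_exists() looks at keys. in_array() searches the stored counts
    // instead, so the SID is not found and the counter is reset to 1 each time.
    if (array_key_exists($sid, $global)) {
        $global[$sid] += 1;
    } elseif (count($global) < MAX_TRACKED) {
        $global[$sid] = 1;   // new sessions are not tracked once the cap is hit
    }
}

// Called when the client disconnects (OnDisconnect). Returns true when the
// caller should blacklist the peer IP; the counter is released either way.
function on_disconnect(array &$global, array $session): bool
{
    $sid = (string)$session['sid'];
    $failures = array_key_exists($sid, $global) ? $global[$sid] : 0;
    unset($global[$sid]);    // no-op if the SID was never tracked
    return $failures > MAX_FAILURES;
}

// Constructed replay of the session in Johan's log: six failed AUTH attempts.
$session = ['sid' => '1405230844230200', 'reply' => '554 Authentication failed'];
for ($i = 0; $i < 6; $i++) {
    on_reply($EW_GLOBAL, $session);
}
log_line('Count: ' . $EW_GLOBAL[$session['sid']]);
$session['reply'] = '221 Goodbye';
on_reply($EW_GLOBAL, $session);   // non-failure replies leave the counter alone
log_line(on_disconnect($EW_GLOBAL, $session) ? 'blacklist' : 'ok');
log_line('Tracked SIDs left: ' . count($EW_GLOBAL));
```

Because the entry is unset on every disconnect, the array holds only sessions that are currently open and have failed at least once, which is why memory stays flat in practice.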
