MS Exchange NLB IP banning #144

@IzualYang

Description

Temporary ban counters for IPs are maintained in memory, and restarting the EvlWatcher service will reset the dictionary (correct me if I am wrong).
Multiple Exchange servers in an NLB have separate event logs. Even if I write a script to periodically merge (and deduplicate) the Permaban list in the configuration files, it takes a service restart to apply the changes, which will impact the permaban mechanism.

Solution:

  • Follow the instructions of this article: https://michaelwaterman.nl/2024/06/29/step-by-step-guide-to-windows-event-forwarding-and-ntlmv1-monitoring/, and configure Windows Event Forwarding (from both servers to both servers). Now we have all the event logs we need on the ForwardedEvents channel on both sides.
  • Merge and deduplicate the whitelist and banlist in the config.xml files, modify the BlockSMTPAuthExchangeFrontend rule and set the EventPath value to ForwardedEvents.
  • Restart the EvlWatcher service, sit back and watch the Live tab on the UI.
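An added example of the merge step in the procedure above (not EvlWatcher's own code and not part of the original issue): it takes the config.xml from each NLB node, unions and deduplicates the whitelist and permaban entries, drops malformed values, keeps the whitelist authoritative on conflicts so a node never permabans an address the other node trusts, and rewrites the EventPath of the BlockSMTPAuthExchangeFrontend rule to ForwardedEvents. The XML layout (`<WhiteList>`/`<PermaBanList>` with `<Entry>` children, `<Rule Name=... EventPath=...>`) is an assumption for illustration, as are the sample addresses; only the rule name and channel name come from the issue. The resulting document would be written to both nodes before the service restart in the last step.

```python
import xml.etree.ElementTree as ET
from ipaddress import ip_network

# Hypothetical config.xml layout (constructed sample, not EvlWatcher's real schema):
# whitelist and permaban entries as <Entry> children, rules as <Rule Name= EventPath=>.
NODE_A_CONFIG = """<Config>
  <WhiteList><Entry>10.0.0.5</Entry><Entry>192.168.10.0/24</Entry></WhiteList>
  <PermaBanList><Entry>203.0.113.7</Entry><Entry>198.51.100.20</Entry></PermaBanList>
  <Rules><Rule Name="BlockSMTPAuthExchangeFrontend" EventPath="Application"/></Rules>
</Config>"""

NODE_B_CONFIG = """<Config>
  <WhiteList><Entry>192.168.10.0/24</Entry><Entry>10.0.0.6</Entry></WhiteList>
  <PermaBanList>
    <Entry>198.51.100.20</Entry><Entry>203.0.113.9</Entry>
    <Entry>192.168.10.77</Entry><Entry>not-an-ip</Entry>
  </PermaBanList>
  <Rules><Rule Name="BlockSMTPAuthExchangeFrontend" EventPath="Application"/></Rules>
</Config>"""

RULE_NAME = "BlockSMTPAuthExchangeFrontend"  # rule named in the issue
FORWARDED_CHANNEL = "ForwardedEvents"         # WEF channel named in the issue


def _net(text):
    # Accepts a single address ('1.2.3.4') or a CIDR block ('1.2.3.0/24').
    return ip_network(text, strict=False)


def _entries(root, list_tag):
    """Collect valid <Entry> values under <list_tag>; malformed values are skipped
    so a typo never silently turns into a ban or an allow."""
    node = root.find(list_tag)
    valid = set()
    for entry in (node.findall("Entry") if node is not None else []):
        text = (entry.text or "").strip()
        try:
            _net(text)
        except ValueError:
            continue
        valid.add(text)
    return valid


def _sort_key(text):
    n = _net(text)
    return (n.version, int(n.network_address), n.prefixlen)


def _covered(entry, whitelist):
    """True if the entry lies inside any whitelisted address or network."""
    e = _net(entry)
    return any(e.version == _net(w).version and e.subnet_of(_net(w)) for w in whitelist)


def merge_configs(xml_a, xml_b, rule_name=RULE_NAME, channel=FORWARDED_CHANNEL):
    """Return (merged_root, whitelist, banlist) for the two nodes' config.xml text."""
    roots = [ET.fromstring(xml_a), ET.fromstring(xml_b)]
    whitelist = sorted(set().union(*(_entries(r, "WhiteList") for r in roots)), key=_sort_key)
    banned = set().union(*(_entries(r, "PermaBanList") for r in roots))
    # Whitelist wins on conflict: never permaban something the other node trusts.
    banlist = sorted((b for b in banned if not _covered(b, whitelist)), key=_sort_key)

    merged = roots[0]  # node A's document is the template for the shared config
    for tag, values in (("WhiteList", whitelist), ("PermaBanList", banlist)):
        node = merged.find(tag)
        if node is None:
            node = ET.SubElement(merged, tag)
        for child in list(node):
            node.remove(child)
        for value in values:
            ET.SubElement(node, "Entry").text = value
    # Point the Exchange rule at the forwarded channel so both nodes see both logs.
    for rule in merged.iter("Rule"):
        if rule.get("Name") == rule_name:
            rule.set("EventPath", channel)
    return merged, whitelist, banlist


def to_xml(root):
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    merged, wl, bl = merge_configs(NODE_A_CONFIG, NODE_B_CONFIG)
    print(to_xml(merged))
```

Note that with the constructed sample, 192.168.10.77 is dropped from the ban list because node A whitelists 192.168.10.0/24, and "not-an-ip" is discarded before it can reach either node's configuration.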
