Re: [Assp-test] Possible feature requests

2017-07-01 Thread Thomas Eckardt
What about using the existing AUTH features:

MaxAUTHErrors
ResetMaxAUTHErrorIPs
MaxAUTHErrorIPs
AUTHUserIPfrequency
autValencePB
DelayIP
PenaltyBox

Thomas






From: Daniel Miller <dmil...@amfes.com>
To: ASSP development mailing list <assp-test@lists.sourceforge.net>
Date: 29.06.2017 22:37
Subject: Re: [Assp-test] Possible feature requests



Extending the blocking to the subnet is a great idea. But again, I am *not*
suggesting to block the user! I'm saying to increase the hostile response
toward *failed* login IPs.

Regular users should be unaffected.

Daniel



On June 29, 2017 7:03:52 AM Grayhat <gray...@gmx.net> wrote:

> :: On Wed, 28 Jun 2017 08:38:34 -0700
> :: <amfes.93522e7ae3.15cef5aa0a8.27fe.f870105bb83edc7531c2ac44777e3...@amfes.com>
> :: Daniel Miller <dmil...@amfes.com> wrote:
>
>> Again, my request is to auto-block *IPs* of *failed* auths. Not lock
>> the account. Not block valid auths. Regular users would never see a
>> problem.
>
> The "problem" with such an approach are the critters I call "slow
> crackers"; basically it's a distributed network of bots, those are
> coordinated and will attempt, one at a time, to bruteforce a given
> account, this means that you may see two/three logon attempts from
> IP#1, then other two/three from IP#2 and so on, rotating IP through the
> whole botnet, this means that, when the penalty time will expire, the
> botnet had completed quite a number of attempt and can quietly reuse
> IP#1 and so on to go on for the next cycle and, while such an approach
> may seem slow, it isn't, imagine having multiple bots attempting to
> crack a given account and performing the above in parallel, ASSP will
> ban the IPs... sure, but that won't help
>
> On the other hand, banning the account (username) isn't a good idea,
> since, as already noted, someone may just lock off a legit user from
> his inbox by running a distributed bruteforce attack.
>
> A possible approach may be the following:
>
> Upon a successful logon, ASSP stored the /24 user subnet, and does the
> same for different ones, so ASSP will keep (say) 10 or the like IP
> ranges associated with an account (ranges may have a timestamp so will
> be removed after some time if they aren't used again)
>
> After a number of failed logons from "unknown" IPs, ASSP will "block"
> the account, but the block will ONLY be applied to logon attempts
> coming from "unknown" IPs, regular one will be allowed to go through
>
> The above means that a (say) German user coming from a given IP block
> will be able to access the SMTP even if the user account was blocked
> due to repeated bruteforce attempts, at the same time, attempts coming
> from (say) China will be rejected with a "no such user" (or the like)
>
>
>
>
>
> --
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> ___
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test





Re: [Assp-test] Possible feature requests

2017-06-29 Thread Daniel Miller
Extending the blocking to the subnet is a great idea. But again, I am *not* 
suggesting to block the user! I'm saying to increase the hostile response 
toward *failed* login IPs.


Regular users should be unaffected.

Daniel



On June 29, 2017 7:03:52 AM Grayhat wrote:

> :: On Wed, 28 Jun 2017 08:38:34 -0700
> :: Daniel Miller wrote:
>
>> Again, my request is to auto-block *IPs* of *failed* auths. Not lock
>> the account. Not block valid auths. Regular users would never see a
>> problem.
>
> The "problem" with such an approach are the critters I call "slow
> crackers"; basically it's a distributed network of bots, those are
> coordinated and will attempt, one at a time, to bruteforce a given
> account, this means that you may see two/three logon attempts from
> IP#1, then other two/three from IP#2 and so on, rotating IP through the
> whole botnet, this means that, when the penalty time will expire, the
> botnet had completed quite a number of attempt and can quietly reuse
> IP#1 and so on to go on for the next cycle and, while such an approach
> may seem slow, it isn't, imagine having multiple bots attempting to
> crack a given account and performing the above in parallel, ASSP will
> ban the IPs... sure, but that won't help
>
> On the other hand, banning the account (username) isn't a good idea,
> since, as already noted, someone may just lock off a legit user from
> his inbox by running a distributed bruteforce attack.
>
> A possible approach may be the following:
>
> Upon a successful logon, ASSP stored the /24 user subnet, and does the
> same for different ones, so ASSP will keep (say) 10 or the like IP
> ranges associated with an account (ranges may have a timestamp so will
> be removed after some time if they aren't used again)
>
> After a number of failed logons from "unknown" IPs, ASSP will "block"
> the account, but the block will ONLY be applied to logon attempts
> coming from "unknown" IPs, regular one will be allowed to go through
>
> The above means that a (say) German user coming from a given IP block
> will be able to access the SMTP even if the user account was blocked
> due to repeated bruteforce attempts, at the same time, attempts coming
> from (say) China will be rejected with a "no such user" (or the like)







Re: [Assp-test] Possible feature requests

2017-06-29 Thread Grayhat
:: On Wed, 28 Jun 2017 08:38:34 -0700
:: Daniel Miller wrote:

> Again, my request is to auto-block *IPs* of *failed* auths. Not lock
> the account. Not block valid auths. Regular users would never see a
> problem.

The "problem" with such an approach are the critters I call "slow
crackers"; basically it's a distributed network of bots, those are
coordinated and will attempt, one at a time, to bruteforce a given
account, this means that you may see two/three logon attempts from
IP#1, then other two/three from IP#2 and so on, rotating IP through the
whole botnet, this means that, when the penalty time will expire, the
botnet had completed quite a number of attempt and can quietly reuse
IP#1 and so on to go on for the next cycle and, while such an approach
may seem slow, it isn't, imagine having multiple bots attempting to
crack a given account and performing the above in parallel, ASSP will
ban the IPs... sure, but that won't help

On the other hand, banning the account (username) isn't a good idea,
since, as already noted, someone may just lock off a legit user from
his inbox by running a distributed bruteforce attack.

A possible approach may be the following:

Upon a successful logon, ASSP stored the /24 user subnet, and does the
same for different ones, so ASSP will keep (say) 10 or the like IP
ranges associated with an account (ranges may have a timestamp so will
be removed after some time if they aren't used again)

After a number of failed logons from "unknown" IPs, ASSP will "block"
the account, but the block will ONLY be applied to logon attempts
coming from "unknown" IPs, regular one will be allowed to go through

The above means that a (say) German user coming from a given IP block
will be able to access the SMTP even if the user account was blocked
due to repeated bruteforce attempts, at the same time, attempts coming
from (say) China will be rejected with a "no such user" (or the like)





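As an added example (not ASSP code and not Grayhat's), the following Python models the per-account "known /24 subnet" policy sketched above and runs it against a constructed slow-cracker rotation: each bot address fails only once, so a per-IP counter such as MaxAUTHErrors never trips, while the account-level block turns unknown addresses away and still admits the user from the learnt subnet. The thresholds, TTLs, addresses and the class and function names are assumptions, not ASSP settings.

```python
# Added example (not ASSP code): the per-account "known /24 subnet" block policy
# from the thread. Thresholds, TTLs, addresses and names are assumptions.
import ipaddress
from collections import defaultdict

MAX_KNOWN_SUBNETS = 10    # "keep (say) 10 or the like IP ranges" per account
SUBNET_TTL = 30 * 86400   # assumed: drop a subnet not seen for 30 days
MAX_UNKNOWN_FAILS = 3     # assumed: unknown-IP failures before the account-block
BLOCK_TTL = 3600          # assumed: lifetime of the unknown-IP block, in seconds


def subnet_of(ip):
    # The /24 a client address belongs to, e.g. 203.0.113.10 -> 203.0.113.0/24
    return ipaddress.ip_network(f"{ip}/24", strict=False)


class AuthPolicy:
    def __init__(self):
        self.known = defaultdict(dict)          # account -> {subnet: last_seen}
        self.unknown_fails = defaultdict(list)  # account -> failure timestamps
        self.blocked_until = {}                 # account -> end of block

    def is_known(self, account, ip, now):
        subs = self.known[account]
        for sub, seen in list(subs.items()):    # expire ranges not used again
            if now - seen > SUBNET_TTL:
                del subs[sub]
        return subnet_of(ip) in subs

    def attempt(self, account, ip, password_ok, now):
        """Return 'ok', 'bad-password', or the block response 'no such user'."""
        known = self.is_known(account, ip, now)
        # The block applies ONLY to logons from unknown subnets; known ones pass.
        if not known and self.blocked_until.get(account, 0) > now:
            return "no such user"
        if password_ok:
            subs = self.known[account]
            subs[subnet_of(ip)] = now           # learn / refresh this /24
            if len(subs) > MAX_KNOWN_SUBNETS:   # evict the least recently seen
                del subs[min(subs, key=subs.get)]
            return "ok"
        if not known:
            fails = self.unknown_fails[account]
            fails.append(now)
            if len(fails) >= MAX_UNKNOWN_FAILS:
                self.blocked_until[account] = now + BLOCK_TTL
                fails.clear()
        return "bad-password"


def slow_cracker_demo():
    """Constructed scenario: one legit logon, then 5 bot IPs each failing once."""
    policy = AuthPolicy()
    policy.attempt("alice", "203.0.113.10", True, 0)       # learns 203.0.113.0/24
    bots = [f"198.51.100.{i}" for i in range(1, 6)]         # constructed bot IPs
    bot_results = [policy.attempt("alice", ip, False, 10 + i) for i, ip in enumerate(bots)]
    legit = policy.attempt("alice", "203.0.113.77", True, 100)  # same /24, while blocked
    return bot_results, legit
```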


Re: [Assp-test] Possible feature requests

2017-06-28 Thread Doug Lytle via Assp-test
>>> but I don't know how to implement immediate blocking after multiple 
>>> different IPs fail.

I should elaborate a little.

I don't track ASSP logs for failures of any particular email address, I look 
for any auth failures on a per IP Address basis and ban accordingly

Doug



Re: [Assp-test] Possible feature requests

2017-06-28 Thread Doug Lytle via Assp-test

[assp_auth_failure]

# Ignore failures on our local networks
ignoreip = 127.0.0.1 172.21.0.0/16 192.168.0.0/16 10.0.0.0/24

enabled  = true
port     = smtp,ssmtp
filter   = assp_auth_failure

action   = iptables-multiport[name=ASSP_AUTH, port="25,587", protocol=tcp]
           sendmail-whois[name=ASSP_AUTH, dest=supportemailaddress]
logpath  = /assp/logs/maillog.txt

# Monitor failures within a 7 day period
# (fail2ban times are in seconds: 7 days = 7 * 86400 = 604800)
findtime = 604800

# Ban for 7 days
bantime  = 604800

# 5 failures from a single IP address within findtime will cause the ban
maxretry = 5


Doug



Re: [Assp-test] Possible feature requests

2017-06-28 Thread Daniel Miller
Although, unless you've got some special rules, this would be difficult to 
implement with fail2ban.


With fail2ban (and I don't play with it much) you could have every failed 
Auth blocked - but I don't know how to implement immediate blocking after 
multiple different IPs fail.


Daniel



On June 28, 2017 8:40:31 AM Daniel Miller wrote:

> Exactly. Just opening a discussion on whether such might be beneficial
> integrated in ASSP.
>
> Daniel
>
> On June 28, 2017 8:32:52 AM Doug Lytle via Assp-test wrote:
>
>> My initial reaction to this was "cool idea!", but then I thought about the
>> implications to valid users.
>>
>> I currently do this with Fail2Ban with an expire time.
>>
>> Doug



Re: [Assp-test] Possible feature requests

2017-06-28 Thread Daniel Miller
Exactly. Just opening a discussion on whether such might be beneficial 
integrated in ASSP.


Daniel



On June 28, 2017 8:32:52 AM Doug Lytle via Assp-test wrote:

> My initial reaction to this was "cool idea!", but then I thought about the
> implications to valid users.
>
> I currently do this with Fail2Ban with an expire time.
>
> Doug



Re: [Assp-test] Possible feature requests

2017-06-28 Thread Daniel Miller
Again, my request is to auto-block *IPs* of *failed* auths. Not lock the 
account. Not block valid auths. Regular users would never see a problem.


Daniel



On June 28, 2017 8:15:17 AM Peter Hinman <peter.hin...@myib.com> wrote:

> My initial reaction to this was "cool idea!", but then I thought about the
> implications to valid users.  A spammer would essentially be able to lock
> out valid users - a DOS attack.
>
> I can see use cases where this could be a good feature, but I wouldn't want
> this feature enabled by default, and I would want some warning in the
> documentation so that users didn't enable it blindly.
>
> Just my thoughts.
>
> Peter
>
> -Original Message-
> From: Daniel Miller [mailto:dmil...@amfes.com]
> Sent: Tuesday, June 27, 2017 2:10 PM
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Subject: Re: [Assp-test] Possible feature requests
>
> My intended function is to specifically block IP's with invalid auths.
> So users with properly configured clients will never see an issue.
>
> Daniel
>
> On 6/27/2017 1:07 PM, Robert K Coffman Jr. -Info From Data Corp. wrote:
>
>> A big problem with that is it would cause a DOS for the username if it
>> is valid.
>>
>> - Bob
>>
>> On 6/27/2017 3:21 PM, Daniel Miller wrote:
>>
>>> I'm suggesting having settings MaxAUTHErrorsAllIPs (number of bad
>>> logins for a given user across ALL IP's)







Re: [Assp-test] Possible feature requests

2017-06-28 Thread Doug Lytle via Assp-test
>>> My initial reaction to this was "cool idea!", but then I thought about the 
>>> implications to valid users. 

I currently do this with Fail2Ban with an expire time.

Doug



Re: [Assp-test] Possible feature requests

2017-06-28 Thread Peter Hinman
My initial reaction to this was "cool idea!", but then I thought about the 
implications to valid users.  A spammer would essentially be able to lock out 
valid users - a DOS attack.

I can see use cases where this could be a good feature, but I wouldn't want 
this feature enabled by default, and I would want some warning in the 
documentation so that users didn't enable it blindly.

Just my thoughts.

Peter

-Original Message-
From: Daniel Miller [mailto:dmil...@amfes.com] 
Sent: Tuesday, June 27, 2017 2:10 PM
To: ASSP development mailing list <assp-test@lists.sourceforge.net>
Subject: Re: [Assp-test] Possible feature requests

My intended function is to specifically block IP's with invalid auths.  
So users with properly configured clients will never see an issue.

Daniel

On 6/27/2017 1:07 PM, Robert K Coffman Jr. -Info From Data Corp. wrote:
> A big problem with that is it would cause a DOS for the username if it 
> is valid.
>
> - Bob
>
> On 6/27/2017 3:21 PM, Daniel Miller wrote:
>> I'm suggesting having settings MaxAUTHErrorsAllIPs (number of bad 
>> logins for a given user across ALL IP's)
>




Re: [Assp-test] Possible feature requests

2017-06-27 Thread Daniel Miller
My intended function is to specifically block IP's with invalid auths.  
So users with properly configured clients will never see an issue.


Daniel

On 6/27/2017 1:07 PM, Robert K Coffman Jr. -Info From Data Corp. wrote:

> A big problem with that is it would cause a DOS for the username if it
> is valid.
>
> - Bob
>
> On 6/27/2017 3:21 PM, Daniel Miller wrote:
>
>> I'm suggesting having settings MaxAUTHErrorsAllIPs (number of bad
>> logins for a given user across ALL IP's)







[Assp-test] Possible feature requests

2017-06-27 Thread Daniel Miller

I'm not saying either of these are good ideas - just wondering.

Like everybody I see a lot of hack attempts.  One possibility I'm 
considering is when a given local account name is tried - but with wrong 
passwords - that account is flagged and all further invalid logins are 
added to a blacklist.  This is different from existing MaxAUTHErrors - 
because the existing controls are for a single IP.  I'm suggesting 
having settings MaxAUTHErrorsAllIPs (number of bad logins for a given 
user across ALL IP's), AUTHUserErrorTime (length of time account should
be placed in auto-blacklist mode).


The other item is to have a delay on invalid authentication - so invalid 
attempts tie up spammer resources and slow their attempts.


--
Daniel

