Re: [Assp-test] Possible feature requests
What about using the existing AUTH features:

MaxAUTHErrors
ResetMaxAUTHErrorIPs
MaxAUTHErrorIPs
AUTHUserIPfrequency
autValencePB
DelayIP
PenaltyBox

Thomas

From: Daniel Miller <dmil...@amfes.com>
To: ASSP development mailing list <assp-test@lists.sourceforge.net>
Date: 29.06.2017 22:37
Subject: Re: [Assp-test] Possible feature requests

Extending the blocking to the subnet is a great idea. But again, I am *not* suggesting to block the user! I'm saying to increase the hostile response toward *failed* login IPs. Regular users should be unaffected.

Daniel

On June 29, 2017 7:03:52 AM Grayhat <gray...@gmx.net> wrote:

> :: On Wed, 28 Jun 2017 08:38:34 -0700
> :: <amfes.93522e7ae3.15cef5aa0a8.27fe.f870105bb83edc7531c2ac44777e3...@amfes.com>
> :: Daniel Miller <dmil...@amfes.com> wrote:
>
>> Again, my request is to auto-block *IPs* of *failed* auths. Not lock
>> the account. Not block valid auths. Regular users would never see a
>> problem.
>
> The "problem" with such an approach are the critters I call "slow
> crackers"; basically it's a distributed network of bots. Those are
> coordinated and will attempt, one at a time, to bruteforce a given
> account. This means that you may see two/three logon attempts from
> IP#1, then another two/three from IP#2 and so on, rotating IPs through
> the whole botnet. This means that, when the penalty time expires, the
> botnet has completed quite a number of attempts and can quietly reuse
> IP#1 and so on for the next cycle. And while such an approach may seem
> slow, it isn't: imagine having multiple bots attempting to crack a
> given account and performing the above in parallel. ASSP will ban the
> IPs... sure, but that won't help.
>
> On the other hand, banning the account (username) isn't a good idea,
> since, as already noted, someone may just lock a legit user out of his
> inbox by running a distributed bruteforce attack.
>
> A possible approach may be the following:
>
> Upon a successful logon, ASSP stores the user's /24 subnet, and does
> the same for different ones, so ASSP will keep (say) 10 or the like IP
> ranges associated with an account (ranges may have a timestamp so they
> will be removed after some time if they aren't used again).
>
> After a number of failed logons from "unknown" IPs, ASSP will "block"
> the account, but the block will ONLY be applied to logon attempts
> coming from "unknown" IPs; regular ones will be allowed to go through.
>
> The above means that a (say) German user coming from a given IP block
> will be able to access the SMTP even if the user account was blocked
> due to repeated bruteforce attempts; at the same time, attempts coming
> from (say) China will be rejected with a "no such user" (or the like).

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
Re: [Assp-test] Possible feature requests
Extending the blocking to the subnet is a great idea. But again, I am *not* suggesting to block the user! I'm saying to increase the hostile response toward *failed* login IPs. Regular users should be unaffected.

Daniel

On June 29, 2017 7:03:52 AM Grayhat wrote:

> :: On Wed, 28 Jun 2017 08:38:34 -0700
> :: Daniel Miller wrote:
>
>> Again, my request is to auto-block *IPs* of *failed* auths. Not lock
>> the account. Not block valid auths. Regular users would never see a
>> problem.
>
> The "problem" with such an approach are the critters I call "slow
> crackers"; basically it's a distributed network of bots. Those are
> coordinated and will attempt, one at a time, to bruteforce a given
> account. This means that you may see two/three logon attempts from
> IP#1, then another two/three from IP#2 and so on, rotating IPs through
> the whole botnet. This means that, when the penalty time expires, the
> botnet has completed quite a number of attempts and can quietly reuse
> IP#1 and so on for the next cycle. And while such an approach may seem
> slow, it isn't: imagine having multiple bots attempting to crack a
> given account and performing the above in parallel. ASSP will ban the
> IPs... sure, but that won't help.
>
> On the other hand, banning the account (username) isn't a good idea,
> since, as already noted, someone may just lock a legit user out of his
> inbox by running a distributed bruteforce attack.
>
> A possible approach may be the following:
>
> Upon a successful logon, ASSP stores the user's /24 subnet, and does
> the same for different ones, so ASSP will keep (say) 10 or the like IP
> ranges associated with an account (ranges may have a timestamp so they
> will be removed after some time if they aren't used again).
>
> After a number of failed logons from "unknown" IPs, ASSP will "block"
> the account, but the block will ONLY be applied to logon attempts
> coming from "unknown" IPs; regular ones will be allowed to go through.
>
> The above means that a (say) German user coming from a given IP block
> will be able to access the SMTP even if the user account was blocked
> due to repeated bruteforce attempts; at the same time, attempts coming
> from (say) China will be rejected with a "no such user" (or the like).
Re: [Assp-test] Possible feature requests
:: On Wed, 28 Jun 2017 08:38:34 -0700
:: Daniel Miller wrote:

> Again, my request is to auto-block *IPs* of *failed* auths. Not lock
> the account. Not block valid auths. Regular users would never see a
> problem.

The "problem" with such an approach are the critters I call "slow crackers"; basically it's a distributed network of bots. Those are coordinated and will attempt, one at a time, to bruteforce a given account. This means that you may see two/three logon attempts from IP#1, then another two/three from IP#2 and so on, rotating IPs through the whole botnet. This means that, when the penalty time expires, the botnet has completed quite a number of attempts and can quietly reuse IP#1 and so on for the next cycle. And while such an approach may seem slow, it isn't: imagine having multiple bots attempting to crack a given account and performing the above in parallel. ASSP will ban the IPs... sure, but that won't help.

On the other hand, banning the account (username) isn't a good idea, since, as already noted, someone may just lock a legit user out of his inbox by running a distributed bruteforce attack.

A possible approach may be the following:

Upon a successful logon, ASSP stores the user's /24 subnet, and does the same for different ones, so ASSP will keep (say) 10 or the like IP ranges associated with an account (ranges may have a timestamp so they will be removed after some time if they aren't used again).

After a number of failed logons from "unknown" IPs, ASSP will "block" the account, but the block will ONLY be applied to logon attempts coming from "unknown" IPs; regular ones will be allowed to go through.

The above means that a (say) German user coming from a given IP block will be able to access the SMTP even if the user account was blocked due to repeated bruteforce attempts; at the same time, attempts coming from (say) China will be rejected with a "no such user" (or the like).
Re: [Assp-test] Possible feature requests
>>> but I don't know how to implement immediate blocking after multiple
>>> different IPs fail.

I should elaborate a little. I don't track ASSP logs for failures of any particular email address; I look for any auth failures on a per IP address basis and ban accordingly.

Doug
Re: [Assp-test] Possible feature requests
[assp_auth_failure]
# Ignore failures on our local networks
ignoreip = 127.0.0.1 172.21.0.0/16 192.168.0.0/16 10.0.0.0/24
enabled  = true
port     = smtp,ssmtp
filter   = assp_auth_failure
action   = iptables-multiport[name=ASSP_AUTH, port="25,587", protocol=tcp]
           sendmail-whois[name=ASSP_AUTH, dest=supportemailaddress]
logpath  = /assp/logs/maillog.txt
# Monitor failures within a 7 day period (fail2ban reads findtime/bantime in seconds)
findtime = 604800
# Ban for 7 days
bantime  = 604800
# 5 failures from a single IP address within $findtime will cause the ban
maxretry = 5

Doug
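As an added example (not fail2ban's code and not Doug's setup), here is the decision logic this jail describes, replayed in Python over constructed log lines: the ignoreip list, the findtime sliding window with maxretry, and the ban expiry, with the durations in seconds as fail2ban reads them. The log line shape and the names Jail, observe and replay are assumptions, since the thread does not include the assp_auth_failure filter.

```python
import ipaddress
import re
from collections import defaultdict

# Parameters from the [assp_auth_failure] jail above. fail2ban reads bare
# findtime/bantime values as seconds, so "7 days" has to be written as 604800.
IGNORE_IP = ["127.0.0.1", "172.21.0.0/16", "192.168.0.0/16", "10.0.0.0/24"]
FINDTIME = BANTIME = 7 * 24 * 3600
MAXRETRY = 5

# Assumed (constructed) line shape; the real ASSP maillog filter regex is not in the thread.
FAIL_RE = re.compile(r"^(?P<ts>\d+) (?P<ip>[\d.]+) AUTH failed for \S+$")

def is_ignored(ip: str) -> bool:
    """ignoreip semantics: a bare address and a CIDR range both match."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in IGNORE_IP)

class Jail:
    def __init__(self):
        self.failures = defaultdict(list)  # ip -> timestamps of counted failures
        self.banned = {}                   # ip -> epoch at which the ban expires

    def is_banned(self, ip: str, now: int) -> bool:
        return now < self.banned.get(ip, 0)

    def observe(self, line: str):
        """Feed one log line; return the IP if this line triggers a new ban."""
        m = FAIL_RE.match(line)
        if not m:
            return None
        ts, ip = int(m["ts"]), m["ip"]
        if is_ignored(ip) or self.is_banned(ip, ts):
            return None
        # Only failures inside the findtime window count toward maxretry.
        window = [t for t in self.failures[ip] if ts - t <= FINDTIME]
        window.append(ts)
        self.failures[ip] = window
        if len(window) >= MAXRETRY:
            self.banned[ip] = ts + BANTIME
            self.failures[ip] = []
            return ip
        return None

    def replay(self, lines):
        """Feed many lines; return the IPs banned, in order."""
        return [ip for ip in map(self.observe, lines) if ip]

# Constructed sample: five failures from a public IP, six from a host inside the
# ignored 10.0.0.0/24, and a host whose fifth failure comes after findtime expired.
SAMPLE_LOG = [f"{ts} {ip} AUTH failed for {user}" for ip, user, base, n in
              [("203.0.113.5", "alice", 1000, 5), ("10.0.0.7", "bob", 1001, 6),
               ("198.51.100.9", "carol", 1100, 4)] for ts in range(base, base + n)]
SAMPLE_LOG.append("700000 198.51.100.9 AUTH failed for carol")  # the four above have aged out
```

Note that 10.0.1.1 is not covered by the posted `10.0.0.0/24`, so failures from the rest of the 10/8 space are counted.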
Re: [Assp-test] Possible feature requests
Although, unless you've got some special rules, this would be difficult to implement with fail2ban. With fail2ban (and I don't play with it much) you could have every failed Auth blocked - but I don't know how to implement immediate blocking after multiple different IPs fail.

Daniel

On June 28, 2017 8:40:31 AM Daniel Miller wrote:

> Exactly. Just opening a discussion on whether such might be beneficial integrated in ASSP.
>
> Daniel
>
> On June 28, 2017 8:32:52 AM Doug Lytle via Assp-test wrote:
>
>>> My initial reaction to this was "cool idea!", but then I thought about the
>>> implications to valid users.
>>
>> I currently do this with Fail2Ban with an expire time.
>>
>> Doug
Re: [Assp-test] Possible feature requests
Exactly. Just opening a discussion on whether such might be beneficial integrated in ASSP.

Daniel

On June 28, 2017 8:32:52 AM Doug Lytle via Assp-test wrote:

>> My initial reaction to this was "cool idea!", but then I thought about the
>> implications to valid users.
>
> I currently do this with Fail2Ban with an expire time.
>
> Doug
Re: [Assp-test] Possible feature requests
Again, my request is to auto-block *IPs* of *failed* auths. Not lock the account. Not block valid auths. Regular users would never see a problem.

Daniel

On June 28, 2017 8:15:17 AM Peter Hinman <peter.hin...@myib.com> wrote:

> My initial reaction to this was "cool idea!", but then I thought about the implications to valid users. A spammer would essentially be able to lock out valid users - a DOS attack.
>
> I can see use cases where this could be a good feature, but I wouldn't want this feature enabled by default, and I would want some warning in the documentation so that users didn't enable it blindly.
>
> Just my thoughts.
>
> Peter
>
> -----Original Message-----
> From: Daniel Miller [mailto:dmil...@amfes.com]
> Sent: Tuesday, June 27, 2017 2:10 PM
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Subject: Re: [Assp-test] Possible feature requests
>
> My intended function is to specifically block IP's with invalid auths. So users with properly configured clients will never see an issue.
>
> Daniel
>
> On 6/27/2017 1:07 PM, Robert K Coffman Jr. -Info From Data Corp. wrote:
>
>> A big problem with that is it would cause a DOS for the username if it is valid.
>>
>> - Bob
>>
>> On 6/27/2017 3:21 PM, Daniel Miller wrote:
>>
>>> I'm suggesting having settings MaxAUTHErrorsAllIPs (number of bad logins for a given user across ALL IP's)
Re: [Assp-test] Possible feature requests
>>> My initial reaction to this was "cool idea!", but then I thought about the
>>> implications to valid users.

I currently do this with Fail2Ban with an expire time.

Doug
Re: [Assp-test] Possible feature requests
My initial reaction to this was "cool idea!", but then I thought about the implications to valid users. A spammer would essentially be able to lock out valid users - a DOS attack.

I can see use cases where this could be a good feature, but I wouldn't want this feature enabled by default, and I would want some warning in the documentation so that users didn't enable it blindly.

Just my thoughts.

Peter

-----Original Message-----
From: Daniel Miller [mailto:dmil...@amfes.com]
Sent: Tuesday, June 27, 2017 2:10 PM
To: ASSP development mailing list <assp-test@lists.sourceforge.net>
Subject: Re: [Assp-test] Possible feature requests

My intended function is to specifically block IP's with invalid auths. So users with properly configured clients will never see an issue.

Daniel

On 6/27/2017 1:07 PM, Robert K Coffman Jr. -Info From Data Corp. wrote:

> A big problem with that is it would cause a DOS for the username if it
> is valid.
>
> - Bob
>
> On 6/27/2017 3:21 PM, Daniel Miller wrote:
>
>> I'm suggesting having settings MaxAUTHErrorsAllIPs (number of bad
>> logins for a given user across ALL IP's)
Re: [Assp-test] Possible feature requests
My intended function is to specifically block IP's with invalid auths. So users with properly configured clients will never see an issue.

Daniel

On 6/27/2017 1:07 PM, Robert K Coffman Jr. -Info From Data Corp. wrote:

> A big problem with that is it would cause a DOS for the username if it is valid.
>
> - Bob
>
> On 6/27/2017 3:21 PM, Daniel Miller wrote:
>
>> I'm suggesting having settings MaxAUTHErrorsAllIPs (number of bad logins for a given user across ALL IP's)
[Assp-test] Possible feature requests
I'm not saying either of these are good ideas - just wondering. Like everybody I see a lot of hack attempts.

One possibility I'm considering is when a given local account name is tried - but with wrong passwords - that account is flagged and all further invalid logins are added to a blacklist. This is different from existing MaxAUTHErrors - because the existing controls are for a single IP. I'm suggesting having settings MaxAUTHErrorsAllIPs (number of bad logins for a given user across ALL IP's), AUTHUserErrorTime (length of time account should be placed in auto-blacklist mode).

The other item is to have a delay on invalid authentication - so invalid attempts tie up spammer resources and slow their attempts.

--
Daniel
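An added example (not ASSP code) sketching the MaxAUTHErrorsAllIPs / AUTHUserErrorTime settings proposed in this post together with Grayhat's refinement from this thread: an account that hits the cross-IP failure limit is blocked only for clients outside the /24 subnets it has previously logged in from, so a distributed guessing run cannot lock the real user out. The threshold values, the TTL for remembered subnets, the sample addresses and the names AuthGuard, pre_auth and record are assumptions.

```python
import ipaddress
from collections import defaultdict

MaxAUTHErrorsAllIPs = 5        # proposed name; failed logons from unknown subnets, all IPs, per account
AUTHUserErrorTime = 3600       # proposed name; seconds in auto-blacklist mode (value assumed)
KNOWN_RANGE_TTL = 30 * 86400   # seconds an unused trusted /24 is remembered (assumed)
MAX_KNOWN_RANGES = 10          # "(say) 10" ranges per account, as in Grayhat's post

def subnet(ip: str) -> str:
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))  # the /24 Grayhat proposed

class AuthGuard:
    def __init__(self):
        self.known = defaultdict(dict)     # user -> {subnet: time of last successful logon}
        self.failures = defaultdict(list)  # user -> timestamps of failures from unknown subnets
        self.blocked_until = {}            # user -> epoch when auto-blacklist mode ends

    def is_known(self, user, ip, now):
        ranges = self.known[user]
        for r in [r for r, seen in ranges.items() if now - seen > KNOWN_RANGE_TTL]:
            del ranges[r]                  # ranges not used again are forgotten
        return subnet(ip) in ranges

    def pre_auth(self, user, ip, now):
        """Run before the password check; 'reject' is answered like 'no such user'."""
        blocked = now < self.blocked_until.get(user, 0)
        return "reject" if blocked and not self.is_known(user, ip, now) else "allow"

    def record(self, user, ip, success, now):
        """Run after the password check to update the per-account state."""
        if success:
            ranges = self.known[user]
            ranges[subnet(ip)] = now
            if len(ranges) > MAX_KNOWN_RANGES:
                del ranges[min(ranges, key=ranges.get)]   # drop least recently used
            return
        if self.is_known(user, ip, now):
            return  # the user's own typos never push the account into blocked mode
        window = [t for t in self.failures[user] if now - t <= AUTHUserErrorTime]
        window.append(now)
        self.failures[user] = window
        if len(window) >= MaxAUTHErrorsAllIPs:
            self.blocked_until[user] = now + AUTHUserErrorTime
            self.failures[user] = []

def scenario():
    # Constructed run: bots rotate IPs against 'alice', whose real network is 192.0.2.0/24.
    g, t = AuthGuard(), 1_000_000
    g.record("alice", "192.0.2.10", True, t)              # legitimate logon learns the /24
    bots = ["203.0.113.1", "198.51.100.2", "203.0.113.77", "198.51.100.200", "203.0.113.9"]
    for i, ip in enumerate(bots):                         # one wrong guess each
        if g.pre_auth("alice", ip, t + i) == "allow":
            g.record("alice", ip, False, t + i)
    return (g.pre_auth("alice", "203.0.113.5", t + 10),                      # bot: "reject"
            g.pre_auth("alice", "192.0.2.33", t + 10),                       # real user: "allow"
            g.pre_auth("alice", "203.0.113.5", t + 10 + AUTHUserErrorTime))  # later: "allow"
```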