Re: how to _delay_ failed authentication
On Wed, Apr 25, 2001 at 03:36:28PM +0200, Karsten W. Rohrbach wrote:
> oh yes it is in control of at least the process it calls directly
> (qmail-popup) which terminates nonzero on auth error

Yeah, it exits nonzero at auth error and it exits nonzero in any other
case. See my post (to qmail list) some days ago. qmail-popup ALWAYS
exits with _exit(1);

> tcpserver lacks the feature of connection rate limiting which exactly
> would be the application in our case. i also thought about defining a
> scheme like openssh does (max simultaneous connections, soft threshold
> for sessions, percentage of connections to drop) combined with some
> advanced tarpitting per ip address (like accept n connections per
> minute from each ip address and back off with delay d and increase
> that delay each connection attempt, and perhaps multiply it with the
> exitcode of the process called). does this make sense?

That's what I'd like to accomplish with the server/client framework I
wrote about. IMHO on a well administered system this is not error
prone - at least not more than having a LDAP or MySQL server for
authentication. The benefit however is that it can also be used in
clustered environments and you won't need code changes to djb software.

Putting all the load on tcpserver itself is IMHO a bad idea:
- it would need massive code changes in tcpserver
- it would slow down tcpserver itself
- depending on implementation tcpserver would need a lot more memory
- you'd have to have different versions of tcpserver (with/without rating)
- on new versions of tcpserver you'd have to port/make patches again
- lack of clustering support (POP-Toasters, SMTP-arrays)

If the client really could not connect to the server you can have a
failsafe method for this that either accepts like for ok or denies like
for fail.

DJB's strategy is always to have small, highly specialised programs for
special tasks. I like this idea, it's in the spirit of Unix and I think
one should stick to it.

	\Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research Development   | D-80807 Muenchen          | Fax: +49 (89) 32356-299
Stress is when you wake up screaming and you realize you haven't fallen
asleep yet.
Re: how to _delay_ failed authentication
Kittiwat Manosuthi [EMAIL PROTECTED] writes:
> Anybody know how to delay failed authentication attempts to prevent
> brute force pwd cracking on POP3 server using qmail vpopmail?

You might be able to do this via PAM, if you have a checkpassword that
supports PAM (available from www.qmail.org):

http://www-uxsup.csx.cam.ac.uk/~pjb1008/project/pam_delay/pam_delay/pam_delay.html

-ScottG.
Re: how to _delay_ failed authentication
On Wed, Apr 25, 2001 at 03:12:31AM +0200, Karsten W. Rohrbach wrote:
> maybe add it to tcpserver?

tcpserver is not in control of checkpassword and has no knowledge of
correct/incorrect user:password pairs.

The solution I would like most (and which would be rather flexible and
also working with clusters) would be to have a fast http server (maybe
based on djb's publicfile). This server would have a configurable sized
hash table (similar to dnscache) and a strategy for expiring entries.
There would be two clients/APIs:
- one would send ip:fail or ip:ok and the server would either increment
  or delete an internal counter
- the other would send ip:query and the server would return allow or deny.
These two clients could be placed within the calling queue after
tcpserver and checkpassword.

Within this framework one could write other clients/servers that would
e.g. allow for controlling the number of smtp connects per IP per time
interval:
- have a client that sends ip:connect to the server and the server
  returns ok or fail.
- if the answer is ok hand over to the next program in queue
- if the answer is fail act similar to rblsmtpd and send a 4xx to every
  SMTP protocol request from the sender.

I've been working on the last server/client with a friend. We have some
code but it's not finished yet.

	\Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research Development   | D-80807 Muenchen          | Fax: +49 (89) 32356-299
Stress is when you wake up screaming and you realize you haven't fallen
asleep yet.
Re: how to _delay_ failed authentication
Markus Stumpf([EMAIL PROTECTED])@2001.04.25 14:38:38 +:
> On Wed, Apr 25, 2001 at 03:12:31AM +0200, Karsten W. Rohrbach wrote:
> > maybe add it to tcpserver?
> 
> tcpserver is not in control of checkpassword and has no knowledge of
> correct/incorrect user:password pairs.

oh yes it is in control of at least the process it calls directly
(qmail-popup) which terminates nonzero on auth error

> The solution I would like most (and which would be rather flexible and
> also working with clusters) would be to have a fast http server (maybe
> based on djb's publicfile). This server would have a configurable sized
> hash table (similar to dnscache) and a strategy for expiring entries.
> There would be two clients/APIs:
> - one would send ip:fail or ip:ok and the server would either increment
>   or delete an internal counter
> - the other would send ip:query and the server would return allow or deny.
> These two clients could be placed within the calling queue after
> tcpserver and checkpassword.

tcpserver lacks the feature of connection rate limiting which exactly
would be the application in our case. i also thought about defining a
scheme like openssh does (max simultaneous connections, soft threshold
for sessions, percentage of connections to drop) combined with some
advanced tarpitting per ip address (like accept n connections per
minute from each ip address and back off with delay d and increase
that delay each connection attempt, and perhaps multiply it with the
exitcode of the process called). does this make sense?

> Within this framework one could write other clients/servers that would
> e.g. allow for controlling the number of smtp connects per IP per time
> interval:
> - have a client that sends ip:connect to the server and the server
>   returns ok or fail.
> - if the answer is ok hand over to the next program in queue
> - if the answer is fail act similar to rblsmtpd and send a 4xx to every
>   SMTP protocol request from the sender.

client server is too error-prone and too mighty for this.

we are talking about pop3 here, not smtp, primarily. the functionality
you are talking about in checkpassword is there afaik with a version
that supports ldap. i would prefer hashing the ip and timestamp
directly to disk.

> I've been working on the last server/client with a friend. We have some
> code but it's not finished yet.
> 
> 	\Maex
> 
> -- 
> SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
> Research Development   | D-80807 Muenchen          | Fax: +49 (89) 32356-299
> Stress is when you wake up screaming and you realize you haven't fallen
> asleep yet.

-- 
Where others possess morals, she has a hole. -- Erich Kaestner
KR433/KR11-RIPE -- http://www.webmonster.de -- ftp://ftp.webmonster.de
[Key] [KeyID---] [Created-] [Fingerprint-]
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
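The counter service Markus sketches (ip:fail / ip:ok / ip:query, an expiring hash table, and ip:connect for per-interval SMTP connect limiting) together with the per-IP tarpit schedule Karsten proposes, as one added example written for this page; it is not code from either poster or from any qmail-related project. The per-IP state lives in a single table shared by every connection, so parallel attempts from one address all count against it, which a per-process sleep alone would not achieve. The request forms are the thread's; the thresholds, the free-attempts allowance, the doubling schedule, the exit-code multiplier reading and the table cap are assumptions.

```python
import time
from collections import OrderedDict


class AuthRateTable:
    """Expiring per-IP table behind the ip:fail / ip:ok / ip:query / ip:connect
    protocol. State is keyed by client IP and kept in one place, so it is
    shared by every concurrent qmail-popup/checkpassword process."""

    def __init__(self, max_fail=5, fail_window=600, max_conn=20, conn_window=60,
                 free_attempts=2, base_delay=1.0, max_delay=60.0, max_entries=4096):
        self.max_fail = max_fail            # failures before ip:query says deny
        self.fail_window = fail_window      # seconds a failure counter is remembered
        self.max_conn = max_conn            # connects allowed per conn_window per IP
        self.conn_window = conn_window
        self.free_attempts = free_attempts  # failures served without a tarpit delay
        self.base_delay = base_delay        # Karsten's "delay d" (assumed value)
        self.max_delay = max_delay
        self.max_entries = max_entries      # hard cap on table size (assumed policy)
        self.fails = OrderedDict()          # ip -> (count, last_failure_ts)
        self.conns = OrderedDict()          # ip -> [connect timestamps]

    def _prune(self, now):
        """Expire old entries; if still over the cap, evict the least recently
        updated IPs first (OrderedDict keeps update order via move_to_end)."""
        for ip, (_, last) in list(self.fails.items()):
            if now - last > self.fail_window:
                del self.fails[ip]
        for ip, stamps in list(self.conns.items()):
            stamps[:] = [t for t in stamps if now - t <= self.conn_window]
            if not stamps:
                del self.conns[ip]
        while len(self.fails) > self.max_entries:
            self.fails.popitem(last=False)
        while len(self.conns) > self.max_entries:
            self.conns.popitem(last=False)

    def handle(self, request, now=None):
        """One request of the form <ip>:<command>; returns the reply string."""
        now = time.time() if now is None else now
        self._prune(now)
        ip, _, cmd = request.strip().rpartition(":")
        if cmd == "fail":                       # bad password: bump the counter
            count = self.fails.get(ip, (0, now))[0] + 1
            self.fails[ip] = (count, now)
            self.fails.move_to_end(ip)
            return str(count)
        if cmd == "ok":                         # good login: forget the IP
            self.fails.pop(ip, None)
            return "ok"
        if cmd == "query":                      # asked before checkpassword runs
            count = self.fails.get(ip, (0, 0))[0]
            return "deny" if count >= self.max_fail else "allow"
        if cmd == "connect":                    # SMTP connects per IP per interval
            stamps = self.conns.setdefault(ip, [])
            self.conns.move_to_end(ip)
            if len(stamps) >= self.max_conn:
                return "fail"                   # caller answers 4xx, rblsmtpd style
            stamps.append(now)
            return "ok"
        return "error"

    def delay(self, ip, exit_code=1, now=None):
        """Tarpit delay in seconds for the next attempt from ip: the first
        free_attempts failures cost nothing, then base_delay doubles with each
        further failure and is multiplied by the exit code of the program that
        failed (one reading of Karsten's scheme), capped at max_delay. The
        value is returned, not slept, so the caller decides what to do."""
        now = time.time() if now is None else now
        self._prune(now)
        excess = self.fails.get(ip, (0, 0))[0] - self.free_attempts
        if excess <= 0:
            return 0.0
        return min(self.max_delay,
                   self.base_delay * 2 ** (excess - 1) * max(1, exit_code))
```

A client placed after checkpassword would send `<ip>:fail` or `<ip>:ok` depending on checkpassword's exit status, and a client placed before it would send `<ip>:query` and exit nonzero on `deny`; the `ip:connect` path is the SMTP variant, where a `fail` reply is turned into 4xx answers for the rest of the session.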
Re: how to _delay_ failed authentication
On Tue, Apr 24, 2001 at 11:48:09AM +0700, Kittiwat Manosuthi wrote:
> Anybody know how to delay failed authentication attempts to prevent
> brute force pwd cracking on POP3 server using qmail vpopmail?

That is completely useless, because of concurrency.

Greetz, Peter.
Re: how to _delay_ failed authentication
On Tue, Apr 24, 2001 at 11:48:09AM +0700, Kittiwat Manosuthi wrote:
> Anybody know how to delay failed authentication attempts to prevent
> brute force pwd cracking on POP3 server using qmail vpopmail?

IMHO not out of the box. But you surely could construct something in
checkpassword that uses a (process independent) ip related counter and
just as you use POP after SMTP to enable relaying you could add ip:deny
lines to your tcpserver control file.

	\Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research Development   | D-80807 Muenchen          | Fax: +49 (89) 32356-299
Stress is when you wake up screaming and you realize you haven't fallen
asleep yet.
Re: how to _delay_ failed authentication
Markus Stumpf([EMAIL PROTECTED])@2001.04.24 19:47:37 +:
> On Tue, Apr 24, 2001 at 11:48:09AM +0700, Kittiwat Manosuthi wrote:
> > Anybody know how to delay failed authentication attempts to prevent
> > brute force pwd cracking on POP3 server using qmail vpopmail?
> 
> IMHO not out of the box. But you surely could construct something in
> checkpassword that uses a (process independent) ip related counter and
> just as you use POP after SMTP to enable relaying you could add ip:deny
> lines to your tcpserver control file.

maybe add it to tcpserver? okay, it would have to have a scoreboard or
whatever you might call it and so fopen() is invoked (maybe) too
often... comments?

/k
-- 
What's the best part of getting a blowjob? Five minutes of silence.
KR433/KR11-RIPE -- http://www.webmonster.de -- ftp://ftp.webmonster.de
[Key] [KeyID---] [Created-] [Fingerprint-]
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
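The checkpassword-side variant Markus suggests (a process-independent per-IP counter feeding ip:deny lines for the tcpserver control file), with the on-disk scoreboard Karsten has in mind, as an added example written for this page; it is not code from the thread, from qmail or from any checkpassword implementation. It relies only on documented checkpassword behaviour (credentials arrive on fd 3, exit status 1 means a bad password, and on success checkpassword execs its remaining arguments). The wrapper name, the GUARD_DIR path, the GUARD_SESSION variable, the thresholds and the JSON-under-flock file layout are assumptions, and because the `--ok` step runs as the user checkpassword switches to, GUARD_DIR is assumed writable by that uid as well as by root.

```python
#!/usr/bin/env python3
"""Added example, not code from the thread or from qmail: a checkpassword
wrapper with a process-independent per-IP failure scoreboard on disk, plus
ip:deny lines for a tcpserver rules file. Assumed run-script invocation:
  qmail-popup HOST /usr/local/bin/checkpassword-guard /bin/checkpassword qmail-pop3d Maildir
"""
import fcntl
import json
import os
import sys
import time

GUARD_DIR = os.environ.get("GUARD_DIR", "/var/qmail/guard")  # assumed path
MAX_FAIL = 5    # failures per IP inside WINDOW before the IP is denied (assumed)
WINDOW = 600    # seconds a failure stays on the scoreboard (assumed)


def prune(board, now):
    """Forget IPs whose last failure is older than WINDOW, so the on-disk
    hash of ip -> (count, timestamp) cannot grow without bound."""
    for ip in [ip for ip, (_, last) in board.items() if now - last > WINDOW]:
        del board[ip]
    return board


def record_failure(board, ip, now):
    prune(board, now)
    count = board.get(ip, (0, now))[0] + 1
    board[ip] = (count, now)
    return count


def record_ok(board, ip):
    board.pop(ip, None)


def is_denied(board, ip, now):
    prune(board, now)
    return board.get(ip, (0, 0))[0] >= MAX_FAIL


def tcprules_lines(board, now):
    """ip:deny lines for a tcpserver rules file (compile them with tcprules),
    the counterpart of the ip:allow lines a POP-before-SMTP setup writes."""
    prune(board, now)
    return sorted("%s:deny" % ip for ip, (count, _) in board.items() if count >= MAX_FAIL)


class Scoreboard:
    """The scoreboard as one JSON file held under flock, so every concurrent
    checkpassword process sees and updates the same counters."""

    def __init__(self, path=os.path.join(GUARD_DIR, "scoreboard.json")):
        self.path = path

    def __enter__(self):
        self.fh = open(self.path, "a+")
        fcntl.flock(self.fh, fcntl.LOCK_EX)
        self.fh.seek(0)
        raw = self.fh.read()
        self.board = {ip: tuple(v) for ip, v in json.loads(raw).items()} if raw else {}
        return self.board

    def __exit__(self, *exc):
        self.fh.seek(0)
        self.fh.truncate()
        json.dump(self.board, self.fh)
        self.fh.flush()
        fcntl.flock(self.fh, fcntl.LOCK_UN)
        self.fh.close()


def main(argv):
    ip = os.environ.get("TCPREMOTEIP", "unknown")    # set by tcpserver
    now = time.time()
    if len(argv) > 2 and argv[1] == "--ok":
        # Executed by the real checkpassword after a good password (as the
        # mail user): clear the counter, leave a marker for the waiting
        # parent, then continue the chain (qmail-pop3d Maildir).
        with Scoreboard() as board:
            record_ok(board, ip)
        open(os.path.join(GUARD_DIR, "ok." + os.environ["GUARD_SESSION"]), "w").close()
        os.execvp(argv[2], argv[2:])
    with Scoreboard() as board:
        denied = is_denied(board, ip, now)
    if denied:
        os.read(3, 512)        # drain what qmail-popup wrote to fd 3
        sys.exit(1)            # same status as a bad password
    os.environ["GUARD_SESSION"] = str(os.getpid())
    pid = os.fork()
    if pid == 0:               # fd 3 is inherited; the real checkpassword reads it
        os.execvp(argv[1], [argv[1], os.path.abspath(sys.argv[0]), "--ok"] + argv[2:])
    _, status = os.waitpid(pid, 0)
    code = os.waitstatus_to_exitcode(status)
    marker = os.path.join(GUARD_DIR, "ok." + str(os.getpid()))
    if os.path.exists(marker):
        os.unlink(marker)      # login succeeded; the session's own status is not ours
    elif code == 1:            # bad password reported by checkpassword
        with Scoreboard() as board:
            record_failure(board, ip, now)
    sys.exit(code if code >= 0 else 1)


if __name__ == "__main__":
    main(sys.argv)
```

The parent stays alive for the length of a successful session only to learn the outcome, and the marker file is what tells it a status of 1 came from qmail-pop3d rather than from checkpassword; without it every odd session exit would count as a failed login. A cron job can call `tcprules_lines` on the same scoreboard and rebuild the rules cdb, which blocks an address at tcpserver before any checkpassword process is spawned.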
Re: how to _delay_ failed authentication
Well.. that's probably the way to go. Unfortunately, it's getting out of
my league now. Anyone think this is an interesting thing to do?

-Kittiwat

From: Karsten W. Rohrbach [EMAIL PROTECTED]
> Markus Stumpf([EMAIL PROTECTED])@2001.04.24 19:47:37 +:
> > On Tue, Apr 24, 2001 at 11:48:09AM +0700, Kittiwat Manosuthi wrote:
> > > Anybody know how to delay failed authentication attempts to prevent
> > > brute force pwd cracking on POP3 server using qmail vpopmail?
> > 
> > IMHO not out of the box. But you surely could construct something in
> > checkpassword that uses a (process independent) ip related counter and
> > just as you use POP after SMTP to enable relaying you could add ip:deny
> > lines to your tcpserver control file.
> 
> maybe add it to tcpserver? okay, it would have to have a scoreboard or
> whatever you might call it and so fopen() is invoked (maybe) too
> often... comments?
> 
> /k
how to _delay_ failed authentication
Anybody know how to delay failed authentication attempts to prevent
brute force pwd cracking on POP3 server using qmail vpopmail?

Sorry for cross posting.

Thanks
-kittiwat