Possible feature requests


Possible feature requests

Daniel Miller
I'm not saying either of these is a good idea - just wondering.

Like everybody I see a lot of hack attempts.  One possibility I'm
considering is when a given local account name is tried - but with wrong
passwords - that account is flagged and all further invalid logins are
added to a blacklist.  This is different from the existing MaxAUTHErrors,
because the existing controls are for a single IP.  I'm suggesting
having settings MaxAUTHErrorsAllIPs (number of bad logins for a given
user across ALL IPs) and AUTHUserErrorTime (length of time the account should
be placed in auto-blacklist mode).

The other item is to have a delay on invalid authentication, so invalid
attempts tie up spammer resources and slow their attempts.

--
Daniel


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/assp-test

Re: Possible feature requests

Daniel Miller
My intended function is to specifically block IPs with invalid auths.
So users with properly configured clients will never see an issue.

Daniel

On 6/27/2017 1:07 PM, Robert K Coffman Jr. -Info From Data Corp. wrote:
> A big problem with that is it would cause a DoS for the username if it
> is valid.
>
> - Bob
>
> On 6/27/2017 3:21 PM, Daniel Miller wrote:
>> I'm suggesting having settings MaxAUTHErrorsAllIPs (number of bad
>> logins for a given user across ALL IP's)
>



Re: Possible feature requests

Peter Hinman
My initial reaction to this was "cool idea!", but then I thought about the implications for valid users.  A spammer would essentially be able to lock out valid users - a DoS attack.

I can see use cases where this could be a good feature, but I wouldn't want this feature enabled by default, and I would want some warning in the documentation so that users didn't enable it blindly.

Just my thoughts.

Peter

-----Original Message-----
From: Daniel Miller [mailto:[hidden email]]
Sent: Tuesday, June 27, 2017 2:10 PM
To: ASSP development mailing list <[hidden email]>
Subject: Re: [Assp-test] Possible feature requests

My intended function is to specifically block IP's with invalid auths.  
So users with properly configured clients will never see an issue.

Daniel

Re: Possible feature requests

Doug Lytle (via Assp-test mailing list)
>>> My initial reaction to this was "cool idea!", but then I thought about the implications to valid users.

I currently do this with Fail2Ban with an expire time.

Doug


Re: Possible feature requests

Daniel Miller
In reply to this post by Peter Hinman
Again, my request is to auto-block *IPs* of *failed* auths. Not lock the
account. Not block valid auths. Regular users would never see a problem.

Daniel



On June 28, 2017 8:15:17 AM Peter Hinman <[hidden email]> wrote:

> My initial reaction to this was "cool idea!", but then I thought about the
> implications to valid users.  A spammer would essentially be able to lock
> out valid users - a DOS attack.
>
> I can see use cases where this could be a good feature, but I wouldn't want
> this feature enabled by default, and I would want some warning in the
> documentation so that users didn't enable it blindly.
>
> Just my thoughts.
>
> Peter

Re: Possible feature requests

Daniel Miller
In reply to this post by Doug Lytle (Assp-test mailing list)
Exactly. Just opening a discussion on whether such might be beneficial
integrated in ASSP.

Daniel



On June 28, 2017 8:32:52 AM Doug Lytle via Assp-test
<[hidden email]> wrote:

>>>> My initial reaction to this was "cool idea!", but then I thought about the
>>>> implications to valid users.
>
> I currently do this with Fail2Ban with an expire time.
>
> Doug

Re: Possible feature requests

Daniel Miller
In reply to this post by Doug Lytle (Assp-test mailing list)
Although, unless you've got some special rules, this would be difficult to
implement with fail2ban.

With fail2ban (and I don't play with it much) you could have every failed
auth blocked - but I don't know how to implement immediate blocking after
multiple different IPs fail.

Daniel



On June 28, 2017 8:40:31 AM Daniel Miller <[hidden email]> wrote:

> Exactly. Just opening a discussion on whether such might be beneficial
> integrated in ASSP.
>
> Daniel

Re: Possible feature requests

Doug Lytle (via Assp-test mailing list)

[assp_auth_failure]


# Ignore failures on our local networks
ignoreip = 127.0.0.1 172.21.0.0/16 192.168.0.0/16 10.0.0.0/24

enabled  = true
port     = smtp,ssmtp
# The matching regex lives in filter.d/assp_auth_failure.conf (not shown here)
filter   = assp_auth_failure

action   = iptables-multiport[name=ASSP_AUTH, port="25,587", protocol=tcp]
           sendmail-whois[name=ASSP_AUTH, dest=supportemailaddress]
logpath  = /assp/logs/maillog.txt

# Monitor failures within a 7 day period.
# fail2ban reads findtime and bantime as seconds (10080 would be only
# 2.8 hours), so 7 days is 604800
findtime = 604800

# Ban for 7 days
bantime  = 604800

# 5 failures from a single IP address within $findtime will cause the ban
maxretry = 5


Doug


Re: Possible feature requests

Doug Lytle (via Assp-test mailing list)
In reply to this post by Daniel Miller
>>> but I don't know how to implement immediate blocking after multiple different IPs fail.

I should elaborate a little.

I don't track ASSP logs for failures of any particular email address; I look for any auth failures on a per-IP-address basis and ban accordingly.

Doug


Re: Possible feature requests

GrayHat
In reply to this post by Daniel Miller
On Wed, 28 Jun 2017 08:38:34 -0700, Daniel Miller <[hidden email]> wrote:

> Again, my request is to auto-block *IPs* of *failed* auths. Not lock
> the account. Not block valid auths. Regular users would never see a
> problem.

The "problem" with such an approach is the critters I call "slow
crackers": basically a distributed network of bots that are
coordinated and will attempt, one at a time, to brute-force a given
account. This means that you may see two/three logon attempts from
IP#1, then another two/three from IP#2 and so on, rotating IPs through the
whole botnet. By the time the penalty time expires, the
botnet has completed quite a number of attempts and can quietly reuse
IP#1 and so on for the next cycle. While such an approach
may seem slow, it isn't: imagine having multiple bots attempting to
crack a given account and performing the above in parallel. ASSP will
ban the IPs... sure, but that won't help.

On the other hand, banning the account (username) isn't a good idea
either, since, as already noted, someone may just lock a legit user out of
his inbox by running a distributed brute-force attack.

A possible approach may be the following:

Upon a successful logon, ASSP stores the user's /24 subnet, and does the
same for different ones, so ASSP will keep (say) 10 or so IP
ranges associated with an account (ranges may have a timestamp so they will
be removed after some time if they aren't used again).

After a number of failed logons from "unknown" IPs, ASSP will "block"
the account, but the block will ONLY be applied to logon attempts
coming from "unknown" IPs; regular ones will be allowed through.

The above means that a (say) German user coming from a given IP block
will be able to access SMTP even if the user account was blocked
due to repeated brute-force attempts, while at the same time attempts coming
from (say) China will be rejected with a "no such user" (or the like).

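The following Python model is an added illustration of the two designs discussed in this thread: Daniel's per-account threshold across all IPs (MaxAUTHErrorsAllIPs / AUTHUserErrorTime) plus a delay on failed AUTH, and GrayHat's refinement of restricting the account only for source prefixes it has never logged in from. It is not ASSP code and does not reflect how ASSP implements its own AUTH limits; the constant names, the AuthGuard class and the event data are all constructed for this example.

```python
"""Added example (not ASSP code): per-IP and per-account SMTP AUTH failure
tracking with a trusted-prefix exemption and a growing tarpit delay."""
from collections import defaultdict, deque
import ipaddress

# Illustrative thresholds. The names echo the settings proposed in the thread
# but are NOT real ASSP configuration keys.
MAX_AUTH_ERRORS_PER_IP = 5     # failures one source IP may make in FAIL_WINDOW
MAX_AUTH_ERRORS_ALL_IPS = 10   # failures against one account from ANY IPs
AUTH_USER_ERROR_TIME = 3600    # seconds an account stays in restricted mode
FAIL_WINDOW = 3600             # sliding window for counting failures (seconds)
KNOWN_PREFIXES_PER_ACCOUNT = 10
KNOWN_PREFIX_TTL = 30 * 86400  # forget a prefix not used for 30 days
TARPIT_STEP, TARPIT_MAX = 2.0, 30.0  # delay grows with recent failures per IP


def prefix_of(ip):
    """Aggregate a source address to its /24 (IPv4) or /64 (IPv6)."""
    addr = ipaddress.ip_address(ip)
    bits = 24 if addr.version == 4 else 64
    return ipaddress.ip_network(f"{addr}/{bits}", strict=False)


class AuthGuard:
    def __init__(self):
        self.ip_failures = defaultdict(deque)       # ip -> failure timestamps
        self.account_failures = defaultdict(deque)  # account -> failure timestamps
        self.known_prefixes = defaultdict(dict)     # account -> {prefix: last seen}
        self.restricted_until = {}                  # account -> timestamp

    @staticmethod
    def _recent(dq, now):
        """Drop timestamps older than FAIL_WINDOW and return how many remain."""
        while dq and dq[0] <= now - FAIL_WINDOW:
            dq.popleft()
        return len(dq)

    def is_known(self, account, ip, now):
        prefs = self.known_prefixes[account]
        for p in [p for p, seen in prefs.items() if now - seen > KNOWN_PREFIX_TTL]:
            del prefs[p]
        return prefix_of(ip) in prefs

    def check(self, ip, account, now):
        """Decide before the password is verified. Returns (decision, delay)."""
        ip_fails = self._recent(self.ip_failures[ip], now)
        delay = min(TARPIT_MAX, TARPIT_STEP * ip_fails)
        if ip_fails >= MAX_AUTH_ERRORS_PER_IP:
            return "reject-ip", delay
        if self.restricted_until.get(account, 0) > now and not self.is_known(account, ip, now):
            # Restricted mode only bites sources the account has never logged in
            # from, so a distributed guesser cannot lock the real user out. The
            # SMTP reply should be identical to a wrong-password reply so the
            # attacker cannot tell the two apart.
            return "reject-account", delay
        return "allow", delay

    def record(self, ip, account, success, now):
        """Update counters after the attempt; called for every attempt."""
        if success:
            prefs = self.known_prefixes[account]
            prefs[prefix_of(ip)] = now
            if len(prefs) > KNOWN_PREFIXES_PER_ACCOUNT:
                del prefs[min(prefs, key=prefs.get)]   # drop least recently used
            return
        self.ip_failures[ip].append(now)
        acct = self.account_failures[account]
        acct.append(now)
        if self._recent(acct, now) >= MAX_AUTH_ERRORS_ALL_IPS:
            self.restricted_until[account] = now + AUTH_USER_ERROR_TIME


def replay(events):
    """events: iterable of (timestamp, ip, account, password_ok). Returns decisions."""
    guard, out = AuthGuard(), []
    for now, ip, account, ok in events:
        decision, delay = guard.check(ip, account, now)
        guard.record(ip, account, decision == "allow" and ok, now)
        out.append((now, ip, account, decision, delay))
    return out


def sample_events():
    """Constructed scenario (not real log data): alice logs in from her office,
    a 12-bot botnet then guesses her password two tries per bot, alice comes
    back from the office /24, and one bot hammers bob from a single IP."""
    t = 1498663000
    ev = [(t, "198.51.100.7", "alice", True)]
    for bot in range(1, 13):                       # slow cracker: 2 tries per IP
        for _ in range(2):
            t += 10
            ev.append((t, f"203.0.113.{bot}", "alice", False))
    t += 60
    ev.append((t, "198.51.100.7", "alice", True))  # real user, known /24
    t += 10
    ev.append((t, "198.51.100.9", "alice", False))  # typo from the same /24
    for _ in range(6):                             # single-IP brute force on bob
        t += 5
        ev.append((t, "192.0.2.50", "bob", False))
    return ev


if __name__ == "__main__":
    for now, ip, account, decision, delay in replay(sample_events()):
        print(f"{now} {ip:14} {account:6} {decision:15} delay={delay:.0f}s")
```

Run it stand-alone to see the replay: the first ten botnet guesses are each allowed (no single bot reaches the per-IP limit), the eleventh and later are refused because alice is now restricted and 203.0.113.0/24 is not a prefix she has ever logged in from, alice herself still gets through from 198.51.100.0/24 even with a typo, and the single-IP attack on bob is cut off at the sixth try with a 10 second tarpit. Whether a restricted account should also refuse known prefixes after some much higher count, and how the "known prefix" list is persisted across restarts, are left open here, as they are in the thread.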

Re: Possible feature requests

Daniel Miller
Extending the blocking to the subnet is a great idea. But again, I am *not*
suggesting to block the user! I'm saying to increase the hostile response
toward *failed* login IPs.

Regular users should be unaffected.

Daniel



On June 29, 2017 7:03:52 AM Grayhat <[hidden email]> wrote:

> On Wed, 28 Jun 2017 08:38:34 -0700, Daniel Miller <[hidden email]> wrote:
>
>> Again, my request is to auto-block *IPs* of *failed* auths. Not lock
>> the account. Not block valid auths. Regular users would never see a
>> problem.
>
> The "problem" with such an approach are the critters I call "slow
> crackers"; basically it's a distributed network of bots, those are
> coordinated and will attempt, one at a time, to bruteforce a given
> account, this means that you may see two/three logon attempts from
> IP#1, then other two/three from IP#2 and so on, rotating IP through the
> whole botnet, this means that, when the penalty time will expire, the
> botnet had completed quite a number of attempt and can quietly reuse
> IP#1 and so on to go on for the next cycle and, while such an approach
> may seem slow, it isn't, imagine having multiple bots attempting to
> crack a given account and performing the above in parallel, ASSP will
> ban the IPs... sure, but that won't help

Re: Possible feature requests

Thomas Eckardt/eck
What about using the existing AUTH features?


MaxAUTHErrors
ResetMaxAUTHErrorIPs
MaxAUTHErrorIPs
AUTHUserIPfrequency
autValencePB
DelayIP
PenaltyBox

Thomas






From:        Daniel Miller <[hidden email]>
To:        ASSP development mailing list <[hidden email]>
Date:        29.06.2017 22:37
Subject:        Re: [Assp-test] Possible feature requests




Extending the blocking to the subnet is a great idea. But again, I am *not*
suggesting to block the user! I'm saying to increase the hostile response
toward *failed* login IPs.

Regular users should be unaffected.

Daniel