:: On Wed, 28 Jun 2017 08:38:34 -0700 :: <amfes.93522e7ae3.15cef5aa0a8.27fe.f870105bb83edc7531c2ac44777e3...@amfes.com> :: Daniel Miller <dmil...@amfes.com> wrote:
> Again, my request is to auto-block *IPs* of *failed* auths. Not lock
> the account. Not block valid auths. Regular users would never see a
> problem.

The "problem" with such an approach is the critters I call "slow crackers"; basically it's a distributed network of bots which are coordinated and will attempt, one at a time, to bruteforce a given account. This means that you may see two/three logon attempts from IP#1, then another two/three from IP#2 and so on, rotating IPs through the whole botnet. This means that, when the penalty time expires, the botnet has completed quite a number of attempts and can quietly reuse IP#1 and so on to go on for the next cycle. While such an approach may seem slow, it isn't: imagine having multiple bots attempting to crack a given account and performing the above in parallel. ASSP will ban the IPs... sure, but that won't help.

On the other hand, banning the account (username) isn't a good idea, since, as already noted, someone may just lock a legit user out of his inbox by running a distributed bruteforce attack.
A possible approach may be the following:

Upon a successful logon, ASSP stores the /24 user subnet, and does the same for different ones, so ASSP will keep (say) 10 or the like IP ranges associated with an account (ranges may have a timestamp so they will be removed after some time if they aren't used again).

After a number of failed logons from "unknown" IPs, ASSP will "block" the account, but the block will ONLY be applied to logon attempts coming from "unknown" IPs; regular ones will be allowed to go through.

The above means that a (say) German user coming from a given IP block will be able to access the SMTP even if the user account was blocked due to repeated bruteforce attempts; at the same time, attempts coming from (say) China will be rejected with a "no such user" (or the like).
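
A sketch of the per-account known-subnet scheme proposed in the message above, added here as an illustration; it is not ASSP code and not the poster's. The class and function names, the thresholds and the block duration are assumptions, only IPv4 is handled, and the addresses used with it are constructed documentation ranges.

```python
import ipaddress
from collections import defaultdict

MAX_RANGES = 10          # assumed: known /24 ranges kept per account
RANGE_TTL = 30 * 86400   # assumed: unused ranges expire after 30 days
FAIL_LIMIT = 5           # assumed: failures from unknown IPs before blocking
BLOCK_TIME = 3600        # assumed: duration of the unknown-IP block, seconds


def subnet24(ip):
    """Return the /24 network containing an IPv4 address, as a string."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


class KnownSubnetGuard:
    def __init__(self):
        self.known = {}                  # user -> {subnet: last successful use}
        self.fails = defaultdict(int)    # user -> failures from unknown subnets
        self.blocked_until = {}          # user -> end of the unknown-IP block

    def _is_known(self, user, net, now):
        ranges = self.known.get(user, {})
        for stale in [n for n, t in ranges.items() if now - t > RANGE_TTL]:
            del ranges[stale]            # drop ranges not used within the TTL
        return net in ranges

    def attempt(self, user, ip, password_ok, now):
        """Return 'accept', 'reject' or 'blocked' for one logon attempt."""
        net = subnet24(ip)
        known = self._is_known(user, net, now)
        if not known and self.blocked_until.get(user, 0) > now:
            return "blocked"             # refused before the password matters
        if password_ok:
            ranges = self.known.setdefault(user, {})
            ranges[net] = now            # learn or refresh this subnet
            if len(ranges) > MAX_RANGES: # evict the least recently used range
                del ranges[min(ranges, key=ranges.get)]
            return "accept"
        if not known:                    # failures are counted per account, so
            self.fails[user] += 1        # rotating source IPs does not reset it
            if self.fails[user] >= FAIL_LIMIT:
                self.blocked_until[user] = now + BLOCK_TIME
                self.fails[user] = 0
        return "reject"
```

Because the failure counter is keyed on the account rather than the source IP, a botnet that rotates addresses still trips the block, while a logon from a previously learned /24 is evaluated normally.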