Extending the blocking to the subnet is a great idea. But again, I am *not* suggesting to block the user! I'm saying to increase the hostile response toward *failed* login IPs.

Regular users should be unaffected.

Daniel

On June 29, 2017 7:03:52 AM Grayhat <gray...@gmx.net> wrote:

On Wed, 28 Jun 2017 08:38:34 -0700, Daniel Miller <dmil...@amfes.com> wrote (in <amfes.93522e7ae3.15cef5aa0a8.27fe.f870105bb83edc7531c2ac44777e3...@amfes.com>):

Again, my request is to auto-block *IPs* of *failed* auths. Not lock
the account. Not block valid auths. Regular users would never see a
problem.

The "problem" with such an approach is the critters I call "slow
crackers"; basically it's a distributed network of bots. Those are
coordinated and will attempt, one at a time, to bruteforce a given
account. This means that you may see two/three logon attempts from
IP#1, then another two/three from IP#2 and so on, rotating IPs through the
whole botnet. This means that, when the penalty time expires, the
botnet has completed quite a number of attempts and can quietly reuse
IP#1 and so on for the next cycle. And while such an approach
may seem slow, it isn't: imagine having multiple bots attempting to
crack a given account and performing the above in parallel. ASSP will
ban the IPs... sure, but that won't help.

On the other hand, banning the account (username) isn't a good idea,
since, as already noted, someone may just lock a legit user out of
his inbox by running a distributed bruteforce attack.

A possible approach may be the following:

Upon a successful logon, ASSP stores the user's /24 subnet, and does the
same for different ones, so ASSP will keep (say) 10 or so IP
ranges associated with an account (ranges may have a timestamp so they will
be removed after some time if they aren't used again).

After a number of failed logons from "unknown" IPs, ASSP will "block"
the account, but the block will ONLY be applied to logon attempts
coming from "unknown" IPs; regular ones will be allowed to go through.

The above means that a (say) German user coming from a given IP block
will be able to access the SMTP even if the user account was blocked
due to repeated bruteforce attempts; at the same time, attempts coming
from (say) China will be rejected with a "no such user" (or the like).

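The known-subnet lockout sketched in the quoted message, written out as an added example (this is not ASSP code and not the author's): successful logons remember the client's /24, and once a configurable number of failures arrive from IPs outside those ranges, the account is blocked only for unknown ranges while known ones keep working, so a rotating "slow cracker" botnet gets nothing after the threshold. The class name, the 30-day range TTL, the 5-failure threshold and the 1-hour block are assumed parameters; the limit of 10 ranges per account is the one named in the message. IPv4 only, as the message talks about /24s.

```python
# Added example, not part of ASSP: the "known /24 ranges" lockout policy
# from the quoted message. Class name and defaults are assumptions.
import ipaddress
import time
from collections import defaultdict


class KnownSubnetGuard:
    """Per-account policy: remember the /24 of each successful logon; after
    `max_failures` failed logons from unknown /24s, reject further attempts
    from unknown /24s for `block_seconds`, but keep admitting known ones."""

    def __init__(self, max_subnets=10, subnet_ttl=30 * 86400,
                 max_failures=5, block_seconds=3600):
        self.max_subnets = max_subnets
        self.subnet_ttl = subnet_ttl
        self.max_failures = max_failures
        self.block_seconds = block_seconds
        self.known = defaultdict(dict)        # account -> {IPv4Network: last_seen}
        self.failures = defaultdict(int)      # account -> failures from unknown /24s
        self.blocked_until = defaultdict(float)

    @staticmethod
    def _subnet(ip):
        return ipaddress.ip_network(f"{ip}/24", strict=False)

    def _is_known(self, account, ip, now):
        subs = self.known[account]
        for s, seen in list(subs.items()):    # expire ranges not used recently
            if now - seen > self.subnet_ttl:
                del subs[s]
        return self._subnet(ip) in subs

    def allow(self, account, ip, now=None):
        """True if the attempt may be checked against the password at all."""
        now = time.time() if now is None else now
        if self._is_known(account, ip, now):
            return True                       # known ranges bypass the block
        return now >= self.blocked_until[account]

    def record(self, account, ip, success, now=None):
        """Update state after the password check (success=True/False)."""
        now = time.time() if now is None else now
        subs = self.known[account]
        if success:
            subs[self._subnet(ip)] = now
            if len(subs) > self.max_subnets:  # evict least recently seen range
                del subs[min(subs, key=subs.get)]
        elif not self._is_known(account, ip, now):
            self.failures[account] += 1       # only unknown-range failures count
            if self.failures[account] >= self.max_failures:
                self.blocked_until[account] = now + self.block_seconds
                self.failures[account] = 0
```

Failures from a known range are deliberately not counted, so a user mistyping a password at home cannot trip the block for the rest of the world, and a legitimate logon during a block does not lift it.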
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
