What about using the existing AUTH features?

MaxAUTHErrors
ResetMaxAUTHErrorIPs
MaxAUTHErrorIPs
AUTHUserIPfrequency
autValencePB
DelayIP
PenaltyBox

Thomas






From:    Daniel Miller <dmil...@amfes.com>
To:      ASSP development mailing list <assp-test@lists.sourceforge.net>
Date:    29.06.2017 22:37
Subject: Re: [Assp-test] Possible feature requests



Extending the blocking to the subnet is a great idea. But again, I am *not*
suggesting to block the user! I'm saying to increase the hostile response
toward *failed* login IPs.

Regular users should be unaffected.

Daniel



On June 29, 2017 7:03:52 AM Grayhat <gray...@gmx.net> wrote:

> :: On Wed, 28 Jun 2017 08:38:34 -0700
> :: <amfes.93522e7ae3.15cef5aa0a8.27fe.f870105bb83edc7531c2ac44777e3...@amfes.com>
> :: Daniel Miller <dmil...@amfes.com> wrote:
>
>> Again, my request is to auto-block *IPs* of *failed* auths. Not lock
>> the account. Not block valid auths. Regular users would never see a
>> problem.
>
> The "problem" with such an approach is the critters I call "slow
> crackers"; basically it's a distributed network of bots, those are
> coordinated and will attempt, one at a time, to bruteforce a given
> account, this means that you may see two/three logon attempts from
> IP#1, then another two/three from IP#2 and so on, rotating IPs through the
> whole botnet, this means that, when the penalty time expires, the
> botnet has completed quite a number of attempts and can quietly reuse
> IP#1 and so on to go on for the next cycle and, while such an approach
> may seem slow, it isn't, imagine having multiple bots attempting to
> crack a given account and performing the above in parallel, ASSP will
> ban the IPs... sure, but that won't help
>
> On the other hand, banning the account (username) isn't a good idea,
> since, as already noted, someone may just lock off a legit user from
> his inbox by running a distributed bruteforce attack.
>
> A possible approach may be the following:
>
> Upon a successful logon, ASSP stores the /24 user subnet, and does the
> same for different ones, so ASSP will keep (say) 10 or the like IP
> ranges associated with an account (ranges may have a timestamp so will
> be removed after some time if they aren't used again)
>
> After a number of failed logons from "unknown" IPs, ASSP will "block"
> the account, but the block will ONLY be applied to logon attempts
> coming from "unknown" IPs, regular ones will be allowed to go through
>
> The above means that a (say) German user coming from a given IP block
> will be able to access the SMTP even if the user account was blocked
> due to repeated bruteforce attempts, at the same time, attempts coming
> from (say) China will be rejected with a "no such user" (or the like)
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test
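
The scheme Grayhat proposes in the quoted message (remember the /24 ranges of successful logons, count failures from all other ranges per account, and once the limit is hit reject only logons from unknown ranges), sketched in Python as an added example. It is not ASSP code and was not posted in the thread; the class name, the limits and the failure window are assumptions.

```python
import ipaddress
from collections import defaultdict

# All limits below are assumed values, not ASSP settings.
MAX_RANGES = 10            # /24 ranges remembered per account
RANGE_TTL = 30 * 86400     # seconds until an unused range is forgotten
MAX_UNKNOWN_FAILS = 5      # failures from unknown ranges before the block
FAIL_WINDOW = 3600         # seconds a failure keeps counting

class AuthGuard:
    def __init__(self):
        self.known = defaultdict(dict)  # user -> {/24 network: last success}
        self.fails = defaultdict(list)  # user -> failure times, unknown ranges

    @staticmethod
    def subnet(ip):
        # IPv4 only, as in the /24 proposal
        return ipaddress.IPv4Network(f"{ip}/24", strict=False)

    def is_known(self, user, ip, now):
        ranges = self.known[user]
        for net in [n for n, ts in ranges.items() if now - ts > RANGE_TTL]:
            del ranges[net]  # expire ranges not used again in time
        return self.subnet(ip) in ranges

    def allowed(self, user, ip, now):
        """Call before checking the password; False means reject outright."""
        if self.is_known(user, ip, now):
            return True  # the block never applies to the user's own ranges
        self.fails[user] = [t for t in self.fails[user] if now - t <= FAIL_WINDOW]
        return len(self.fails[user]) < MAX_UNKNOWN_FAILS

    def record(self, user, ip, ok, now):
        """Call with the result of the password check."""
        if ok:
            ranges = self.known[user]
            ranges[self.subnet(ip)] = now
            if len(ranges) > MAX_RANGES:
                del ranges[min(ranges, key=ranges.get)]  # drop the oldest
        elif not self.is_known(user, ip, now):
            self.fails[user].append(now)  # counted per account, not per IP

if __name__ == "__main__":
    g = AuthGuard()
    g.record("alice", "198.51.100.7", True, 0)        # constructed sample data
    for t, ip in enumerate(["203.0.113.5", "192.0.2.9"] * 3):
        if g.allowed("alice", ip, t):
            g.record("alice", ip, False, t)           # rotating bots, all fail
    print(g.allowed("alice", "192.0.2.200", 10))      # unknown range
    print(g.allowed("alice", "198.51.100.99", 10))    # user's own /24
```

Because failures are counted per account across all unknown ranges, rotating source IPs does not reset the count, and the user's remembered ranges stay usable while the block is active.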