On 2024-05-22 at 19:03:48 UTC-0400 (Thu, 23 May 2024 11:03:48 +1200)
Peter via Postfix-users <pe...@pajamian.dhs.org>
is rumored to have said:
On 23/05/24 10:33, Northwind via Postfix-users wrote:
[...]
The attack continues at this time.
My questions are:
1. what's the purpose of this kind of attack? Brute force password
cracking, or DDoS?
Likely brute force.
Not exactly.
"Brute force" password cracking is almost never seen today, as it has
been replaced by a practice commonly called "credential stuffing" where
the attacker has some large collection of known-good username+password
combinations from another source (e.g. one of the many "breaches" of
online systems) and is simply trying the same combinations on your
system. This is a much more targeted attack and so can be slow enough to
evade rate-limit based protections.
This means that you need more prevention than was needed with classic
brute force. An attacker may not be working from a list of random names
and passwords or from common names and passwords, but from some smaller
list of names and passwords specific to your domain and users, so the
chances of a hit are based on whether your users use the same passwords
everywhere.
All the other suggestions are good, and I would add that in addition to
using Geo-IP data for excluding by country or region, you can
proactively exclude other large blocks at the packet level quite
broadly. The Spamhaus DROP list of criminal-controlled ranges would be
the first step, as you can rely on nothing you want coming from those
ranges. Next, you can look at the IPs which are doing the authentication
probes and find large blocks of cheap hosting from which none of your
users will ever be logging in. For example, you can count on never
seeing legitimate traffic on ports 465 or 587 (or any of the POP and
IMAP ports) from AWS, GCP, Linode, Digital Ocean, OVH, Alibaba, or Azure
network ranges.
It is also helpful as a matter of system design to decouple user email
addresses from their login usernames. For example, all of the email
addresses I give to companies are aliases, so none of them are at all
useful if compromised in a breach. The username I use to authenticate to
my mail server cannot be mailed from anywhere but the mail server
itself. This assures that no matter how many systems get breached where
I've got an account, none of those usernames and passwords are useful to
the thieves. I set this up almost 30 years ago as a spam control
measure, but the greatest benefit has been in basic account security.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com
addresses)
Not Currently Available For Hire
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org