Re: [courier-users] How to track failed authentication attempts?

2011-02-25 Thread Alessandro Vesely
On 24/Feb/11 22:23, Carlos Lopez wrote:
 The kernel lacks support for Deep Packet Inspection...  With DPI
 you can do all dirty tricks to leave crackers out of the box/net.
 
 It is true that the main kernel does not support it, but there are
 many commercial vendors that are open sourcing their products in
 order to be in the Open Source arena; read this article from the
 internet:
 
 http://www.linux.com/news/enterprise/networking/44079-deep-packet-inspection-engine-goes-open-source

Maybe I'm missing something, but it seems to me that

1. The Linux kernel, via iptables, supports inspecting _any_ value in
a filtered packet.  If tougher inspection is required, the packet can
be passed to a userspace daemon using netfilter (which OpenDPI
apparently can also do.)

2. The OpenDPI software is concerned with classifying protocols and
applications, which is not very relevant to SMTP/IMAP/POP
authentication, as we know both the protocol and the application already.

3. After the TLS handshake, OpenDPI filters are not able to know the
details of the communication.  (In principle, knowing the server's key
and having traced the handshake, it should be possible to decrypt the
packet content.  The closed-source version, ipoque, is claimed to be
able to detect encrypted or obfuscated protocols as well, and this
may be what they mean.)

4. Still, failed authentication attempts from crackers look exactly
like legitimate ones, except for their number.  Tracking them
correctly implies knowledge of the users database (in addition to the
server's keys), hence it is much, much harder to do using an
external tool.

-- 
--
Free Software Download: Index, Search  Analyze Logs and other IT data in 
Real-Time with Splunk. Collect, index and harness all the fast moving IT data 
generated by your applications, servers and devices whether physical, virtual
or in the cloud. Deliver compliance at lower cost and gain new business 
insights. http://p.sf.net/sfu/splunk-dev2dev 
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users


Re: [courier-users] How to track failed authentication attempts?

2011-02-24 Thread Matus UHLAR - fantomas
  Thus an 87382-node botnet can break an average password with 18 bits
  of entropy* by the end of the day, with three attempts from each IP.
 
  Many times?  If many is 35 times per day for 20 years, that makes
  for about 255675 attempts: barely enough to break that 18-bit entropy
  password, let alone a strong one.  OTOH, a million-node botnet could
  easily afford a few thousands attempts per day, from different IP
  addresses, without being noticed.  It would crack most passwords in a
  few months.

On 16.02.11 20:48, Michelle Konzack wrote:
 Hehe, in 2009 (some of my servers are in Khoy/Iran) I have gotten massive
 hack attempts, but my 7600 has blocked the crap successfully.
 
 Unfortunately Linux can not do that.

And that's why we'd like to have the possibility to ban based on something
other than just the IP.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
It's now safe to throw off your computer.



Re: [courier-users] How to track failed authentication attempts?

2011-02-24 Thread Michelle Konzack
Hello Matus UHLAR - fantomas,

On 2011-02-24 15:18:46, you hacked down the following:
  Unfortunately Linux can not do that.
 And that's why we'd like to have possibility to ban based on something
 different than just IP.

The kernel lacks support for Deep Packet Inspection...   With  DPI
you can do all dirty tricks to leave crackers out of the box/net.

Thanks, Greetings and nice Day/Evening
Michelle Konzack

-- 
# Debian GNU/Linux Consultant ##
   Development of Intranet and Embedded Systems with Debian GNU/Linux

itsystems@tdnet France EURL   itsystems@tdnet UG (limited liability)
Owner Michelle Konzack            Owner Michelle Konzack

Apt. 917 (homeoffice)
50, rue de Soultz Kinzigstraße 17
67100 Strasbourg/France   77694 Kehl/Germany
Tel: +33-6-61925193 mobil Tel: +49-177-9351947 mobil
Tel: +33-9-52705884 fix

http://www.itsystems.tamay-dogan.net/  http://www.flexray4linux.org/
http://www.debian.tamay-dogan.net/ http://www.can4linux.org/

Jabber linux4miche...@jabber.ccc.de
ICQ#328449886

Linux-User #280138 with the Linux Counter, http://counter.li.org/




Re: [courier-users] How to track failed authentication attempts?

2011-02-24 Thread Carlos Lopez
 The kernel lacks support for Deep Packet
 Inspection...   With  DPI
 you can do all dirty tricks to leave crackers out of the
 box/net.

It is true that the main kernel does not support it, but there are many 
commercial vendors that are open sourcing their products in order to be in the 
Open Source arena; read this article from the internet:

http://www.linux.com/news/enterprise/networking/44079-deep-packet-inspection-engine-goes-open-source

the vendor specific open source link: http://www.opendpi.org/



Re: [courier-users] How to track failed authentication attempts?

2011-02-16 Thread Alessandro Vesely
Hi :-)

On 16/Feb/11 00:32, Michelle Konzack wrote:
 On 2011-02-15 11:57:34, you hacked down the following:
 Neither of them would resist against distributed attacks, though.
 
 Why?  If you get three failures per IP in a certain time it is blocked...

Thus an 87382-node botnet can break an average password with 18 bits
of entropy* by the end of the day, with three attempts from each IP.

 For example, we could block logins, from any IP address, for
 users affected by more than N failed logins since the last
 password change.
 
 You mean you want to count and store the failures over years?

Yes, for each user.

 I have not changed my password in more than 10 years  because  it  is
 too complex to be hacked  :-D  but I have mistyped my password  many
 times because it is very long...  If people  were sitting  beside  me,  they
 were never able to memorize it...  Hahaha!

Many times?  If many is 35 times per day for 20 years, that makes
for about 255675 attempts: barely enough to break that 18-bit entropy
password, let alone a strong one.  OTOH, a million-node botnet could
easily afford a few thousand attempts per day, from different IP
addresses, without being noticed.  It would crack most passwords in a
few months.

IMHO, counting the global number of failures can counter that.  A
smart system could even estimate the entropy of a cleartext password
and compute N above as a safe fraction of the required number of
attempts, in order to avoid being unduly intrusive.

-- 
[*] Entropy estimate: http://en.wikipedia.org/wiki/Password_strength
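To put the per-IP rule (fail2ban, as suggested earlier in the thread) next to the per-user counter proposed in this message, here is an added example; it is not code from the thread, from Courier or from fail2ban. The log line shape and FAIL_RE regex, the crude entropy estimate and the sample log are assumptions.

```python
"""Per-IP banning (fail2ban style) next to the per-user counter proposed above.

Added example, not Courier's or fail2ban's code.  Assumed: the log line
shape and FAIL_RE, the crude entropy estimate, and the sample data below.
"""
import math
import re
from collections import Counter

# Assumed shape of a courier-imap failure line; adjust to your own maillog.
FAIL_RE = re.compile(r"LOGIN FAILED, user=(?P<user>[^,\s]+), ip=\[(?P<ip>[^\]]+)\]")

def entropy_bits(password: str) -> float:
    """Crude estimate: length * log2(size of the character classes used)."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10)]
    size = sum(n for test, n in classes if any(test(c) for c in password))
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation
    return len(password) * math.log2(size) if size else 0.0

def botnet_nodes_needed(bits: float, attempts_per_ip: int = 3) -> int:
    """Distinct IPs needed to try all 2**bits guesses under a per-IP limit."""
    return math.ceil(2 ** bits / attempts_per_ip)

def typo_attempts(per_day: int = 35, years: int = 20) -> int:
    """Honest mistyped logins one user could accumulate over the years."""
    return round(per_day * 365.25 * years)

def safe_threshold(bits: float, fraction: float = 0.01, floor: int = 100) -> int:
    """N for a user: a small fraction of the guesses a brute force needs."""
    return max(floor, int(fraction * 2 ** bits))

def failures(log: str):
    """Yield (user, ip) for every failed login found in the log text."""
    for line in log.splitlines():
        m = FAIL_RE.search(line)
        if m:
            yield m["user"], m["ip"]

def analyze(log: str, per_ip_limit: int, user_limits: dict):
    """Return (IPs a per-IP rule bans, users the per-user counter locks)."""
    by_ip, by_user = Counter(), Counter()
    for user, ip in failures(log):
        by_ip[ip] += 1
        by_user[user] += 1
    banned = sorted(ip for ip, n in by_ip.items() if n >= per_ip_limit)
    locked = sorted(u for u, n in by_user.items() if n >= user_limits.get(u, 1 << 30))
    return banned, locked

# Constructed sample: one noisy host hammering alice, and a distributed
# attack on bob that stays below the per-IP limit from every address.
SAMPLE_LOG = "\n".join(
    [f"Feb 15 11:57:0{i} mx imapd: LOGIN FAILED, user=alice, ip=[::ffff:203.0.113.9]" for i in range(4)]
    + [f"Feb 15 12:0{i}:00 mx imapd: LOGIN FAILED, user=bob, ip=[::ffff:198.51.100.{i}]" for i in range(10)]
)

if __name__ == "__main__":
    print(botnet_nodes_needed(18), typo_attempts(), safe_threshold(18))  # 87382 255675 2621
    # user limits lowered for the demo; safe_threshold() gives a realistic N
    print(analyze(SAMPLE_LOG, per_ip_limit=3, user_limits={"bob": 8, "alice": 8}))
```

The bob lines never reach the per-IP limit, so only the per-user count, kept since the last password change as proposed above, catches the distributed attack.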


Re: [courier-users] How to track failed authentication attempts?

2011-02-15 Thread Alessandro Vesely
On 14/Feb/11 20:27, Bowie Bailey wrote:
 On 2/14/2011 2:21 PM, Carlos Lopez wrote:
 I was wondering whether there is some way in Courier (using 
 authlib, using authmysql) to catch the event of a multiple
 login failure, such as in the case of spambots trying to
 bruteforce an account, to temporarily ban the IP?

 You can use either the MySQL or the authlib logs and then do a grep or
 any similar tool that can filter any failed login.

 If you want to ban the IP that any anonymous user is using to
 login, in my case I've used Linux IPTABLES and dynamic rule
 changing through a script.
 
 Check out fail2ban.  You can use it to watch the log files and ban any
 IP with more than a certain number of failures.  It can be used for any
 service that logs failures.

Ipqbdb has similar functionality (Linux only).  Neither of them would
resist distributed attacks, though.

The built-in tarpit works well against timid attackers.  Determined
crackers quickly reach the maximum connection limit and may hold it
indefinitely.  I hope we'll have refined better countermeasures by the
time well-crafted attacks come.  For example, we could block
logins, from any IP address, for users affected by more than N failed
logins since the last password change.

jm2c
-- 


Re: [courier-users] How to track failed authentication attempts?

2011-02-15 Thread Sam Varshavchik

Lorenzo Perone writes:

assumed cause. I'm now monitoring the mailq size via zabbix (as simple 
as mailq | wc -l ) and triggering alarms when it keeps growing too 
quickly.  Do you think mailq output is a reliable indicator, or should 


Yes, it's reliable.

we resort to maillog analysis for this, too? One reason why I ask is 
that I vaguely remember messages stuck in the mailq for months, 
although I haven't seen such ones in a while.


No, that shouldn't happen. All messages should have the same maximum 
expiration time.



Re: [courier-users] How to track failed authentication attempts?

2011-02-15 Thread Michelle Konzack
Hello Alessandro Vesely,

On 2011-02-15 11:57:34, you hacked down the following:
 Ipqbdb has similar functionality --Linux only.  Neither of them would
 resist against distributed attacks, though.

Why?  If you get three failures per IP in a certain time it is blocked...

I use fail2ban to get rid of more than 10,000 attempts per day in the form
of dictionary attacks (most of them try around 200  login  attempts  in
series)

 Built-in tarpit works well against timid attackers.  Determined
 crackers quickly reach the maximum connection limit and may hold it
 indefinitely.  I hope we'll have refined better countermeasures by the
 time well crafted attacks will come.  For example, we could block
 logins, from any IP address, for users affected by more than N failed
 logins since the last password change.

You mean you want to count and store the failures over years?

I have not changed my password in more than 10 years  because  it  is
too complex to be hacked  :-D  but I have mistyped my password  many
times because it is very long...  If people  were sitting  beside  me,  they
were never able to memorize it...  Hahaha!

Thanks, Greetings and nice Day/Evening
Michelle Konzack



Re: [courier-users] How to track failed authentication attempts?

2011-02-14 Thread Carlos Lopez
 I was wondering whether there is some way in Courier (using
 authlib, 
 using authmysql) to catch the event of a multiple login
 failure, such as 
 in the case of spambots trying to bruteforce an account, to
 temporarily 
 ban the IP?

You can use either the MySQL or the authlib logs and then do a grep or any similar 
tool that can filter any failed login.

If you want to ban the IP that any anonymous user is using to login, in my case 
I've used Linux IPTABLES and dynamic rule changing through a script.



Re: [courier-users] How to track failed authentication attempts?

2011-02-14 Thread Bowie Bailey
On 2/14/2011 2:21 PM, Carlos Lopez wrote:
 I was wondering whether there is some way in Courier (using
 authlib, 
 using authmysql) to catch the event of a multiple login
 failure, such as 
 in the case of spambots trying to bruteforce an account, to
 temporarily 
 ban the IP?
 You can use either the MySQL or the authlib logs and then do a grep or any similar 
 tool that can filter any failed login.

 If you want to ban the IP that any anonymous user is using to login, in my 
 case I've used Linux IPTABLES and dynamic rule changing through a script.

Check out fail2ban.  You can use it to watch the log files and ban any
IP with more than a certain number of failures.  It can be used for any
service that logs failures.

-- 
Bowie



Re: [courier-users] How to track failed authentication attempts?

2011-02-14 Thread Sam Varshavchik

Lorenzo Perone writes:


Hi List,
Hi Sam,

I was wondering whether there is some way in Courier (using authlib, 
using authmysql) to catch the event of a multiple login failure, such as 
in the case of spambots trying to bruteforce an account, to temporarily 
ban the IP?


Just had a look at the docs but couldn't find anything...
is there any way to implement it?


Just have to have something parsing mail logs, which will record the 
client's IP address, and a very distinctive error message.


But, I don't believe that spambots are really that much of an issue here. 
The built-in error delay makes spambots give up rather quickly.



Re: [courier-users] How to track failed authentication attempts?

2011-02-14 Thread Lorenzo Perone
Hi,

Thanx to everybody here, for such quick replies!

On 2/15/11 12:30 AM, Sam Varshavchik wrote:
 Lorenzo Perone writes:

 I was wondering whether there is some way in Courier (using authlib, 
 using authmysql) to catch the event of a multiple login failure, such 
 as in the case of spambots trying to bruteforce an account, to 
 temporarily ban the IP?
 ...
 Just have to have something parsing mail logs, which will record the 
 client's IP address, and a very distinctive error message.

 But, I don't believe that spambots are really that much of an issue 
 here. The built-in error delay makes spambots give up rather quickly.
You're perfectly right, in fact. They weren't bruteforcing, just 
guessing a few typical pitfalls (doh!).  And I had forgotten about the 
delay, which is a perfect deterrent.

So we resorted to another idea.  In fact problems with spammers using 
some compromised account have been extremely rare (until now), so it is 
more important to find out about it early than trying to solve an 
assumed cause. I'm now monitoring the mailq size via zabbix (as simple 
as mailq | wc -l ) and triggering alarms when it keeps growing too 
quickly.  Do you think mailq output is a reliable indicator, or should 
we resort to maillog analysis for this, too? One reason why I ask is 
that I vaguely remember messages stuck in the mailq for months, 
although I haven't seen such ones in a while.

Thanx for sharing your insight, for all these years over & over..

On 2/14/11 8:21 PM, Carlos Lopez wrote:
 You can use either the MySQL or the authlib logs and then do a grep or any similar 
 tool that can filter any failed login.

On 2/14/11 8:27 PM, Bowie Bailey wrote:
 Check out fail2ban. You can use it to watch the log files and ban any
 IP with more than a certain number of failures.  It can be used for any
 service that logs failures.

Thanks for these tips too. I know about these possibilities, I just 
thought that maybe I was missing something more 'event based' or 
'builtin'.. As for the bans (based on clam/other criteria), I already 
use a combination of temporary bans at courierfilter level (sql tables) 
and (for the stubborn IPs) at os level (pf tables, freebsd).


Regards,

Lorenzo

