Re: AW: AW: WG: [vchkpw] lock account after login failures
Feucht, Florian writes:

> > Perhaps he did, but "locked out CONNECTIONS from that IP for 10
> > minutes" reads differently to me. If Tom had meant what you said, then
> > I would have expected something like "locked out authentication attempts
> > from that username/IP pair for 10 minutes."
>
> This idea is great, but doesn't work for me, because all traffic passes
> a proxy firewall (including an esmtp daemon) - so the firewall is the one
> and only entity which makes a connection to the mailserver...

We have many clients behind firewalls. They too would suffer from a simple
block on an IP address.

> about the DoS attack: sure, it's possible to knock somebody out of his
> mailbox... but I think this is better than if somebody takes it over...

I think it's a close call. The difference between somebody deleting your
mail before you can read it and somebody blocking your access day after day
is small. Yes, if they can delete your mail they can also read it, which may
be a bigger problem, but being unable to read your mail is bad enough.

As I said before, there are ways to greatly reduce the chances of somebody
getting at your mail. Give your mailbox a randomly-generated name and use an
alias to deliver to it. Then it doesn't matter how weak your password is
because they'll be trying [EMAIL PROTECTED] instead of [EMAIL PROTECTED]
This is something that you can do right now, although it is a pain to
administer. Maybe vpopmail and qmailadmin should be extended so that there
is an option to create random mailbox names with aliases (to avoid name
collisions the random mailbox names would have to start with an underscore
or something like that).

> if it happens that somebody starts DDoS this way, i can do the
> following:
> - look at my firewall log
> - find out his (or hers ;) ) IP Address
> - block the IP(-Pool)
> - contact the ISP, if it doesn't stop.

That was a workable solution three or four years ago. These days the script
kiddies use distributed DoS attacks using hundreds of computers they've
managed to install backdoors on. You could spend every minute of your life
blocking IP addresses and still not be able to pick up your mail. A tarpit
is a two-edged sword...

-- 
Paul Allen
Softflare Support
AW: AW: WG: [vchkpw] lock account after login failures
> Perhaps he did, but "locked out CONNECTIONS from that IP for 10 minutes"
> reads differently to me. If Tom had meant what you said, then I would
> have expected something like "locked out authentication attempts from
> that username/IP pair for 10 minutes."

This idea is great, but doesn't work for me, because all traffic passes a
proxy firewall (including an esmtp daemon) - so the firewall is the one and
only entity which makes a connection to the mailserver...

But for others this might be the best solution...! Thanks for the
information.

about the DoS attack: sure, it's possible to knock somebody out of his
mailbox... but I think this is better than if somebody takes it over...
Personally I feel much better if I know that my mailbox gets locked before
somebody takes my mail away (via pop3) (my opinion)

if it happens that somebody starts DDoS this way, I can do the following:
- look at my firewall log
- find out his (or hers ;) ) IP Address
- block the IP(-Pool)
- contact the ISP, if it doesn't stop.

Best regards
Florian
Re: AW: WG: [vchkpw] lock account after login failures
X-Istence writes:

> Paul L. Allen wrote:
>
> >Tom Collins writes:
> >
> >>What if the system tracked it by IP, and after three failures locked
> >>out connections from that IP for 10 minutes?

[...]

> He meant log it on an account AND ip basis.

Perhaps he did, but "locked out CONNECTIONS from that IP for 10 minutes"
reads differently to me. If Tom had meant what you said, then I would
have expected something like "locked out authentication attempts from
that username/IP pair for 10 minutes."

-- 
Paul Allen
Softflare Support
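The username/IP-pair lockout discussed above, as an added example in C (not vchkpw or vpopmail code): a fixed-size in-memory table of failed logins with the thread's three-failure, ten-minute rule, so that three bad passwords lock only that pair, leaving other users behind the same firewall IP and the same user from another address untouched. The table size, field widths and function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#define MAX_ENTRIES  256   /* assumption: a fixed table is enough for the demo */
#define MAX_FAILURES 3     /* bad passwords allowed before the pair is locked */
#define LOCK_WINDOW  600   /* seconds: the 10-minute window from the thread */

struct fail_entry {
    char user[64];
    char ip[46];           /* room for an IPv6 text address */
    int count;
    time_t window_start;   /* when the current counting window began */
};
static struct fail_entry table[MAX_ENTRIES];
static int n_entries;

static struct fail_entry *find_entry(const char *user, const char *ip)
{
    for (int i = 0; i < n_entries; i++)
        if (strcmp(table[i].user, user) == 0 && strcmp(table[i].ip, ip) == 0)
            return &table[i];
    return NULL;
}

/* 1 if the (user, ip) pair is locked at time now; other pairs are unaffected. */
int pair_is_locked(const char *user, const char *ip, time_t now)
{
    struct fail_entry *e = find_entry(user, ip);
    if (e == NULL || now - e->window_start >= LOCK_WINDOW)
        return 0;          /* unknown pair, or its window has expired */
    return e->count >= MAX_FAILURES;
}

/* Record one bad password for the pair; returns 1 if it is now locked. */
int record_failure(const char *user, const char *ip, time_t now)
{
    struct fail_entry *e = find_entry(user, ip);
    if (e == NULL) {
        if (n_entries >= MAX_ENTRIES)
            return 0;      /* table full: fail open rather than grow unbounded */
        e = &table[n_entries++];
        snprintf(e->user, sizeof e->user, "%s", user);
        snprintf(e->ip, sizeof e->ip, "%s", ip);
    }
    if (e->count == 0 || now - e->window_start >= LOCK_WINDOW) {
        e->window_start = now;   /* start or restart the counting window */
        e->count = 0;
    }
    e->count++;
    return e->count >= MAX_FAILURES;
}
```

Because the key is the pair rather than the IP alone, the one colleague with a stale password in his mail client locks out only himself; the state still has to live somewhere, so a real deployment needs expiry of old entries rather than this fixed table.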
Re: AW: WG: [vchkpw] lock account after login failures
Paul L. Allen wrote:

> Tom Collins writes:
>
> > What if the system tracked it by IP, and after three failures locked
> > out connections from that IP for 10 minutes?
>
> That has problems for companies behind a firewall which use external
> mail servers (we have several clients in that situation). All it takes
> is one person to type his password wrong and they're all locked out for
> ten minutes. Worse, he types it into his mail client configuration and
> polls every five minutes. The result is that they get onto us and
> complain that our mail servers are broken. Then we waste 15 minutes
> convincing them that they have to disable all their mail clients for ten
> minutes then turn them back on one at a time until they find the one
> with the bad password.

He meant log it on an account AND ip basis.
Re: AW: WG: [vchkpw] lock account after login failures
Tom Collins writes:

> What if the system tracked it by IP, and after three failures locked
> out connections from that IP for 10 minutes?

That has problems for companies behind a firewall which use external mail
servers (we have several clients in that situation). All it takes is one
person to type his password wrong and they're all locked out for ten
minutes. Worse, he types it into his mail client configuration and polls
every five minutes. The result is that they get onto us and complain that
our mail servers are broken. Then we waste 15 minutes convincing them that
they have to disable all their mail clients for ten minutes then turn them
back on one at a time until they find the one with the bad password.

-- 
Paul Allen
Softflare Support
Re: AW: WG: [vchkpw] lock account after login failures
On Friday, September 26, 2003, at 03:39 AM, Paul L. Allen wrote:

> You are still not considering the possibility that somebody mounts a
> denial of service attack. An attacker need only make three attempts
> every ten minutes to permanently lock somebody out. And the attacker can
> do that for every mailbox they know of on your system. How would you
> like it if I set up a cron job to run every ten minutes to block
> [EMAIL PROTECTED] I think you'd find it a little inconvenient.

What if the system tracked it by IP, and after three failures locked out
connections from that IP for 10 minutes?

More secure and limits DoS to people who can initiate connections from your
IP (or your proxy server if you use one).

-- 
Tom Collins [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/
Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/
Re: AW: WG: [vchkpw] lock account after login failures
Feucht, Florian writes:

> My idea is to store this information per user, so the others keep
> unaffected from locked mailboxes.
>
> Another Possibility is to lock the account only for a specific amount
> of time (let's say 10 minutes) after 3 password fails. So if somebody
> tries some hardcore brute force, the database grows only for a small
> period of time.

You are still not considering the possibility that somebody mounts a denial
of service attack. An attacker need only make three attempts every ten
minutes to permanently lock somebody out. And the attacker can do that for
every mailbox they know of on your system. How would you like it if I set
up a cron job to run every ten minutes to block [EMAIL PROTECTED] I think
you'd find it a little inconvenient.

There are ways around the problem, as I suggested in another thread on
security issues. Give your mailboxes random names like fekgopwa and use an
alias to take mail for f.feucht and drop it into fekgopwa. Then people
attempting to lock out the f.feucht mailbox would fail because the mailbox
is actually fekgopwa. Of course, you're still at the mercy of packet
sniffers finding out not only the real mailbox name but also the password
unless you use spop.

-- 
Paul Allen
Softflare Support
AW: WG: [vchkpw] lock account after login failures
Hi

My idea is to store this information per user, so the others keep
unaffected from locked mailboxes.

Another Possibility is to lock the account only for a specific amount of
time (let's say 10 minutes) after 3 password fails. So if somebody tries
some hardcore brute force, the database grows only for a small period of
time.

Unfortunately I'm not a good C coder, but I'll try to do this, when I have
some spare time avail... this could be a chance to get into C a little bit
more :)

CU
Flo

-Original Message-
From: Paul L. Allen [mailto:[EMAIL PROTECTED]
Sent: Thursday, 25 September 2003 16:13
To: [EMAIL PROTECTED]
Subject: Re: WG: [vchkpw] lock account after login failures

Feucht, Florian writes:

> is this problem unsolvable, or did i say something wrong?

Doing it the way you suggest, counting failures, means remembering state
somewhere, somehow. If you have a lot of idiot users, this state could
become very large and slow. Also there are two possible denial of service
attacks: the first is somebody deliberately giving a bad password several
times to lock some user out; the second is somebody deliberately giving a
bad password for every user on your system in order to make the state cdb
large and slow.

A simpler, but less effective, mechanism is for vchkpw to sleep for several
seconds before it returns an "invalid password" response. Again, there is a
denial of service attack which can be used if somebody has a big enough
computer or a distributed attack network: keep giving bad passwords for all
users so there are lots of processes sleeping and your machine spends all
its time swapping them in and out.

-- 
Paul Allen
Softflare Support