Block IPs automatically

Are those connections trying to log in to IW, SSH, FTP, etc.?

If so, clearly relying on x failures from y IP isn’t going to cut it, as you pointed out. Still, security is best done in a layered approach, and with all the brute force attacks that use a single IP I believe autoblocking is a good thing.

Since security is a journey not a destination as what can’t be done may be possible tomorrow it is good to have layers. In cPanel one could set their account to use double authentication. Even after the correct user/pass was entered, if enabled, cPanel would then ask four questions before allowing a user to continue.

Once a positive login was performed cPanel stored that IP for future access so each additional login wouldn’t require answering those questions. This was a good balance because it provided additional security and wasn’t overly annoying.

It is unfortunate so little attention is paid to security. I mean, just look at Target. Yeah, let’s give access to remote companies, yet run all network traffic unsegmented. Those keyless car keys have no real security in them, which is why more advanced thieves have been able to steal the codes out of the air. So many hardware devices and programs are so insecure it is really sad.

I heard one story of a couple that hooked up a baby monitor to their wireless network and, due to a poor security setup, a remote user accessed their equipment and started speaking through the system. Another example is SQL injection attacks. They ALWAYS mean poor programming. It means the programmer(s) failed to sanitize user input; always.

And now more and more devices are rushing to become web enabled, like refrigerators, washers, cars, etc., and there are no real security thoughts going into these products. Oh, and we can’t forget smartphones. That in and of itself could fill TBs of poorly configured phones and programs.

So yeah, I agree with your general idea that this solution won’t stop those quick connects from a single IP, but still there is a problem for the attackers. If they want to hit an account and try 5,000 user/pass logins they will need 5,000 separate IPs. Not impossible for bot networks, but still it isn’t as clear cut as blasting 5,000 from a single IP. Now ramp that up to 100,000 IDs. Yup, again not impossible, but it takes more than a script running on a server in China or Russia.

So the journey of security continues. I will say do your best to lock down everything you can, whitelist what you can, open as few ports as possible, run multiple layers of security when you can, and keep your eyes open for new methods to counteract those crafty attackers.

Hi Jeremy

I hope you don’t mind, and I have thought about your response, which is good, but there’s a lot more to it than what can be said on here, and it probably should be on its own thread. But whilst we do have a lot of layers, from a lot of systems (firewalls, IDS, IPS, etc.), it reminds me of an email which did not do as it stated, and it was fright which made people react, even though no real threat was involved, thereby causing the user to create the issue, and I think if we’re not careful the same could happen here.

It would be lovely to see threat level protection, i.e. an initial probe goes on a grey list; if the IP is matched on a longer attack, it goes on a red list; if brute force etc. is detected on the same IP, it goes on a black list, a full block. The levels are reduced via the number of detections before being progressed to the higher level list.

This seems a better way, without inducing user-induced slowdowns from overly large lists.

I hope this makes sense, and apologies if I have not explained it too well.

Many thanks

John
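The grey/red/black escalation described above, as an added example that is not part of the thread and not BFD's own code: a small POSIX shell script that counts detections per IP and assigns a level, with thresholds (GREY_AT, RED_AT, BLACK_AT), the level names, the action names and the sample detections all constructed for the illustration. Only the black level would ever reach the firewall deny list, which is the point about keeping large lists from slowing things down.

```shell
#!/bin/sh
# Added example (not code from the thread or from BFD): a per-IP escalation
# counter for the grey/red/black list idea. Thresholds are constructed
# assumptions; a real deployment would tune them like BFD's TRIG value.
GREY_AT=3     # detections before an IP is grey-listed (logged and watched)
RED_AT=10     # detections before it is red-listed (e.g. rate-limited)
BLACK_AT=25   # detections before it is black-listed (full block)

# classify_ips: reads one IP per detection on stdin, prints "ip level count"
# per IP, sorted. "watch" means the IP is below every threshold.
classify_ips() {
    awk -v grey="$GREY_AT" -v red="$RED_AT" -v black="$BLACK_AT" '
        { n[$1]++ }
        END {
            for (ip in n) {
                lvl = "watch"
                if (n[ip] >= black)     lvl = "black"
                else if (n[ip] >= red)  lvl = "red"
                else if (n[ip] >= grey) lvl = "grey"
                print ip, lvl, n[ip]
            }
        }' | sort
}

# level_for IP: the level of one IP given the detections on stdin
# ("none" if the IP never appeared).
level_for() {
    lvl=$(classify_ips | awk -v ip="$1" '$1 == ip { print $2 }')
    echo "${lvl:-none}"
}

# action_for LEVEL: the response each level gets. Only "black" needs a
# firewall entry; grey and red stay cheap, so the deny list stays short.
action_for() {
    case "$1" in
        black) echo "deny" ;;
        red)   echo "rate-limit" ;;
        grey)  echo "log" ;;
        *)     echo "none" ;;
    esac
}

# Constructed sample detections: one line per failed login reported by an
# extraction rule, so an IP appears once per failure.
repeat_ip() { i=0; while [ "$i" -lt "$2" ]; do echo "$1"; i=$((i + 1)); done; }
sample_detections() {
    repeat_ip 203.0.113.7 30    # persistent brute force
    repeat_ip 198.51.100.4 12   # sustained probing
    repeat_ip 192.0.2.9 4       # a few mistyped passwords
    repeat_ip 192.0.2.10 1      # a single failure
}

# Stand-alone run: show each IP's level and the action it would receive.
sample_detections | classify_ips | while read -r ip lvl cnt; do
    echo "$ip $cnt failures -> $lvl -> $(action_for "$lvl")"
done
```

Feed it real detections by replacing `sample_detections` with the IP column of a rule's output; the counts reset each run, so a production version would persist them (or decay them) between runs, which the thread's "levels are reduced" remark hints at.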

I agree security is a huge topic and really could have its own separate forum on this board as there are so many angles.

As for this specific issue, one does have to consider their environment. I would agree, for sure, that in a general hosting setup the autoban trigger setting should be high, like 100, 200, or 500. In BFD that is very easy to do as it is just a setting in a conf file. That should rule out even most accidental users.

If the trigger for failed logins was set at 100 or 200 and someone did get added, it is easy to remove them by editing the APF deny list. Of course, if the environment is more controlled, like just a single corporation with an IT team (or person), then a lower setting is probably more advisable.

I’ve just installed BFD for testing. It works fine on maillog for vchkpw-pop3 entries, but I can’t use it on vchkpw-smtp entries. I made a new rule for them:

REQ="/var/qmail/bin/qmail-smtpd"

if [ -f "$REQ" ]; then
 PORTS="25,465,587"
 LP="/var/log/maillog"
 TLOG_TF="vpopmail"

 ## vpopmail [qmail]
 ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | sed -e 's/::ffff://' | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | sed -n -e '/vchkpw-smtp: null password given/s/.*null password given \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p' -e '/vchkpw-smtp: vpopmail user not found/s/.*vpopmail user not found \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p'` 
fi

What could be the problem?

Thank you!

Hi Dss

I hope you don’t mind my thoughts. I also looked at SMTP, but quickly came to the conclusion that for me it does not matter, as the same IP tried POP as well as SMTP (well, from what I could see anyway), and Spamdyke is more useful for SMTP, for many reasons, including limiting the number of recipients a sender could send to.

Many thanks

John

Hello,

Here’s a rule that will work in BFD for SMTP:

# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
#TRIG="10"

# file must exist for rule to be active
REQ="/var/qmail/bin/qmail-smtpd"

if [ -f "$REQ" ]; then
 LP="/var/log/maillog"
 TLOG_TF="vsmtpmail"

 ## vpopmail [qmail]
 ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | sed -e 's/::ffff://' | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | sed -n -e '/vchkpw-smtp: password fail/s/.*password fail \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p' -e '/vchkpw-smtp: system user not found/s/.*system user not found \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p' -e '/vchkpw-smtp: vpopmail user not found/s/.*vpopmail user not found \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p'`
fi
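To see what the two posted rules actually extract, here is an added example (not code from the thread or from BFD) that runs their sed pipeline over a few constructed maillog lines, with stdin standing in for BFD's tlog tracker (`$TLOG_PATH $LP $TLOG_TF`). It merges the four message patterns used across Dss's rule and the SMTP rule; the log line format is assumed from the patterns themselves, and the helper names (`extract_smtp_failures`, `count_by_ip`, `ips_over_trigger`) are mine. The sample run shows the `::ffff:` prefix being normalised so the same IPv4 address is counted twice, and that for "password fail" lines the first capture picks up the `(pass:` token rather than the mailbox, which is harmless for banning since only the IP part of BFD's `ip:user` output matters.

```shell
#!/bin/sh
# Added example (not code from the thread or from BFD): the sed extraction
# from the posted rules run over constructed maillog lines.

# Constructed sample lines in vpopmail/vchkpw style (the exact format is assumed).
sample_maillog() {
cat <<'EOF'
Mar  4 10:15:22 mail vpopmail[2101]: vchkpw-smtp: password fail (pass: 'hunter2') bob@example.com:203.0.113.7
Mar  4 10:15:23 mail vpopmail[2102]: vchkpw-smtp: vpopmail user not found nobody@example.com:198.51.100.4
Mar  4 10:15:24 mail vpopmail[2103]: vchkpw-smtp: password fail (pass: 'x') bob@example.com:::ffff:203.0.113.7
Mar  4 10:15:25 mail vpopmail[2104]: vchkpw-smtp: null password given carol@example.com:192.0.2.9
Mar  4 10:15:26 mail vpopmail[2105]: vchkpw-pop3: password fail (pass: 'x') alice@example.com:192.0.2.9
Mar  4 10:15:27 mail vpopmail[2106]: vchkpw-smtp: login success bob@example.com:203.0.113.8
EOF
}

# extract_smtp_failures: the rules' pipeline. Strips the IPv4-mapped IPv6
# prefix, keeps lines carrying an IPv4 address, and for each vchkpw-smtp
# failure prints "ip:first-token-after-the-message" (BFD's ip:user form).
# pop3 lines and successful logins never match.
extract_smtp_failures() {
    sed -e 's/::ffff://' \
    | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' \
    | sed -n \
        -e '/vchkpw-smtp: password fail/s/.*password fail \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p' \
        -e '/vchkpw-smtp: system user not found/s/.*system user not found \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p' \
        -e '/vchkpw-smtp: vpopmail user not found/s/.*vpopmail user not found \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p' \
        -e '/vchkpw-smtp: null password given/s/.*null password given \([^ ]*\)\(.*\):\([^ ]*\).*/\3:\1/p'
}

# count_by_ip: "ip count" per address, most failures first (the ip part is
# everything before the first colon of the ip:user output).
count_by_ip() {
    cut -d: -f1 | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# ips_over_trigger TRIG: addresses at or above the ban threshold, i.e. what a
# rule's TRIG value selects from the extracted failures.
ips_over_trigger() {
    count_by_ip | awk -v trig="$1" '$2 >= trig { print $1 }'
}

# Stand-alone run with a low trigger so the repeat offender shows up.
sample_maillog | extract_smtp_failures
echo "--- at or over trigger 2:"
sample_maillog | extract_smtp_failures | ips_over_trigger 2
```

One difference between the two posted rules worth checking whenever a rule matches nothing: Dss's rule reuses `TLOG_TF="vpopmail"`, while the working SMTP rule uses its own tag, `"vsmtpmail"`. As I understand BFD's tlog tracker (my assumption, not something the thread states), each tag is handed only the lines appended since that tag was last read, so two rules sharing a tag would leave the second one with nothing to parse; to compare against the real log, replace `sample_maillog` with `$TLOG_PATH $LP $TLOG_TF` as in the rules.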