SMTP password guessing attempts not being blocked [message #105364]
Thu, 08 August 2013 22:08
jimmonteath
Messages: 4 Registered: December 2009
The anti-hammering feature appears to be enabled with default settings, yet we still see repeated SMTP password guessing attempts in a single session.
I interpret the defaults to mean that more than 10 failed login attempts in 60 seconds will block the IP for 5 minutes. We see 10 failed logins in 40 seconds. These eventually cross the "SMTP failed commands" threshold (11), but that does not prevent immediate reconnection. We do block the offending IP addresses on our firewall, but this is usually after the fact.
Our settings and related log entries are below. Any suggestions for why anti-hammering isn't being triggered? Kerio Connect V8.1.2
Thanks,
Jim
Administration Console -> Configuration:
Advanced Options -> Login guessing protection:
- Block IP addresses suspicious of password guessing attacks = enabled.
- Never block this IP address group = "Local clients". Offending IP addresses are not in this group.
SMTP Server -> Security Options:
- Max. number of failed commands in a SMTP session = 11 (intentionally set high to allow anti-hammering protection)
mailserver.cfg
<table name="AntiHammering">
<variable name="Pop3Enabled">1</variable>
<variable name="ImapEnabled">1</variable>
<variable name="HttpEnabled">1</variable>
<variable name="SmtpEnabled">1</variable>
<variable name="LdapEnabled">1</variable>
<variable name="NntpEnabled">1</variable>
<variable name="XmppEnabled">1</variable>
<variable name="FailedLogins">10</variable>
<variable name="CheckTime">60</variable>
<variable name="BlockTime">300</variable>
<variable name="SafeAcl">Local Clients</variable>
</table>
Attachments: security.log, debug.log
Re: SMTP password guessing attempts not being blocked [message #105578 is a reply to message #105456]
Fri, 16 August 2013 16:34
jimmonteath
Messages: 4 Registered: December 2009
I have been advised by Technical Support that anti-hammering only protects against plaintext login attempts for SMTP. It does not block SASL authentication attempts. I cannot find this limitation documented anywhere public.
Unfortunately, this makes the feature useless to us. We are not going to compromise login security in order to gain anti-hammering protection.
Apparently Kerio have a suggestion on file for expanding the anti-hammering feature to also protect against SASL authentication. I have also posted this as a suggestion and would appreciate your votes.
Re: SMTP password guessing attempts not being blocked [message #117388 is a reply to message #117350]
Sat, 08 November 2014 07:06
NickySmith
Messages: 3 Registered: March 2011 Location: Greensboro, NC USA
[08/Nov/2014 01:03:39] Failed SMTP login from 198.46.135.74 with SASL method LOGIN.
[08/Nov/2014 01:03:39] SMTP: User admin<_at_>carolinanet.com doesn't exist. Attempt from IP address 198.46.135.74.
[08/Nov/2014 01:03:45] Failed SMTP login from 198.46.135.74 with SASL method LOGIN.
[08/Nov/2014 01:03:45] SMTP server connection from 198.46.135.74 closed after 3 bad commands
[08/Nov/2014 01:04:11] SMTP: User admin<_at_>carolinanet.com doesn't exist. Attempt from IP address 198.46.135.74.
[08/Nov/2014 01:04:17] Failed SMTP login from 198.46.135.74 with SASL method LOGIN.
[08/Nov/2014 01:04:17] SMTP: User admin<_at_>carolinanet.com doesn't exist. Attempt from IP address 198.46.135.74.
[08/Nov/2014 01:04:23] Failed SMTP login from 198.46.135.74 with SASL method LOGIN.
[08/Nov/2014 01:04:23] SMTP: User admin<_at_>carolinanet.com doesn't exist. Attempt from IP address 198.46.135.74.
This option is needed to block ranges of IPs that are attempting to dictionary-attack user passwords. Is v8.5 in the far-away future, or near? If far away, we can block the IPs another way, but if v8.5 is soon we will wait, as this is the best way to achieve this goal and deal with this continuing issue.
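The sliding-window rule the first post reads out of the AntiHammering table in mailserver.cfg (FailedLogins, CheckTime, BlockTime, SafeAcl), applied to security.log lines of the kind quoted above, as an added example that is not Kerio's code and was not posted by anyone in this thread. It counts only the "Failed SMTP login from ... with SASL method ..." lines; the "User ... doesn't exist" and "closed after N bad commands" lines are deliberately ignored. The tenth failure inside the window is treated as the trigger, which is what the 2020 log later in this thread shows (the block message follows the tenth failed login). The sample log lines, the IP addresses (documentation ranges) and the 192.168.0.0/16 and 10.0.0.0/8 stand-in for the "Local Clients" group are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Thresholds copied from the AntiHammering table in mailserver.cfg quoted in
# the first post of this thread.
FAILED_LOGINS = 10   # <variable name="FailedLogins">
CHECK_TIME = 60      # <variable name="CheckTime"> (seconds)
BLOCK_TIME = 300     # <variable name="BlockTime"> (seconds)
# Assumed stand-in for the "Local Clients" IP group named in SafeAcl.
SAFE_NETS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

# Only the "Failed SMTP login" lines count; "User ... doesn't exist" and
# "closed after N bad commands" lines are deliberately not matched.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}/[A-Za-z]{3}/\d{4} \d{2}:\d{2}:\d{2})\] "
    r"Failed SMTP login from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"with SASL method (?P<method>\S+)\.$"
)


def parse_line(line):
    """Return (timestamp, ip, method) for a failed-login line, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y %H:%M:%S")
    return ts, m["ip"], m["method"]


def block_decisions(lines, failed_logins=FAILED_LOGINS, check_time=CHECK_TIME,
                    block_time=BLOCK_TIME, safe_nets=SAFE_NETS):
    """Sliding-window count of failed logins per source IP.

    Returns a list of (timestamp, ip, action): "block" when the threshold is
    reached inside the window, "already_blocked" when a further failure is
    logged while the block is still in force.  Lines for a given IP must be in
    chronological order, as they are in security.log.
    """
    window = timedelta(seconds=check_time)
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    blocked_until = {}            # ip -> datetime at which the block expires
    decisions = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _method = parsed
        if any(ip_address(ip) in net for net in safe_nets):
            continue                                  # SafeAcl: never block
        if ip in blocked_until and ts < blocked_until[ip]:
            decisions.append((ts, ip, "already_blocked"))
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:               # drop failures older than CheckTime
            q.popleft()
        if len(q) >= failed_logins:                   # the 10th failure inside 60 s trips it
            blocked_until[ip] = ts + timedelta(seconds=block_time)
            q.clear()
            decisions.append((ts, ip, "block"))
    return decisions


def _synth(ip, method, first, step_s, count):
    """Constructed sample lines in the security.log format seen in this thread."""
    lines, t = [], first
    for _ in range(count):
        lines.append(f"[{t:%d/%b/%Y %H:%M:%S}] Failed SMTP login "
                     f"from {ip} with SASL method {method}.")
        t += timedelta(seconds=step_s)
    return lines


T0 = datetime(2014, 11, 8, 1, 3, 0)
# Constructed sample input (documentation address ranges, not real attackers).
SAMPLE_LOG = (
    _synth("198.51.100.7", "LOGIN", T0, 6, 11)                             # 11 failures 6 s apart
    + _synth("203.0.113.9", "CRAM-MD5", T0 + timedelta(seconds=5), 15, 10)  # 10 failures over 135 s
    + _synth("192.168.1.20", "PLAIN", T0, 1, 12)                           # inside the safe group
    + ["[08/Nov/2014 01:03:45] SMTP server connection from 198.51.100.7 "
       "closed after 3 bad commands"]                                      # not a login line
)


if __name__ == "__main__":
    for ts, ip, action in block_decisions(SAMPLE_LOG):
        print(f"{ts:%d/%b/%Y %H:%M:%S} {ip} {action}")
```

Fed with the tail of security.log from a cron job and with the "block" decisions pushed into a firewall rule, this is the after-the-fact workaround the first post describes; it cannot close the SMTP session in which the failures happened, which is exactly the gap the thread is about. The slow 203.0.113.9 source never reaches ten failures inside any 60-second window and so is never blocked, the same way a patient attacker stays under the server-side threshold.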
Re: SMTP password guessing attempts not being blocked [message #147992 is a reply to message #147976]
Mon, 20 April 2020 12:13
freakinvibe
Messages: 589 Registered: April 2004
It seems to work for me, I get those log entries:
[16/Apr/2020 23:02:02] Failed SMTP login from 185.50.149.16 with SASL method CRAM-MD5.
[16/Apr/2020 23:02:07] Failed SMTP login from 185.50.149.16 with SASL method CRAM-MD5.
[16/Apr/2020 23:02:55] Failed SMTP login from 185.50.149.16 with SASL method CRAM-MD5.
[16/Apr/2020 23:02:55] Failed SMTP login from 185.50.149.16 with SASL method CRAM-MD5.
[16/Apr/2020 23:02:55] Failed SMTP login from 185.50.149.16 with SASL method CRAM-MD5.
[16/Apr/2020 23:02:55] Failed SMTP login from 185.50.149.16 with SASL method CRAM-MD5.
[16/Apr/2020 23:02:59] Failed SMTP login from 185.50.149.16 with SASL method CRAM-MD5.
[16/Apr/2020 23:02:59] Failed SMTP login from 185.50.149.16 with SASL method CRAM-MD5.
[16/Apr/2020 23:02:59] Failed SMTP login from 185.50.149.16 with SASL method CRAM-MD5.
[16/Apr/2020 23:02:59] Failed SMTP login from 185.50.149.16 with SASL method CRAM-MD5.
[16/Apr/2020 23:02:59] SMTP: AntiHammering - IP address 185.50.149.16 will be blocked for 5 minutes, too many failed logins from this IP address.
[16/Apr/2020 23:02:59] SMTP: AntiHammering: connection from IP address 185.50.149.16 is blocked
Dexion Services AG - IT Support Services in Basel, Switzerland
https://dexionag.ch
[Updated on: Mon, 20 April 2020 12:14]