Serious security flaw in authentication [message #152116] Fri, 01 July 2022 09:25
PascalDorland
Messages: 5
Registered: June 2011
Location: Hilversum
LS,

Recently we found out that the feature of blocking malicious login attempts doesn't work.
In our case, AD accounts (we authenticate against a domain controller) become locked out when
hackers try to log in several times.

This can also happen with accounts that aren't allowed at all to log in from the internet
(client restriction, access policy).
For instance, I have managed to lock an important account via the internet that is only allowed
to log in from our internal IP address ranges.

In the log files on the Kerio mail server you can read the following messages:

"Account lockout - user [ADOMAINTESTUSER] will be blocked for connections from IP address [IP ADDRESS] for 5 minutes: too many failed logins from this IP address"

This doesn't happen!!!

You can proceed with your subversive activities and within the minute the account in question gets locked out.
Hackers thereby have the opportunity to close down parts of your userbase.


What I would like to see is:

When a user tries to authenticate, there should be a check first whether the username/account is allowed at all to log in from its originating IP.
If not, the connection should be dropped. If it's allowed, further authentication is OK.
I consider this to be a design flaw and a high-severity security issue.

In this way you can have critical accounts with a mailbox and not the risk of those accounts getting locked out due to activity from the internet.
At this time Kerio is giving a false sense of security, there is nothing getting blocked at all!
Brute force galore.
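The ordering problem described in this post, as an added illustration that is not code from Kerio Connect or from the poster: a simulated domain controller with a failed-attempt lockout, an access policy that restricts an account to internal networks, and the two possible orders of "authenticate" and "check source IP". The account names, passwords, networks and the lockout threshold are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed access policy: the source networks each account may log in from.
# Names and networks are assumptions for this example, not taken from the post.
ACCESS_POLICY = {
    "admin": ["10.0.0.0/8"],   # internal ranges only, like the account in the post
    "sales": ["0.0.0.0/0"],    # allowed from anywhere
}
AD_LOCKOUT_THRESHOLD = 5       # assumed domain lockout policy (bad passwords)


@dataclass
class DomainController:
    """Simulated AD backend: counts bad passwords per account and locks it."""
    passwords: dict
    bad_count: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def authenticate(self, user, password):
        if user in self.locked:
            return False
        if self.passwords.get(user) == password:
            self.bad_count[user] = 0
            return True
        self.bad_count[user] = self.bad_count.get(user, 0) + 1
        if self.bad_count[user] >= AD_LOCKOUT_THRESHOLD:
            self.locked.add(user)          # account is now locked in AD
        return False


def ip_allowed(user, source_ip):
    """Access-policy check: is this account permitted from this source address?"""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(n) for n in ACCESS_POLICY.get(user, []))


def login_flawed(dc, user, password, source_ip):
    """Order the post complains about: every attempt reaches AD, policy applied after."""
    return dc.authenticate(user, password) and ip_allowed(user, source_ip)


def login_fixed(dc, user, password, source_ip):
    """Order the post asks for: drop disallowed sources before AD ever sees them."""
    if not ip_allowed(user, source_ip):
        return False
    return dc.authenticate(user, password)


def simulate(login):
    """Run a burst of external bad guesses, then try a legitimate internal login."""
    dc = DomainController(passwords={"admin": "correct horse", "sales": "s3cret"})
    for _ in range(AD_LOCKOUT_THRESHOLD):
        login(dc, "admin", "wrong guess", "203.0.113.7")   # from the internet
    return login(dc, "admin", "correct horse", "10.1.2.3")  # from the LAN
```

With the flawed order the internal login fails afterwards because the external guesses locked the AD account; with the fixed order the guesses never reach the domain controller and the internal login still succeeds.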
 