[BlueOnyx:12876] Re: Renaming user accounts

Eric Peabody admin at bnserve.com
Wed Apr 17 09:28:30 -05 2013


Chris,

We are seeing multiple addresses used to attack a single account and 
each address is used just a few times.  Pam_abl can block these for some 
attack vectors, and it does if the number of attempts exceeds the 
threshold, but the attack continues from other addresses until the user 
account is blocked.  Of course, since pam_abl doesn't block sendmail 
auth attempts by IP address, such attacks make keeping the user 
threshold high a risky idea.

This behavior of using multiple addresses is similar to the Wordpress 
attacks that have been making the rounds.  The bigger hosts have 
reported that some 90,000 addresses are used in these attacks.  We are 
much smaller and have only logged about 4000 unique addresses banned in 
the past month on one server.  That's ban events from fail2ban since 
pam_abl doesn't prevent sendmail authentication attempts by IP address, 
only user name.  There were 44,000 sendmail auth errors logged on that 
box from password guessing and 11,000 dovecot authentication errors.  
Clearly, sendmail auth is a bigger problem.

All in all, giving users' accounts user names that are different from 
their email addresses and not named with common words is a reasonable 
way to reduce the exposure.

To reduce the Wordpress problem, we've implemented Apache authentication 
system-wide for all Wordpress logins -- two logins are required and we 
control the ones for Apache so they are much more difficult than a user 
is likely to choose.  Once we have verified that no Wordpress accounts 
named 'admin' are being used we may remove the additional sign-in but 
that's not certain.  I am sure it's what my users want but we'll have 
to see how this plays out.  Note that pam_abl does not address this 
attack vector.  And with a zombie network being used to attack, fail2ban 
is limited too.

I think we are seeing a shift in the technology used to penetrate 
systems.  What used to be an annoyance that was pretty easy to handle 
has become much more difficult.  I don't think that the community has 
the tools needed to thwart long-running penetration attempts run from a 
zombie network that is global in scope. User name/password 
authentication may not be enough any more.

Eric

On 4/17/13 8:34 AM, Chris Gebhardt - VIRTBIZ Internet wrote:
> On 4/17/2013 8:27 AM, Eric Peabody wrote:
>> Chris,
>>
>> You are right that pam_abl will help prevent the attacker from
>> successfully guessing the password.  But the problem is that pam_abl
>> locks the accounts when the attacks are running, preventing the
>> legitimate users from accessing their accounts. Changing the user name
>> associated with the email address has significantly reduced the
>> unauthorized activity's interference with legitimate operations.
> In the BlueOnyx GUI, make sure that in Server Management > Security >
> Login Manager you are only using the HOST RULE and not the USER RULE.
> That way, only offending IP addresses will be blocked, not a username.
>
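As an added illustration of the mismatch Eric describes between per-IP blocking (fail2ban, the BlueOnyx HOST RULE) and per-user blocking (pam_abl, the USER RULE) when each source address is used only a few times. This is not code from the list or from BlueOnyx; the sendmail/SASL log format, the IP addresses and the thresholds are assumptions.

```python
import re
from collections import Counter

# Approximation of a sendmail SASL AUTH failure line (assumed format, not from the post).
AUTH_FAIL = re.compile(
    r"sendmail\[\d+\]: \S+: AUTH failure .*?user=(?P<user>[^,\s]+), relay=\[(?P<ip>[\d.]+)\]"
)

def make_line(ts, user, ip, n):
    """Build one constructed AUTH failure log line."""
    return (f"Apr 17 {ts} mx sendmail[{1000 + n}]: r3H{n:06d}: AUTH failure (LOGIN): "
            f"authentication failure (-13) SASL(-13): checkpass failed, user={user}, relay=[{ip}]")

# Constructed sample: 12 guesses against the mailbox "info" spread over 4 sources
# (3 tries each), plus one legitimate user mistyping a password twice from one IP.
SAMPLE_LINES = [
    make_line(f"09:{i:02d}:00", "info", f"203.0.113.{i // 3 + 1}", i) for i in range(12)
] + [
    make_line("09:30:00", "jdoe", "192.0.2.10", 12),
    make_line("09:30:20", "jdoe", "192.0.2.10", 13),
]

def parse_failures(lines):
    """Return a (user, ip) pair for every line that is a sendmail AUTH failure."""
    hits = []
    for line in lines:
        m = AUTH_FAIL.search(line)
        if m:
            hits.append((m.group("user"), m.group("ip")))
    return hits

def evaluate(lines, host_threshold=5, user_threshold=5):
    """Apply a per-IP rule and a per-user rule to the same failures.

    Returns which IPs the host rule would ban, which accounts the user rule
    would lock, and the busiest single source, so the two can be compared.
    """
    hits = parse_failures(lines)
    by_ip = Counter(ip for _, ip in hits)
    by_user = Counter(user for user, _ in hits)
    return {
        "banned_ips": {ip for ip, n in by_ip.items() if n >= host_threshold},
        "locked_users": {u for u, n in by_user.items() if n >= user_threshold},
        "per_ip_max": max(by_ip.values(), default=0),
    }

if __name__ == "__main__":
    print(evaluate(SAMPLE_LINES))
```

On this sample the host rule bans nothing, because no source reaches the threshold, while the user rule locks the targeted account, which is exactly the legitimate-user lockout Eric reports.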
