<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Chris,<br>
<br>
We are seeing multiple addresses used to attack a single account
and each address is used just a few times. Pam_abl can block
these for some attack vectors, and it does if the number of
attempts exceeds the threshold, but the attack continues from
other addresses until the user account is blocked. Of course,
since pam_abl doesn't block sendmail auth attempts by IP address,
such attacks make keeping the user threshold high a risky idea.<br>
<br>
This behavior of using multiple addresses is similar to the
Wordpress attacks that have been making the rounds. The bigger
hosts have reported that some 90,000 addresses are used in these
attacks. We are much smaller and have only logged about 4000
unique addresses banned in the past month on one server. That's
ban events from fail2ban since pam_abl doesn't prevent sendmail
authentication attempts by IP address, only user name. There were
44,000 sendmail auth errors logged on that box from password
guessing and 11,000 dovecot authentication errors. Clearly,
sendmail auth is a bigger problem.<br>
<br>
All in all, giving user's accounts user names that are different
from their email addresses and not named with common words is a
reasonable way to reduce the exposure.<br>
<br>
To reduce the Wordpress problem, we've implemented Apache
authentication system-wide for all Wordpress logins -- two logins
are required and we control the ones for Apache so they are much
more difficult than a user is likely to choose. Once we have
verified that no Wordpress accounts named 'admin' are being used
we may remove the additional sign-in but that's not certain. I am
sure it's what my user's want but we'll have to see how this plays
out. Note that pam_abl does not address this attack vector. And
with a zombie network being used to attack, fail2ban is limited
too.<br>
<br>
I think we are seeing a shift in the technology used to penetrate
systems. What used to be an annoyance that was pretty easy to
handle has become much more difficult. I don't think that the
community has the tools needed to thwart long-running penetration
attempts run from a zombie network that is global in scope. User
name/password authentication may not be enough any more.<br>
<br>
Eric<br>
<div class="moz-signature">
<meta http-equiv="content-type" content="text/html;
charset=ISO-8859-1">
<title></title>
<br>
</div>
On 4/17/13 8:34 AM, Chris Gebhardt - VIRTBIZ Internet wrote:<br>
</div>
<blockquote cite="mid:516EA4DF.8040004@virtbiz.com" type="cite">
<pre wrap="">On 4/17/2013 8:27 AM, Eric Peabody wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Chris,
You are right that pam_abl will help prevent the attacker from
successfully guessing the password. But the problem is that pam_abl
locks the accounts when the attacks are running, preventing the
legitimate users from accessing their accounts. Changing the user name
associated with the email address has significantly reduced the
unauthorized activity's interference with legitimate operations.
</pre>
</blockquote>
<pre wrap="">
In the BlueOnyx GUI, make sure that in Server Management > Security >
Login Manager you are only using the HOST RULE and not the USER RULE.
That way, only offending IP addresses will be blocked, not a username.
</pre>
</blockquote>
<br>
</body>
</html>