Discussion:
is it possible to lockout failed authenticators
Miles Fidelman
2013-03-03 13:11:28 UTC
Permalink
Hi Folks,

One of our users recently had her password compromised, and subsequently
had a bunch of spam sent through her email account. It looks to me
like the compromise was the result of a weak password, coupled with
brute force cracking attempts against both our imap and smtp servers (at
least there are a LOT of failed authentication attempts logged).

Which has led me to wonder: For human logins, it's standard practice to
lock an account after some number of failed attempts - at least for a
few minutes, if not until someone intervenes. What with computers being
a LOT faster than humans, it occurs to me to wonder whether there's an
easy way to set imapd to lock out specific IP/username combinations
after some number of failed authentication attempts.

Suggestions?

Thanks very much,

Miles Fidelman
Richard Westlake
2013-03-03 16:56:51 UTC
Permalink
Hi Miles
I am not sure that imapd or Perdition (Mail Retrieval Proxy) can rate
limit password guesses or block accounts on repeated failure.

You could have a look at tools such as Fail2ban
http://www.fail2ban.org/wiki/index.php/Main_Page which could help protect
against future brute force attacks.


I would be interested to learn what solution you do find.

All the best


Richard Westlake
Department of Biological Sciences, Birkbeck College, Malet Street, London WC1E 7HX
Tel: +44 (0)20-7631-6859
----------------------------------------------------------------------
Truth endures but spelling changes -- Anon.
----------------------------------------------------------------------
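What Fail2ban does for a mail server, boiled down to its decision logic, as an added example that is not code from this thread nor from Fail2ban itself: parse failed-login lines out of a syslog-style imapd log, count them per IP/username pair inside a sliding window, and declare a temporary ban once the count reaches a threshold. The log format (UW imapd's "Login failed user=... auth=... host=... [ip]" message), the year, and the sample lines are constructed assumptions for this example; check the regex against your own mail log before reusing it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines modelled on UW imapd's "Login failed" message.
# The exact field layout is an assumption for this example, not taken from the
# thread; compare it with your own /var/log/mail.log before relying on LINE_RE.
SAMPLE_LOG = """\
Mar  3 08:01:01 mail imapd[2201]: Login failed user=alice auth=alice host=UNKNOWN [198.51.100.7]
Mar  3 08:01:02 mail imapd[2202]: Login failed user=alice auth=alice host=UNKNOWN [198.51.100.7]
Mar  3 08:01:03 mail imapd[2203]: Login failed user=alice auth=alice host=UNKNOWN [198.51.100.7]
Mar  3 08:01:04 mail imapd[2204]: Login failed user=alice auth=alice host=UNKNOWN [198.51.100.7]
Mar  3 08:01:05 mail imapd[2205]: Login failed user=alice auth=alice host=UNKNOWN [198.51.100.7]
Mar  3 08:01:06 mail imapd[2206]: Login user=alice host=UNKNOWN [198.51.100.7]
Mar  3 08:05:00 mail imapd[2210]: Login failed user=bob auth=bob host=UNKNOWN [203.0.113.9]
Mar  3 08:45:00 mail imapd[2211]: Login failed user=bob auth=bob host=UNKNOWN [203.0.113.9]
Mar  3 08:45:10 mail imapd[2212]: Login failed user=bob auth=bob host=UNKNOWN [203.0.113.9]
"""

# Syslog timestamps carry no year, so one is assumed for the example.
LOG_YEAR = 2013
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ imapd\[\d+\]: "
    r"Login failed user=(?P<user>\S+) auth=\S+ host=\S+ \[(?P<ip>[^\]]+)\]$"
)


def parse_failure(line):
    """Return (timestamp, ip, user) for a failed-login line, or None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return ts, m.group("ip"), m.group("user")


class FailedLoginTracker:
    """Sliding-window lockout in the style of fail2ban's maxretry/findtime/bantime,
    keyed on (ip, user) as the original post asks rather than on IP alone."""

    def __init__(self, maxretry=5, findtime=timedelta(minutes=10),
                 bantime=timedelta(hours=1)):
        self.maxretry = maxretry
        self.findtime = findtime
        self.bantime = bantime
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.bans = {}                      # key -> time the ban expires

    def record_failure(self, key, when):
        """Record one failure; return True if this failure triggers a ban."""
        window = self.failures[key]
        window.append(when)
        # Forget failures older than findtime so an occasional typo never bans.
        while window and when - window[0] > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry:
            self.bans[key] = when + self.bantime
            window.clear()
            return True
        return False

    def is_banned(self, key, now):
        """True while key is inside its ban window; expired bans are dropped."""
        expiry = self.bans.get(key)
        if expiry is None:
            return False
        if now >= expiry:
            del self.bans[key]
            return False
        return True


def scan_log(text, tracker=None):
    """Feed every failed-login line to the tracker; return [(key, ban_time), ...]."""
    if tracker is None:
        tracker = FailedLoginTracker()
    banned = []
    for line in text.splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue  # successful logins and unrelated lines are ignored
        when, ip, user = parsed
        key = (ip, user)
        if tracker.is_banned(key, when):
            continue  # a real deployment would have the firewall drop these
        if tracker.record_failure(key, when):
            banned.append((key, when))
    return banned


if __name__ == "__main__":
    for (ip, user), when in scan_log(SAMPLE_LOG):
        print(f"ban {ip} for user {user} starting {when:%H:%M:%S}")
```

On the sample data only alice's attacker is banned: five failures inside ten minutes trip the threshold, while bob's three failures are spread over forty minutes and never reach it. Two points worth keeping in mind when moving from this model to Fail2ban proper: Fail2ban keys on the source IP and enforces the ban with a firewall rule, so a distributed, slow guessing campaign against one account slips under a per-IP threshold, and keying on the username alone (a plain account lockout) hands an attacker an easy way to lock out a legitimate user. Neither replaces fixing the weak password that let the guess succeed in the first place.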
Miles Fidelman
2013-03-03 20:03:21 UTC
Permalink
People do seem to be pointing me at fail2ban - thanks!
Miles Fidelman
2013-03-08 02:57:20 UTC
Permalink
Thanks... a lot of folks have been pointing that way.

Miles