Having upgraded to ASL 3, still see a lot of IMAP connect LOGIN FAILED attempts, not being blocked (and filling logs). The GUI manage rule interface shows "Active Response" set to "No," if set to "Yes" would it block the IP? or can the rule be fine-tuned? Would happily shun an IP if it fails to supply correct password more than 6 times in an hour...
Thanks

Can see Rule ID 3910 being triggered occasionally now, for example after 45 mins of failed logins every 5 seconds (and triggering rule ID 3902), would have expected it to shun the IP sooner. Not sure how these rules are working, so haven't tinkered at all yet, can supply more details if needed?

Yes, Active Response means "block this with the systems firewall if detected".

Thanks, it seems to be working a little better now, not sure if this is due to a rule update or the slowness/aggregate/increased ban time (which was mentioned as being a new feature in ASL 3), but am happy to have a less of this activity flooding the mail log!

If possible, how would you recommend this could be tweaked to me more aggressive; fewer errors required in same time frame and/or longer ban? I can see the potential of ASL 3 but don't want to start monkeying around with the rule manager until I have a clearer view of the data being logged.

Many thanks

Well that depends, what would you like ASL to be able to do?

As an aside, there are other rules in ASL that detect things like brute force IMAP/POP/SMTP password guessing attempts and will block them. Rule 3902 is a one time rule, its telling you an authentication failed. There are other rules that look at things like "did this happen 30 times in a row in 20 seconds from the same IP? If so, firewall em off". We dont want ASL to block someone if they made an honest mistake, but we might want you to know about in case thats important to you.

Thanks Mike,

Can see a whole bunch of rules dedicated to authentication failed/failures in the ASL Rule Manager, I guess the latter uses multiple occurrences of the former to decide when to shun (3910/60910 are working hard, blocking multiple failures on this particular server).

Ideally, I'd like to see if reducing the threshold for multiple failures and extending the block time for repeat offenders causes more problems than it solves; I don't believe genuine users make that many mistakes in the same manner/time frame.

The current "round robin" approach used by these particular spammers will likely never succeed, but without a firewall there would be over 17,000 attempts p/day (one every 5 seconds) from each of the numerous IP's filling logs. Had to manually block them in the past (a chore!)

Incidentally, do "User/Admin/Web authentication failed" in combination with "Multiple authentication failures from same source" cover http 302 authentication errors? Seen occasional/strong brute-force attempts to access phpmyadmin/cms/etc, but not since running ASL 3, so will keep a close eye on logs.

Thanks again

Yes, this is a new feature in ASL 3.0. We added in special rules to detect web application login failures, and to detect slow and fast brute force password guessing attacks on those applications. If you enable the MODSEC_12_BRUTE ruleset (the default is enabled) the WAF and IDS will work together to detect these types of attacks.

They work by looking at the output from the application itself so we can trigger when an authentication fails (and not have to rely on logs). If you have particular web applications you would like ASL to detect this for, please let us know. At the moment we have rules published for:

vbulletin
phpbb
wikimedia
joomla
sugarcrm

We'll be releasing rules tomorrow for:

movable type
wordpress
phpmyadmin

Basically all we need a working copy of the application so we can test it. So if its something that be downloaded and installed, its fairly easy to create rules. So, let us know what you would like.