Post subject: Rule ID 3902
Posted: Mon Jul 25, 2011 4:21 am
Forum Regular (Joined: Wed Jan 02, 2008 3:21 pm, Posts: 520, Location: United Kingdom)
Having upgraded to ASL 3, still see a lot of IMAP connect LOGIN FAILED attempts, not being blocked (and filling logs). The GUI manage rule interface shows "Active Response" set to "No," if set to "Yes" would it block the IP? or can the rule be fine-tuned? Would happily shun an IP if it fails to supply correct password more than 6 times in an hour...
Thanks


Post subject: Re: Rule ID 3902
Posted: Tue Jul 26, 2011 10:41 am
Forum Regular (Joined: Wed Jan 02, 2008 3:21 pm, Posts: 520, Location: United Kingdom)
Can see Rule ID 3910 being triggered occasionally now, for example after 45 mins of failed logins every 5 seconds (and triggering rule ID 3902); would have expected it to shun the IP sooner. Not sure how these rules are working, so haven't tinkered at all yet. Can supply more details if needed?


Post subject: Re: Rule ID 3902
Posted: Tue Jul 26, 2011 12:39 pm
Atomicorp Staff - Site Admin (Joined: Thu Feb 07, 2008 7:49 pm, Posts: 3605, Location: Chantilly, VA)
Quote:
Having upgraded to ASL 3, still see a lot of IMAP connect LOGIN FAILED attempts, not being blocked (and filling logs). The GUI manage rule interface shows "Active Response" set to "No," if set to "Yes" would it block the IP?


Yes, Active Response means "block this with the system's firewall if detected".

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: Rule ID 3902
Posted: Wed Jul 27, 2011 12:31 pm
Forum Regular (Joined: Wed Jan 02, 2008 3:21 pm, Posts: 520, Location: United Kingdom)
Thanks, it seems to be working a little better now. Not sure if this is due to a rule update or the slowness/aggregate/increased ban time (which was mentioned as being a new feature in ASL 3), but am happy to have less of this activity flooding the mail log!

If possible, how would you recommend this could be tweaked to be more aggressive: fewer errors required in the same time frame and/or a longer ban? I can see the potential of ASL 3 but don't want to start monkeying around with the rule manager until I have a clearer view of the data being logged.

Many thanks


Post subject: Re: Rule ID 3902
Posted: Wed Jul 27, 2011 12:39 pm
Atomicorp Staff - Site Admin (Joined: Thu Feb 07, 2008 7:49 pm, Posts: 3605, Location: Chantilly, VA)
Quote:
If possible, how would you recommend this could be tweaked to be more aggressive: fewer errors required in the same time frame and/or a longer ban? I can see the potential of ASL 3 but don't want to start monkeying around with the rule manager until I have a clearer view of the data being logged.


Well that depends, what would you like ASL to be able to do? :-)

As an aside, there are other rules in ASL that detect things like brute force IMAP/POP/SMTP password guessing attempts and will block them. Rule 3902 is a one-time rule; it's telling you an authentication failed. There are other rules that look at things like "did this happen 30 times in a row in 20 seconds from the same IP? If so, firewall 'em off". We don't want ASL to block someone if they made an honest mistake, but we might want you to know about it in case that's important to you.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


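An added illustration of the distinction made above between a single-event rule (one failed login, one alert, no block) and a composite frequency/timeframe rule that counts those events per source IP; this is example code written for this thread, not ASL's or OSSEC's own rule engine. The log lines, timestamps and addresses are constructed in a courier-imap style, and the 6-failures-in-an-hour threshold is the one the original poster asked for.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (courier-imap style; hosts, users, IPs and times are invented).
# 198.51.100.7 fails every 5 seconds, the round-robin pattern described in the thread;
# 203.0.113.9 fails twice, the "honest mistake" case that should not be blocked.
SAMPLE_LOG = """\
Jul 27 12:00:00 mail imapd: LOGIN FAILED, user=sales, ip=[::ffff:198.51.100.7]
Jul 27 12:00:01 mail imapd: LOGIN FAILED, user=bob, ip=[::ffff:203.0.113.9]
Jul 27 12:00:05 mail imapd: LOGIN FAILED, user=sales, ip=[::ffff:198.51.100.7]
Jul 27 12:00:07 mail imapd: LOGIN FAILED, user=bob, ip=[::ffff:203.0.113.9]
Jul 27 12:00:10 mail imapd: LOGIN FAILED, user=info, ip=[::ffff:198.51.100.7]
Jul 27 12:00:15 mail imapd: LOGIN FAILED, user=admin, ip=[::ffff:198.51.100.7]
Jul 27 12:00:20 mail imapd: LOGIN FAILED, user=test, ip=[::ffff:198.51.100.7]
Jul 27 12:00:25 mail imapd: LOGIN FAILED, user=root, ip=[::ffff:198.51.100.7]
Jul 27 12:00:30 mail imapd: LOGIN FAILED, user=sales, ip=[::ffff:198.51.100.7]
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ imapd: "
    r"LOGIN FAILED, user=(?P<user>[^,]*), ip=\[(?:::ffff:)?(?P<ip>[^\]]+)\]$")


def parse_failure(line, year=2011):
    """Single-event rule (the role rule 3902 plays): one line -> one event, never a block."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog has no year
    return ts, m["ip"], m["user"]


def composite_blocks(lines, threshold=6, window=timedelta(hours=1)):
    """Composite rule: `threshold` failures from one source inside `window` -> block decision.
    Each source IP is tracked separately, so a round-robin of many IPs is judged per IP.
    Returns (ip, first_failure, last_failure) for every time the threshold is crossed."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    blocks = []
    for line in lines:
        ev = parse_failure(line)
        if ev is None:
            continue
        ts, ip, _user = ev
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # slide the window: drop failures that aged out
            q.popleft()
        if len(q) >= threshold:
            blocks.append((ip, q[0], ts))
            q.clear()  # one decision per burst; a later burst is evaluated afresh
    return blocks


if __name__ == "__main__":
    for ip, first, last in composite_blocks(SAMPLE_LOG.splitlines()):
        print(f"block {ip}: {first:%H:%M:%S} .. {last:%H:%M:%S}")
```

With the thread's stricter "30 in 20 seconds" setting the same sample produces no block at all, which is the trade-off between false positives and log volume the two posters are discussing.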
 
Post subject: Re: Rule ID 3902
Posted: Wed Jul 27, 2011 7:16 pm
Forum Regular (Joined: Wed Jan 02, 2008 3:21 pm, Posts: 520, Location: United Kingdom)
Thanks Mike,

Can see a whole bunch of rules dedicated to "authentication failed"/"failures" in the ASL Rule Manager; I guess the latter uses multiple occurrences of the former to decide when to shun (3910/60910 are working hard, blocking multiple failures on this particular server).

Ideally, I'd like to see if reducing the threshold for multiple failures and extending the block time for repeat offenders causes more problems than it solves; I don't believe genuine users make that many mistakes in the same manner/time frame.

The current "round robin" approach used by these particular spammers will likely never succeed, but without a firewall there would be over 17,000 attempts per day (one every 5 seconds) from each of the numerous IPs filling logs. Had to manually block them in the past (a chore!)

Incidentally, do "User/Admin/Web authentication failed" in combination with "Multiple authentication failures from same source" cover HTTP 302 authentication errors? Seen occasional/strong brute-force attempts to access phpmyadmin/cms/etc., but not since running ASL 3, so will keep a close eye on logs.

Thanks again


Post subject: Re: Rule ID 3902
Posted: Wed Jul 27, 2011 8:08 pm
Atomicorp Staff - Site Admin (Joined: Thu Feb 07, 2008 7:49 pm, Posts: 3605, Location: Chantilly, VA)
Quote:
Seen occasional/strong brute-force attempts to access phpmyadmin/cms/etc, but not since running ASL 3, so will keep a close eye on logs.


Yes, this is a new feature in ASL 3.0. We added in special rules to detect web application login failures, and to detect slow and fast brute force password guessing attacks on those applications. If you enable the MODSEC_12_BRUTE ruleset (the default is enabled) the WAF and IDS will work together to detect these types of attacks.

They work by looking at the output from the application itself so we can trigger when an authentication fails (and not have to rely on logs). If you have particular web applications you would like ASL to detect this for, please let us know. At the moment we have rules published for:

vbulletin
phpbb
wikimedia
joomla
sugarcrm

We'll be releasing rules tomorrow for:

movable type
wordpress
phpmyadmin

Basically all we need is a working copy of the application so we can test it. So if it's something that can be downloaded and installed, it's fairly easy to create rules. So, let us know what you would like.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.

