Multiple Email accounts being locked due to login brute force by email in IDS blocks
Problem reported by Chase Casebonne - December 12, 2018 at 12:20 PM
Resolved
We host many domains and hundreds of email accounts. Since we updated to the latest version today, many of our email accounts are locking due to multiple invalid login attempts from IP addresses all around the world. In the past these IP addresses would be blocked. When we remove the user from the IDS block, they are being put back on within minutes. Was there a change in how SmarterMail is supposed to handle these types of issues? We aren't sure how to proceed.
Chase Casebonne

25 Replies

0
Francis Wurtz Replied
We have had the same issue since the upgrade. We never had this type of problem before. SmarterTools team, please fix ASAP; it's very problematic and we are getting a lot of calls from our customers.
1
Alex Carnot Replied
Employee Post
Hi,
In the current build (formerly SmarterMail 17), Login Brute Force by IP and Login Brute Force by Email were both introduced as default IDS Rules in the Security section of the SysAdmin interface. If you haven't already, I'd recommend increasing the "Logins Before Block by Email" on the Login Brute Force by Email rule. The rule can also be disabled altogether.
Alex Carnot
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Chase Casebonne Replied
I am going to disable it altogether. However, I see there is a two-factor authorization option now. Is that fully implemented? I can't find the option to fully configure it.
Chase Casebonne
0
Alex Carnot Replied
Employee Post
2-Step Authentication must be enabled for a domain by a System Administrator, then a domain must have 2-Step Authentication set to Enabled. From there users will be able to see a 2-Step Authentication card within their Account Settings that allows them to set it up. However, this card cannot be seen while impersonating.
Alex Carnot
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
1
John Marx Replied
Same issue for us and we disabled until this is fixed.
0
Francis Wurtz Replied
We disabled both too and all seems OK for the moment. Thanks to Alex from the SmarterTools team for his first post in this thread, which informed us that Login Brute Force by IP and Login Brute Force by Email were both introduced as default IDS Rules in this new version; this detail helped us a lot to put the finger on the origin of the problem. (Sorry for my poor English) ;)
0
Gabriele Maoret Replied
Same issue for us
0
Gabriele Maoret Replied
Can you introduce the documentation of every rule in the Online Help?
0
Simone Schilirò Replied
Same issue. Please fix. It is a big problem for my customers.
5
Derek Curtis Replied
Employee Post Marked As Resolution
Hi, All

Hopefully this explains things a bit. Please understand that it isn't "broken", we just have 2 rules that are combining that may be causing issues...

Basically, you have 2 options:

Option 1: Change values
A simple solution is to simply change the default values for By IP and By Email. One way would be to decrease the number of attempts By IP to be LOWER than the By Email number. This will block the IP before the email address hits its own rule limit. You could also decrease the By IP limit and increase the By Email limit to ensure that, if you're seeing a lot of brute force attempts from multiple IPs on the same account, the account still doesn't get locked out. 

Option 2: Disable By Email
Keep the By IP rules in place and disable the By Email rules. This way, IPs will continue to be blocked when there are brute force attempts, but the email account itself is never blocked. This is a good solution for cases where a particular address (or multiple addresses) is being brute forced by multiple IPs.

These 2 IDS rules were added and CAN work together. It's just a matter of configuring them TO work together. 

As an aside, we're looking at the defaults we put for each. Right now I think they're set to the same number, but a future build will have the By IP number smaller than the By Email number by default. That way, if both are turned on there will be some difference between the two to try and eliminate confusion and issues.

I hope that helps. 
Derek Curtis
COO
SmarterTools Inc.
(877) 357-6278
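As an added illustration of the interaction Derek describes above (this is example code, not SmarterMail's implementation; the thresholds, the mailbox name and the documentation-range IP addresses are constructed), the model below counts failed logins per IP and per mailbox under both rules and replays two patterns: one IP hammering one mailbox, and many IPs each trying only a couple of times against the same mailbox. It shows why a By IP limit below the By Email limit (Option 1) protects the account against a single source, and why for the multi-IP case Derek mentions only raising or disabling By Email (Option 2) keeps the mailbox from locking.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class IdsPolicy:
    """Thresholds for the two rules; None means the rule is disabled."""
    logins_before_block_by_ip: Optional[int]
    logins_before_block_by_email: Optional[int]


@dataclass
class IdsState:
    ip_failures: Counter = field(default_factory=Counter)
    email_failures: Counter = field(default_factory=Counter)
    blocked_ips: Set[str] = field(default_factory=set)
    locked_emails: Set[str] = field(default_factory=set)
    reached_auth: int = 0  # attempts that got past the IP block to the mailbox


def simulate(policy: IdsPolicy, attempts: List[Tuple[str, str]]) -> IdsState:
    """Replay failed logins (ip, email) in order and apply both rules.

    A blocked IP is dropped before authentication, so it can no longer add to
    the mailbox's failure count. A locked mailbox keeps recording failures
    because the attacker keeps trying, which is the complaint in the thread.
    """
    state = IdsState()
    by_ip = policy.logins_before_block_by_ip
    by_email = policy.logins_before_block_by_email
    for ip, email in attempts:
        if ip in state.blocked_ips:
            continue
        state.reached_auth += 1
        state.ip_failures[ip] += 1
        state.email_failures[email] += 1
        if by_ip is not None and state.ip_failures[ip] >= by_ip:
            state.blocked_ips.add(ip)
        if by_email is not None and state.email_failures[email] >= by_email:
            state.locked_emails.add(email)
    return state


TARGET = "alice@example.com"  # constructed mailbox under attack


def single_source_attack(n: int = 20) -> List[Tuple[str, str]]:
    """One IP (constructed, documentation range) failing n times on one mailbox."""
    return [("203.0.113.5", TARGET)] * n


def distributed_attack(ips: int = 20, per_ip: int = 2) -> List[Tuple[str, str]]:
    """Many IPs, each trying only a couple of times against the same mailbox."""
    return [(f"198.51.100.{i}", TARGET)
            for i in range(1, ips + 1) for _ in range(per_ip)]


def outcome(policy: IdsPolicy, attempts: List[Tuple[str, str]]) -> dict:
    """Summarise what an operator would see after the replay."""
    s = simulate(policy, attempts)
    return {"mailbox_locked": TARGET in s.locked_emails,
            "ips_blocked": len(s.blocked_ips),
            "reached_auth": s.reached_auth}


# Policies to compare; "equal" is an assumed default, not a value from the page.
POLICIES = {
    "equal (assumed default)": IdsPolicy(5, 5),
    "option 1: by-ip lower": IdsPolicy(3, 10),
    "option 2: by-email off": IdsPolicy(3, None),
}

if __name__ == "__main__":
    for name, pol in POLICIES.items():
        print(f"{name:26} single-source {outcome(pol, single_source_attack())}")
        print(f"{name:26} distributed   {outcome(pol, distributed_attack())}")
```

With equal thresholds the single-source attacker trips both rules on the same attempt, so the mailbox locks at the moment the IP is blocked. With By IP lower, the IP is blocked after three failures and the mailbox never reaches ten. In the distributed replay no IP ever reaches the By IP limit, so Option 1 still locks the mailbox and only Option 2 avoids it; that case is what the thread's reporters were seeing.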
0
Derek Curtis Replied
Employee Post
Gabriele...good suggestion for the Help documentation. I'll be sure our Comm Team has it in the next Help publish. 
Derek Curtis
COO
SmarterTools Inc.
(877) 357-6278
1
John Marx Replied
An additional item to point out would be that it always shows Webmail as the culprit. In our case, it was EWS via Outlook and via Android (Outlook). We figured it out by shutting off the user's phone (it still happened), then shutting down desktop Outlook, and it was fine. So the information for the block should also have one for IP. That is what threw us off at first, as we saw it was blocked and then turned the two new items off and the problem went away.
0
Reto Aeberli Replied
Derek, this caused us phone calls too and we disabled all the new ids rules for the moment. I really think you should have better configured values or leave them off per default. 
0
Derek Curtis Replied
Employee Post
Reto, as mentioned we are re-configuring the default values for the next build to avoid problems right out of the gate. 
Derek Curtis
COO
SmarterTools Inc.
(877) 357-6278
0
Jade D Replied
IMO it doesn't make sense to disable the mail account. If your IDS rules are correctly set up then the chances of being brute-forced are very slim.
Why inconvenience the client when they have no control over something that they are completely unaware of?
If the client is failing auth and your IDS rules are correctly set up, then they'll be sure to call your offices or log a ticket requesting an unblock and a possible change of password.

Disable the function that disables the mailbox and adjust your IDS rules to block failures after 3, 6 and 9 failed attempts, with each subsequent failure rate increasing the number of days that the IP is blocked.
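Jade's scheme, as an added example that is not SmarterMail's code: failures are counted per IP cumulatively, each tier blocks that IP for longer, and the mailbox is never disabled. The 3/6/9 thresholds are from the post; the block lengths (1, 7 and 30 days), the IP address and the timestamps in the scenario are constructed. The record keeps its failure count after a block expires, so an IP that comes back after its first block is promoted to the next tier on only three more failures.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Escalation tiers: (cumulative failures from this IP, block length).
# 3/6/9 are Jade's thresholds; the block lengths are constructed for this example.
TIERS: List[Tuple[int, timedelta]] = [
    (3, timedelta(days=1)),
    (6, timedelta(days=7)),
    (9, timedelta(days=30)),
]


@dataclass
class IpRecord:
    failures: int = 0                       # cumulative; survives expiry of a block
    tier: int = 0                           # number of tiers already applied
    blocked_until: Optional[datetime] = None


class EscalatingIpBlocker:
    """Per-IP IDS rule: block longer on each tier; never touch the mailbox."""

    def __init__(self, tiers: List[Tuple[int, timedelta]] = TIERS):
        self.tiers = tiers
        self.records: Dict[str, IpRecord] = {}
        self.blocks: List[Tuple[str, datetime, int]] = []  # (ip, when, days)

    def failed_login(self, ip: str, now: datetime) -> str:
        """Record one failed login; returns 'dropped', 'failed' or 'blocked'."""
        rec = self.records.setdefault(ip, IpRecord())
        if rec.blocked_until is not None and now < rec.blocked_until:
            return "dropped"                # refused at the IDS; auth never runs
        rec.failures += 1
        if rec.tier < len(self.tiers):
            threshold, duration = self.tiers[rec.tier]
        else:
            # Past the last tier: any further failure re-blocks at maximum length.
            threshold, duration = rec.failures, self.tiers[-1][1]
        if rec.failures >= threshold:
            rec.tier += 1
            rec.blocked_until = now + duration
            self.blocks.append((ip, now, duration.days))
            return "blocked"
        return "failed"


def run_scenario() -> Tuple[List[str], List[int]]:
    """Constructed timeline: one IP keeps coming back after each block expires."""
    ids = EscalatingIpBlocker()
    ip = "203.0.113.9"                      # constructed, documentation range
    t0 = datetime(2018, 12, 12, 12, 0)
    m, d = timedelta(minutes=1), timedelta(days=1)
    timeline = [
        t0, t0 + m, t0 + 2 * m,             # three failures -> 1-day block
        t0 + 3 * m,                         # during the block -> dropped
        t0 + d + 5 * m, t0 + d + 6 * m, t0 + d + 7 * m,   # back: 6 -> 7-day block
        t0 + 8 * d + 10 * m, t0 + 8 * d + 11 * m, t0 + 8 * d + 12 * m,  # 9 -> 30 days
        t0 + 40 * d,                        # beyond the last tier: re-blocked at once
    ]
    results = [ids.failed_login(ip, t) for t in timeline]
    return results, [days for _, _, days in ids.blocks]


if __name__ == "__main__":
    outcomes, block_days = run_scenario()
    print(outcomes)
    print("block lengths applied (days):", block_days)
```

A legitimate user who mistypes a password once or twice never reaches the first tier, and because only the IP is ever blocked, the account owner is not locked out by someone else's attempts. An operator removing a block manually would clear `blocked_until` but should leave `failures` in place so the escalation is not reset.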

0
John Marx Replied
When the defaults are "reset", is the installer going to reset the ones that are still at the factory setting, or will there be instructions on what the new defaults are?
0
Gabriele Maoret Replied
@Jade D: can you elaborate more on your sentence "Disable the function that disables the mailbox and adjust your IDS rules to block failures after 3, 6 and 9 failed attempts, with each subsequent failure rate increasing the number of days that the IP is blocked."?

Thanks in advance!!!
0
Gabriele Maoret Replied
Hi Derek, in the latest update (today) there is a fix:
  • Fixed - Authentication could incorrectly fail stating a user's password exceeded the password reset grace period.

I thought that this was a fix for this issue, but it seems not to be, 'cause I see that many mailboxes are blocked again and so I have to disable the IDS rule...
1
Jade D Replied
Hi Gabriele,

Option 2: Disable By Email 
No need to have this feature enabled if your IDS rules are setup to block IP's that fail auth more than 3 times.
0
Tim Uzzanti Replied
Employee Post
Again, there is no fix because it's operating as intended.

Disable the rule or modify some of the attributes.

We will be changing our defaults in an upcoming build.  

We definitely realize it is too restrictive out of the box.

There is a release today that includes a fix for blocks that aren't being cleared after their timeframe or when manually removed.  
Tim Uzzanti
CEO
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Gabriele Maoret Replied
Hi Tim, thanks for the clarification.

Please, could you tell us what the new default settings will be so we can try them?
1
Gabriele Maoret Replied
Thanks Jade
0
viv burrows Replied
I guess this is the reason that on my install every single user, including me, is locked out. The question is, if everyone is locked out, how do you correct the issue?
0
viv burrows Replied
My solution: down the server for 15 minutes, restart and log in quickly.
Adjust security settings.
There probably is a much more polished solution.
0
Jade D Replied
You should be able to edit those values within the JSON files without having to wait 15 minutes.
Locate the JSON file responsible for the default values and open it in an intelligent editor (Notepad++).
Stop the SmarterMail service, edit the JSON file, save, and start the SmarterMail service.

I have not tested this on the latest version, and thus my suggestion may be way out, but logic tells me that the settings are stored as in previous versions of SM, where the config values were stored in XML files, so something similar should apply.
