Back to Community Threads
1
IDS Rules for Password Brute Force don't work except for Web Login attempts?
Problem reported by Brian A. - 6/28/2023 at 9:22 PM
Resolved
The new IDS Rules don't seem to apply to IMAP attempted logins?

I used to have hundreds of "Brute Force by Password" IDS Blocks. Now, I have none...and I can't even get StupidMail to block an IP address or email address if I try using an incorrect password over IMAP. I set the IDS Rules for "Password Brute Force" for both email and IP to 3 "logins" in 5 minutes. Even after 35 bad login attempts in 1 minute via IMAP, it won't block the IP address or the email address.

As far as I can tell, the only thing the IDS Rules block for Password Brute Force are web login attempts.

Am I missing something or is intrusion detection system for IMAP now absent?

9 Replies

Reply to Thread
0
Andrew Barker Replied
6/29/2023 at 7:20 AM
Employee Post
The recent changes made to IDS rules are still working for IMAP. The only real change is that the rules are no longer protocol specific. This lightened the administrative load and also let us easily extend the IDS rule checks to cover the HTTP based protocols - EWS, MAPI, EAS, and WebDAV.

IDS rules are not triggered for authentication attempts that meet one of the following criteria:

  • Request comes from localhost, 127.0.0.1, or some other loopback indicator.
  • Request comes from an IP in a private range. This indicates that the request is coming from the same network that the server is running on.
  • Request comes from an appropriately bypassed or whitelisted IP.
Further, repeated attempts from the same source with the same user name and login are counted at a throttled rate. Repeated attempts using the exact same credentials are typically a result of a client trying to make multiple connections simultaneously, a user having changed their password on the server but not in their client, or something similar.

If you want to test the IDS rules, you need to make the attempts from an external IP that is not whitelisted or bypassed and you need to change the auth credentials you are attempting with for each attempt.
Andrew Barker Software Developer SmarterTools Inc. www.smartertools.com
0
Gabriele Maoret - SERSIS Replied
6/29/2023 at 8:45 AM
Hi Andrea, I think the clarification you made in this sentences (which I propose again here) is a big problem, I don't agree with your choice and it worries me a lot:

<<<<
IDS rules are not triggered for authentication attempts that meet one of the following criteria:

  • Request comes from localhost, 127.0.0.1, or some other loopback indicator.
  • Request comes from an IP in a private range. This indicates that the request is coming from the same network that the server is running on.
>>>>



The problem is this: what happens if a criminal hacker manages to get into any of my systems and from this local network tries to forcefully attack the SmarterMail passwords?

Or if he manages to reach the SmarterMail server doing IP Spoofing and presenting himself with an IP that you have arbitrarily excluded from the checks?

From what you say he can try as much as he wants and will never be blocked by the IDS system...

The IDS system must work for ANY IP address, even 127.0.0.1 or a private ip (example: 192.168.1.10/24...).

Then it will be up to the administrator to White List the private IPs he wants.

Excluding from the IDS check all the IPs of the private classes (and/or any other "special" IP) in HardCoded mode without giving the administrator the possibility to decide WHICH are excluded or not is a big security hole!!!!
Gabriele Maoret - Head of SysAdmins at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
0
Kyle Kerst Replied
6/29/2023 at 10:42 AM
Employee Post
Hi Gabriele! Any time we've seen the IDS system be problematic for an environment, its usually centered around an internal user who has forgotten to change a password in their connected email clients. As such, these criteria are implemented to prevent these scenarios and prevent the complete lockout when it happens, specially on NAT-enabled networks where all clients report back with the same router IP or something along those lines. As you're aware, that can introduce some potential vectors for problems. But;

The ability to spoof the IP address would need to take place at the network level, and so the recommendation is to handle this at that level before it reaches the SmarterMail server. SmarterMail will see whichever IP address your network hardware passes along as the requesting IP, so implementing controls to prevent spoofing at that level should prevent this possibility. 

Arguably the same approach should be applied for compromised devices on the network as well, as anything on your internal network should be safeguarded and will be highly problematic if compromised, not just for the SmarterMail server but other devices on the network as well. 

This is not to say we could not implement further changes in these areas, just that there are already tools/utilities and suites that are purpose-built for this. If you need any help evaluating specific scenarios please submit a ticket with us and we'll see what we can come up with for you. Have a good one!
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
2
Brian A. Replied
6/29/2023 at 11:53 AM
Marked As Resolution
Further, repeated attempts from the same source with the same user name and login are counted at a throttled rate. Repeated attempts using the exact same credentials are typically a result of a client trying to make multiple connections simultaneously, a user having changed their password on the server but not in their client, or something similar.
Using identical credentials was how I was doing my testing. I didn't change the "bad" test credentials, so now I understand that SmarterMail ignores repeated attempts using identical "bad" credentials.

Request comes from an IP in a private range. This indicates that the request is coming from the same network that the server is running on.
This was my other issue. Someone from within the company should have been blocked after multiple incorrect password attempts. In this case, they were trying to get into an email account that they don't have access to...and shouldn't.

Regarding the hard-coded whitelisting of private IP address ranges seems almost insane. Do you think that password brute force attacks couldn't happen within a local network? Do you think all co-workers are saints? or am I missing something?

I agree with Gabrielle that WE should be the ones to whitelist private IP address ranges. If you want to make this part of a default whitelist, fine... but WE should be able to control that ourselves.

I still find it odd that I used to have HUNDREDS of password brute force attacks that would get blocked, but now I have almost none.

Thanks for getting back to me.
1
Matt Petty Replied
6/29/2023 at 12:29 PM
Employee Post
I wonder if instead of hardcoding the private IP ranges in the code that we instead whitelist the ranges by default then not touch them again. This would allow our desired behavior to take place while allowing the system admins to simply disable or remove those whitelist entries.

I can try to bring it up next time we do a meeting.
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
1
Gabriele Maoret - SERSIS Replied
6/29/2023 at 12:30 PM
I agree with Brian.

This is simply wrong.

I totally not agree with this hardcoded IP whitelist(which by the way is also invisible and therefore unknown to the administrators...), it's simply an intentional security hole.

A system admin can whitelist local address and loop back address if he wants, and it is simply wrong to enforce it if the admin doesn't want to white list theese IPs...

EDIT: Matt Petty's proposal could be a good solution!

This is my opinion.
Gabriele Maoret - Head of SysAdmins at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
1
Mark K. Replied
7/1/2023 at 9:16 AM
Hardcoding IP whitelists has failed security scans, as some pen tests are initiated from wihin a corporate network, not just from external facing.

There are major attack vectors from within corporate networks, host based protection is one level of security that is a requirement and with these new releases of SmarterMail, I believe it has taken major steps backwards.

Allow the users to make the choices to enable or disable levels of security based on their own requirements.
2
Matt Petty Replied
7/5/2023 at 8:03 AM
Employee Post
Just wanted to update this thread based on the meeting we had this morning. We discussed this and we're on board with putting the hardcoded entries in the whitelist. They will not able to be deleted but they CAN BE DISABLED. 
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
0
Gabriele Maoret - SERSIS Replied
7/5/2023 at 8:09 AM
Great!
Gabriele Maoret - Head of SysAdmins at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
Back to Community Threads

Reply to Thread

Related Knowledge Base Articles

Set up Autodiscover for SmarterMailSmarterMail > Installation and Configuration
Change the Login AttemptsSmarterStats > Installation and Configuration
Configure URL Rewriting for Autodiscover on LinuxSmarterMail > Server Configuration and Management
Deploying Rspamd For Use With SmarterMailSmarterMail > Server Configuration and Management
Force Traffic Over HTTPS when using a Reverse ProxySmarterMail > Server Configuration and Management