My question is as follows:
When enabling Geo-restrictions for authentication and attack detection - does ME block the connection when it attempts the AUTH command or does it "block" the auth. command, which then still results in a pile of failed random login attempts that eventually still locks the account in question?
Reason being - we are being hassled by a ton of random IPs - they bang on the server for two or three attempts - to beat the rate limiting - then come back later - either from the same IP or different ones. We have enabled the geo-restrictions and it seems to have NO effect whatsoever (even after service restart). Additionally, with restrictions enabled, authentications are still permitted (via testing with VPN to over a dozen blocklisted countries).
Please advise --
ME 10.32 vs. Country Authentication Restrictions
Re: ME 10.32 vs. Country Authentication Restrictions
Hi,
The authentication policy requires a connection in order for the AUTH command to be issued to the service. Therefore it will not prevent the connection but prevent the authentication. Have you enabled the "Abuse detection and prevention" option within the "Localhost" properties under the "Policies" tab? This will ban an IP address after 10 invalid AUTH attempts for one hour.
https://www.mailenable.com/documentation/10.0/Enterprise/Localhost_-_Policies.html
Regards,
Ian Margarone
MailEnable Support
Re: ME 10.32 vs. Country Authentication Restrictions
Understood on the topology --
In re: Abuse Prevention -
The issue is that the offending IPs only send one or two auth requests per IP - then disappear for over an hour - then come back. They're keen to the rate-limiting feature - and time their hits based on a delay between repeated attempts. While this same behavior also prevents them from locking legitimate email accounts in the same fashion (too many repeated attempts) - it doesn't prevent against the slow-brute-force attacks that are happening.
In the essence that the GEO restrictions should prevent authentication, I find it interesting that when enabled, authentication from a "geo-restricted" IP is still possible and successful - but I will test further and bring logfiles for diagnosis.
At this point, I feel we will have to work on a third-party solution to geo-restrict connections to the mail server. As in - our mail server has no real business communicating with IPs outside North and Central America/Europe. None of our clients or operations do business or communicate with most far-east or even middle-east countries. I am understanding this is not how the GEO-restrict feature is implemented in ME - but rather, connection is allowed - then AUTH command prevented when IP defies acceptable rules.
In this case - it appears to be a network of compromised servers - there are approximately 50 IPs that are involved - several of them try to open up "common accounts" - others try to open up "known accounts that exist" - and most of them also attempt to login with a username wibbogup@<domainname>.<tld> (replace with chosen domain). Granted, this scenario is obviously not a ME problem, so I do thank you for your time on the matter.
Re: ME 10.32 vs. Country Authentication Restrictions
Hello,
I have this same problem. I have enabled the GEO authentication policies, to only allow authentication from certain countries, but I still get hammered on a daily basis from different IPs, so the IP blocking feature doesn't solve this issue. They haven't succeeded in guessing the password; maybe the AUTH request is actually blocked with the GEO policies (although the message in the logs just says "Invalid Username or Password"), but the issue is that I get enough requests that fail because of the invalid password that the account is locked for the legit users.
I have no way of knowing if the GEO policies are working or not, as I can't see any message in the logs related to that; I would expect that if there is an AUTH LOGIN from a blocked country then it should kill the connection at that point, or at the very least block the AUTH but without counting that attempt as a "valid" one that works towards the blocking of the account.
Right now I have to keep getting into the admin console to unlock the accounts several times a day... I have been adding the IPs and in some cases even the whole subnet of the offending IPs to my Firewall, but that's not a viable nor a permanent solution.
Re: ME 10.32 vs. Country Authentication Restrictions
I have the same issue. If anyone has come up with a third-party solution or criteria script, please post it here.
Re: ME 10.32 vs. Country Authentication Restrictions
Hi,
The check for country restriction is done after the login is done. It needs to do this in order to determine the mailbox (i.e. it needs to match the authentication details to a mailbox) in order to see whether the mailbox or postoffice has a country restriction on it, even if you have blocked at the global level. If you have the abuse detection enabled, it will kick in, and the sender will just get invalid logins and it will not get to the auth check or the country check. This will be a problem if you have the lockout on a mailbox after a certain number of failed logins, since the act of the auth lookup will cause the invalid login counter to increment. We recommend not using the mailbox lockout feature and relying on the abuse detection instead, since it will lock out the connecting IP address instead of the mailbox. The problem with the mailbox lockout is that password changes can cause lockouts for valid users, since it does not keep a history of passwords in order to prevent the case of a client application using an older password until updated. We still intend to fix this so the lockout works with the country blocking, though.
Re: ME 10.32 vs. Country Authentication Restrictions
I agree and have been stung by the lockout feature before.
Re: ME 10.32 vs. Country Authentication Restrictions
I am working on an app that pulls the latest IP allocations from the 5 main sources.
It will supernet ranges of countries you want to block that overlap so as to reduce the load of multiple firewall entries in WFP.
Basically, it will pull latest lists, let you choose "problem countries you want to block completely" and then take any ranges assigned to those countries, attempt to combine subnets that are adjacent, then give you chance to add rules to the Windows filtering platform (blocking the ports you choose) -- this will make a huge difference for me in the end personally.
Another utility I will be generating will be something that works as a connection proxy -- catching the incoming connections and doing a better job with the EHLO pattern blocking.
One of the major problems is botnets that will attempt logins to accounts from hundreds of IP addresses, but it's only one attempt per address, so it never triggers IP ban and if you turn off mailbox protection lockouts, then it's just a matter of time till they eventually pop the password.
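The range-aggregation step the post above describes (pull the per-country allocations, merge adjacent ranges into supernets, emit firewall rules for chosen ports) as an added, stand-alone example. This is not the poster's app and not MailEnable code. It assumes the input is in the public RIR "delegated" statistics format (`registry|cc|type|start|value|date|status`, where `value` is an address count for IPv4 and a prefix length for IPv6); the sample lines below are constructed, with placeholder country codes AA/BB/CC and documentation address space. The rule output uses the real `New-NetFirewallRule` cmdlet (Windows Defender Firewall, which sits on the Windows Filtering Platform); the rule name, the port list and the batch size of 1000 networks per rule are arbitrary choices of this example.

```python
import ipaddress

# Constructed sample in RIR delegated-stats format (real format, made-up data).
# AA/BB/CC are placeholder country codes; the ranges are documentation space.
SAMPLE_DELEGATED = """\
2|example|20210301|6|19830101|20210301|+1000
example|*|ipv4|*|6|summary
example|AA|ipv4|203.0.113.0|128|20100101|allocated
example|AA|ipv4|203.0.113.128|128|20100101|allocated
example|AA|ipv4|198.51.100.0|64|20100101|assigned
example|BB|ipv4|198.51.100.64|192|20100101|allocated
example|CC|ipv4|192.0.2.0|256|20100101|allocated
example|AA|ipv6|2001:db8::|32|20100101|allocated
"""

# Client-facing ports only (SMTPS, submission, IMAPS, POP3S); see the usage
# note on why port 25 is a separate decision.
DEFAULT_PORTS = (465, 587, 993, 995)


def ranges_for_countries(text, countries, family="ipv4"):
    """Return the networks delegated to the given country codes.

    IPv4 records carry an address count that need not be a power of two, so
    each record is expanded with summarize_address_range; IPv6 records carry a
    prefix length. Version and summary lines do not have a matching field
    layout and are skipped.
    """
    nets = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) < 7 or fields[2] != family or fields[1] not in countries:
            continue
        start = ipaddress.ip_address(fields[3])
        if family == "ipv4":
            end = start + int(fields[4]) - 1
            nets.extend(ipaddress.summarize_address_range(start, end))
        else:
            nets.append(ipaddress.ip_network(f"{start}/{fields[4]}"))
    return nets


def supernet(nets):
    """Merge adjacent and overlapping networks (one address family at a time)."""
    return list(ipaddress.collapse_addresses(nets))


def firewall_rules(nets, ports=DEFAULT_PORTS, name="GeoBlock", batch=1000):
    """Build New-NetFirewallRule command lines, `batch` networks per rule."""
    cidrs = [str(n) for n in nets]
    port_list = ",".join(str(p) for p in ports)
    cmds = []
    for i in range(0, len(cidrs), batch):
        chunk = cidrs[i:i + batch]
        cmds.append(
            f'New-NetFirewallRule -DisplayName "{name}-{i // batch + 1}" '
            f'-Direction Inbound -Action Block -Protocol TCP '
            f'-LocalPort {port_list} -RemoteAddress {",".join(chunk)}'
        )
    return cmds


if __name__ == "__main__":
    raw = ranges_for_countries(SAMPLE_DELEGATED, {"AA", "BB"})
    merged = supernet(raw)
    print(f"{len(raw)} delegated ranges -> {len(merged)} supernets:")
    for n in merged:
        print("  ", n)
    for cmd in firewall_rules(merged):
        print(cmd)
```

Two caveats for anyone wiring this into a real blocklist: the RIR data records which registry delegated a block, not where its hosts are today, so expect a few misattributed ranges (and re-run the pull regularly, because allocations move); and blocking port 25 from a country stops inbound mail from that country, not just login attempts, whereas the submission, IMAPS and POP3S ports only ever carry client logins, so those are the safe ones to restrict first.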
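The evasion pattern described in this post and in the earlier reply (one or two failed AUTHs per IP, then silence until the ban window has passed, across many IPs aimed at the same mailbox) is invisible to a per-IP counter but easy to see once failures are counted per target mailbox across distinct sources. The detection below is an added example, not MailEnable code and not the poster's proxy utility. The log lines are constructed in a simple made-up format (`date time ip AUTH mailbox FAIL|OK`), not MailEnable's real log layout, and every threshold (the per-IP ban at 10 failures taken from the support reply, a 6-hour window, 5 failures from at least 3 distinct IPs) is an assumed value to tune against your own mailbox lockout threshold.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (NOT MailEnable's real log format), one AUTH per line:
#   "<date> <time> <source ip> AUTH <target mailbox> <FAIL|OK>"
# Every attacking IP makes only one or two attempts, as described in the thread.
SAMPLE_LOG = """\
2021-03-01 08:00:05 203.0.113.10 AUTH alice@example.com FAIL
2021-03-01 08:00:07 203.0.113.10 AUTH alice@example.com FAIL
2021-03-01 09:00:00 192.0.2.200 AUTH bob@example.com FAIL
2021-03-01 09:00:02 192.0.2.200 AUTH bob@example.com OK
2021-03-01 09:15:41 198.51.100.22 AUTH alice@example.com FAIL
2021-03-01 09:15:43 198.51.100.22 AUTH alice@example.com FAIL
2021-03-01 10:30:12 192.0.2.77 AUTH alice@example.com FAIL
2021-03-01 11:45:59 203.0.113.55 AUTH alice@example.com FAIL
2021-03-01 11:46:01 203.0.113.55 AUTH alice@example.com FAIL
2021-03-01 12:01:03 198.51.100.90 AUTH alice@example.com FAIL
2021-03-01 12:01:05 198.51.100.90 AUTH alice@example.com FAIL
2021-03-01 12:30:00 192.0.2.5 AUTH alice@example.com OK
"""

PER_IP_BAN_THRESHOLD = 10          # assumed: 10 bad AUTHs per IP, per the support reply
SPRAY_WINDOW = timedelta(hours=6)  # assumed
SPRAY_MIN_FAILS = 5                # assumed: set below your mailbox lockout count
SPRAY_MIN_DISTINCT_IPS = 3         # assumed: distinct sources needed to call it a spray


def parse_log(text):
    """Parse the constructed log into (timestamp, ip, mailbox, result) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[3] != "AUTH":
            continue
        date, time_, ip, _, mailbox, result = parts
        events.append((datetime.fromisoformat(f"{date} {time_}"),
                       ipaddress.ip_address(ip), mailbox, result))
    return events


def per_ip_failures(events):
    """Failed AUTHs per source IP: the only view a per-IP ban works from."""
    counts = defaultdict(int)
    for _, ip, _, result in events:
        if result == "FAIL":
            counts[ip] += 1
    return dict(counts)


def banned_ips(events, threshold=PER_IP_BAN_THRESHOLD):
    """IPs a per-IP abuse ban would catch; empty for a low-and-slow spray."""
    return {ip for ip, n in per_ip_failures(events).items() if n >= threshold}


def sprayed_mailboxes(events, window=SPRAY_WINDOW, min_fails=SPRAY_MIN_FAILS,
                      min_ips=SPRAY_MIN_DISTINCT_IPS):
    """Per target mailbox, slide a window over its failures and flag the
    mailbox once enough failures arrive from enough distinct source IPs."""
    by_mailbox = defaultdict(list)
    for ts, ip, mailbox, result in events:
        if result == "FAIL":
            by_mailbox[mailbox].append((ts, ip))
    flagged = {}
    for mailbox, fails in by_mailbox.items():
        fails.sort(key=lambda f: f[0])
        for i, (start, _) in enumerate(fails):
            in_window = [(t, ip) for t, ip in fails[i:] if t - start <= window]
            ips = {ip for _, ip in in_window}
            if len(in_window) >= min_fails and len(ips) >= min_ips:
                # Group sources by /24 (or /64) to see whether the botnet
                # clusters in a few networks worth blocking wholesale.
                nets = {ipaddress.ip_network(
                    f"{ip}/{24 if ip.version == 4 else 64}", strict=False) for ip in ips}
                flagged[mailbox] = {
                    "failures": len(in_window),
                    "distinct_ips": len(ips),
                    "distinct_nets": len(nets),
                    "window_start": start,
                    "sources": sorted(str(ip) for ip in ips),
                }
                break
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("per-IP failures:", {str(k): v for k, v in per_ip_failures(evts).items()})
    print("IPs a per-IP ban would catch:", banned_ips(evts) or "none")
    for mbox, info in sprayed_mailboxes(evts).items():
        print(f"SPRAY {mbox}: {info['failures']} failures from {info['distinct_ips']} IPs "
              f"in {info['distinct_nets']} networks since {info['window_start']}")
```

On the sample data no IP reaches the per-IP ban (the worst offender has two failures), yet alice@example.com collects nine failures from five IPs in three /24s within four hours, which is exactly the traffic that trips a mailbox lockout. The flagged output is what you would feed into an alert or into a firewall block of the source networks rather than into the mailbox counter.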
Re: ME 10.32 vs. Country Authentication Restrictions
I use OPNsense firewall, so what I did was restrict ports 465 and 993 to US-only IPs using GeoIP_lite. Seems to work so far.