“…I'm just saying it's [F2B] not a solution to modern brute-force attack on passwords/accounts….”

It’s actually staggering that you say this because of how incredibly inaccurate this statement is…

Presume someone goes brute-force against a Postfix server via v6 only - so tons of addresses at their disposal. And let’s also presume that the defender has F2B tuned to allow no more than 2 attempts.

We know that brute-force is all about attempts per unit time, right? Yes - ok, so then let’s presume the attacker tunes their stack with a very low TCP wait time - somewhere around 1s. OK, fine, so after 2 rapid attempts, the attacker will get blocked and they will wait 1s before moving on to the next IP - rinse - repeat.

The reality here is the attacker is essentially stuck in the mud against F2B. And because they want to maximize their attempts per unit time, they will move on once they realize someone is actively blocking their traffic.

In my real-world use-case, I had over 200K daily password attempts prior to F2B and 2 weeks after implementation, that number dropped to below 1 per day.

Blocking an IP is the single cheapest most effective thing one can do re: undesired traffic. Are there “better” solutions? Sure but what is “best” is a subjective determination and always depends on the use-case. And for almost all use-cases, blocking IPs is a solid tool…
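A Python model of the attempts-per-unit-time argument above, added here and not taken from any poster or from Fail2Ban itself: a fail2ban-style jail (maxretry, findtime, bantime) run over constructed Postfix SASL-failure log lines, with an assumed option to ban the enclosing /64 so a v6 source cannot sidestep a per-address ban simply by hopping to a neighbouring address. The log lines, jail parameters and the prefix-banning option are assumptions of the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed postfix/smtpd SASL failures (not real log data): one /64 source retrying, then hopping addresses.
LOG_LINES = """\
Apr 26 04:09:00 mx postfix/smtpd[811]: warning: unknown[2001:db8:1::a]: SASL LOGIN authentication failed: authentication failure
Apr 26 04:09:01 mx postfix/smtpd[811]: warning: unknown[2001:db8:1::a]: SASL LOGIN authentication failed: authentication failure
Apr 26 04:09:02 mx postfix/smtpd[811]: warning: unknown[2001:db8:1::a]: SASL LOGIN authentication failed: authentication failure
Apr 26 04:09:03 mx postfix/smtpd[812]: warning: unknown[2001:db8:1::b]: SASL LOGIN authentication failed: authentication failure
Apr 26 04:09:04 mx postfix/smtpd[812]: warning: unknown[2001:db8:1::b]: SASL LOGIN authentication failed: authentication failure
Apr 26 04:09:05 mx postfix/smtpd[813]: warning: unknown[2001:db8:1::c]: SASL LOGIN authentication failed: authentication failure
Apr 26 04:09:06 mx postfix/smtpd[813]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
""".splitlines()
FAIL_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) .*unknown\[([0-9a-fA-F:.]+)\]: SASL \w+ authentication failed")

def parse(line, year=2022):
    m = FAIL_RE.search(line)
    if not m:
        return None  # not a SASL failure line
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").timestamp()
    return ts, ip_address(m.group(2))

def ban_key(ip, v6_prefix=None):
    if v6_prefix is not None and ip.version == 6:  # assumed option: ban the whole v6 prefix
        return str(ip_network(f"{ip}/{v6_prefix}", strict=False))
    return str(ip)

def simulate(lines, maxretry=2, findtime=600, bantime=3600, v6_prefix=None):
    """Fail2ban-style jail over the log: (attempts reaching postfix, attempts dropped, bans issued)."""
    recent = defaultdict(deque)   # ban key -> timestamps of failures still inside findtime
    banned_until = {}
    allowed = dropped = bans = 0
    for ts, ip in filter(None, map(parse, lines)):
        key = ban_key(ip, v6_prefix)
        if banned_until.get(key, 0) > ts:
            dropped += 1          # firewall drop: the attempt never reaches the service
            continue
        allowed += 1
        window = recent[key]
        window.append(ts)
        while window and window[0] < ts - findtime:
            window.popleft()      # expire failures older than findtime
        if len(window) >= maxretry:
            banned_until[key] = ts + bantime
            bans += 1
            window.clear()
    return allowed, dropped, bans
```

With per-address bans the constructed log yields 6 attempts reaching postfix and 2 bans; banning the enclosing /64 cuts that to 3 attempts and 1 ban, since the hop to a neighbouring address is already blocked.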

- - -

On 26 Apr 2022, at 4:09, pat...@patpro.net wrote:

April 26, 2022 12:16 PM, "Mauricio Tavares" <raubvo...@gmail.com> wrote:

Please explain how certificate authentication is, as you said,
100% efficient against brute-force attacks.

No password = no possible brute-forced password.


If these 100s or 1000s of IP addresses are sending each thousands of
connection requests a minute, isn't this a DDoS?

No it's probably not. And you are trying to change the question here, so that it matches the solution you advocate for. The day you'll experience a real DDoS, I'm pretty sure F2B will see absolutely nothing about it. You don't need to target an open port/service to DDoS a server, 99,99% of the time it's just a flood of packets putting your firewall on its knees. To put a nice example on the table: last time we had a huge DDoS at work, it was in 2014, we were flooded with peaks at more than 15Gbps of traffic (syn flood, ntp, etc.). It was intermittent and lasted about 3 weeks. Our operator had to drop/null route all traffic from outside Europe during 11 days to protect us. And it was the attack of just one angry guy through a pay-for-use DDoS service.

Brute-forcing passwords/accounts has nothing to do with DDoS. The purpose of brute-forcing passwords is gaining access to a service in order to exploit it (steal data, send spam, etc.). The purpose of DDoS is to render the service unavailable.

Unless you run postfix on a 10-year-old Raspberry, it can handle the load. But again, I'm not rejecting Fail2Ban, as it can have some value. I'm just saying it's not a solution to modern brute-force attack on passwords/accounts. And on larger email systems it can even cost you more time in support (like when you get a legitimate shared IP address blacklisted).


patpro
