“…I'm just saying it's [F2B] not a solution to modern brute-force
attack on passwords/accounts….”
It’s actually staggering that you say this because of how incredibly
inaccurate this statement is…
Presume someone goes brute-force against a Postfix server via v6 only -
so tons of addresses at their disposal. And let’s also presume that
the defender has F2B tuned to allow no more than 2 attempts.
We know that brute-force is all about attempts per unit time, right?
Yes - ok, so then let’s presume the attacker tunes their stack with a
very low TCP wait time - somewhere around 1s. OK, fine, so after 2
rapid attempts, the attacker will get blocked and they will wait 1s
before moving on to the next IP - rinse - repeat.
The reality here is the attacker is essentially stuck in the mud against
F2B. And because they want to maximize their attempts per unit time,
they will move on once they realize someone is actively blocking their
traffic.
In my real-world use-case, I had over 200K daily password attempts prior
to F2B and 2 weeks after implementation, that number dropped to below 1
per day.
Blocking an IP is the single cheapest, most effective thing one can do
re: undesired traffic. Are there “better” solutions? Sure but what
is “best” is a subjective determination and always depends on the
use-case. And for almost all use-cases, blocking IPs is a solid tool…
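The arithmetic in the post above (maxretry of 2, a 1s connect timeout on a blocked address, then on to the next IPv6 address) can be made concrete with a small simulation. The following is an added example, not code from the thread and not Fail2Ban's own code: it re-implements the maxretry/findtime/bantime idea of a fail2ban jail in a few lines, runs it over constructed Postfix SASL-failure log lines, and then drives it with the rotating attacker the poster describes. The attacker's base rate of 10 attempts per second, the IPv6 addresses, hostnames and log lines are all assumptions made up for the example.

```python
import re
from collections import defaultdict

# Postfix smtpd logs a failed SASL login like the lines below. These samples
# are constructed for the example, not taken from a real mail.log.
SASL_FAIL = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) \S+ "
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9A-Fa-f:.]+)\]: "
    r"SASL \w+ authentication failed"
)

SAMPLE_LOG = """\
Apr 26 12:16:01 mx postfix/smtpd[2451]: warning: unknown[2001:db8::1]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 26 12:16:02 mx postfix/smtpd[2451]: warning: unknown[2001:db8::1]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 26 12:16:02 mx postfix/smtpd[2452]: connect from unknown[2001:db8::2]
Apr 26 12:16:03 mx postfix/smtpd[2452]: warning: unknown[2001:db8::2]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
Apr 26 12:16:04 mx postfix/smtpd[2451]: warning: unknown[2001:db8::1]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""


def parse_failures(text):
    """Yield (seconds since midnight, client ip) for every SASL failure line."""
    for line in text.splitlines():
        m = SASL_FAIL.match(line)
        if m:
            ts = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            yield ts, m["ip"]


class Jail:
    """Per-IP failure counter with fail2ban's three knobs (maxretry, findtime,
    bantime). Time is whatever unit the caller uses, as long as findtime and
    bantime use the same unit. Illustrative re-implementation, not fail2ban."""

    def __init__(self, maxretry=2, findtime=600, bantime=3600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(list)   # ip -> recent failure times
        self.banned = {}                    # ip -> time the ban expires
        self.allowed = 0                    # attempts that reached the service
        self.dropped = 0                    # attempts eaten by the firewall rule

    def observe(self, ts, ip):
        """Feed one connection attempt; returns 'dropped', 'banned' or 'counted'."""
        expiry = self.banned.get(ip)
        if expiry is not None:
            if ts < expiry:
                self.dropped += 1
                return "dropped"
            del self.banned[ip]             # bantime elapsed: unban
        self.allowed += 1
        recent = [t for t in self.failures[ip] if ts - t <= self.findtime]
        recent.append(ts)
        if len(recent) >= self.maxretry:
            self.banned[ip] = ts + self.bantime
            self.failures[ip] = []
            return "banned"
        self.failures[ip] = recent
        return "counted"


def replay_log(text, maxretry=2):
    """Run the jail over the log. A really banned client would never reach
    smtpd, so its later lines would not exist; here the log stands in for
    the attacker's attempt stream so the fourth line shows up as 'dropped'."""
    jail = Jail(maxretry=maxretry)
    outcomes = [(ip, jail.observe(ts, ip)) for ts, ip in parse_failures(text)]
    return jail, outcomes


def run_attacker(addresses, rate=10, connect_timeout_ms=1000,
                 duration_ms=60_000, maxretry=2):
    """The attacker model from the post: fire `rate` attempts per second from
    one address until a connect is dropped, wait out the connect timeout,
    move on to the next address. Integer milliseconds keep it exact.
    Returns how many attempts actually reached the SASL layer."""
    jail = Jail(maxretry=maxretry, findtime=600_000, bantime=3_600_000)
    interval_ms = 1000 // rate
    t, idx = 0, 0
    while t < duration_ms:
        ip = addresses[idx % len(addresses)]
        if jail.observe(t, ip) == "dropped":
            t += connect_timeout_ms     # SYN to a banned address: wait for timeout
            idx += 1                    # rinse, repeat with the next address
        else:
            t += interval_ms
    return jail.allowed


if __name__ == "__main__":
    jail, outcomes = replay_log(SAMPLE_LOG)
    print(outcomes, "reached service:", jail.allowed, "dropped:", jail.dropped)
    one = ["2001:db8::1"]
    many = [f"2001:db8::{i:x}" for i in range(1000)]   # assumed attacker pool
    print("no jail, 60s:      ", run_attacker(one, maxretry=10**9))
    print("one address, 60s:  ", run_attacker(one))
    print("1000 addresses, 60s:", run_attacker(many))
    print("5 addresses, 60s:  ", run_attacker(many[:5]))
```

With the poster's numbers the rotating attacker gets two attempts per address per 1.2 seconds, so in a minute 100 attempts reach Postfix instead of 600 at the assumed unblocked rate, and an attacker with only a handful of addresses stalls completely once each one is banned. The attempts-per-unit-time figure is exactly what the simulation returns, so the knobs can be varied to see how the rate moves.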
- - -
On 26 Apr 2022, at 4:09, pat...@patpro.net wrote:
April 26, 2022 12:16 PM, "Mauricio Tavares" <raubvo...@gmail.com>
wrote:
> Please explain how certificate authentication is, as you said,
> 100% efficient against brute-force attacks.
No password = no possible brute-forced password.
> If these 100s or 1000s of IP addresses are sending each thousands of
> connection requests a minute, isn't this a DDoS?
No it's probably not. And you are trying to change the question here,
so that it matches the solution you advocate for. The day you'll
experience a real DDoS, I'm pretty sure F2B will see absolutely
nothing about it. You don't need to target an open port/service to
DDoS a server, 99.99% of the time it's just a flood of packets putting
your firewall on its knees.
To put a nice example on the table: last time we had a huge DDoS at
work, it was in 2014, we were flooded with peaks at more than 15Gbps
of traffic (syn flood, ntp, etc.). It was intermittent and lasted
about 3 weeks. Our operator had to drop/null route all traffic from
outside Europe during 11 days to protect us. And it was the attack of
just one angry guy through a pay-for-use DDoS service.
Brute-forcing passwords/accounts has nothing to do with DDoS. Purpose of
brute-forcing passwords is gaining access to a service in order to
exploit it (steal data, send spam, etc.). Purpose of DDoS is to render
the service unavailable.
Unless you run postfix on a 10-year-old Raspberry, it can handle the
load. But again, I'm not rejecting Fail2Ban, as it can have some
value. I'm just saying it's not a solution to modern brute-force
attack on passwords/accounts. And on larger email systems it can even
cost you more time in support (like when you get a legitimate shared
IP address blacklisted).
patpro