On 26/4/2022 20:11, Antonio Leding wrote:
> “…I'm just saying it's [F2B] not a solution to modern brute-force attacks
> on passwords/accounts….”
> It’s actually staggering that you say this because of how incredibly
> inaccurate this statement is…
>
> Presume someone goes brute-force against a Postfix server via v6 only -
> so tons of addresses at their disposal. And let’s also presume that the
> defender has F2B tuned to allow no more than 2 attempts.
>
> We know that brute-force is all about attempts per unit time, right? Yes
> - ok, so then let’s presume the attacker tunes their stack with a very
> low TCP wait time - somewhere around 1s. OK, fine, so after 2 rapid
> attempts, the attacker will get blocked and they will wait 1s before
> moving on to the next IP - rinse - repeat.
>
> The reality here is the attacker is essentially stuck in the mud against
> F2B. And because they want to maximize their attempts per unit time,
> they will move on once they realize someone is actively blocking their
> traffic.
They never moved on from here.
> In my real-world use-case, I had over 200K daily password attempts prior
> to F2B and 2 weeks after implementation, that number dropped to below 1
> per day.
1-2 per IP per day here. They adapt and tune accordingly. It has been
happening, and still does, for many years now, no matter what, even with
F2B. Even once a day coming from a few thousand IPs is still a few
thousand attempts, even with IP blocking set at 1 day of blocking per IP.
> Blocking an IP is the single cheapest most effective thing one can do
> re: undesired traffic. Are there “better” solutions? Sure but what is
> “best” is a subjective determination and always depends on the use-case.
> And for almost all use-cases, blocking IPs is a solid tool…
IP blocking is one of the best ways, but F2B is limited to each
firewall's capabilities, and you are dealing with thousands of IPs. If you
want something more permanent and use F2B, then the firewall will reach
its limits sooner or later.
Changing the authentication method to anything that does not accept
PLAIN TEXT may also be another good way to deal with it. By doing only
that, I have actually seen some attacks stop completely.
F2B is a nice but limited solution to this problem. The best way I have
personally found so far, besides the password authentication method, is
setting smtpd_delay_reject to no (very important, this step) and using
my own home-made and maintained DNSBL service as early as possible to
restrict those attacks in a very permanent way from a few mail servers
at the same time. CIDR blocking also works very well and fast with a DNSBL
in the case of net blocks and huge IP blocks, IPv6 or even IPv4, and you
also get central management of the black/white list. This has the
advantage that it does not give any info to the attacker other than that
his IP is blocked, stops the attack as early as possible, and also limits
the possibilities of a successful attack down to almost nothing.
Lefteris
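The following configuration is an added illustration of the controls the post above describes (reject at connect time with smtpd_delay_reject = no, a DNSBL lookup plus a CIDR table evaluated in smtpd_client_restrictions, no cleartext SASL mechanisms outside TLS, and a Fail2ban jail with the 2-attempt limit from earlier in the thread); it is not configuration posted by either participant. The DNSBL zone name dnsbl.example.internal, the file paths, the timing values and the netblocks (RFC 5737 / RFC 3849 documentation ranges) are assumptions chosen for the example.

```ini
# Added example, not configuration from the thread. Zone name, paths,
# netblocks and timing values are assumptions.

# --- /etc/postfix/main.cf ---------------------------------------------------
# Evaluate client restrictions when the connection arrives instead of
# waiting for RCPT TO, so a listed client is refused before it can AUTH.
smtpd_delay_reject = no

# Order matters: trusted networks first, then the local CIDR table (no DNS
# round trip), then the privately maintained DNSBL zone (assumed name).
smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access cidr:/etc/postfix/client_access.cidr,
    reject_rbl_client dnsbl.example.internal,
    permit

# Do not offer AUTH until STARTTLS has completed, and forbid the cleartext
# mechanisms (PLAIN, LOGIN) on sessions that are not TLS-protected.
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous

# --- /etc/postfix/client_access.cidr ----------------------------------------
# Whole netblocks, IPv4 and IPv6, managed in one file that several servers
# can share. cidr: tables are read directly; no postmap step is required.
# Addresses are documentation ranges used as placeholders.
192.0.2.0/24       REJECT repeat AUTH brute-force source
2001:db8:1::/48    REJECT repeat AUTH brute-force source

# --- /etc/fail2ban/jail.d/postfix-sasl.local --------------------------------
# The "no more than 2 attempts" setting from the discussion: the ban fires
# on the second SASL failure seen within findtime; bantime of one day
# matches the "1 day blocking per IP" mentioned above.
[postfix-sasl]
enabled  = yes
port     = smtp,465,submission
maxretry = 2
findtime = 600
bantime  = 86400
```

After editing, `postconf -n` shows the effective values, `postfix reload` applies them, and `fail2ban-client status postfix-sasl` lists the currently banned addresses. Two caveats to keep in mind with this layout: with smtpd_delay_reject = no, Postfix rejects before it knows the sender or recipient, so those reject log lines carry less context than a RCPT-time reject would; and reject_rbl_client performs a DNS query per connection, so a slow or unreachable DNSBL zone delays every inbound session, which is one reason to keep the CIDR table ahead of it.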