Good feedback - typically I’d have some comments but since we’ve
wandered a fair bit off the reserve here, I will refrain. If anyone
wants to continue this at Reddit or somewhere else more apropos, let me
know…
- - -
On 26 Apr 2022, at 11:56, Lefteris Tsintjelis wrote:
> On 26/4/2022 20:11, Antonio Leding wrote:
>> “…I'm just saying it's [F2B] not a solution to modern brute-force
>> attack on passwords/accounts….”
>> It’s actually staggering that you say this because of how
>> incredibly inaccurate this statement is…
>> Presume someone goes brute-force against a Postfix server via v6 only
>> - so tons of addresses at their disposal. And let’s also presume
>> that the defender has F2B tuned to allow no more than 2 attempts.
>> We know that brute-force is all about attempts per unit time, right?
>> Yes - ok, so then let’s presume the attacker tunes their stack with
>> a very low TCP wait time - somewhere around 1s. OK, fine, so after 2
>> rapid attempts, the attacker will get blocked and they will wait 1s
>> before moving on to the next IP - rinse - repeat.
>> The reality here is the attacker is essentially stuck in the mud
>> against F2B. And because they want to maximize their attempts per
>> unit time, they will move on once they realize someone is actively
>> blocking their traffic.
> They never moved on from here.
>> In my real-world use-case, I had over 200K daily password attempts
>> prior to F2B and 2 weeks after implementation, that number dropped to
>> below 1 per day.
> 1-2 per IP per day here. They adapt and tune accordingly. It has been
> happening and still does for many years now no matter what, even with
> F2B. Even once a day coming from a few thousand IPs is still a few
> thousand attempts, even with IP blocking set at 1 day blocking per IP.
>> Blocking an IP is the single cheapest most effective thing one can do
>> re: undesired traffic. Are there “better” solutions? Sure, but
>> what is “best” is a subjective determination and always depends
>> on the use-case. And for almost all use-cases, blocking IPs is a
>> solid tool…
> IP blocking is one of the best ways, but F2B is limited to each
> firewall's capabilities and you deal with thousands of IPs. If you
> want something more permanent and use F2B, then the firewall will
> reach its limits sooner or later.
> Changing the authentication method to anything that does not accept
> PLAIN TEXT may also be another good way to deal with it that may work.
> By doing only that I have actually seen some attacks stop completely.
> F2B is a nice but limited solution to this problem. The best way I
> have personally found so far, besides the password authentication
> method, is setting smtpd_delay_reject to no (this step is very
> important) and using my own home-made and maintained DNSBL service as
> early as possible to restrict those attacks in a very permanent way
> from a few mail servers at the same time. CIDR blocking also works very
> well and fast with DNSBL in the case of net blocks and huge IP blocks,
> IPv6 or even IPv4, and you also have central management of the
> black/white list. This has the advantage that it does not give any
> info to the attacker other than that his IP is blocked and stops the
> attack as early as possible, but also limits the possibilities of a
> successful attack down to almost nothing.
> Lefteris
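The Postfix side of what Lefteris describes, as an added example that is not from the thread: a main.cf fragment that evaluates client restrictions at connection time (smtpd_delay_reject = no), consults a CIDR table and a DNSBL before the client can reach AUTH, and refuses plaintext SASL mechanisms. The DNSBL zone name, the CIDR table path and the address ranges in it are placeholders I made up; adjust them to your own setup.

```conf
# /etc/postfix/main.cf (fragment; added example, not from the thread)

# By default Postfix postpones client/helo/sender restrictions until RCPT TO.
# With "no" they are applied as soon as their stage is reached, so a listed
# client is rejected at the first command, before AUTH is ever attempted and
# before it learns anything beyond "this IP is blocked".
smtpd_delay_reject = no

# Connection-time checks, cheapest first: local nets pass, then a local CIDR
# table (no DNS round trip), then the DNSBL lookup. IPv6 clients are looked up
# in the DNSBL the same way as IPv4 clients.
smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access cidr:/etc/postfix/client_blocks.cidr,
    reject_rbl_client dnsbl.example.internal,
    permit

# Stop offering PLAIN and LOGIN. Clients then need a challenge-response
# mechanism, and the SASL backend must store credentials in a form it can
# compute that challenge from; verify your clients and backend support this
# before turning it on, or legitimate users will be locked out too.
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous, noplaintext

# /etc/postfix/client_blocks.cidr (constructed entries using documentation
# ranges; cidr: tables are read directly, no postmap step is needed).
# Whole net blocks can be dropped in one line, which is the point of CIDR
# blocking over per-address firewall rules when IPv6 is in play.
192.0.2.0/24     REJECT client blocked
2001:db8::/32    REJECT client blocked
```

After editing, run `postfix reload` and watch the mail log for the `NOQUEUE: reject` entries that confirm clients are being refused before `AUTH`.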