Re: using SMTP auth to brute-force passwords

[Matti Aarnio <mea@nic.funet.fi>]

On Thu, Dec 27, 2001 at 10:02:35AM -0700, Devin Reade wrote:
...
> When one enables zmailer to do password auth (PARAM smtp-auth), are
> there delays imposed to slow down brute force attacks, or can an
> attacker pump through the queries as fast as the connection permits?

   No.  Adding a delay (configurable/quadratic) is trivialish.
   However an attacker can:
    - Run N sessions in parallel
    - Drop connection after 2-3 seconds of delay of (non-)answer..

   Detecting an attach would, then, mean detecting failing authentication
   from same address repeatedly within shortish time period.
   That is unfortunately something which independent processes just can't
   do all by themselves.  Such needs adding some interlocked database,
   be it an incore one, or something external.

> Are there any other security-related issues here (other than you want
> smtp-auth to be happening over SSL)?

   No, aside of SASL stuff your other email is referring at.

> [On a related but off topic issue, if anyone knows of a freeware 
> product that provides for slowing down brute-forcing on web servers,
> please let me know in private email.  The only products I've seen 
> so far are commercial.]

   I find it a bit surprising if teergrubing/tar-piting isn't
   supported for e.g. Apache.

   Pushing some source address into e.g. firewall rejection after
   a treshold amount of failures would also serve as rejection of
   badies, but if that something is a web-proxy ?

> --
>         Devin Reade        <gdr@gno.org>

/Matti Aarnio
-
To unsubscribe from this list: send the line "unsubscribe zmailer" in
the body of a message to majordomo@nic.funet.fi